diff --git a/linpeas.sh b/linpeas.sh index b5978a9..ecf5a2b 100755 --- a/linpeas.sh +++ b/linpeas.sh @@ -1,6 +1,6 @@ #!/bin/sh -VERSION="v3.1.5 - Safe OSCP" +VERSION="v3.2.0" ADVISORY="This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission." ########################################### @@ -44,7 +44,7 @@ NOTEXPORT="" DISCOVERY="" PORTS="" QUIET="" -CHECKS="SysI,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI,IntFiles" +CHECKS="SysI,Container,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI,IntFiles" WAIT="" PASSWORD="" THREADS="`((grep -c processor /proc/cpuinfo 2>/dev/null) || ((command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n"`" @@ -60,7 +60,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, $Y-w$B Wait execution between big blocks $Y-n$B Do not export env variables related with history and do not check Internet connectivity $Y-P$B Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su' - $Y-o$B Only execute selected checks (SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles). Select a comma separated list. + $Y-o$B Only execute selected checks (SysI, Container, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles). Select a comma separated list. $Y-L$B Force linpeas execution. $Y-M$B Force macpeas execution. $Y-t$B Threads to search files inside the system (by default it's the number of CPU threads). @@ -190,7 +190,7 @@ echo " RED: You must take a look at it" | sed "s,RED,${C}[1;31m&${C}[0m," echo " LightCyan: Users with console" | sed "s,LightCyan,${C}[1;96m&${C}[0m," echo " Blue: Users without console & mounted devs" | sed "s,Blue,${C}[1;34m&${C}[0m," echo " Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) " | sed "s,Green,${C}[1;32m&${C}[0m," -echo " LightMangeta: Your username" | sed "s,LightMagenta,${C}[1;95m&${C}[0m," +echo " LightMagenta: Your username" | sed "s,LightMagenta,${C}[1;95m&${C}[0m," if [ "$IAMROOT" ]; then echo "" echo " YOU ARE ALREADY ROOT!!! (it could take longer to complete execution)" | sed "s,YOU ARE ALREADY ROOT!!!,${C}[1;31;103m&${C}[0m," @@ -247,8 +247,11 @@ groupsVB="\(sudo\)|\(docker\)|\(lxd\)|\(disk\)|\(lxc\)" knw_grps='\(lpadmin\)|\(cdrom\)|\(plugdev\)|\(nogroup\)' #https://www.togaware.com/linux/survivor/Standard_Groups.html mygroups=`groups 2>/dev/null | tr " " "|"` -sidG1="/abuild-sudo$|/accton$|/allocate$|/ARDAgent|/arping$|/atq$|/atrm$|/authpf$|/authpf-noip$|/authopen$|/batch$|/bbsuid$|/bsd-write$|/btsockstat$|/bwrap$|/cacaocsc$|/camel-lock-helper-1.2$|/ccreds_validate$|/cdrw$|/chage$|/check-foreground-console$|/chrome-sandbox$|/chsh$|/cons.saver$|/crontab$|/ct$|/cu$|/dbus-daemon-launch-helper$|/deallocate$|/desktop-create-kmenu$|/dma$|/dma-mbox-create$|/dmcrypt-get-device$|/doas$|/dotlockfile$|/dotlock.mailutils$|/dtaction$|/dtfile$|/eject$|/execabrt-action-install-debuginfo-to-abrt-cache$|/execdbus-daemon-launch-helper$|/execdma-mbox-create$|/execlockspool$|/execlogin_chpass$|/execlogin_lchpass$|/execlogin_passwd$|/execssh-keysign$|/execulog-helper$|/exim4|/expiry$|/fdformat$|/fstat$|/fusermount$|/fusermount3$|/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnometris$|/gnomine$|/gnotski$|/gnotravex$|/gpasswd$|/gpg$|/gpio$|/gtali|/.hal-mtab-lock$|/imapd$|/inndstart$|/kismet_cap_nrf_51822$|/kismet_cap_nxp_kw41z$|/kismet_cap_ti_cc_2531$|/kismet_cap_ti_cc_2540$|/kismet_cap_ubertooth_one$|/kismet_capture$|/kismet_cap_linux_bluetooth$|/kismet_cap_linux_wifi$|/kismet_cap_nrf_mousejack$|/ksu$|/list_devices$|/locate$|/lock$|/lockdev$|/lockfile$|/login_activ$|/login_crypto$|/login_radius$|/login_skey$|/login_snk$|/login_token$|/login_yubikey$|/lpc$|/lpd$|/lpd-port$|/lppasswd$|/lpq$|/lpr$|/lprm$|/lpset$|/lxc-user-nic$|/mahjongg$|/mail-lock$|/mailq$|/mail-touchlock$|/mail-unlock$|/mksnap_ffs$|/mlocate$|/mlock$|/mount.cifs$|/mount.nfs$|/mount.nfs4$|/mtr$|/mutt_dotlock$" -sidG2="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/snap-confine$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$|/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/vmstat$|/vmware-user-suid-wrapper$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$" +# Default Binaries List +sidG1="/abuild-sudo$|/accton$|/allocate$|/ARDAgent|/arping$|/atq$|/atrm$|/authpf$|/authpf-noip$|/authopen$|/batch$|/bbsuid$|/bsd-write$|/btsockstat$|/bwrap$|/cacaocsc$|/camel-lock-helper-1.2$|/ccreds_validate$|/cdrw$|/chage$|/check-foreground-console$|/chrome-sandbox$|/chsh$|/cons.saver$|/crontab$|/ct$|/cu$|/dbus-daemon-launch-helper$|/deallocate$|/desktop-create-kmenu$|/dma$|/dma-mbox-create$|/dmcrypt-get-device$|/doas$|/dotlockfile$|/dotlock.mailutils$|/dtaction$|/dtfile$|/eject$|/execabrt-action-install-debuginfo-to-abrt-cache$|/execdbus-daemon-launch-helper$|/execdma-mbox-create$|/execlockspool$|/execlogin_chpass$|/execlogin_lchpass$|/execlogin_passwd$|/execssh-keysign$|/execulog-helper$|/exim4|/expiry$|/fdformat$|/fstat$|/fusermount$|/fusermount3$" +sidG2="/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnometris$|/gnomine$|/gnotski$|/gnotravex$|/gpasswd$|/gpg$|/gpio$|/gtali|/.hal-mtab-lock$|/helper$|/imapd$|/inndstart$|/kismet_cap_nrf_51822$|/kismet_cap_nxp_kw41z$|/kismet_cap_ti_cc_2531$|/kismet_cap_ti_cc_2540$|/kismet_cap_ubertooth_one$|/kismet_capture$|/kismet_cap_linux_bluetooth$|/kismet_cap_linux_wifi$|/kismet_cap_nrf_mousejack$|/ksu$|/list_devices$|/load_osxfuse$|/locate$|/lock$|/lockdev$|/lockfile$|/login_activ$|/login_crypto$|/login_radius$|/login_skey$|/login_snk$|/login_token$|/login_yubikey$|/lpc$|/lpd$|/lpd-port$|/lppasswd$|/lpq$|/lpr$|/lprm$|/lpset$|/lxc-user-nic$|/mahjongg$|/mail-lock$|/mailq$|/mail-touchlock$|/mail-unlock$|/mksnap_ffs$|/mlocate$|/mlock$|/mount$|/mount.cifs$|/mount.ecryptfs_private$|/mount.nfs$|/mount.nfs4$|/mount_osxfuse$|/mtr$|/mutt_dotlock$" +sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$" +sidG4="/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/VBoxHeadless$|/VBoxNetAdpCtl$|/VBoxNetDHCP$|/VBoxNetNAT$|/VBoxSDL$|/VBoxVolInfo$|/VirtualBoxVM$|/vmstat$|/vmware-authd$|/vmware-user-suid-wrapper$|/vmware-vmx$|/vmware-vmx-debug$|/vmware-vmx-stats$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$" #Rules: Start path " /", end path "$", divide path and vulnversion "%". SPACE IS ONLY ALLOWED AT BEGINNING, DONT USE IT IN VULN DESCRIPTION sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\ @@ -289,7 +292,9 @@ sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\ /screen$%GNU_Screen_4.5.0\ /sdtcm_convert$%Sun_Solaris_7.0\ /sendmail$%Sendmail_8.10.1/Sendmail_8.11.x/Linux_Kernel_2.2.x_2.4.0-test1_\(SGI_ProPack_1.2/1.3\)\ - /check_sudo_version$\ + /snap-confine$%Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation\(CVE-2019-7304\)\ + /sudo%check_if_the_sudo_version_is_vulnerable\ + /Serv-U%FTP_Server<15.1.7(CVE-2019-12181) /sudoedit$%Sudo/SudoEdit_1.6.9p21/1.7.2p4/\(RHEL_5/6/7/Ubuntu\)/Sudo<=1.8.14\ /tmux$%Tmux_1.3_1.4_privesc\(CVE-2011-1496\)\ /traceroute$%LBL_Traceroute_\[2000-11-15\]\ @@ -303,7 +308,8 @@ sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\ /xorg$%Xorg_1.19_to_1.20.x\(CVE_2018-14665\)/xorg-x11-server<=1.20.3/AIX_7.1_\(6.x_to_7.x_should_be_vulnerable\)_X11.base.rte<7.1.5.32_and_\ /xterm$%Solaris_5.5.1_X11R6.3\(05-1997\)/Debian_xterm_version_222-1etch2\(01-2009\)" #To update sidVB: curl https://github.com/GTFOBins/GTFOBins.github.io/tree/master/_gtfobins 2>/dev/null | grep 'href="/GTFOBins/' | grep '.md">' | awk -F 'title="' '{print $2}' | cut -d '"' -f1 | cut -d "." -f1 | sed -e 's,^,/,' | sed -e 's,$,\$,' | tr '\n' '|' -sidVB='/apt-get$|/apt$|/aria2c$|/arp$|/ash$|/awk$|/base32$|/base64$|/bash$|/bpftrace$|/bundler$|/busctl$|/busybox$|/byebug$|/cancel$|/cat$|/chmod$|/chown$|/chroot$|/cobc$|/composer$|/cp$|/cpan$|/cpulimit$|/crash$|/crontab$|/csh$|/curl$|/cut$|/dash$|/date$|/dd$|/dialog$|/diff$|/dmesg$|/dmsetup$|/dnf$|/docker$|/dpkg$|/easy_install$|/eb$|/ed$|/emacs$|/env$|/eqn$|/expand$|/expect$|/facter$|/file$|/find$|/finger$|/flock$|/fmt$|/fold$|/ftp$|/gawk$|/gcc$|/gdb$|/gem$|/genisoimage$|/ghc$|/ghci$|/gimp$|/git$|/grep$|/gtester$|/hd$|/head$|/hexdump$|/highlight$|/iconv$|/iftop$|/ionice$|/ip$|/irb$|/jjs$|/journalctl$|/jq$|/jrunscript$|/ksh$|/ksshell$|/ld$|/ldconfig$|/less$|/logsave$|/look$|/ltrace$|/lua$|/lwp-download$|/lwp-request$|/mail$|/make$|/man$|/mawk$|/more$|/mount$|/mtr$|/mv$|/mysql$|/nano$|/nawk$|/nc$|/nice$|/nl$|/nmap$|/node$|/nohup$|/nroff$|/nsenter$|/od$|/openssl$|/pdb$|/perl$|/pg$|/php$|/pic$|/pico$|/pip$|/pkexec$|/pry$|/puppet$|/python$|/rake$|/readelf$|/red$|/redcarpet$|/restic$|/rlogin$|/rlwrap$|/rpm$|/rpmquery$|/rsync$|/ruby$|/run-mailcap$|/run-parts$|/rview$|/rvim$|/scp$|/screen$|/script$|/sed$|/service$|/setarch$|/sftp$|/shuf$|/smbclient$|/socat$|/soelim$|/sort$|/sqlite3$|/ssh$|/start-stop-daemon$|/stdbuf$|/strace$|/strings$|/su$|/sysctl$|/systemctl$|/tac$|/tail$|/tar$|/taskset$|/tclsh$|/tcpdump$|/tee$|/telnet$|/tftp$|/time$|/timeout$|/tmux$|/top$|/ul$|/unexpand$|/uniq$|/unshare$|/uudecode$|/uuencode$|/valgrind$|/vi$|/view$|/vim$|/watch$|/wget$|/whois$|/wish$|/xargs$|/xxd$|/xz$|/yelp$|/yum$|/zip$|/zsh$|/zsoelim$|/zypper$' +sidVB='/apt-get$|/apt$|/ar$|/aria2c$|/arp$|/ash$|/at$|/atobm$|/awk$|/base32$|/base64$|/basenc$|/bash$|/bpftrace$|/bridge$|/bundler$|/busctl$|/busybox$|/byebug$|/cancel$|/capsh$|/cat$|/certbot$|/check_by_ssh$|/check_cups$|/check_log$|/check_memory$|/check_raid$|/check_ssl_cert$|/check_statusfile$|/chmod$|/chown$|/chroot$|/cobc$|/column$|/comm$|/composer$|/cowsay$|/cowthink$|/cp$|/cpan$|/cpio$|/cpulimit$|/crash$|/crontab$|/csh$|/csplit$|/csvtool$|/cupsfilter$|/curl$|/cut$|/dash$|/date$|/dd$|/dialog$|/diff$|/dig$|/dmesg$|/dmsetup$|/dnf$|/docker$|/dpkg$|/dvips$|/easy_install$|/eb$|/ed$|/emacs$|/env$|/eqn$|/ex$|/exiftool$|/expand$|/expect$|/facter$|/file$|/find$|/finger$|/flock$|/fmt$|/fold$|/ftp$|/gawk$|/gcc$|/gdb$|/gem$|/genisoimage$|/ghc$|/ghci$|/gimp$|/git$|/grep$|/gtester$|/gzip$|/hd$|/head$|/hexdump$|/highlight$|/hping3$|/iconv$|/iftop$|/install$|/ionice$|/ip$|/irb$|/jjs$|/join$|/journalctl$|/jq$|/jrunscript$|/ksh$|/ksshell$' +sidVB2='/latex$|/ld$|/ldconfig$|/less$|/logsave$|/look$|/ltrace$|/lua$|/lualatex$|/luatex$|/lwp-download$|/lwp-request$|/mail$|/make$|/man$|/mawk$|/more$|/mount$|/mtr$|/mv$|/mysql$|/nano$|/nawk$|/nc$|/nice$|/nl$|/nmap$|/node$|/nohup$|/npm$|/nroff$|/nsenter$|/octave$|/od$|/openssl$|/openvpn$|/openvt$|/paste$|/pdb$|/pdflatex$|/pdftex$|/perl$|/pg$|/php$|/pic$|/pico$|/pip$|/pkexec$|/pkg$|/pr$|/pry$|/psql$|/puppet$|/python$|/rake$|/readelf$|/red$|/redcarpet$|/restic$|/rev$|/rlogin$|/rlwrap$|/rpm$|/rpmquery$|/rsync$|/ruby$|/run-mailcap$|/run-parts$|/rview$|/rvim$|/scp$|/screen$|/script$|/sed$|/service$|/setarch$|/sftp$|/sg$|/shuf$|/slsh$|/smbclient$|/snap$|/socat$|/soelim$|/sort$|/split$|/sqlite3$|/ss$|/ssh-keygen$|/ssh-keyscan$|/ssh$|/start-stop-daemon$|/stdbuf$|/strace$|/strings$|/su$|/sysctl$|/systemctl$|/tac$|/tail$|/tar$|/taskset$|/tbl$|/tclsh$|/tcpdump$|/tee$|/telnet$|/tex$|/tftp$|/time$|/timeout$|/tmux$|/top$|/troff$|/ul$|/unexpand$|/uniq$|/unshare$|/update-alternatives$|/uudecode$|/uuencode$|/valgrind$|/vi$|/view$|/vigr$|/vim$|/vimdiff$|/vipw$|/virsh$|/watch$|/wc$|/wget$|/whois$|/wish$|/xargs$|/xelatex$|/xetex$|/xmodmap$|/xxd$|/xz$|/yelp$|/yum$|/zip$|/zsh$|/zsoelim$|/zypper$' cfuncs='file|free|main|more|read|split|write' sudoVB=" \*|env_keep\+=LD_PRELOAD|apt-get$|apt$|aria2c$|arp$|ash$|awk$|base64$|bash$|busybox$|cat$|chmod$|chown$|cp$|cpan$|cpulimit$|crontab$|csh$|curl$|cut$|dash$|date$|dd$|diff$|dmesg$|dmsetup$|dnf$|docker$|dpkg$|easy_install$|ed$|emacs$|env$|expand$|expect$|facter$|file$|find$|flock$|fmt$|fold$|ftp$|gdb$|gimp$|git$|grep$|head$|ionice$|ip$|irb$|jjs$|journalctl$|jq$|jrunscript$|ksh$|ld.so$|less$|logsave$|ltrace$|lua$|mail$|make$|man$|more$|mount$|mtr$|mv$|mysql$|nano$|nc$|nice$|nl$|nmap$|node$|od$|openssl$|perl$|pg$|php$|pic$|pico$|pip$|puppet$|python$|readelf$|red$|rlwrap$|rpm$|rpmquery$|rsync$|ruby$|run-mailcap$|run-parts$|rvim$|scp$|screen$|script$|sed$|service$|setarch$|sftp$|smbclient$|socat$|sort$|sqlite3$|ssh$|start-stop-daemon$|stdbuf$|strace$|systemctl$|tail$|tar$|taskset$|tclsh$|tcpdump$|tee$|telnet$|tftp$|time$|timeout$|tmux$|ul$|unexpand$|uniq$|unshare$|vi$|vim$|watch$|wget$|wish$|xargs$|xxd$|yum$|zip$|zsh$|zypper$" @@ -353,7 +359,7 @@ else nosh_usrs=`cat /etc/passwd 2>/dev/null | grep -i -v "sh$" | sort | cut -d ":" -f 1 | tr '\n' '|' | sed 's/|bin|/|bin[\\\s:]|^bin$|/'`"ImPoSSssSiBlEee" fi knw_usrs='daemon\W|^daemon$|message\+|syslog|www|www-data|mail|noboby|Debian\-\+|rtkit|systemd\+' -USER=`whoami` +USER=`whoami 2>/dev/null || echo "UserUnknown"` if [ ! "$HOME" ]; then if [ -d "/Users/$USER" ]; then HOME="/Users/$USER"; #Mac home else HOME="/home/$USER"; @@ -388,7 +394,7 @@ PASSTRY="2000" #Default num of passwds to try (all by default) if [ "$PORTS" ] || [ "$DISCOVERY" ] || [ "$IP" ]; then MAXPATH_FIND_W="1"; fi #If Network reduce the time on this SEDOVERFLOW=true -for grp in `groups $USER | cut -d ":" -f2`; do +for grp in `groups $USER 2>/dev/null | cut -d ":" -f2`; do wgroups="$wgroups -group $grp -or " done wgroups="`echo $wgroups | sed -e 's/ -or$//'`" @@ -435,7 +441,7 @@ profiledG="01-locale-fix.sh|256term.csh|256term.sh|abrt-console-notification.sh| knw_emails=".*@aivazian.fsnet.co.uk|.*@angband.pl|.*@canonical.com|.*centos.org|.*debian.net|.*debian.org|.*@jff.email|.*kali.org|.*linux.it|.*@linuxia.de|.*@lists.debian-maintainers.org|.*@mit.edu|.*@oss.sgi.com|.*@qualcomm.com|.*redhat.com|.*ubuntu.com|.*@vger.kernel.org|rogershimizu@gmail.com|thmarques@gmail.com" -timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ureadahead-stop.timer" +timersG="anacron.timer|apt-daily.timer|apt-daily-upgrade.timer|e2scrub_all.timer|fstrim.timer|fwupd-refresh.timer|geoipupdate.timer|io.netplan.Netplan|logrotate.timer|man-db.timer|mlocate.timer|motd-news.timer|phpsessionclean.timer|snapd.refresh.timer|snapd.snap-repair.timer|systemd-tmpfiles-clean.timer|systemd-readahead-done.timer|ureadahead-stop.timer" commonrootdirsG="^/$|/bin$|/boot$|/.cache$|/cdrom|/dev$|/etc$|/home$|/lost+found$|/lib$|/lib64$|/media$|/mnt$|/opt$|/proc$|/root$|/run$|/sbin$|/snap$|/srv$|/sys$|/tmp$|/usr$|/var$" commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxManager-SystemSoftware|/.Spotlight-V100|/.Trashes|/.vol|/Applications|/bin|/cores|/dev|/home|/Library|/macOS Install Data|/net|/Network|/opt|/private|/sbin|/System|/Users|/usr|/Volumes" @@ -444,6 +450,12 @@ ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client6 dbuslistG="^:1\.[0-9\.]+|com.hp.hplip|com.redhat.ifcfgrh1|com.redhat.NewPrinterNotification|com.redhat.PrinterDriversInstaller|com.redhat.RHSM1|com.redhat.RHSM1.Facts|com.redhat.tuned|com.ubuntu.LanguageSelector|com.ubuntu.SoftwareProperties|com.ubuntu.SystemService|com.ubuntu.USBCreator|com.ubuntu.WhoopsiePreferences|io.netplan.Netplan|io.snapcraft.SnapdLoginService|fi.epitest.hostap.WPASupplicant|fi.w1.wpa_supplicant1|NAME|org.blueman.Mechanism|org.bluez|org.debian.apt|org.fedoraproject.FirewallD1|org.fedoraproject.Setroubleshootd|org.fedoraproject.SetroubleshootFixit|org.fedoraproject.SetroubleshootPrivileged|org.freedesktop.Accounts|org.freedesktop.Avahi|org.freedesktop.bolt|org.freedesktop.ColorManager|org.freedesktop.DBus|org.freedesktop.DisplayManager|org.freedesktop.fwupd|org.freedesktop.GeoClue2|org.freedesktop.hostname1|org.freedesktop.import1|org.freedesktop.locale1|org.freedesktop.login1|org.freedesktop.machine1|org.freedesktop.ModemManager1|org.freedesktop.NetworkManager|org.freedesktop.network1|org.freedesktop.nm_dispatcher|org.freedesktop.PackageKit|org.freedesktop.PolicyKit1|org.freedesktop.portable1|org.freedesktop.realmd|org.freedesktop.RealtimeKit1|org.freedesktop.resolve1|org.freedesktop.systemd1|org.freedesktop.thermald|org.freedesktop.timedate1|org.freedesktop.timesync1|org.freedesktop.UDisks2|org.freedesktop.UPower|org.opensuse.CupsPkHelper.Mechanism" +CONTAINER_CMDS="docker lxc rkt kubectl podman runc" +TIP_DOCKER_ROOTLESS="In rootless mode privilege escalation to root will not be possible." +GREP_DOCKER_SOCK_INFOS="Architecture|OSType|Name|DockerRootDir|NCPU|OperatingSystem|KernelVersion|ServerVersion" +GREP_DOCKER_SOCK_INFOS_IGNORE="IndexConfig" +GREP_IGNORE_MOUNTS="/ /|/cgroup|/var/lib/docker/|/null | proc proc |/dev/console|docker.sock" + ########################################### #---------) Checks before start (---------# ########################################### @@ -507,25 +519,25 @@ print_ps (){ } su_try_pwd (){ - USER=$1 + BFUSER=$1 PASSWORDTRY=$2 - trysu=`echo "$PASSWORDTRY" | timeout 1 su $USER -c whoami 2>/dev/null` + trysu=`echo "$PASSWORDTRY" | timeout 1 su $BFUSER -c whoami 2>/dev/null` if [ "$trysu" ]; then - echo " You can login as $USER using password: $PASSWORDTRY" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," + echo " You can login as $BFUSER using password: $PASSWORDTRY" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," fi } su_brute_user_num (){ - USER=$1 + BFUSER=$1 TRIES=$2 - su_try_pwd $USER "" & #Try without password - su_try_pwd $USER $USER & #Try username as password - su_try_pwd $USER `echo $USER | rev 2>/dev/null` & #Try reverse username as password + su_try_pwd $BFUSER "" & #Try without password + su_try_pwd $BFUSER $BFUSER & #Try username as password + su_try_pwd $BFUSER `echo $BFUSER | rev 2>/dev/null` & #Try reverse username as password if [ "$PASSWORD" ]; then - su_try_pwd $USER $PASSWORD & #Try given password + su_try_pwd $BFUSER $PASSWORD & #Try given password fi for i in `seq $TRIES`; do - su_try_pwd $USER `echo $top2000pwds | cut -d " " -f $i` & #Try TOP TRIES of passwords (by default 2000) + su_try_pwd $BFUSER `echo $top2000pwds | cut -d " " -f $i` & #Try TOP TRIES of passwords (by default 2000) sleep 0.007 # To not overload the system done wait @@ -731,6 +743,116 @@ if ! [ "$NOTEXPORT" ]; then fi +########################################### +#---------) Container functions (---------# +########################################### + +containerCheck() { + inContainer="" + containerType="`echo_no`" + + # Are we inside docker? + if [ -f "/.dockerenv" ] || + grep "/docker/" /proc/1/cgroup -qa 2>/dev/null || + grep -qai docker /proc/self/cgroup 2>/dev/null || + [ "`find / -maxdepth 3 -name \"*dockerenv*\" -exec ls -la {} \; 2>/dev/null`" ] ; then + + inContainer="1" + containerType="docker" + fi + + # Are we inside kubenetes? + if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null || + grep -qai kubepods /proc/self/cgroup 2>/dev/null; then + + inContainer="1" + if [ "$containerType" ]; then containerType="$containerType (kubernetes)" + else containerType="kubernetes" + fi + fi + + # Are we inside LXC? + if env | grep "container=lxc" -qa 2>/dev/null || + grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then + + inContainer="1" + containerType="lxc" + fi +} + +inDockerGroup() { + DOCKER_GROUP="No" + if groups 2>/dev/null | grep -q '\bdocker\b'; then + DOCKER_GROUP="Yes" + fi +} + +checkDockerRootless() { + DOCKER_ROOTLESS="No" + if docker info 2>/dev/null|grep -q rootless; then + DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)" + fi +} + +enumerateDockerSockets() { + dockerVersion="`echo_not_found`" + if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then + SEARCHED_DOCKER_SOCKETS="1" + for dock_sock in `find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null`; do + if [ -w "$dock_sock" ]; then + echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${C}[1;31;103m&${C}[0m,g" + echo "Docker enummeration:" + docker_enumerated="" + + if [ "$(command -v curl)" ]; then + sockInfoResponse="`curl -s --unix-socket \"$dockerSockPath\" http://localhost/info`" + dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4) + echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' + if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi + fi + + if [ "$(command -v docker)" ] and ![ "$docker_enumerated" ]; then + sockInfoResponse="`docker info`" + dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4) + printf $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"' + fi + + else + echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${C}[1;32m&${C}[0m,g" + fi + done + fi +} + +checkDockerVersionExploits() { + if [ "`echo \"$dockerVersion\" | grep -i \"not found\"`" ]; then + VULN_CVE_2019_13139="`echo_not_found`" + VULN_CVE_2019_5736="`echo_not_found`" + return + fi + + VULN_CVE_2019_13139="`echo_no`" + if [ "`echo \"$dockerVersion\" | sed 's,\.,,g'`" -lt "1895" ]; then + VULN_CVE_2019_13139="Yes" + fi + + VULN_CVE_2019_5736="`echo_no`" + if [ "`echo \"$dockerVersion\" | sed 's,\.,,g'`" -lt "1893" ]; then + VULN_CVE_2019_5736="Yes" + fi +} + +checkContainerExploits() { + VULN_CVE_2019_5021="`echo_no`" + if [ -f "/etc/alpine-release" ]; then + alpineVersion=$(cat /etc/alpine-release) + if [ "`echo \"$alpineVersion\" | sed 's,\.,,g'`" -ge "330" ] && [ "`echo \"$alpineVersion\" | sed 's,\.,,g'`" -le "360" ]; then + VULN_CVE_2019_5021="Yes" + fi + fi +} + + ########################################### #-----------) Some Basic Info (-----------# ########################################### @@ -1040,7 +1162,7 @@ if [ "`echo $CHECKS | grep SysI`" ]; then #-- SY) Environment vars printf $Y"[+] "$GREEN"Environment\n"$NC printf $B"[i] "$Y"Any private information inside environment variables?\n"$NC - (env || set) 2>/dev/null | grep -v "RELEVANT*\|FIND*\|^VERSION=\|dbuslistG\|mygroups\|ldsoconfdG\|pwd_inside_history\|kernelDCW_Ubuntu_Precise\|kernelDCW_Ubuntu_Trusty\|kernelDCW_Ubuntu_Xenial\|kernelDCW_Rhel\|^sudovB=\|^rootcommon=\|^mounted=\|^mountG=\|^notmounted=\|^mountpermsB=\|^mountpermsG=\|^kernelB=\|^C=\|^RED=\|^GREEN=\|^Y=\|^B=\|^NC=\|TIMEOUT=\|groupsB=\|groupsVB=\|knw_grps=\|sidG\|sidB=\|sidVB=\|sudoB=\|sudoG=\|sudoVB=\|sudocapsB=\|timersG=\|capsB=\|\notExtensions=\|Wfolders=\|writeB=\|writeVB=\|_usrs=\|compiler=\|PWD=\|LS_COLORS=\|pathshG=\|notBackup=\|processesDump\|processesB\|commonrootdirs" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY],${C}[1;31m&${C}[0m,g" || echo_not_found "env || set" + (env || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|sudocapsB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY],${C}[1;31m&${C}[0m,g" || echo_not_found "env || set" echo "" #-- SY) Dmesg @@ -1101,17 +1223,22 @@ if [ "`echo $CHECKS | grep SysI`" ]; then if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi fi echo "" + echo "" + if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi +fi - #-- SY) Container - printf $Y"[+] "$GREEN"Is this a container? ........... "$NC - dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; grep -i kubepods /proc/self/cgroup 2>/dev/null; find / -maxdepth 3 -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null` - lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null` - if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; - elif [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; - else echo_no - fi - #-- SY) Containers Running +if [ "`echo $CHECKS | grep Container`" ]; then + ############################################## + #---------------) Containers (---------------# + ############################################## + printf $B"═════════════════════════════════════════╣ "$GREEN"Containers"$B" ╠══════════════════════════════════════════\n"$NC + containerCheck + printf $Y"[+] "$GREEN"Is this a container? ...........$NC $containerType\n" + + printf $Y"[+] "$GREEN"Container related tools present\n"$NC + which $CONTAINER_CMDS + printf $Y"[+] "$GREEN"Any running containers? ........ "$NC # Get counts of running containers for each platform dockercontainers=`docker ps --format "{{.Names}}" 2>/dev/null | wc -l` @@ -1130,16 +1257,63 @@ if [ "`echo $CHECKS | grep SysI`" ]; then if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; lxc list 2>/dev/null; echo ""; fi if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; rkt list 2>/dev/null; echo ""; fi fi - echo "" + + #If docker + if [ "`echo \"$containerType\" | grep -i \"docker\"`" ]; then + inDockerGroup + printf $Y"[+] "$GREEN"Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${C}[1;31;103m&${C}[0m," + printf $Y"[+] "$GREEN"Looking and enumerating Docker Sockets\n"$NC + enumerateDockerSockets + printf $Y"[+] "$GREEN"Docker version .................$NC$dockerVersion" + checkDockerVersionExploits + printf $Y"[+] "$GREEN"Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${C}[1;31;103m&${C}[0m," + printf $Y"[+] "$GREEN"Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${C}[1;31;103m&${C}[0m," + if [ "$inContainer" ]; then + checkDockerRootless + printf $Y"[+] "$GREEN"Rooless Docker? ................ $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${C}[1;31m&${C}[0m," | sed -${E} "s,Yes,${C}[1;32m&${C}[0m," + fi + fi - if [ "$dockercontainer" ] || [ "$dockercontainers" -ne "0" ]; then - printf $Y"[+] "$GREEN"Looking for docker breakout techniques\n"$NC + if [ "$inContainer" ]; then + echo "" + printf $Y"[+] "$GREEN"Container & breakout enumeration\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout\n"$NC + printf $Y"[+] "$GREEN"Container ID ...................$NC `cat /etc/hostname`\n" + if [ "`echo \"$containerType\" | grep -i \"docker\"`" ]; then + printf $Y"[+] "$GREEN"Container Full ID ..............$NC `basename \"$(cat /proc/1/cpuset)\"`\n" + fi + if [ "`echo \"$containerType\" | grep -i \"kubernetes\"`" ]; then + printf $Y"[+] "$GREEN"Kubernetes namespace ...........$NC `cat /run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null`\n" + printf $Y"[+] "$GREEN"Kubernetes token ...............$NC `cat /run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null`\n" + fi + + checkContainerExploits + printf $Y"[+] "$GREEN"Vulnerable to CVE-2019-5021 .. $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${C}[1;31;103m&${C}[0m," + echo "" + + printf $Y"[+] "$GREEN"Container Capabilities\n"$NC capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${C}[1;31m&${C}[0m,g" echo "" - ls /var/run/docker.sock 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," - ls /run/docker.sock 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," - find / ! -path "/sys/*" -name "docker.sock" -o -name "docker.socket" 2>/dev/null | sed "s,.*,${C}[1;31m&${C}[0m," + + printf $Y"[+] "$GREEN"Privilege Mode\n"$NC + if [ -x "$(command -v fdisk)" ]; then + if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then + echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${C}[1;31;103m&${C}[0m," + else + echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${C}[1;32m&${C}[0m," + fi + else + echo_not_found + fi + echo "" + + printf $Y"[+] "$GREEN"Interesting Files Mounted\n"$NC + grep -Ev "$GREP_IGNORE_MOUNTS" /proc/self/mountinfo | cut -d' ' -f 4- + echo "" + + printf $Y"[+] "$GREEN"Possible Entrypoints\n"$NC + ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq + echo "" fi echo "" @@ -1147,6 +1321,7 @@ if [ "`echo $CHECKS | grep SysI`" ]; then fi + if [ "`echo $CHECKS | grep Devs`" ]; then ########################################### #---------------) Devices (---------------# @@ -1180,7 +1355,7 @@ if [ "`echo $CHECKS | grep AvaSof`" ]; then #-- 1AS) Useful software printf $Y"[+] "$GREEN"Useful software\n"$NC - which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null + which $CONTAINER_CMDS nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch ctr 2>/dev/null echo "" #-- 2AS) Search for compilers @@ -1293,13 +1468,13 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then printf $Y"[+] "$GREEN"Analyzing .service files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#services\n"$NC services=$(echo "$FIND_ETC\n$FIND_LIB\n$FIND_RUN\n$FIND_USR\n$FIND_SYSTEMD\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_VAR\n$FIND_SYS\n$FIND_SNAP" | grep -E '\.service') - printf "$services\n" | while read s; do + printf "%s\n" "$services\n" | while read s; do if [ ! -O "$s" ]; then #Remove services that belongs to the current user if [ -w "$s" ] && [ -f "$s" ]; then echo "$s" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m,g" fi servicebinpaths="`grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' \"$s\" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,'`" #Get invoked paths - printf "$servicebinpaths\n" | while read sp; do + printf "%s\n" "$servicebinpaths\n" | while read sp; do if [ -w "$sp" ]; then echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${C}[1;31;103m&${C}[0m,g" fi @@ -1328,12 +1503,12 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then printf $Y"[+] "$GREEN"Analyzing .timer files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers\n"$NC timers=$(echo "$FIND_ETC\n$FIND_LIB\n$FIND_RUN\n$FIND_USR\n$FIND_SYSTEMD\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_VAR\n$FIND_SYS\n$FIND_SNAP" | grep -E '\.timer') - printf "$timers\n" | while read t; do + printf "%s\n" "$timers\n" | while read t; do if [ -w "$t" ]; then echo "$t" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" fi timerbinpaths="`grep -Po '^Unit=*(.*?$)' \"$t\" 2>/dev/null | cut -d '=' -f2`" - printf "$timerbinpaths\n" | while read tb; do + printf "%s\n" "$timerbinpaths" | while read tb; do if [ -w "$tb" ]; then echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${C}[1;31m&${C}[0m,g" fi @@ -1350,29 +1525,29 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then printf $Y"[+] "$GREEN"Analyzing .socket files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets\n"$NC sockets=$(echo "$FIND_ETC\n$FIND_LIB\n$FIND_RUN\n$FIND_USR\n$FIND_SYSTEMD\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_VAR\n$FIND_SYS\n$FIND_SNAP" | grep -E '\.socket') - printf "$sockets\n" | while read s; do + printf "%s\n" "$sockets" | while read s; do if [ -w "$s" ] && [ -f "$s" ]; then echo "Writable .socket file: $s" | sed "s,/.*,${C}[1;31m&${C}[0m,g" fi socketsbinpaths="`grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' \"$s\" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,'`" - printf "$socketsbinpaths\n" | while read sb; do + printf "%s\n" "$socketsbinpaths" | while read sb; do if [ -w "$sb" ]; then echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${C}[1;31m&${C}[0m,g" fi done socketslistpaths="`grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' \"$s\" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,'`" - printf "$socketsbinpaths\n" | while read sl; do + printf "%s\n" "$socketsbinpaths" | while read sl; do if [ -w "$sl" ]; then echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${C}[1;31m&${C}[0m,g"; fi done - if [ -w "/var/run/docker.sock" ]; then - echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${C}[1;31;103m&${C}[0m,g" - fi - if [ -w "/run/docker.sock" ]; then - echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${C}[1;31;103m&${C}[0m,g" - fi done + if [ -w "/var/run/docker.sock" ]; then + echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${C}[1;31;103m&${C}[0m,g" + fi + if [ -w "/run/docker.sock" ]; then + echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${C}[1;31;103m&${C}[0m,g" + fi echo "" #-- PSC) Search HTTP sockets @@ -1393,7 +1568,7 @@ if [ "`echo $CHECKS | grep ProCronSrvcsTmrsSocks`" ]; then printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus\n"$NC dbusfols=$(echo "$FIND_DIR_ETC" | grep -E '/dbus-1/system.d|/dbus-1/session.d') if [ "$dbusfols" ]; then - printf "$dbusfols\n" | while read d; do + printf "%s\n" "$dbusfols" | while read d; do for f in $d/*; do if [ -w "$f" ]; then echo "Writable $f" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" @@ -1614,8 +1789,8 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then else no_shells="`cat /etc/passwd 2>/dev/null | grep -Ev "sh$" | cut -d ":" -f 7 | sort | uniq`" unexpected_shells="" - printf "$no_shells\n" | while read f; do - if [ "`$f -c 'whoami' 2>/dev/null | grep \"$(whoami)\"`" ]; then + printf "%s\n" "$no_shells" | while read f; do + if [ "`$f -c 'whoami' 2>/dev/null | grep \"$USER\"`" ]; then unexpected_shells="$f\n$unexpected_shells" fi done @@ -1623,7 +1798,7 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then if [ "$unexpected_shells" ]; then echo "These unexpected binaries are acting like shells:\n$unexpected_shells" | sed -${E} "s,/.*,${C}[1;31m&${C}[0m,g" echo "Unexpected users with shells:" - printf "$unexpected_shells\n" | while read f; do + printf "%s\n" "$unexpected_shells" | while read f; do if [ "$f" ]; then grep -E "${f}$" /etc/passwd | sed -${E} "s,/.*,${C}[1;31m&${C}[0m,g" fi @@ -1668,7 +1843,7 @@ if [ "`echo $CHECKS | grep UsrI`" ]; then POSSIBE_SU_BRUTE=`check_if_su_brute`; if [ "$POSSIBE_SU_BRUTE" ]; then SHELLUSERS=`cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1` - printf "$SHELLUSERS\n" | while read u; do + printf "%s\n" "$SHELLUSERS" | while read u; do echo " Bruteforcing user $u..." su_brute_user_num $u $PASSTRY done @@ -1727,7 +1902,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching mysql credentials and exec\n"$NC mysqldirs=$(echo "$FIND_DIR_ETC\n$FIND_DIR_USR\n$FIND_DIR_VAR\n$FIND_DIR_MNT" | grep -E '^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql' | grep -v "mysql/mysql") if [ "$mysqldirs" ]; then - printf "$mysqldirs\n" | while read d; do + printf "%s\n" "$mysqldirs" | while read d; do for f in `find $d -name debian.cnf 2>/dev/null`; do if [ -r $f ]; then echo "We can read the mysql debian.cnf. You can use this username/password to log in MySQL" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," @@ -1770,7 +1945,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then if [ "$postgver" ] || [ "$postgdb" ] || [ "$postgconfs" ]; then if [ "$postgver" ]; then echo "Version: $postgver"; fi if [ "$postgdb" ]; then echo "PostgreSQL database: $postgdb" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; fi - printf "$postgconfs\n" | while read f; do + printf "%s\n" "$postgconfs" | while read f; do if [ -r "$f" ]; then echo "Found readable $f" cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,auth|password|md5|user=|pass=|trust,${C}[1;31m&${C}[0m," 2>/dev/null @@ -1812,10 +1987,10 @@ if [ "`echo $CHECKS | grep SofI`" ]; then if [ "$apachever" ]; then echo "Version: $apachever" sitesenabled=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep "sites-enabled") - printf "$sitesenabled\n" | while read d; do for f in "$d/*"; do grep "AuthType\|AuthName\|AuthUserFile\|ServerName\|ServerAlias" $f 2>/dev/null | grep -v "#" | sed "s,Auth|ServerName|ServerAlias,${C}[1;31m&${C}[0m,"; done; done + printf "%s\n" "$sitesenabled" | while read d; do for f in "$d/*"; do grep "AuthType\|AuthName\|AuthUserFile\|ServerName\|ServerAlias" $f 2>/dev/null | grep -v "#" | sed "s,Auth|ServerName|ServerAlias,${C}[1;31m&${C}[0m,"; done; done if [ !"$sitesenabled" ]; then default00=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep "000-default") - printf "$default00\n" | while read f; do grep -E "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" "$f" 2>/dev/null | grep -v "#" | sed -${E} "s,Auth|ServerName|ServerAlias,${C}[1;31m&${C}[0m,"; done + printf "%s\n" "$default00" | while read f; do grep -E "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" "$f" 2>/dev/null | grep -v "#" | sed -${E} "s,Auth|ServerName|ServerAlias,${C}[1;31m&${C}[0m,"; done fi echo "PHP exec extensions" grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null @@ -1847,7 +2022,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching Drupal settings.php files\n"$NC drup=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'settings\.php$') if [ "$drup" ]; then - printf "$drup\n" | while read f; do + printf "%s\n" "$drup" | while read f; do if [ "`echo $f | grep '/default/settings.php'`" ]; then #Check path /default/settings.php printf "Drupal settings.php file found: $f\n" grep -E "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'" $f 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; @@ -1862,7 +2037,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching Moodle config.php files\n"$NC moo=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'config\.php$') if [ "$moo" ]; then - printf "$moo\n" | while read f; do + printf "%s\n" "$moo" | while read f; do if [ "`echo $f | grep -i moodle/config.php`" ]; then printf "Moodle config.php file found: $f\n" grep -E "dbtype|dbhost|dbuser|dbhost|dbpass|dbport" $f 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; @@ -1877,7 +2052,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then tomcat=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'tomcat-users\.xml$') if [ "$tomcat" ]; then echo "tomcat-users.xml file found: $tomcat" - printf "$tomcat\n" | while read f; do grep "username=" "$f" 2>/dev/null | grep "password=" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; done + printf "%s\n" "$tomcat" | while read f; do grep "username=" "$f" 2>/dev/null | grep "password=" | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; done else echo_not_found "tomcat-users.xml" fi echo "" @@ -1886,7 +2061,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Mongo information\n"$NC mongos=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'mongod.*\.conf$') (mongo --version 2>/dev/null || mongod --version 2>/dev/null) || echo_not_found "mongo binary" - printf "$mongos\n" | while read f; do + printf "%s\n" "$mongos" | while read f; do if [ "$f" ]; then echo "Found $f" cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,auth*=*true|pass.*,${C}[1;31m&${C}[0m," 2>/dev/null @@ -1900,7 +2075,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching supervisord configuration file\n"$NC supervisorf=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'supervisord\.conf') if [ "$supervisorf" ]; then - printf "$supervisorf\n" | while read f; do + printf "%s\n" "$supervisorf" | while read f; do echo "Found $f"; cat "$f" 2>/dev/null | grep -E "port.*=|username.*=|password.*=" | sed -${E} "s,port|username|password,${C}[1;31m&${C}[0m,"; done @@ -1913,7 +2088,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching cesi configuration file\n"$NC if [ "$cesi" ]; then printf "$cesi\n" - printf "$cesi\n" | while read f; do cat "$f" 2>/dev/null | grep "username.*=\|password.*=\|host.*=\|port.*=\|database.*=" | sed -${E} "s,username|password|database,${C}[1;31m&${C}[0m,"; done + printf "%s\n" "$cesi" | while read f; do cat "$f" 2>/dev/null | grep "username.*=\|password.*=\|host.*=\|port.*=\|database.*=" | sed -${E} "s,username|password|database,${C}[1;31m&${C}[0m,"; done else echo_not_found "cesi.conf" fi echo "" @@ -1922,7 +2097,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then rsyncd=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'rsyncd\.conf|rsyncd\.secrets') printf $Y"[+] "$GREEN"Searching Rsyncd config file\n"$NC if [ "$rsyncd" ]; then - printf "$rsyncd\n" | while read f; do + printf "%s\n" "$rsyncd" | while read f; do printf "$f\n" if [ `echo "$f" | grep -i "secrets"` ]; then cat "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," @@ -1940,7 +2115,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then if [ "$hostapd" ]; then printf $Y"[+] "$GREEN"Hostapd conf was found\n"$NC printf "$hostapd\n" - printf "$hostapd\n" | while read f; do cat "$f" 2>/dev/null | grep "passphrase" | sed "s,passphrase.*,${C}[1;31m&${C}[0m,"; done + printf "%s\n" "$hostapd" | while read f; do cat "$f" 2>/dev/null | grep "passphrase" | sed "s,passphrase.*,${C}[1;31m&${C}[0m,"; done else echo_not_found "hostapd.conf" fi echo "" @@ -1949,7 +2124,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching wifi conns file\n"$NC wifi=`find /etc/NetworkManager/system-connections/ -type f 2>/dev/null` if [ "$wifi" ]; then - printf "$wifi\n" | while read f; do echo "$f"; cat "$f" 2>/dev/null | grep "psk.*=" | sed "s,psk.*,${C}[1;31m&${C}[0m,"; done + printf "%s\n" "$wifi" | while read f; do echo "$f"; cat "$f" 2>/dev/null | grep "psk.*=" | sed "s,psk.*,${C}[1;31m&${C}[0m,"; done else echo_not_found fi echo "" @@ -1959,7 +2134,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then anaconda=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'anaconda-ks\.cfg') if [ "$anaconda" ]; then printf "$anaconda\n" - printf "$anaconda\n" | while read f; do cat "$f" 2>/dev/null | grep "rootpw" | sed "s,rootpw.*,${C}[1;31m&${C}[0m,"; done + printf "%s\n" "$anaconda" | while read f; do cat "$f" 2>/dev/null | grep "rootpw" | sed "s,rootpw.*,${C}[1;31m&${C}[0m,"; done else echo_not_found "anaconda-ks.cfg" fi echo "" @@ -1969,7 +2144,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then vnc=$(echo "$FIND_DIR_HOME\n$FIND_DIR_USERS\n$FIND_DIR_MNT" | grep -E '\.vnc') if [ "$vnc" ]; then printf "$vnc\n" - printf "$vnc\n" | while read d; do find "$d" -name "passwd" -exec ls -l {} \; 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; done + printf "%s\n" "$vnc" | while read d; do find "$d" -name "passwd" -exec ls -l {} \; 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,"; done else echo_not_found ".vnc" fi echo "" @@ -1980,7 +2155,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then if [ "$ldap" ]; then printf "$ldap\n" echo "The password hash is from the {SSHA} to 'structural'"; - printf "$ldap" | while read d; do cat "$d/*.bdb" 2>/dev/null | grep -i -a -E -o "description.*" | sort | uniq | sed -${E} "s,administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator,${C}[1;31m&${C}[0m,g"; done + printf "%s\n" "$ldap" | while read d; do cat "$d/*.bdb" 2>/dev/null | grep -i -a -E -o "description.*" | sort | uniq | sed -${E} "s,administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator,${C}[1;31m&${C}[0m,g"; done else echo_not_found "ldap" fi echo "" @@ -1990,7 +2165,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ovpn=$(echo "$FIND_ETC\n$FIND_USR\n$FIND_HOME\n$FIND_TMP\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E '\.ovpn') if [ "$ovpn" ]; then printf "$ovpn\n" - printf "$ovpn\n" | while read f; do + printf "%s\n" "$ovpn" | while read f; do if [ -r "$f" ]; then echo "Checking $f:" cat "$f" 2>/dev/null | grep "auth-user-pass" | sed -${E} "s,auth-user-pass.*,${C}[1;31m&${C}[0m,"; @@ -2056,7 +2231,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then if [ "$homesshconfig" ]; then echo " --> Some home ssh config file was found" printf "$homesshconfig\n" - printf "$homesshconfig\n" | while read f; do cat "$f" 2>/dev/null | grep -v "^$" | sed -${E} "s,User|ProxyCommand,${C}[1;31m&${C}[0m,"; done + printf "%s\n" "$homesshconfig" | while read f; do cat "$f" 2>/dev/null | grep -v "^$" | sed -${E} "s,User|ProxyCommand,${C}[1;31m&${C}[0m,"; done fi if [ "$hostsdenied" ]; then echo " --> /etc/hosts.denied file found, read the rules:" @@ -2090,9 +2265,9 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching Cloud credentials (AWS, Azure, GC)\n"$NC cloudcreds=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'credentials$|credentials\.db$|legacy_credentials\.db$|access_tokens\.db$|accessTokens\.json$|azureProfile\.json$') if [ "$cloudcreds" ]; then - printf "$cloudcreds\n" | while read f; do + printf "%s\n" "$cloudcreds" | while read f; do if [ -f "$f" ]; then #Check if file, here we only look for filenames, not dirs - printf "Trying to read $f\n" | sed -${E} "s,credentials|credentials.db|legacy_credentials.db|access_tokens.db|accessTokens.json|azureProfile.json,${C}[1;31m&${C}[0m,g" + printf "%s\n" "Trying to read $f" | sed -${E} "s,credentials|credentials.db|legacy_credentials.db|access_tokens.db|accessTokens.json|azureProfile.json,${C}[1;31m&${C}[0m,g" if [ -r "$f" ]; then cat "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m,g" fi @@ -2119,7 +2294,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi krb5=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'krb5\.conf|krb5.keytab|\.k5login') - printf "$krb5\n" | while read f; do + printf "%s\n" "$krb5" | while read f; do if [ -r "$f" ]; then if [ "`echo \"$f\" | grep .k5login`" ]; then echo ".k5login file (users with access to the user who has this file in his home)" @@ -2153,7 +2328,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then kibana=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'kibana\.y.*ml') if [ "$kibana" ]; then printf "$kibana\n" - printf "$kibana\n" | while read f; do + printf "%s\n" "$kibana" | while read f; do if [ -r "$f" ]; then cat "$f" 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | grep -v -e '^[[:space:]]*$' | sed -${E} "s,username|password|host|port|elasticsearch|ssl,${C}[1;31m&${C}[0m,"; fi @@ -2166,7 +2341,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching Knock configuration\n"$NC Knock=$(echo "$FIND_ETC\n$FIND_MNT" | grep -E '/etc/init.d/.*knockd.*') if [ "$Knock" ]; then - printf "$Knock\n" | while read f; do + printf "%s\n" "$Knock" | while read f; do h=$(grep -R -i "defaults_file=" $f | cut -b 15-) ##Search string to know where is the default knock file - example - DEFAULTS_FILE=/etc/default/knockd i=$(grep -R -i "please edit" $h | awk '{print $4}') ##Search string to know where is config file - example - # PLEASE EDIT /etc/knockd.conf BEFORE ENABLING j=$(grep -R -i "sequence" $i) ##If we want we can show sequence number - 'hidded' @@ -2182,7 +2357,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then logstash=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'logstash') if [ "$logstash" ]; then printf "$logstash\n" - printf "$logstash\n" | while read d; do + printf "%s\n" "$logstash" | while read d; do if [ -r "$d/startup.options" ]; then echo "Logstash is running as user:" cat "$d/startup.options" 2>/dev/null | grep "LS_USER\|LS_GROUP" | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed -${E} "s,$USER,${C}[1;95m&${C}[0m," | sed -${E} "s,root,${C}[1;31m&${C}[0m," @@ -2199,7 +2374,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then elasticsearch=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'elasticsearch\.y.*ml') if [ "$elasticsearch" ]; then printf "$elasticsearch\n" - printf "$elasticsearch\n" | while read f; do + printf "%s\n" "$elasticsearch" | while read f; do if [ -r "$f" ]; then cat $f 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v -e '^[[:space:]]*$' | grep "path.data\|path.logs\|cluster.name\|node.name\|network.host\|discovery.zen.ping.unicast.hosts"; fi @@ -2214,7 +2389,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then vaultssh=$(echo "$FIND_ETC\n$FIND_USR\n$FIND_HOME\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'vault-ssh-helper\.hcl') if [ "$vaultssh" ]; then printf "$vaultssh\n" - printf "$vaultssh\n" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done + printf "%s\n" "$vaultssh" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done echo "" vault secrets list 2>/dev/null echo "$FIND_ETC\n$FIND_HOME\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E '\.vault-token' | sed -${E} "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null @@ -2255,7 +2430,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Couchdb printf $Y"[+] "$GREEN"Searching Couchdb directory\n"$NC couchdb_dirs=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'couchdb') - printf "$couchdb_dirs\n" | while read d; do + printf "%s\n" "$couchdb_dirs" | while read d; do for f in `find $d -name local.ini 2>/dev/null`; do if [ -r "$f" ]; then echo "Found readable $f" @@ -2268,7 +2443,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Redis printf $Y"[+] "$GREEN"Searching redis.conf\n"$NC redisconfs=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'redis\.conf$') - printf "$redisconfs\n" | while read f; do + printf "%s\n" "$redisconfs" | while read f; do if [ -r "$f" ]; then echo "Found readable $f" cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,masterauth.*|requirepass.*,${C}[1;31m&${C}[0m," 2>/dev/null @@ -2295,7 +2470,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Mosquitto printf $Y"[+] "$GREEN"Searching mosquitto.conf\n"$NC mqttconfs=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'mosquitto\.conf$') - printf "$mqttconfs" | while read f; do + printf "%s\n" "$mqttconfs" | while read f; do if [ -r "$f" ]; then echo "Found readable $f" cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | sed -${E} "s,password_file.*|psk_file.*|allow_anonymous.*true|auth,${C}[1;31m&${C}[0m," 2>/dev/null @@ -2306,7 +2481,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Neo4j printf $Y"[+] "$GREEN"Searching neo4j auth file\n"$NC neo4j=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E 'neo4j') - printf "$neo4j\n" | while read d; do + printf "%s\n" "$neo4j" | while read d; do if [ -r "$d" ]; then echo "Found readable $d" find $d -type f -name "auth" -exec cat {} \; 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," 2>/dev/null @@ -2317,7 +2492,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Cloud-Init printf $Y"[+] "$GREEN"Searching Cloud-Init conf file\n"$NC cloudcfg=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'cloud\.cfg$') - printf "$cloudcfg\n" | while read f; do + printf "%s\n" "$cloudcfg" | while read f; do if [ -r "$f" ]; then echo "Found readable $f" cat "$f" | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | grep -v "^$" | grep -E "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy" | sed -${E} "s,consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy,${C}[1;31m&${C}[0m," @@ -2328,7 +2503,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) Erlang printf $Y"[+] "$GREEN"Searching Erlang cookie file\n"$NC erlangcoo=$(echo "$FIND_ETC\n$FIND_HOME\n$FIND_USR\n$FIND_VAR\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E '.erlang.cookie$') - printf "$erlangcoo\n" | while read f; do + printf "%s\n" "$erlangcoo" | while read f; do if [ -r "$f" ]; then echo "Found Erlang cookie: $f" cat "$f" 2>/dev/null | sed -${E} "s,.*,${C}[1;31m&${C}[0m," @@ -2339,7 +2514,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) GVM printf $Y"[+] "$GREEN"Searching GVM auth file\n"$NC gvmconfs=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_TMP\n$FIND_OTP\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'gvm-tools\.conf') - printf "$gvmconfs\n" | while read f; do + printf "%s\n" "$gvmconfs" | while read f; do if [ -r "$f" ]; then echo "Found GVM auth file: $f" cat "$f" 2>/dev/null | sed -${E} "s,username.*|password.*,${C}[1;31m&${C}[0m," @@ -2350,7 +2525,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) IPSEC printf $Y"[+] "$GREEN"Searching IPSEC files\n"$NC ipsecconfs=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_TMP\n$FIND_OTP\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS\n$FIND_MNT" | grep -E 'ipsec\.secrets|ipsec\.conf') - printf "$ipsecconfs\n" | while read f; do + printf "%s\n" "$ipsecconfs" | while read f; do if [ -r "$f" ]; then echo "Found IPSEC file: $f" cat "$f" 2>/dev/null | sed -${E} "s,.*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*,${C}[1;31m&${C}[0m," @@ -2361,7 +2536,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) IRSSI printf $Y"[+] "$GREEN"Searching IRSSI files\n"$NC irssifols=$(echo "$FIND_DIR_VAR\n$FIND_DIR_HOME\n$FIND_DIR_ETC\n$FIND_DIR_OTP\n$FIND_DIR_USR\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_DIR_MNT" | grep -E '.irssi') - printf "$irssifols\n" | while read d; do + printf "%s\n" "$irssifols" | while read d; do if [ -r "$d/config" ]; then echo "Found IRSSI config file: $d/config" cat "$d/config" 2>/dev/null | sed -${E} "s,password.*,${C}[1;31m&${C}[0m," @@ -2372,7 +2547,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) Keyring printf $Y"[+] "$GREEN"Searching Keyring files\n"$NC keyringsfilesfolds=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_TMP\n$FIND_DIR_USR\n$FIND_DIR_OPT\n$FIND_DIR_USERS\n$FIND_DIR_PRIVATE\n$FIND_DIR_APPLICATIONS\n$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_MNT\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'keyrings|*\.keyring$|*\.keystore$') - printf "$keyringsfilesfolds\n" | sort | uniq | while read f; do + printf "%s\n" "$keyringsfilesfolds" | sort | uniq | while read f; do if [ -f "$f" ]; then echo "Keyring file: $f" | sed "s,$f,${C}[1;31m&${C}[0m," elif [ -d "$f" ]; then @@ -2385,7 +2560,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) Filezilla printf $Y"[+] "$GREEN"Searching Filezilla sites file\n"$NC filezillaconfs=$(echo "$FIND_DIR_VAR\n$FIND_DIR_ETC\n$FIND_DIR_HOME\n$FIND_DIR_OPT\n$FIND_DIR_MNT" | grep -E 'filelliza') - printf "$filezillaconfs\n" | uniq | while read f; do + printf "%s\n" "$filezillaconfs" | uniq | while read f; do if [ -d "$f" ]; then echo "Found Filezilla folder: $f" if [ -f "$f/sitemanager.xml" ]; then @@ -2398,7 +2573,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) BACKUP-MANAGER printf $Y"[+] "$GREEN"Searching backup-manager files\n"$NC backupmanager=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_OPT\n$FIND_MNT\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'storage.php|database.php') - printf "$backupmanager\n" | sort | uniq | while read f; do + printf "%s\n" "$backupmanager" | sort | uniq | while read f; do if [ -f "$f" ]; then echo "backup-manager file: $f" | sed "s,$f,${C}[1;31m&${C}[0m," cat "$f" 2>/dev/null | grep "'pass'|'password'|'user'|'database'|'host'" | sed -${E} "s,password|pass|user|database|host,${C}[1;31m&${C}[0m," @@ -2411,7 +2586,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then splunkpwd=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -v "/etc/passwd$" | grep -E 'passwd$') SPLUNK_BIN="`command -v splunk 2>/dev/null`" if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${C}[1;31m&${C}[0m,"; fi - printf "$splunkpwd\n" | sort | uniq | while read f; do + printf "%s\n" "$splunkpwd" | sort | uniq | while read f; do if [ -f "$f" ] && ! [ -x "$f" ]; then echo "passwd file: $f" | sed "s,$f,${C}[1;31m&${C}[0m," cat "$f" 2>/dev/null | grep "'pass'|'password'|'user'|'database'|'host'|\$" | sed -${E} "s,password|pass|user|database|host|\$,${C}[1;31m&${C}[0m," @@ -2436,7 +2611,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then fi #Check gitlab files gitlabfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -v "/lib" | grep -E "secrets.yml$|gitlab.yml$|gitlab.rb$") - printf "$gitlabfiles\n" | sort | uniq | while read f; do + printf "%s\n" "$gitlabfiles" | sort | uniq | while read f; do if [ "`echo $f | grep secrets.yml`" ]; then echo "Found $f" | sed "s,$f,${C}[1;31m&${C}[0m," cat "$f" 2>/dev/null | grep -v "^$" | grep -v "^#" @@ -2455,7 +2630,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching PGP/GPG\n"$NC pgpg=$(echo "$FIND_HOME\n$FIND_PRIVATE\n$FIND_MNT" | grep -E '\.pgp$|\.gpg$|.gnupg') if [ "$pgpg" ]; then echo "PGP/GPG files found:" ; - printf "$pgpg\n" | sort | uniq | while read f; do + printf "%s\n" "$pgpg" | sort | uniq | while read f; do if [ -f "$f" ]; then ls -l "$f" else @@ -2476,7 +2651,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then ##-- SI) vi swp files printf $Y"[+] "$GREEN"Searching vim files\n"$NC vimfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_SYSTEM\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E "\.swp$|\.viminfo$") - printf "$vimfiles\n" | sort | uniq | while read f; do + printf "%s\n" "$vimfiles" | sort | uniq | while read f; do ls -l "$f" 2>/dev/null done echo "" @@ -2504,7 +2679,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Searching docker files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket\n"$NC dockerfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_RUN\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'docker.socket|docker.sock|Dockerfile|docker-compose.yml') - printf "$dockerfiles\n" | while read f; do + printf "%s\n" "$dockerfiles" | while read f; do ls -l "$f" 2>/dev/null if [ -S "$f" ] && [ -w "$f" ]; then echo "Docker socket file ($f) is writable" | sed -${E} "s,.*,${C}[1;31;103m&${C}[0m," @@ -2516,7 +2691,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Interesting Firefox Files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox\n"$NC firefoxdirs=$(echo "$FIND_DIR_HOME" | grep -E '\.mozilla') - printf "$firefoxdirs\n" | while read f; do + printf "%s\n" "$firefoxdirs" | while read f; do if [ "$f" ]; then echo "Found $f" find "$f" -name "places.sqlite" -o -name "bookmarkbackups" -o -name "formhistory.sqlite" -o -name "handlers.json" -o -name "persdict.dat" -o -name "addons.json" -o -name "cookies.sqlite" -o -name "cache2" -o -name "startupCache" -o -name "favicons.sqlite" -o -name "prefs.js" -o -name "downloads.sqlite" -o -name "thumbnails" -o -name "logins.json" -o -name "key4.db" -o -name "key3.db" 2>/dev/null | sort @@ -2528,7 +2703,7 @@ if [ "`echo $CHECKS | grep SofI`" ]; then printf $Y"[+] "$GREEN"Interesting Chrome Files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox\n"$NC chromedirs=$(echo "$FIND_DIR_HOME" | grep -E 'google-chrome') - printf "$chromedirs\n" | while read f; do + printf "%s\n" "$chromedirs" | while read f; do if [ "$f" ]; then echo "Found $f" find "$f" -name "History" -o -name "Cookies" -o -name "Cache" -o -name "Bookmarks" -o -name "Web Data" -o -name "Favicons" -o -name "Login Data" -o -name "Current Session" -o -name "Current Tabs" -o -name "Last Session" -o -name "Last Tabs" -o -name "Extensions" -o -name "Thumbnails" 2>/dev/null | sort @@ -2539,11 +2714,13 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) Autologin files printf $Y"[+] "$GREEN"Autologin Files\n"$NC autologinfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_MNT" | grep -E 'autologin|autologin.conf') - printf "$autologinfiles\n" | while read f; do - echo "$f" - ls -l "$f" 2>/dev/null | sed "s,passwd,${C}[1;31m&${C}[0m," - cat "$f" 2>/dev/null | sed "s,passwd,${C}[1;31m&${C}[0m," - echo "" + printf "%s\n" "$autologinfiles" | while read f; do + if [ "$f" ]; then + echo "$f" + ls -l "$f" 2>/dev/null | sed "s,passwd,${C}[1;31m&${C}[0m," + cat "$f" 2>/dev/null | sed "s,passwd,${C}[1;31m&${C}[0m," + echo "" + fi done echo "" @@ -2583,17 +2760,19 @@ if [ "`echo $CHECKS | grep SofI`" ]; then #-- SI) FastCGI params printf $Y"[+] "$GREEN"FastCGI Params\n"$NC fastcgi_paramsfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'fastcgi_params') - printf "$fastcgi_paramsfiles\n" | while read f; do - ls -l "$f" 2>/dev/null - cat "$f" 2>/dev/null | grep -E "DB_NAME|DB_USER|DB_PASS" | sed -${E} "s,DB_NAME|DB_USER|DB_PASS,${C}[1;31m&${C}[0m," - echo "" + printf "%s\n" "$fastcgi_paramsfiles" | while read f; do + if [ "$f" ]; then + ls -l "$f" 2>/dev/null + cat "$f" 2>/dev/null | grep -E "DB_NAME|DB_USER|DB_PASS" | sed -${E} "s,DB_NAME|DB_USER|DB_PASS,${C}[1;31m&${C}[0m," + echo "" + fi done echo "" #-- SI) SNMP params printf $Y"[+] "$GREEN"SNMPs\n"$NC snmpdfiles=$(echo "$FIND_HOME\n$FIND_ETC\n$FIND_VAR\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_MNT\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E 'snmpd.conf') - printf "$snmpdfiles\n" | while read f; do + printf "%s\n" "$snmpdfiles" | while read f; do ls -l "$f" 2>/dev/null cat "$f" 2>/dev/null | grep -E "rocommunity|rwcommunity" | sed -${E} "s,rocommunity|rwcommunity,${C}[1;31m&${C}[0m," echo "" @@ -2621,6 +2800,9 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then echo_not_found "strace" fi find / -perm -4000 -type f 2>/dev/null | xargs ls -lahtr | while read s; do + #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + if [ "`echo \"$s\" | grep -E \"^total\"`" ]; then break; fi + sname="`echo \"$s\" | awk '{print $9}'`" if [ "$sname" = "." ] || [ "$sname" = ".." ]; then true #Don't do nothing @@ -2638,10 +2820,10 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then fi done; if [ "$c" ]; then - if [ "`echo \"$s\" | grep -E \"$sidG1\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG2\"`" ] || [ "`echo \"$s\" | grep -E \"$sidVB\"`" ]; then - echo "$s" | sed -${E} "s,$sidG1,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG2,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidVB,${C}[1;31;103m&${C}[0m," + if [ "`echo \"$s\" | grep -E \"$sidG1\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG2\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG3\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG4\"`" ] || [ "`echo \"$s\" | grep -E \"$sidVB\"`" ] || [ "`echo \"$s\" | grep -E \"$sidVB2\"`" ]; then + echo "$s" | sed -${E} "s,$sidG1,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG2,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG3,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG4,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidVB,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$sidVB2,${C}[1;31;103m&${C}[0m," else - echo "$s" | sed -${E} "s,/.*,${C}[1m&${C}[0m," + echo "$s (Unknown SUID binary)" | sed -${E} "s,/.*,${C}[1;31m&${C}[0m," printf $ITALIC if [ "$STRINGS" ]; then $STRINGS "$sname" 2>/dev/null | sort | uniq | while read sline; do @@ -2679,7 +2861,9 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $Y"[+] "$GREEN"SGID\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid\n"$NC find / -perm -2000 -type f 2>/dev/null | xargs ls -lahtr | while read s; do - sname="`echo \"$s\" | awk '{print $9}'`" + #If starts like "total 332K" then no SUID bin was found and xargs just executed "ls" in the current folder + if [ "`echo \"$s\" | grep -E \"^total\"`" ];then break; fi + sname="`echo \"$s\" | awk '{print $9}'`" if [ "$sname" = "." ] || [ "$sname" = ".." ]; then true #Don't do nothing @@ -2697,10 +2881,10 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then fi done; if [ "$c" ]; then - if [ "`echo \"$s\" | grep -E \"$sidG1\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG2\"`" ] || [ "`echo \"$s\" | grep -E \"$sidVB\"`" ]; then - echo "$s" | sed -${E} "s,$sidG1,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG2,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidVB,${C}[1;31;103m&${C}[0m," + if [ "`echo \"$s\" | grep -E \"$sidG1\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG2\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG3\"`" ] || [ "`echo \"$s\" | grep -E \"$sidG4\"`" ] || [ "`echo \"$s\" | grep -E \"$sidVB\"`" ] || [ "`echo \"$s\" | grep -E \"$sidVB2\"`" ]; then + echo "$s" | sed -${E} "s,$sidG1,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG2,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG3,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidG4,${C}[1;32m&${C}[0m," | sed -${E} "s,$sidVB,${C}[1;31;103m&${C}[0m," | sed -${E} "s,$sidVB2,${C}[1;31;103m&${C}[0m," else - echo "$s" | sed -${E} "s,/.*,${C}[1m&${C}[0m," + echo "$s (Unknown SGID binary)" | sed -${E} "s,/.*,${C}[1;31m&${C}[0m," printf $ITALIC if [ "$STRINGS" ]; then $STRINGS "$sname" | sort | uniq | while read sline; do @@ -2761,8 +2945,8 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then (capsh --decode=0x"`cat \"/proc/$PPID/status\" 2>/dev/null | grep \"CapEff\" | awk '{print $2}'`" 2>/dev/null) || echo_not_found "capsh" (cat "/proc/$PPID/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${C}[1;32m&${C}[0m,") 2>/dev/null || echo_not_found "/proc/$PPID/status" echo "" - echo "Files with capabilities:" - getcap -r / 2>/dev/null | while read cb; do + echo "Files with capabilities (limited to 50):" + getcap -r / 2>/dev/null | head -n 50 | while read cb; do echo "$cb" | sed -${E} "s,$sudocapsB,${C}[1;31m&${C}[0m," | sed -${E} "s,$capsB,${C}[1;31m&${C}[0m," if [ -w "`echo \"$cb\" | cut -d \" \" -f1`" ]; then echo "$cb is writable" | sed -${E} "s,.*,${C}[1;31m&${C}[0m," @@ -2780,9 +2964,9 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then echo "" ##-- IF) Files with ACLs - printf $Y"[+] "$GREEN"Files with ACLs\n"$NC + printf $Y"[+] "$GREEN"Files with ACLs (limited to 50)\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls\n"$NC - ((getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," + ((getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 50 | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m," | sed -${E} "s,$nosh_usrs,${C}[1;34m&${C}[0m," | sed -${E} "s,$knw_usrs,${C}[1;32m&${C}[0m," | sed "s,$USER,${C}[1;31m&${C}[0m," echo "" ##-- IF) .sh files in PATH @@ -2883,7 +3067,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Read root dir printf $Y"[+] "$GREEN"Can I read root folder? .............. "$NC - (ls -al /root/ 2>/dev/null) || echo_no + (ls -al /root/ 2>/dev/null | grep -vi "total 0") || echo_no echo "" ##-- IF) Root files in home dirs @@ -2916,7 +3100,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then logrotate --version 2>/dev/null || echo_not_found "logrotate" lastWlogFolder="ImPOsSiBleeElastWlogFolder" logfind=`find / -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 100` - printf "$logfind\n" | while read log; do + printf "%s\n" "$logfind" | while read log; do if [ -w "$log" ] || [ `echo "$log" | grep -E "$Wfolders"` ]; then #Only print info if something interesting found if [ "`echo \"$log\" | grep \"You_can_write_more_log_files_inside_last_directory\"`" ]; then printf $ITALIC"$log\n"$NC; elif [ -w "$log" ] && [ "`command -v logrotate 2>/dev/null`" ] && [ "`logrotate --version 2>&1 | grep -E ' 1| 2| 3.1'`" ]; then printf "Writable:$RED $log\n"$NC; #Check vuln version of logrotate is used and print red in that case @@ -2950,16 +3134,16 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Backup folders printf $Y"[+] "$GREEN"Backup folders\n"$NC - printf "$backup_folders\n" | while read b ; do - ls -ld "$b" 2> /dev/null + printf "%s\n" "$backup_folders" | while read b ; do + ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${C}[1;31m&${C}[0m,g"; ls -l "$b" 2>/dev/null && echo "" done echo "" ##-- IF) Backup files - printf $Y"[+] "$GREEN"Backup files\n"$NC + printf $Y"[+] "$GREEN"Backup files (limited 100)\n"$NC backs=`find / -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null` - printf "$backs\n" | while read b ; do + printf "%s\n" "$backs" | head -n 100 | while read b ; do if [ -r "$b" ]; then ls -l "$b" | grep -Ev "$notBackup" | grep -Ev "$notExtensions" | sed -${E} "s,backup|bck|\.bak|\.old,${C}[1;31m&${C}[0m,g"; fi; @@ -2971,7 +3155,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then dbfiles=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_OPT\n$FIND_USR\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E '.*\.db$|.*\.sqlite$|.*\.sqlite3$' | grep -E -v '/man/.*|/usr/.*|/var/cache/.*' | head -n 100) FILECMD="`command -v file 2>/dev/null`" if [ "$dbfiles" ]; then - printf "$dbfiles\n" | while read f; do + printf "%s\n" "$dbfiles" | while read f; do if [ "$FILECMD" ]; then echo "Found: `file \"$f\"`" | sed -${E} "s,\.db|\.sql|\.sqlite|\.sqlite3,${C}[1;31m&${C}[0m,g"; else @@ -2979,7 +3163,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then fi done SQLITEPYTHON="" - printf "$dbfiles\n" | while read f; do + printf "%s\n" "$dbfiles" | while read f; do if ([ -r "$f" ] && [ "$FILECMD" ] && [ "`file \"$f\" | grep -i sqlite`" ]) || ([ -r "$f" ] && [ ! "$FILECMD" ]); then #If readable and filecmd and sqlite, or readable and not filecmd printf $GREEN" -> Extracting tables from$NC $f $DG(limit 20)\n"$NC if [ "`command -v sqlite3 2>/dev/null`" ]; then @@ -2993,7 +3177,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then tables="" fi if [ "$tables" ]; then - printf "$tables\n" | while read t; do + printf "%s\n" "$tables" | while read t; do columns="" # Search for credentials inside the table using sqlite3 if [ -z "$SQLITEPYTHON" ]; then @@ -3029,7 +3213,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $Y"[+] "$GREEN"Readable hidden interesting files\n"$NC printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data\n"$NC fils=$(echo "$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_MNT\n$FIND_VAR\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E '\.msmtprc|\.env|\.google_authenticator|\.recently-used.xbel|\.lesshst|.*_history|\.sudo_as_admin_successful|\.profile|.*bashrc|.*httpd\.conf|.*\.plan|\.htpasswd|\.gitconfig|\.git-credentials|\.git|\.svn|\.rhosts|hosts\.equiv') - printf "$fils\n" | while read f; do + printf "%s\n" "$fils" | while read f; do if [ -r "$f" ]; then ls -ld "$f" 2>/dev/null | sed "s,\.msmtprc|\.env|.google_authenticator|_history|\.lesshst|.recently-used.xbel|\.sudo_as_admin_successful|.profile|bashrc|httpd.conf|\.plan|\.htpasswd|.gitconfig|\.git-credentials|.git|.svn|\.rhosts|hosts.equiv|\.ldaprc,${C}[1;31m&${C}[0m," | sed -${E} "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m,g"; if [ "`echo \"$f\" | grep \"_history\"`" ]; then @@ -3063,13 +3247,13 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) All hidden files printf $Y"[+] "$GREEN"All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)\n"$NC - find / -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -v "\.env|\.google_authenticator|_history$|\.recently-used.xbel|\.lesshst|.sudo_as_admin_successful|\.profile|\.bashrc|\.plan|\.htpasswd|.gitconfig|\.git-credentials|\.rhosts|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|.depend|.placeholder|.gitkeep|.keep" | head -n 70 + find / -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "\.env|\.google_authenticator|_history$|\.recently-used.xbel|\.lesshst|.sudo_as_admin_successful|\.profile|\.bashrc|\.plan|\.htpasswd|.gitconfig|\.git-credentials|\.rhosts|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme" | head -n 70 echo "" ##-- IF) Readable files in /tmp, /var/tmp, bachups printf $Y"[+] "$GREEN"Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)\n"$NC filstmpback=`find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | head -n 70` - printf "$filstmpback\n" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done + printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done echo "" ##-- IF) Interesting writable files by ownership or all @@ -3078,7 +3262,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files\n"$NC #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all obmowbe=`find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500` - printf "$obmowbe\n" | while read entry; do + printf "%s\n" "$obmowbe" | while read entry; do if [ "`echo \"$entry\" | grep \"You_can_write_even_more_files_inside_last_directory\"`" ]; then printf $ITALIC"$entry\n"$NC; elif [ "`echo \"$entry\" | grep -E \"$writeVB\"`" ]; then echo "$entry" | sed -${E} "s,$writeVB,${C}[1;31;103m&${C}[0m," @@ -3096,7 +3280,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then for g in `groups`; do printf " Group "$GREEN"$g:\n"$NC; iwfbg=`find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500` - printf "$iwfbg\n" | while read entry; do + printf "%s\n" "$iwfbg" | while read entry; do if [ "`echo \"$entry\" | grep \"You_can_write_even_more_files_inside_last_directory\"`" ]; then printf $ITALIC"$entry\n"$NC; elif [ "`echo \"$entry\" | grep -E \"$writeVB\"`" ]; then echo "$entry" | sed -${E} "s,$writeVB,${C}[1;31;103m&${C}[0m," @@ -3111,28 +3295,28 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Passwords in config PHP files printf $Y"[+] "$GREEN"Searching passwords in config PHP files\n"$NC configs=$(echo "$FIND_VAR\n$FIND_ETC\n$FIND_HOME\n$FIND_TMP\n$FIND_USR\n$FIND_OPT\n$FIND_PRIVATE\n$FIND_APPLICATIONS" | grep -E '.*config.*\.php|database.php|db.php|storage.php|settings.php') - printf "$configs\n" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" $c 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${C}[1;31m&${C}[0m,g"; done + printf "%s\n" "$configs" | while read c; do grep -EiI "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" $c 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${C}[1;31m&${C}[0m,g"; done echo "" ##-- IF) TTY passwords printf $Y"[+] "$GREEN"Checking for TTY (sudo/su) passwords in audit logs\n"$NC aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${C}[1;31m&${C}[0m,g" - grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${C}[1;31m&${C}[0m,g" | sed -${E} "s,data=.*,${C}[1;31m&${C}[0m,g" + find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${C}[1;31m&${C}[0m,g" | sed -${E} "s,data=.*,${C}[1;31m&${C}[0m,g" echo "" ##-- IF) IPs inside logs printf $Y"[+] "$GREEN"Finding IPs inside logs (limit 70)\n"$NC - (timeout 100 grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" /var/log/ /private/var/log) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70 + (find /var/log/ /private/var/log -type f -exec grep -R -a -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" "{}" \;) 2>/dev/null | grep -v "\.0\.\|:0\|\.0$" | sort | uniq -c | sort -r -n | head -n 70 echo "" ##-- IF) Passwords inside logs printf $Y"[+] "$GREEN"Finding passwords inside logs (limit 70)\n"$NC - (timeout 100 grep -R -i "pwd\|passw" /var/log/ /private/var/log) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${C}[1;31m&${C}[0m," + (find /var/log/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${C}[1;31m&${C}[0m," echo "" ##-- IF) Emails inside logs printf $Y"[+] "$GREEN"Finding emails inside logs (limit 70)\n"$NC - (timeout 100 grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" /var/log/ /private/var/log) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${C}[1;32m&${C}[0m,g" + (find /var/log/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${C}[1;32m&${C}[0m,g" echo "" ##-- IF) Passwords files in home @@ -3144,11 +3328,11 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Find possible files with passwords printf $Y"[+] "$GREEN"Finding passwords inside key folders (limit 70) - only PHP files\n"$NC intpwdfiles=`timeout 150 grep -RiIE "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" $HOMESEARCH /var/www /usr/local/www/ $backup_folders_row /tmp /etc /root /mnt /Users /private 2>/dev/null` - printf "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${C}[1;31m&${C}[0m,g" + printf "%s\n" "$intpwdfiles" | grep -I ".php:" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${C}[1;31m&${C}[0m,g" echo "" printf $Y"[+] "$GREEN"Finding passwords inside key folders (limit 70) - no PHP files\n"$NC - printf "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${C}[1;31m&${C}[0m,g" + printf "%s\n" "$intpwdfiles" | grep -vI ".php:" | grep -E "^/" | grep ":" | sed '/^.\{150\}./d' | sort | uniq | grep -iIv "linpeas" | head -n 70 | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[dD][eE][fF][iI][nN][eE],${C}[1;31m&${C}[0m,g" echo "" ##-- IF) Find possible files with passwords @@ -3160,7 +3344,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then ##-- IF) Find possible conf files with passwords printf $Y"[+] "$GREEN"Finding possible password in config files\n"$NC ppicf=`find $HOMESEARCH /etc /root /tmp /private /Applications -name "*.conf" -o -name "*.cnf" -o -name "*.config" -name "*.json" 2>/dev/null` - printf "$ppicf\n" | while read f; do + printf "%s\n" "$ppicf" | while read f; do if [ "`grep -EiI 'passwd.*|creden.*' \"$f\" 2>/dev/null`" ]; then echo $ITALIC" $f"$NC grep -EiIo 'passw.*|creden.*' "$f" 2>/dev/null | sed -${E} "s,[pP][aA][sS][sS][wW]|[cC][rR][eE][dD][eE][nN],${C}[1;31m&${C}[0m,g" @@ -3203,7 +3387,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then if ! [ "$SUPERFAST" ] && ! [ "$FAST" ]; then ##-- IF) Find URIs with user:password@hoststrings printf $Y"[+] "$GREEN"Finding URIs with user:password@host inside key folders\n"$NC - timeout 150 grep -RiIE "://(.+):(.+)@" /var/www $backup_folders_row /tmp /etc /var/log /private/var/log 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" + timeout 150 find /var/www $backup_folders_row /tmp /etc /var/log /private/var/log -type f -exec grep -RiIE "://(.+):(.+)@" "{}" \; 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" timeout 150 grep -RiIE "://(.+):(.+)@" $HOMESEARCH 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" timeout 150 grep -RiIE "://(.+):(.+)@" /mnt 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g" timeout 150 grep -RiIE "://(.+):(.+)@" /root 2>/dev/null | sed '/^.\{150\}./d' | grep -v "#" | sort | uniq | sed -${E} "s,:\/\/(.+):(.+)@,://${C}[1;31m\1:\2${C}[0m@,g"