peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz

AWS EC2 detected as Tencent CVM causing long run time due to incorrect Tencent enumeration #417

Closed credibleforce closed 4 months ago

credibleforce commented 4 months ago

Issue description

Linpeas.sh taking a long time (>30 minutes) to run on AWS EC2 instance. Incorrectly identified as Tencent CVM.

Steps to reproduce the issue

  1. Launch an AWS EC2 instance
  2. Run curl -L https://github.com/carlospolop/PEASS-ng/releases/download/latest/linpeas.sh | /bin/bash -s -- -s -N -o system_information,container,cloud,procs_crons_timers_srvcs_sockets,users_information,software_information,interesting_files,interesting_perms_files,api_keys_regex
  3. Logs show:
                                     ╔═══════╗
    ═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
    ═╣ GCP Virtual Machine? ................. No
    ═╣ GCP Cloud Funtion? ................... No
    ═╣ AWS ECS? ............................. No
    ═╣ AWS EC2? ............................. Yes
    ═╣ AWS EC2 Beanstalk? ................... No
    ═╣ AWS Lambda? .......................... No
    ═╣ AWS Codebuild? ....................... No
    ═╣ DO Droplet? .......................... No
    ═╣ Aliyun ECS? .......................... No
    ═╣ Tencent CVM? .......................... Yes
    ═╣ IBM Cloud VM? ........................ No
    ═╣ Azure VM? ............................ No
    ═╣ Azure APP? ........................... No

Which parameters did you use for executing the script and how did you execute it?

-s -N -o system_information,container,cloud,procs_crons_timers_srvcs_sockets,users_information,software_information,interesting_files,interesting_perms_files,api_keys_regex

Is there any AV / Threat protection in the system?

no

Please, indicate the OS, the OS version, and the kernel version (build number in case of Windows)

ubuntu focal

Please, indicate the check that is failing and add a screenshot showing the problem

    check_tencent_cvm () {
      is_tencent_cvm="No"
      if [ -f "/etc/cloud/cloud.cfg.d/05_logging.cfg" ] || grep -qi Tencent /etc/cloud/cloud.cfg; then
        is_tencent_cvm="Yes"
      fi
    }

The -f "/etc/cloud/cloud.cfg.d/05_logging.cfg" returns true on AWS EC2 instances.

How did you expect it to work?

AWS instances should not be detected as Tencent. When they are, run time goes from ~10 minutes to > 30 minutes.

ninto1 commented 4 months ago

I've encountered the same issue on physical servers running Ubuntu Server.

carlospolop commented 4 months ago

Hi guys! Thanks for letting me know! I have disabled the Tencent check until the author sends a PR with a better fingerprint. There should be a new release in a couple of minutes.
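
Added example, not part of the thread and not PEASS-ng code: the check quoted in the issue next to a stricter variant, both run against constructed directory trees to show the false positive. The root-directory argument, the helper names and the sample cloud.cfg contents are assumptions, and the stricter variant is one possible tightening, not the project's fix.

```shell
#!/bin/sh
# Added example, not PEASS-ng code. The root-directory argument is a
# hypothetical parameter so the checks can run against a constructed tree.

# Logic as quoted in the issue: the file test alone is enough for "Yes".
check_tencent_original() {
  if [ -f "$1/etc/cloud/cloud.cfg.d/05_logging.cfg" ] ||
     grep -qi Tencent "$1/etc/cloud/cloud.cfg" 2>/dev/null; then
    echo "Yes"
  else
    echo "No"
  fi
}

# Stricter variant (assumption): only the vendor string counts, and a
# missing cloud.cfg is treated as "No" without printing a grep error.
check_tencent_strict() {
  if grep -qi Tencent "$1/etc/cloud/cloud.cfg" 2>/dev/null; then
    echo "Yes"
  else
    echo "No"
  fi
}

# Build a constructed tree at $1 whose cloud.cfg holds the text in $2.
# Every tree gets 05_logging.cfg, the file the issue reports on AWS EC2.
make_tree() {
  mkdir -p "$1/etc/cloud/cloud.cfg.d"
  : > "$1/etc/cloud/cloud.cfg.d/05_logging.cfg"
  printf '%s\n' "$2" > "$1/etc/cloud/cloud.cfg"
}

# Print "<host> original=<Yes|No> strict=<Yes|No>" for each sample host.
compare_checks() {
  tmp=$(mktemp -d) || return 1
  make_tree "$tmp/aws-ec2" "# constructed sample: no vendor string"
  make_tree "$tmp/tencent-cvm" "# constructed sample: vendor Tencent"
  for host in aws-ec2 tencent-cvm; do
    echo "$host original=$(check_tencent_original "$tmp/$host")" \
         "strict=$(check_tencent_strict "$tmp/$host")"
  done
  rm -rf "$tmp"
}

compare_checks
```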