peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz

All Enhancements are tracked here (Not top priority) #43

Open carlospolop opened 4 years ago

carlospolop commented 4 years ago

This is the list of requested features that I haven't found the time to create yet and that aren't top priority. Help is wanted for the following tasks:

legndery commented 4 years ago

Add CVE-2019-14287 for sudo version check for < 1.8.28

carlospolop commented 4 years ago

> Add CVE-2019-14287 for sudo version check for < 1.8.28

Hi mate, this should be implemented right now, but I haven't tested it, can you try it?

legndery commented 4 years ago

Sure I can try it as I encountered a CTF today which had this privesc open. Is it the dev branch?

carlospolop commented 4 years ago

No, it's in the master branch

legndery commented 4 years ago

Yes, it has the version check, and the red version highlight:

[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.10p3

Thanks
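A worked version of the check discussed above, added here as an example and not linpeas's own code: it parses the version line `sudo -V` prints, compares it with the 1.8.28 fix release, and also looks for the `(ALL, !root)` runas entry that CVE-2019-14287 needs, since a vulnerable version alone is not exploitable without such an entry. The function names, the sample version strings and the `sudo -n -l` probe are this example's own choices.

```python
import re
import subprocess

# Added example (not linpeas code): parse the "Sudo version X.Y.Zpn" line that
# `sudo -V` prints and flag releases older than 1.8.28, the first release that
# fixed CVE-2019-14287.
FIXED_IN = (1, 8, 28)

# Matches "Sudo version 1.8.10p3" and "Sudo version 1.9.5"; the "p" suffix is
# sudo's patch level and is optional.
VERSION_RE = re.compile(r"Sudo version\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# A runas spec that allows "ALL" users but excludes root, e.g. "(ALL, !root)".
# The CVE only matters when such an entry exists: "-u#-1" then maps to uid 0.
RUNAS_ALL_BUT_ROOT_RE = re.compile(r"\(\s*ALL\s*,\s*!root\s*\)")


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) from `sudo -V` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def vulnerable_to_cve_2019_14287(version):
    """True when the parsed version predates the 1.8.28 fix."""
    return version[:3] < FIXED_IN


def runas_excludes_root(sudo_l_output):
    """True when `sudo -l` output shows an "(ALL, !root)"-style entry."""
    return RUNAS_ALL_BUT_ROOT_RE.search(sudo_l_output) is not None


def check_host():
    """Run the check on the local host and return a short verdict string."""
    try:
        out = subprocess.run(["sudo", "-V"], capture_output=True, text=True,
                             timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "sudo not found"
    version = parse_sudo_version(out)
    if version is None:
        return "could not parse sudo version"
    if not vulnerable_to_cve_2019_14287(version):
        return "sudo %d.%d.%dp%d: not affected" % version
    # `sudo -n -l` fails non-interactively when a password is required; treat
    # an empty listing as "unknown", not as "safe".
    try:
        lst = subprocess.run(["sudo", "-n", "-l"], capture_output=True,
                             text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        lst = ""
    if runas_excludes_root(lst):
        return "sudo %d.%d.%dp%d: CVE-2019-14287 likely exploitable" % version
    return "sudo %d.%d.%dp%d: vulnerable version, no (ALL, !root) entry seen" % version


if __name__ == "__main__":
    print(check_host())
```

The version quoted in the comment above, 1.8.10p3, parses as (1, 8, 10, 3) and is flagged; 1.8.28 and anything newer is not. Treat the "vulnerable version, no entry seen" verdict as inconclusive when `sudo -n -l` could not list entries without a password.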

carlospolop commented 4 years ago

Thank you!

necrose99 commented 4 years ago

CMakeLists.txt: SLN -> CMake for Mono / .NET under Linux to cross-build. (https://github.com/pavelliavonau/cmakeconverter)

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues/39

ivym1ke commented 3 years ago

What are your thoughts on md5sums for known vulnerable binaries?

carlospolop commented 3 years ago

Hi @wwwd4ta,

That actually sounds pretty good. We would need to check the size of the MD5s, but if possible it would be a good idea. Do you have a DB of vulnerable MD5s? Feel free to open a new issue specifically for this.

acmello commented 3 years ago

Do you guys see any value in enabling the possibility of getting a JSON or something along those lines once linpeas finishes running? I'm considering creating a UI version of it (this could be one use case for having data structured like this). WDYT?

carlospolop commented 3 years ago

Hi @acmello, adding a JSON output would be awesome. The problem is that none of the PEAS were designed for that type of output, so all of them would need to be refactored. I have it on the road-map, but this is so time consuming that I don't know when I will be able to do it. Any help is appreciated.

necrose99 commented 3 years ago

Output JSON, i.e. golang/rust binaries (as they're static) or python for linux could use built-in scripts.. for windows you might want an off-the-shelf json lib and something simple to parse it out to json logs or json/syslog out.. as in the day job world, syslog -> SIEM is the name of the game...

gox can make windows or Linux binaries/mac/bsd/etc of many stripes, i.e. golang ... https://pypi.org/project/JSON-log-formatter/

https://github.com/slog-rs/slog

go: https://github.com/rs/zerolog https://github.com/sirupsen/logrus

hatecomputers commented 3 years ago

hey @carlospolop, thanks for answering. (still @acmello, just using the appropriate account for this lol) I actually started to experiment with the idea as a side thing, but since it's something interesting for everyone, I might as well fork the project and make an actual contribution :) but you are right, it's really time consuming.

I was thinking in something along the lines of: https://gist.github.com/hatecomputers/b49639fd72caec7c208961be46411341

Let me know if you have any thoughts or better ideas for naming it. cc @necrose99

carlospolop commented 3 years ago

hey @hatecomputers,

How are you planning to create the JSON output? Are you going to refactor each PEAS or will you just parse the output? That json output sounds pretty good, but I would also add an entry on each item for each color that appears in the text. For example, if the text has "some good text" in green, "some bad text" in red and "some pe text" in red/yellow, I would add to the item entry the values:

[...]
"items": [
    {
        "label": "Operative system",
        "value": "....",
        "referenceUrl": "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits",
        "green": ["some good text"],
        "red": ["some bad text"],
        "red/yellow": ["some pe text"],
        "<other colors>": ...
    }

Then the colour can be replicated, and monitoring of the improvements between linpeas executions at 2 different moments is possible. Also, are you thinking of just creating a JSON to create an HTML report, or of creating a web server (in this case several improvements are possible)?

hatecomputers commented 3 years ago

hey @carlospolop

I personally think the easiest way to approach this - at least for now - would be parsing the output.

I initially wanted to also do that in bash but I think it gets a little confusing - not much of a bash guy myself unfortunately. I thought of creating a python script or something along those lines which, while it extracts the information, builds up a map object (with the data structure proposed) and spits out a JSON in the end. I like the idea of extracting the color, although I haven't thought about how yet.

Lastly, answering your question: I think for starters just parsing the data will be a lot of work :) but once we get the JSON out, it's pretty easy to build up from there (e.g., spin up a webserver with a small app that converts JSON into HTML)

carlospolop commented 3 years ago

Hi @hatecomputers,

Nice, I also think it would be better to start that way. Let me know if I should change something in the current output of linpeas/winpeas. Also, it would be awesome to have a web server capable of parsing the current output to JSON and generating the report in HTML as a starter. Then, with this web server, we could implement a history of different executions of the script and maybe even configure it to schedule runs of winpeas/linpeas, saving the timestamp and the output in the history. Anyway, thank you for the help to start this part of the project. If you have telegram feel free to mention this issue in the PEASS telegram group and I can open a DM to you so we can communicate faster.

necrose99 commented 3 years ago

Faraday sec, to manage.. pentests..

Datadog or many cloud syslog etc will do much of the work.. from syslog format.. if one cares not.. to make ui.. infra etc.

A simple json log output plugin/s for winpeas/linpeas should hopefully not disturb the main program, but offer a means of extending log outputs.. that others can add to..

hatecomputers commented 3 years ago

nice @carlospolop, I'll bring it up there.

@necrose99 that would mean restructuring most of the output from the peas, which isn't necessarily compatible with syslog, right? If we are not intending to disrupt the current format or change it in a way that feels (badly) different for people used to it, I think the way to go would be to parse each response individually with an external script once you get the output, at least for now. From what I've seen so far, it can be slightly complex but doable.

But to summarize: I agree with you. Once the data is out and it is structured it can be easily extended/modified. For now I think this could be the focus. I like the idea of having external tech supporting the peas though (web app parsing data, generating reports etc). Coming from a web dev background I tend to think this could add value :)

carlospolop commented 3 years ago

Hi guys! Is anyone doing the json parse of the linpeas/winpeas result finally? Let me know to not duplicate work!

hatecomputers commented 3 years ago

hey @carlospolop, sorry it took so long to get back to this. Things were a little too busy over the past month. Anyway, since the initial proposal was mine I think it's natural that I could work on that, as long as no one else has started off yet. If that's the case, however, I still would love to contribute.

mnemonic-re commented 2 years ago

hey @carlospolop Thank you for the tools and frequent updates. Just amazing.

To help with reading RAW output files written by linpeas or winpeas I wrote a small bash script to use PEASS_ng parsers to generate readable HTML\PDF files or JSON parse. It is quite simple and colorful :) I hope it will be useful to someone who does a lot of raw linpeas\winpeas dumps and wants a script for fast conversion to readable formats.

https://github.com/mnemonic-re/parsePEASS

carlospolop commented 2 years ago

> https://github.com/mnemonic-re/parsePEASS

Thanks mate, I put it in the parsers readme

mnemonic-re commented 2 years ago

> https://github.com/mnemonic-re/parsePEASS
>
> Thanks mate, I put it in the parsers readme

I also noticed a "bug" in the JSON parser. linpeas outfile includes "SECTION 'infos'" while winpeas does not since it is not generating links. If I just take pure "winpeas.exe log" log.out file and try to parse it:

File "/opt/parsePEASS/parsers/peas2json.py", line 132, in parse_line
    C_SECTION["infos"].append(title)
KeyError: 'infos'

So, I had to comment out the C_SECTION["infos"].append(title) line:

    elif is_section(line, INFO_PATTERN):
        title = parse_title(line)
        # C_SECTION["infos"].append(title)

Then output parsing works perfectly for winpeas. It is missing the links in HTML or PDF but there weren't any in the output file to parse and that is why it errored out.
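An added example of the parse-then-structure approach agreed on earlier in this thread, serving both carlospolop's proposed JSON layout (label, value, referenceUrl and one list per colour) and the `infos` KeyError reported in the comment above. It is not the peas2json.py parser from the repository: the "[+] Title" / "[i] <url>" header layout quoted earlier in the thread, the colour-code mapping, and the sample output are this example's assumptions, so adapt the regexes to the linpeas build you actually run.

```python
import json
import re

# Added example, not the parsers/ code from PEASS-ng. Assumes the older
# "[+] Title" section header and "[i] <url>" link line layout and the ANSI
# SGR codes mapped in COLOR_NAMES below; adjust for the build you run.

# Constructed sample output (not captured from a real host).
SAMPLE = (
    "[+] Sudo version\n"
    "[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version\n"
    "Sudo version \x1b[1;31m1.8.10p3\x1b[0m\n"
    "[+] Interesting files\n"
    "\x1b[1;32m/etc/passwd\x1b[0m is writable? \x1b[1;31;103mYes\x1b[0m\n"
)

SECTION_RE = re.compile(r"^\[\+\]\s+(.+?)\s*$")
INFO_RE = re.compile(r"^\[i\]\s+(\S+)")
# Any SGR escape sequence; stripped to produce the plain-text "value".
ANSI_RE = re.compile(r"\x1b\[[\d;]*m")
# One coloured run: "<colour code>text<reset>". The reset code itself is
# excluded from matching as an opening code.
COLORED_RE = re.compile(r"\x1b\[(?!0m)([\d;]+)m([^\x1b]*)\x1b\[0m")
# Assumed mapping from SGR code to the colour names proposed above.
COLOR_NAMES = {
    "1;31": "red",
    "1;32": "green",
    "1;33": "yellow",
    "1;34": "blue",
    "1;96": "cyan",
    "1;31;103": "red/yellow",
}


def parse_peas(text):
    """Turn raw linpeas/winpeas output into {"items": [...]}.

    Each item carries label, plain-text value, referenceUrl (None when the
    section had no [i] line, as in winpeas output) and one list per colour
    that actually appeared in the section.
    """
    items = []
    current = None
    for raw in text.splitlines():
        plain = ANSI_RE.sub("", raw).rstrip()
        m = SECTION_RE.match(plain)
        if m:
            current = {"label": m.group(1), "value": [], "referenceUrl": None}
            items.append(current)
            continue
        m = INFO_RE.match(plain)
        if m:
            # Never assume a section (or its link) exists: winpeas emits no
            # [i] lines, and a stray [i] before the first header is ignored.
            if current is not None:
                current["referenceUrl"] = m.group(1)
            continue
        if current is None or not plain:
            continue
        current["value"].append(plain)
        for code, run in COLORED_RE.findall(raw):
            current.setdefault(COLOR_NAMES.get(code, code), []).append(run)
    for item in items:
        item["value"] = "\n".join(item["value"])
    return {"items": items}


def to_json(text):
    """JSON document for the structure above, ready for a report generator."""
    return json.dumps(parse_peas(text), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE))
```

The link line is optional per section and ignored when it precedes any header, which is what the winpeas log in the comment above needed; colours that never appear in a section simply do not become keys, so a report generator should read them with `item.get("red", [])` rather than indexing.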

carlospolop commented 2 years ago

> https://github.com/mnemonic-re/parsePEASS
>
> Thanks mate, I put it in the parsers readme
>
> I also noticed a "bug" in the JSON parser. linpeas outfile includes "SECTION 'infos'" while winpeas does not since it is not generating links. If I just take pure "winpeas.exe log" log.txt file and try to parse it:
>
>     File "/opt/parsePEASS/parsers/peas2json.py", line 132, in parse_line
>         C_SECTION["infos"].append(title)
>     KeyError: 'infos'
>
> So, I had to comment out the C_SECTION["infos"].append(title) line:
>
>     elif is_section(line, INFO_PATTERN):
>         title = parse_title(line)
>         # C_SECTION["infos"].append(title)
>
> Then output parsing works perfectly for winpeas. It is missing the links in HTML or PDF but there weren't any in the output file to parse and that is why it errored out.

This weekend I'm pretty busy... if you could try to find a proper fix and make a PR I would appreciate it, if not I will be taking a look next week

mnemonic-re commented 2 years ago

> This weekend I'm pretty busy... if you could try to find a proper fix and make a PR I would appreciate it, if not I will be taking a look next week

No problem, just putting it here. I will try to find best solution and PR it so you can check it out when you have the time. Cheers.

ghost commented 2 years ago

Hey @carlospolop, just did a CTF which required exploiting MySQL with UDFs. If you could add a check to see if MySQL is running as root, since that happens a lot, that would be great, and it would help a lot in CTFs.

Something simple I wrote to grab the user, if any: systemctl status mysql | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1

carlospolop commented 2 years ago

Hi @NLT33, linpeas enumerates processes and prints "root" in red (so you can check that there) and also reads the file debian.cnf, where the user running mysql should be configured, and prints it. However, I have also added that one; hopefully it will be completely clear now (it's true that this is a very common privesc in CTFs). Thanks for the code snippet.

ghost commented 2 years ago

Hey again @carlospolop, it does indeed, but in my case you were not able to see any processes other than your own, so in the end it's better to have another alternative.
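An added example for the check requested in the last few comments, and not linpeas code: it resolves the account mysqld runs as from three sources, so the answer survives a /proc mounted with hidepid, where `ps` shows only your own processes, as in the CTF described above. The `ps aux`, my.cnf and systemd unit samples are constructed, and the precedence (live process list first, then the unit's User=, then my.cnf) is this example's assumption.

```python
import os
import re

# Added example, not linpeas code. Three independent ways to learn which OS
# user mysqld runs as, so a restricted /proc (hidepid) that hides other users'
# processes does not leave the check blind. All inputs below are constructed.

# `ps aux` output as a normal user sees it (first) and as a hidepid mount
# shows it (second: only the caller's own processes).
PS_VISIBLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 168000 11000 ? Ss 10:00 0:01 /sbin/init
root 812 0.2 4.1 1200000 84000 ? Ssl 10:00 0:03 /usr/sbin/mysqld --basedir=/usr
www-data 900 0.0 0.3 55000 6000 ? S 10:01 0:00 nginx: worker process
"""
PS_HIDDEN = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
ctf 2200 0.0 0.1 8000 3000 pts/0 Ss 10:05 0:00 -bash
ctf 2301 0.0 0.0 6000 2000 pts/0 R+ 10:06 0:00 ps aux
"""
# /etc/mysql/my.cnf style config; mysqld drops to "user" when started as root.
MY_CNF = """\
[client]
port = 3306
[mysqld]
# comment
user = mysql
datadir = /var/lib/mysql
"""
# A systemd unit; User= here fixes the account before my.cnf is ever read.
UNIT = """\
[Service]
User=root
ExecStart=/usr/sbin/mysqld
"""


def mysqld_user_from_ps(ps_text):
    """Account owning a mysqld/mariadbd process in `ps aux` output, or None."""
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        exe = os.path.basename(fields[10].split()[0])
        if exe.startswith("mysqld") or exe == "mariadbd":
            return fields[0]
    return None


def mysqld_user_from_unit(unit_text):
    """User= from the [Service] section of a systemd unit, or None."""
    m = re.search(r"^\s*User\s*=\s*(\S+)", unit_text, re.MULTILINE)
    return m.group(1) if m else None


def mysqld_user_from_mycnf(cnf_text):
    """user= under [mysqld] or [mysqld_safe] in a my.cnf, or None."""
    section = None
    for line in cnf_text.splitlines():
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
            continue
        if section in ("mysqld", "mysqld_safe") and "=" in s:
            key, value = (p.strip() for p in s.split("=", 1))
            if key == "user":
                return value
    return None


def mysql_runs_as_root(ps_text, unit_text="", cnf_text=""):
    """(runs_as_root, user, evidence); (None, None, None) when undetermined.

    The live process list wins; otherwise the unit's User=, then my.cnf.
    """
    for evidence, user in (("ps", mysqld_user_from_ps(ps_text)),
                           ("unit", mysqld_user_from_unit(unit_text)),
                           ("my.cnf", mysqld_user_from_mycnf(cnf_text))):
        if user is not None:
            return (user == "root", user, evidence)
    return (None, None, None)


if __name__ == "__main__":
    print(mysql_runs_as_root(PS_VISIBLE))
    print(mysql_runs_as_root(PS_HIDDEN, UNIT, MY_CNF))
```

On a real host, feed it the output of `ps aux`, the contents of the mysql unit file and of my.cnf (plus any files it includes). A `(None, None, None)` result means none of the three sources answered, which is itself worth reporting rather than silently treating as "not root".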