Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

All Enhancements are tracked here (Not top priority) #43

Open
1 of 6 tasks
carlospolop opened this issue Apr 25, 2020 · 28 comments
Open
1 of 6 tasks

All Enhancements are tracked here (Not top priority) #43

carlospolop opened this issue Apr 25, 2020 · 28 comments
Labels
enhancement New feature or request

Comments

@carlospolop
Copy link
Collaborator

carlospolop commented Apr 25, 2020

This is the list of requested features that I haven't find the time to create yet and aren't top priority.
Help is wanted for the following tasks:

@carlospolop carlospolop added the enhancement New feature or request label Apr 25, 2020
@legndery
Copy link

Add CVE-2019-14287 for sudo version check for < 1.8.28

@carlospolop
Copy link
Collaborator Author

Add CVE-2019-14287 for sudo version check for < 1.8.28

Hi mate, this should be implemented right now, but I haven't tested it, can you try it?

@legndery
Copy link

Sure I can try it as I encountered a CTF today which had this privesc open. Is it the dev branch?

@carlospolop
Copy link
Collaborator Author

No, it's in the master branch

@legndery
Copy link

legndery commented May 26, 2020

Yes it has the version check. And red version highlight:

[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.10p3

Thanks

@carlospolop
Copy link
Collaborator Author

Thank you!

@necrose99
Copy link

necrose99 commented Jun 2, 2020

CMakeLists.txt SLN -> CMAKE for MONO / .net under linux to X-build.
(https://github.com/pavelliavonau/cmakeconverter)

#39

@ivym1ke
Copy link

ivym1ke commented Mar 7, 2021

What are your thoughts on md5sums for known vulnerable binaries?

@carlospolop
Copy link
Collaborator Author

Hi @wwwd4ta,

That actually sounds pretty good. We would need to check the sizeof the md5s, but if possible it would be a good idea.
Do you have a DB of vulnerable MD5s?
Feel free to open a new issue specificly for this.

@acmello
Copy link
Contributor

acmello commented May 17, 2021

Do you guys see any value on enabling the possibility of getting a json or something along those lines once linepeas finish running? I'm considering creating a UI version of it (this could be one use case for having data structured like this). WDYT?

@carlospolop
Copy link
Collaborator Author

Hi @acmello, adding a JSON output would be awesome.
The problem is that none of the PEAS was designed for such type of output. So all of them would need to be refactored.
I have it in the road-map, but this is so time consuming that I don't know when I will be able to do it. Any help is appreciated.

@necrose99
Copy link

necrose99 commented May 18, 2021

output Json , ie golang/rust binaries (as their static) or python for linux could use in built scripts.. for windows might want an off the shelf json lib and something simple to parse it it out to json logs or json/syslog out... as from the day job world syslog to >SIEM is the name of the game...

gox can make windows or Linux binaries/mac/bsd/etc of many stripes. ie golang ...
https://pypi.org/project/JSON-log-formatter/

https://github.com/slog-rs/slog

go:
https://github.com/rs/zerolog
https://github.com/sirupsen/logrus

@hatecomputers
Copy link

hatecomputers commented May 18, 2021

hey @carlospolop, thanks for answering. (still @acmello just using the appropriated account for this lol), I actually started to experiment with the idea as a side thing but since its something interesting for everyone, I might as well fork the project and make an actual contribution :) but you are alright, its really time consuming.

I was thinking in something along the lines of:
https://gist.github.com/hatecomputers/b49639fd72caec7c208961be46411341

Let me know if you have any thoughts or better ideas for naming it. cc @necrose99

@carlospolop
Copy link
Collaborator Author

carlospolop commented May 18, 2021

hey @hatecomputers,

How are you planning creating the JSON output? Are you going to refactor each PEAS or will you just parse the output?
That json output sounds pretty good, but I would add also an entry on each item for each color that appears in the text.
For example, if the text has "some good text" in green, "some bad text" in red and "some pe text" in red/yellow, I would add to the item entry the values:

[...]
"items": [            
     {                
         "label": "Operative system",                
         "value": "....",               
         "referenceUrl": "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits",
        "green": ["some good text"],
        "red": ["some bad text"],
        "red/yellow": ["some pe text"],
       "<other colors>": ...
}

Then the colour can be replicated and a monitorization of the improvements executing linpeas in 2 different moments are possible.
Also, are you thinking on just creating a json to create a HTML report, or create a web server (in this case several improvements are possible).

@hatecomputers
Copy link

hatecomputers commented May 18, 2021

hey @carlospolop

I personally think the easiest way to approach this - at least for now - would be parsing the output.

I initially wanted to also do that in bash but I think it gets a little confusing - not much of a bash guy myself unfortunately. I thought of creating a python script or something along the lines which, while extracts the information, builds up a map object (with the data structure proposed) and spit up a JSON in the end. I like the idea of extracting the color although haven't think about how yet.

Lastly, answering your question: I think for starters just parsing the data will be a lot of work :) but once we get the JSON out, its pretty easy to build up from there (e.g, spin up a webserver with a small app that converts JSON into HTML)

@carlospolop
Copy link
Collaborator Author

Hi @hatecomputers,

Nice, I also think it would be better to start that way. Let me know if I should change something in the current output of linpeas/winpeas.
Also, It would be awesome to have a web server capable of parsing the current output to json and generating the report in HTML as starter. Then, with this web server, we could be able to implement a history of different executions of the script and maybe even configure it to schedule runs of winpeas/linpeas saving the timestamp and the output in the history.
Anyway, thank you for the help to start this part of the project. If you have telegram feel free to mention this issue in the PEASS telegram group and I can open a DM to you so we can communicate faster.

@necrose99
Copy link

Faraday sec , to managed.. pentest..

Datadog or many cloud syslog etc will do much of the work.. from syslog format.. if one cares not.. to make ui.. infra etc.

A simple json logoutput plugin/s for winpeas/linpeas should hopefully not disturb main program, but offer a means of extending logoutputs.. , others can add to..

@hatecomputers
Copy link

hatecomputers commented May 19, 2021

nice @carlospolop, I'll bring it up there.

@necrose99 that would mean restructure most of the output from the peas which isn't necessarily compatible with syslog right? If we are not intending to disrupt the current format or change it in way that feel (bad)different for people use to it, I think the way to go would be parse each response individual with an external script once you get output, at least for now. From what I've seen so far, it can be slightly complex but doable.

but to summarize: I agree with you. Once the data is out and it is structured it can be easily extended/modified. For now I think this could the focus. I like the idea of having external tech supporting the peas though (web app parsing data, generating report etc). Coming from a web dev background I tend to think this could add value :)

@carlospolop
Copy link
Collaborator Author

Hi guys! Is anyone doing the json parse of the linpeas/winpeas result finally? Let me know to not duplicate work!

@hatecomputers
Copy link

hey @carlospolop, sorry took so long to get back to this. Things were a little too busy over the past month.
Anyway, since the initial proposal was mine I think its natural that I could work on that as long as no else had started off yet.
If that's the case however, I still would love to contribute.

@mnemonic-re
Copy link

hey @carlospolop Thank you for the tools and frequent updates. Just amazing.

To help with reading RAW output files written by linpeas or winpeas I wrote a small bash script to use PEASS_ng parsers to generate readable HTML\PDF files or JSON parse. It is quite simple and colorful :)
I hope it will be useful to someone who does a lot of raw linpeas\winpeas dumps and wants a script for fast conversion to readable formats.

https://github.com/mnemonic-re/parsePEASS

@carlospolop
Copy link
Collaborator Author

https://github.com/mnemonic-re/parsePEASS

Thanks mate, I put it in the parsers readme

@mnemonic-re
Copy link

mnemonic-re commented Apr 2, 2022

https://github.com/mnemonic-re/parsePEASS

Thanks mate, I put it in the parsers readme

I also noticed a "bug" in the JSON parser. linpeas outfile includes "SECTION 'infos'" while winpeas does not since it is not generating links.
If I just take pure "winpeas.exe log" log.out file and try to parse it:

File "/opt/parsePEASS/parsers/peas2json.py", line 132, in parse_line C_SECTION["infos"].append(title) KeyError: 'infos'

So, I had to comment out the "C_SECTION["infos"].append(title)
elif is_section(line, INFO_PATTERN): title = parse_title(line) #C_SECTION["infos"].append(title)

Then output parsing works perfectly for winpeas. It is missing the links in HTML or PDF but there weren't any in the output file to parse and that is why it errored out.

@carlospolop
Copy link
Collaborator Author

https://github.com/mnemonic-re/parsePEASS

Thanks mate, I put it in the parsers readme

I also noticed a "bug" in the JSON parser. linpeas outfile includes "SECTION 'infos'" while winpeas does not since it is not generating links. If I just take pure "winpeas.exe log" log.txt file and try to parse it:

File "/opt/parsePEASS/parsers/peas2json.py", line 132, in parse_line C_SECTION["infos"].append(title) KeyError: 'infos'

So, I had to comment out the "C_SECTION["infos"].append(title) elif is_section(line, INFO_PATTERN): title = parse_title(line) #C_SECTION["infos"].append(title)

Then output parsing works perfectly for winpeas. It is missing the links in HTML or PDF but there weren't any in the output file to parse and that is why it errored out.

This weekend I'm pretty busy... if you could try to find a proper fix and make a PR I would appreciate it, if not I will be taking a look next week

@mnemonic-re
Copy link

This weekend I'm pretty busy... if you could try to find a proper fix and make a PR I would appreciate it, if not I will be taking a look next week

No problem, just putting it here. I will try to find best solution and PR it so you can check it out when you have the time.
Cheers.

@ghost
Copy link

ghost commented May 9, 2022

Hey @carlospolop Just did a CTF which required exploiting MySQL with UDFs, if you could add a check to see if MySQL is running as root since that happens a lot that would be great! and it would help a lot in CTFs.

something simple i wrote to grab the user if any: systemctl status mysql | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1

@carlospolop
Copy link
Collaborator Author

Hi @NLT33,
Linpeas enumerates processes and prints in red "root" (so you can check that there) and also reads the file debian.cnf where the user running mysql should be configured and prints it.
However, I have added also that one, hopefully it will be completely clear now (it's true that this is a very common privesc in CTFs). Thanks for the code snippet.

@ghost
Copy link

ghost commented May 9, 2022

Hey again @carlospolop , It does indeed but in my case you were not able to see any other processes than your own, so in the end it's better just to have another alternative.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

7 participants