linPEAS analysis
- Summary: An explanation with examples of the linPEAS output.
- Tags: LinPEAS
Use this post as a guide to the information linPEAS presents when executed.
(As the information linPEAS can generate can be quite large, I will complete this post as I find examples that take advantage of the information linPEAS generates.)
========== Basic information ==========
Provides information about:
- The current user (uid and gid) and the groups it belongs to.
- In the example above, the current user belongs to the lpadmin group, which allows it to modify the configuration file of the CUPS server. Example: HTB: Antique machine.
- Hostname.
- Writable folders.
- Interesting programs for host discovery.
========== System information ==========
Provides information about:
- The operating system in use.
- Sudo version.
- Possible CVEs to exploit.
- PATH variable.
- Date and time.
- Mounted and unmounted disks.
- Environmental variables.
- Failed signature verifications in dmesg.
- The output of Linux Exploit Suggester, both 1 and 2.
- Information about protections.
========== Container ==========
Provides information about whether we are inside a container or not.
========== Cloud ==========
Provides information about whether we are inside a cloud platform or not.
========== Processes, Crons, Timers, Services and Sockets ==========
Provides information about:
- Cleaned processes.
- Binary processes permissions.
- Files opened by processes belonging to other users.
- Processes with credentials in memory (root req).
- Cron jobs.
- Systemd PATH.
- .service files analysis.
- .timer files.
- .socket files.
- UNIX sockets listening.
- D-bus config files.
- D-Bus Service Objects list.
========== Network information ==========
Provides information about:
- Hostname, hosts and DNS.
- Interfaces.
- Active ports.
- In the example above, port 23 can be reached from all IP addresses of the machine, while port 631 can only be reached from the loopback interface (only available on the machine itself). Example: HTB: Antique machine.
- The possibility to sniff with tcpdump.
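The loopback-versus-all-interfaces distinction from the port 23 / port 631 example is easy to misread in a long netstat or ss listing, so here is a small parser, added here as an example and not part of the original post or of linPEAS itself, that reads the "Active ports" lines (linPEAS prints them from netstat or ss) and classifies each listening socket by bind scope. The two samples are constructed for the example and cover both output layouts, IPv6 brackets and a %lo zone suffix.

```python
"""Classify listening sockets from netstat/ss output by bind scope.

Added example (not linPEAS code). It reads the kind of lines linPEAS
shows under "Active ports" and separates services reachable from every
interface from those bound only to loopback. Sample lines are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in netstat layout.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp        0      0 10.10.10.5:22           10.10.14.2:51234        ESTABLISHED -
"""

# Constructed sample in ss layout (with the Netid column of `ss -nltpu`).
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q    Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0         127.0.0.53%lo:53          0.0.0.0:*
tcp   LISTEN 0      128             0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      5                 [::1]:631            [::]:*
tcp   LISTEN 0      4096                  *:8080              *:*
"""

# A local-address field ends in ":<port>"; peer fields end in ":*" and are skipped.
LOCAL_RE = re.compile(r"^(?P<host>.+):(?P<port>\d+)$")

# Precedence when the same port appears on several addresses.
RANK = {"loopback": 0, "specific": 1, "unknown": 1, "all": 2}


def bind_scope(host: str) -> str:
    """Map the host part of a local address to all / loopback / specific."""
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and zone id
    if host in ("*", ""):
        return "all"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"


def parse_listeners(text: str) -> List[Dict]:
    """Return one record per listening socket found in netstat or ss output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        proto = fields[0].lower()
        # netstat marks TCP listeners with LISTEN and prints no state for UDP;
        # ss uses LISTEN for TCP and UNCONN for bound UDP sockets.
        listening = "LISTEN" in fields or "UNCONN" in fields or proto.startswith("udp")
        if not listening:
            continue
        local = next((f for f in fields if LOCAL_RE.match(f)), None)
        if local is None:
            continue
        m = LOCAL_RE.match(local)
        listeners.append({
            "proto": proto if proto.startswith(("tcp", "udp")) else "?",
            "host": m["host"],
            "port": int(m["port"]),
            "scope": bind_scope(m["host"]),
        })
    return listeners


def summarize(text: str) -> Dict[int, str]:
    """Port -> widest scope it is bound on (a port open on 0.0.0.0 counts as 'all')."""
    ports: Dict[int, str] = {}
    for rec in parse_listeners(text):
        current = ports.get(rec["port"])
        if current is None or RANK[rec["scope"]] > RANK[current]:
            ports[rec["port"]] = rec["scope"]
    return ports


if __name__ == "__main__":
    for label, sample in (("netstat", NETSTAT_SAMPLE), ("ss", SS_SAMPLE)):
        print(f"[{label}]")
        for port, scope in sorted(summarize(sample).items()):
            print(f"  port {port:<5} {scope}")
```

Ports reported as "all" are the ones that matter for exposure review (and for the firewall rules that should back them); "loopback" ports, such as the CUPS port 631 in the example, are only reachable by someone already on the host.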
========== Users information ==========
Provides information about:
- My user (the same information as in Basic information).
- User PGP keys.
- sudo -l.
- In the example above, our current user can run any command as the scriptmanager user. This can lead to a lateral movement or a privilege escalation. Example: HTB: Bashed machine.
- sudo tokens.
- Pkexec policy.
- Superusers.
- Users with console.
- All users & groups.
- Current logged users.
- Last logons.
- Last logons time.
========== Software information ==========
Provides information about:
- Useful software.
- Installed compilers.
- mysql credentials.
- rsync files.
- ldap files.
- ssl/ssh files.
- Writable ssh and gpg agents.
- PAM Auth Files.
- tmux sessions.
- Keyring Files.
- uncommon passwd files (splunk).
- PGP-GPG Files.
- Postfix Files.
- Bind Files.
- Other Interesting Files.
========== Interesting files ==========
Provides information about:
- SUID files.
- SGID files.
- ld.so misconfigurations.
- Capabilities.
- In the example above, the program /usr/bin/python3.8 has the CAP_SETUID capability enabled, so the processes it spawns can change their UID at execution time, which can lead to a lateral movement or a privilege escalation. Example: HTB: Cap machine.
- Users with capabilities.
- AppArmor binary profiles.
- Files with ACLs.
- .sh files in path.
- Executable files potentially added by user.
- Unexpected files in root.
- Files (scripts) in /etc/profile.d/.
- Permissions in init, init.d, systemd, and rc.d.
- root files in home dirs.
- Folders owned by me containing other users' files.
- Readable files belonging to root and readable by me but not world readable.
- Modified interesting files in the last 5 minutes.
- Writable log files (logrotten).
- Files inside /var/spool/lpd.
- Files inside others home.
- Installed mail applications.
- Mails.
- Backup files.
- Tables inside readable .db/.sql/.sqlite files.
- Web files.
- Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders.
- Backup files.
- Interesting writable files owned by me or writable by everyone (not in Home).
- Interesting GROUP writable files (not in Home).
- Passwords in history files.
- password or credential files in home.
- TTY (sudo/su) passwords in audit logs.
- passwords inside logs.
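The capabilities item above (the /usr/bin/python3.8 with CAP_SETUID example) is the kind of finding an administrator wants to audit on their own hosts before an attacker does. The script below is an added example, not part of the original post or of linPEAS, that parses getcap output in both layouts libcap has used ("/path = cap_x+ep" and the newer "/path cap_x=ep"), and reports binaries carrying capabilities that let a process change identity or bypass file permission checks (the set is taken from capabilities(7) and is an editorial choice). The getcap output is constructed for the example.

```python
"""Audit file capabilities for identity-changing or permission-bypassing caps.

Added example (not linPEAS code). Feed it the output of `getcap -r / 2>/dev/null`;
the sample below is constructed and mixes both getcap output layouts.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed getcap output: old "path = caps+flags" and new "path caps=flags" layouts.
GETCAP_SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/opt/tools/tracer cap_sys_ptrace=p
"""

# Capabilities that allow a process to change its identity or sidestep DAC checks
# (see capabilities(7)); which ones to flag is an editorial choice for this example.
SENSITIVE_CAPS = {
    "cap_setuid", "cap_setgid", "cap_setfcap", "cap_chown", "cap_fowner",
    "cap_dac_override", "cap_dac_read_search", "cap_sys_admin",
    "cap_sys_ptrace", "cap_sys_module",
}

# One clause: "cap_a,cap_b+ep" (old) or "cap_a,cap_b=ep" (new); flags are e/i/p.
CLAUSE_RE = re.compile(r"^(?P<names>cap_[a-z0-9_]+(?:,cap_[a-z0-9_]+)*)[+=](?P<flags>[eip]*)$")


def parse_getcap_line(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (path, {cap: flags}) for a getcap line, or None if it is not one."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok == "=" or CLAUSE_RE.match(tok):
            break
    else:
        return None                       # no capability clause on this line
    path = " ".join(tokens[:i])           # keeps paths that contain spaces intact
    caps: Dict[str, str] = {}
    for tok in tokens[i:]:
        m = CLAUSE_RE.match(tok)
        if m:
            for name in m["names"].split(","):
                caps[name] = m["flags"]
    if not path or not caps:
        return None
    return path, caps


def audit_capabilities(text: str) -> List[Dict]:
    """List every (binary, capability) pair from SENSITIVE_CAPS found in getcap output."""
    findings = []
    for line in text.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for cap, flags in caps.items():
            if cap in SENSITIVE_CAPS:
                findings.append({
                    "path": path,
                    "cap": cap,
                    "flags": flags,
                    # "e" means the capability is active as soon as the file runs;
                    # permitted-only ("p") needs the program to raise it itself.
                    "effective": "e" in flags,
                })
    return findings


if __name__ == "__main__":
    for f in audit_capabilities(GETCAP_SAMPLE):
        state = "effective" if f["effective"] else "permitted only"
        print(f"{f['path']}: {f['cap']} ({state}, flags={f['flags']})")
```

Run against a real host, diff the result against a known-good baseline (ping with cap_net_raw is expected; an interpreter such as python with cap_setuid is not), and treat any new entry as a change to investigate, since file capabilities survive package upgrades only if the package sets them again.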
========== API Keys Regex ==========
Provides information about API keys.