PEASS-ng
All Enhancements are tracked here (Not top priority)
This is the list of requested features that I haven't found the time to create yet and that aren't top priority. Help is wanted for the following tasks:
- [ ] Profiles-based audit for business models #42
- [ ] .Net to cmake #39
- [ ] Colours for WinPEAS.bat #41
- [ ] Monitoring reports #107
- [ ] Check md5sums of known vulnerable binary files (if you have a list with this information for any OS let me know!)
- [x] JSON Output
Add CVE-2019-14287 for sudo version check for < 1.8.28
Hi mate, this should be implemented right now, but I haven't tested it, can you try it?
Sure I can try it as I encountered a CTF today which had this privesc open. Is it the dev branch?
No, it's in the master branch
Yes it has the version check. And red version highlight:
[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.10p3
Thanks
Thank you!
CMakeLists.txt SLN -> CMAKE for MONO / .net under linux to X-build. (https://github.com/pavelliavonau/cmakeconverter)
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues/39
What are your thoughts on md5sums for known vulnerable binaries?
Hi @wwwd4ta,
That actually sounds pretty good. We would need to check the size of the md5s, but if possible it would be a good idea. Do you have a DB of vulnerable MD5s? Feel free to open a new issue specifically for this.
Do you guys see any value on enabling the possibility of getting a json or something along those lines once linepeas finish running? I'm considering creating a UI version of it (this could be one use case for having data structured like this). WDYT?
Hi @acmello, adding a JSON output would be awesome. The problem is that none of the PEAS was designed for such type of output. So all of them would need to be refactored. I have it in the road-map, but this is so time consuming that I don't know when I will be able to do it. Any help is appreciated.
Output JSON, i.e. golang/rust binaries (as they're static) or python for linux could use built-in scripts. For windows you might want an off-the-shelf json lib and something simple to parse it out to json logs or json/syslog output... as in the day-job world, syslog to SIEM is the name of the game...
gox can make windows or Linux binaries/mac/bsd/etc. of many stripes, i.e. golang ... https://pypi.org/project/JSON-log-formatter/
https://github.com/slog-rs/slog
go: https://github.com/rs/zerolog https://github.com/sirupsen/logrus
hey @carlospolop, thanks for answering. (still @acmello, just using the appropriate account for this lol) I actually started to experiment with the idea as a side thing, but since it's something interesting for everyone, I might as well fork the project and make an actual contribution :) but you are right, it's really time consuming.
I was thinking in something along the lines of: https://gist.github.com/hatecomputers/b49639fd72caec7c208961be46411341
Let me know if you have any thoughts or better ideas for naming it. cc @necrose99
hey @hatecomputers,
How are you planning on creating the JSON output? Are you going to refactor each PEAS or will you just parse the output? That json output sounds pretty good, but I would also add an entry on each item for each color that appears in the text. For example, if the text has "some good text" in green, "some bad text" in red and "some pe text" in red/yellow, I would add to the item entry the values:
[...]
"items": [
    {
        "label": "Operative system",
        "value": "....",
        "referenceUrl": "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits",
        "green": ["some good text"],
        "red": ["some bad text"],
        "red/yellow": ["some pe text"],
        "<other colors>": ...
    }
Then the colour can be replicated, and monitoring of the improvements by executing linpeas at 2 different moments is possible. Also, are you thinking of just creating a json to create a HTML report, or of creating a web server (in this case several improvements are possible)?
hey @carlospolop
I personally think the easiest way to approach this - at least for now - would be parsing the output.
I initially wanted to also do that in bash but I think it gets a little confusing - not much of a bash guy myself unfortunately. I thought of creating a python script or something along those lines which, while it extracts the information, builds up a map object (with the data structure proposed) and spits out a JSON in the end. I like the idea of extracting the color although I haven't thought about how yet.
Lastly, answering your question: I think for starters just parsing the data will be a lot of work :) but once we get the JSON out, it's pretty easy to build up from there (e.g., spin up a webserver with a small app that converts JSON into HTML)
Hi @hatecomputers,
Nice, I also think it would be better to start that way. Let me know if I should change something in the current output of linpeas/winpeas. Also, it would be awesome to have a web server capable of parsing the current output to json and generating the report in HTML as a starter. Then, with this web server, we could implement a history of different executions of the script and maybe even configure it to schedule runs of winpeas/linpeas, saving the timestamp and the output in the history. Anyway, thank you for the help to start this part of the project. If you have telegram feel free to mention this issue in the PEASS telegram group and I can open a DM to you so we can communicate faster.
Faraday sec, to manage pentests..
Datadog or many cloud syslog services etc. will do much of the work from syslog format, if one cares not to make a UI, infra etc.
A simple JSON log output plugin(s) for winpeas/linpeas should hopefully not disturb the main program, but offer a means of extending log outputs that others can add to..
nice @carlospolop, I'll bring it up there.
@necrose99 that would mean restructuring most of the output from the peas, which isn't necessarily compatible with syslog, right? If we are not intending to disrupt the current format or change it in a way that feels (bad) different for people used to it, I think the way to go would be to parse each response individually with an external script once you get the output, at least for now. From what I've seen so far, it can be slightly complex but doable.
But to summarize: I agree with you. Once the data is out and it is structured it can be easily extended/modified. For now I think this could be the focus. I like the idea of having external tech supporting the peas though (web app parsing data, generating reports etc). Coming from a web dev background I tend to think this could add value :)
Hi guys! Is anyone doing the json parse of the linpeas/winpeas result finally? Let me know to not duplicate work!
hey @carlospolop, sorry it took so long to get back to this. Things were a little too busy over the past month. Anyway, since the initial proposal was mine I think it's natural that I could work on that, as long as no one else has started yet. If that's the case however, I still would love to contribute.
hey @carlospolop Thank you for the tools and frequent updates. Just amazing.
To help with reading RAW output files written by linpeas or winpeas I wrote a small bash script to use PEASS_ng parsers to generate readable HTML\PDF files or JSON parse. It is quite simple and colorful :) I hope it will be useful to someone who does a lot of raw linpeas\winpeas dumps and wants a script for fast conversion to readable formats.
https://github.com/mnemonic-re/parsePEASS
Thanks mate, I put it in the parsers readme
I also noticed a "bug" in the JSON parser. linpeas outfile includes "SECTION 'infos'" while winpeas does not since it is not generating links. If I just take pure "winpeas.exe log" log.out file and try to parse it:
File "/opt/parsePEASS/parsers/peas2json.py", line 132, in parse_line
    C_SECTION["infos"].append(title)
KeyError: 'infos'
So, I had to comment out the C_SECTION["infos"].append(title) line:
elif is_section(line, INFO_PATTERN):
    title = parse_title(line)
    #C_SECTION["infos"].append(title)
Then output parsing works perfectly for winpeas. It is missing the links in HTML or PDF but there weren't any in the output file to parse and that is why it errored out.
This weekend I'm pretty busy... if you could try to find a proper fix and make a PR I would appreciate it, if not I will be taking a look next week
No problem, just putting it here. I will try to find best solution and PR it so you can check it out when you have the time. Cheers.
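The two threads above (the colour-aware JSON layout proposed for the parser, and the KeyError that parsePEASS hit on winpeas output that has no "╚ url" info lines) can be served by one small parser. The following is an added example written for this page, not parsePEASS's peas2json.py and not PEASS-ng's own code. It assumes a linpeas-like layout (a `═╣ Section ╠═` banner, `╔═╣ Title` lines, `╚ url` reference lines) and the SGR colour codes listed in COLOUR_NAMES; both are assumptions, so adjust the regexes and the map to the output of your build. Highlighted text is collected under a "colors" key rather than directly on the item as in the proposal, so colour names can never clash with "label" or "value". Every key of an item is created when the item starts, which is the fix for the KeyError: a check with no reference line simply keeps referenceUrl as null.

```python
import json
import re

# Added example (not PEASS-ng's own parser): turns raw, ANSI-coloured
# linpeas/winpeas output into the JSON layout proposed in the thread.
# The section/title markers and colour codes below are assumptions about the
# output format; adjust them if your PEAS build prints them differently.

ANSI_RE = re.compile(r"\x1b\[([0-9;]*)m")
SECTION_RE = re.compile(r"^═+╣\s*(.*?)\s*╠═*$")   # main section banner
TITLE_RE = re.compile(r"^╔═+╣\s*(.*?)\s*$")        # one check's title
INFO_RE = re.compile(r"^╚\s*(https?://\S+)")       # reference link line

# Assumed SGR code -> colour name mapping; unknown codes keep their raw code
# so no highlighted text is silently dropped.
COLOUR_NAMES = {
    "1;31": "red",
    "1;32": "green",
    "1;33": "yellow",
    "1;34": "blue",
    "1;31;103": "red/yellow",
}


def strip_ansi(line):
    return ANSI_RE.sub("", line)


def coloured_runs(line):
    """Yield (colour, text) for every coloured, non-empty run in one line."""
    colour, pos = None, 0
    for m in ANSI_RE.finditer(line):
        text = line[pos:m.start()]
        if colour and text:
            yield colour, text
        code = m.group(1)
        colour = None if code in ("", "0") else COLOUR_NAMES.get(code, code)
        pos = m.end()
    if colour and line[pos:]:
        yield colour, line[pos:]


def new_item(section, label):
    # Every key exists from the start, so a check without a "╚ <url>" line
    # (as in winpeas output) never causes a KeyError later on.
    return {"section": section, "label": label, "value": [],
            "referenceUrl": None, "colors": {}}


def peas_to_json(raw):
    items, section, current = [], None, None
    for line in raw.splitlines():
        plain = strip_ansi(line)
        m = SECTION_RE.match(plain)
        if m:
            section = m.group(1)
            continue
        m = TITLE_RE.match(plain)
        if m:
            current = new_item(section, m.group(1))
            items.append(current)
            continue
        if current is None:
            continue                  # banner/legend before the first check
        m = INFO_RE.match(plain)
        if m:
            current["referenceUrl"] = m.group(1)
            continue
        if plain.strip():
            current["value"].append(plain)
            for colour, text in coloured_runs(line):
                current["colors"].setdefault(colour, []).append(text)
    for item in items:
        item["value"] = "\n".join(item["value"])
    return {"items": items}


# Constructed sample in a linpeas-like layout (not real tool output). The
# second check deliberately has no reference line, as winpeas output does.
SAMPLE = (
    "\x1b[1;33m══════════╣ \x1b[1;32mBasic information\x1b[1;33m ╠══════════\x1b[0m\n"
    "\x1b[1;33m╔══════════╣ \x1b[1;32mSudo version\x1b[1;33m\x1b[0m\n"
    "\x1b[1;33m╚ \x1b[1;34mhttps://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version\x1b[0m\n"
    "Sudo version \x1b[1;31m1.8.10p3\x1b[0m\n"
    "\x1b[1;33m╔══════════╣ \x1b[1;32mWritable files\x1b[1;33m\x1b[0m\n"
    "/etc/passwd \x1b[1;31;103mwritable\x1b[0m by \x1b[1;32mnobody\x1b[0m\n"
)

if __name__ == "__main__":
    print(json.dumps(peas_to_json(SAMPLE), indent=2, ensure_ascii=False))
```

Feed it a raw capture (`linpeas.sh | tee out.txt`, keeping the escape codes) and diff the resulting "colors" lists between two runs to see which red findings disappeared, which is the monitoring use case discussed above.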
Hey @carlospolop Just did a CTF which required exploiting MySQL with UDFs, if you could add a check to see if MySQL is running as root since that happens a lot that would be great! and it would help a lot in CTFs.
something simple I wrote to grab the user if any:
systemctl status mysql | grep -o "user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
Hi @NLT33, Linpeas enumerates processes and prints in red "root" (so you can check that there) and also reads the file debian.cnf where the user running mysql should be configured and prints it. However, I have added also that one, hopefully it will be completely clear now (it's true that this is a very common privesc in CTFs). Thanks for the code snippet.
Hey again @carlospolop , It does indeed but in my case you were not able to see any other processes than your own, so in the end it's better just to have another alternative.
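The point raised above, that process enumeration fails when /proc hides other users' processes, is why a "MySQL runs as root?" check should fall back to configuration. The following is an added example written for this page, in Python rather than linpeas' bash, and is not linpeas' own check. It reads /proc/<pid>/status (works only if the process is visible), the daemon's --user= switch from its command line, and the user= key of the server sections of a my.cnf-style file; CNF_PATHS and SERVICE_NAMES are assumed defaults. Note that the [client] block of debian.cnf holds the maintenance account's login, not the account the daemon runs as, so only server sections count here.

```python
import os
import pwd
import re

# Added example, not linpeas' own check: determine which user mysqld runs as
# from several sources, because `ps`-style enumeration fails when /proc is
# mounted with hidepid and other users' processes are invisible.

SERVICE_NAMES = ("mysqld", "mariadbd")
# Assumed server-config locations (Debian/Ubuntu and generic defaults).
CNF_PATHS = (
    "/etc/mysql/my.cnf",
    "/etc/mysql/mysql.conf.d/mysqld.cnf",
    "/etc/mysql/mariadb.conf.d/50-server.cnf",
    "/etc/my.cnf",
)


def owner_from_status(status_text):
    """Return (process name, real uid) from /proc/<pid>/status text when the
    process is a MySQL/MariaDB server, else None."""
    name = re.search(r"^Name:\s*(\S+)", status_text, re.M)
    uid = re.search(r"^Uid:\s*(\d+)", status_text, re.M)
    if name and uid and name.group(1) in SERVICE_NAMES:
        return name.group(1), int(uid.group(1))
    return None


def parse_cmdline_user(cmdline):
    """Pick --user=<name> (or --user <name>) out of a mysqld command line."""
    m = re.search(r"(?:^|\s)--user[= ](\S+)", cmdline)
    return m.group(1) if m else None


def parse_mycnf_user(text):
    """Return the user= value from the server sections of a my.cnf-style file.
    Strips inline '#' comments and skips '!includedir' directives. Client
    sections (e.g. the login in debian.cnf) are deliberately ignored."""
    section = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = re.match(r"^user\s*=\s*(\S+)", line)
        if m and section in ("mysqld", "mysqld_safe", "server"):
            return m.group(1)
    return None


def resolve_user(proc_user, cmdline_user, cnf_user):
    """Prefer what is observed running over what is merely configured."""
    for candidate in (proc_user, cmdline_user, cnf_user):
        if candidate:
            return candidate
    return None


def live_check(proc="/proc", cnf_paths=CNF_PATHS):
    """Best effort on a real host: scan /proc (entries may be hidden), then
    read the server config files. Returns the user name or None."""
    proc_user = cmdline_user = cnf_user = None
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        pids = []
    for pid in pids:
        try:
            with open(f"{proc}/{pid}/status") as f:
                owner = owner_from_status(f.read())
            if owner is None:
                continue
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                raw = f.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue
        try:
            proc_user = pwd.getpwuid(owner[1]).pw_name
        except KeyError:
            proc_user = str(owner[1])   # uid with no passwd entry
        cmdline_user = parse_cmdline_user(raw)
        break
    for path in cnf_paths:
        try:
            with open(path) as f:
                cnf_user = parse_mycnf_user(f.read())
        except OSError:
            continue
        if cnf_user:
            break
    return resolve_user(proc_user, cmdline_user, cnf_user)


# Constructed samples (not captured from a real host).
SAMPLE_STATUS = "Name:\tmysqld\nState:\tS (sleeping)\nPid:\t812\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
SAMPLE_CNF = "[client]\nport = 3306\n!includedir /etc/mysql/conf.d/\n\n[mysqld]\nuser = root  # CTF-style misconfiguration\ndatadir = /var/lib/mysql\n"

if __name__ == "__main__":
    user = live_check()
    print("mysqld user:", user or "unknown (process hidden and no config found)")
    if user == "root":
        print("[!] MySQL runs as root: a UDF loaded via the SQL interface runs as root too")
```

A None result is not proof that MySQL is absent; with hidepid in effect and no readable config, the remaining route is asking the server itself once you have SQL access.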