Add linpeas privilege escalation checks from: HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)

2025-12-12 15:49:51 -08:00 · 2025-08-27 19:33:09 +00:00
parent cc5ab76991
commit fd5a5919e4
3 changed files with 61 additions and 1 deletions
--- a/build_lists/sensitive_files.yaml
+++ b/build_lists/sensitive_files.yaml
@@ -3941,3 +3941,27 @@ search:
                type: f
                search_in: 
                  - common
+
+  - name: ISPConfig
+    value:
+        config:
+          auto_check: True
+
+        files:
+          - name: "config.inc.php"
+            value:
+                bad_regex: "db_|dbhost|dbuser|dbpass|db_name|db_user|db_password|db_host"
+                only_bad_lines: True
+                type: f
+                check_extra_path: "/usr/local/ispconfig"
+                search_in:
+                  - common
+
+          - name: "mysql_clientdb.conf"
+            value:
+                bad_regex: "user|pass|password|database|host"
+                only_bad_lines: True
+                type: f
+                check_extra_path: "/usr/local/ispconfig"
+                search_in:
+                  - common
--- a/linPEAS/TODO.md
+++ b/linPEAS/TODO.md
@@ -5,4 +5,5 @@
 - Mantain updated all the blacklists used to color the output
 - Improve the speed
 - Reduce the size of the script
- Generate automatically an obfuscated version
+- Generate automatically an obfuscated version
+- New: Detect root-owned php -S on 127.0.0.1 and ISPConfig installs; flag potential CVE-2023-46818 (Language Editor) risk.
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_ISPConfig_local_root_web_CVE-2023-46818.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_ISPConfig_local_root_web_CVE-2023-46818.sh
@@ -0,0 +1,35 @@
+# Title: Processes & Cron & Services & Timers - Root localhost web + ISPConfig (CVE-2023-46818)
+# ID: PR_ISPConfig_local_root_web_CVE-2023-46818
+# Author: HT Bot
+# Last Update: 27-08-2025
+# Description: Detect root-owned localhost PHP built-in web servers and ISPConfig installs. If ISPConfig < 3.2.11p1 is detected, flag potential CVE-2023-46818 (Language Editor PHP code injection).
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Initial Functions:
+# Generated Global Variables: $line
+# Global Variables: $SEARCH_IN_FOLDER, $SED_RED, $SED_YELLOW
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Root-owned localhost web services and ISPConfig (CVE-2023-46818)"
+  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#web-servers-and-panels"
+  # List root-owned php -S on loopback
+  if command -v ps >/dev/null 2>&1; then
+    ps -eo user=,args= 2>/dev/null | grep -E "^root .*php .* -S 127\\.0\\.0\\.1:[0-9]+" | while read -r line; do
+      echo "  └─ $line" | sed "s,root,${SED_RED}," | sed -E "s,127\\.0\\.0\\.1:([0-9]+),${SED_YELLOW},"
+    done
+  fi
+  for d in /var/www/ispconfig /usr/local/ispconfig; do
+    if [ -d "$d" ]; then
+      echo "  └─ ISPConfig path found: $d"
+    fi
+  done
+fi
+  # Try to spot version strings in files
+  for d in /var/www/ispconfig /usr/local/ispconfig; do
+    if [ -d "$d" ]; then
+      grep -R -m1 -E "ISPConfig[[:space:]]*3\\.[0-9]+\\.[0-9]+p?[0-9]*|ISPC_APP_VERSION|ISPConfig Version" "$d" 2>/dev/null | head -n1 | sed "s/^/     └─ Version ref: /"
+    fi
+  done