Merge pull request #365 from sttlr/patch-1

Fix Timeout parameter in Peass Metasploit module

linPEAS/builder/linpeas_parts/6_users_information.sh

@@ -214,8 +214,7 @@ if [ "$EXTRA_CHECKS" ]; then
 fi
 
 #-- UI) Brute su
-EXISTS_SUDO="$(command -v sudo 2>/dev/null)"
-if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] && [ "$EXISTS_SUDO" ]; then
+if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
   print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
   POSSIBE_SU_BRUTE=$(check_if_su_brute);
   if [ "$POSSIBE_SU_BRUTE" ]; then
@@ -228,6 +227,6 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] &&
     printf $GREEN"It's not possible to brute-force su.\n\n"$NC
   fi
 else
-  print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)\n"$NC
+  print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
 fi
 print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC

linPEAS/builder/linpeas_parts/linpeas_base.sh

@@ -74,6 +74,7 @@ THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lsc
 HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
 ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
       ${GREEN}  Checks:
+        ${YELLOW}    -a${BLUE} Perform all checks: 1 min of processes, su brute, and extra checks.
         ${YELLOW}    -o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list.
         ${YELLOW}    -s${BLUE} Stealth & faster (don't check some time consuming checks)
         ${YELLOW}    -e${BLUE} Perform extra enumeration
@@ -745,8 +746,9 @@ su_brute_user_num (){
 }
 
 check_if_su_brute(){
+  EXISTS_SU="$(command -v su 2>/dev/null)"
   error=$(echo "" | timeout 1 su $(whoami) -c whoami 2>&1);
-  if ! echo $error | grep -q "must be run from a terminal"; then
+  if [ "$EXISTS_SU" ] && ! echo $error | grep -q "must be run from a terminal"; then
     echo "1"
   fi
 }

metasploit/peass.rb

@@ -191,14 +191,14 @@ class MetasploitModule < Msf::Post
         cmd_utf16le = cmd.encode("utf-16le")
         cmd_utf16le_b64 = Base64.encode64(cmd_utf16le).gsub(/\r?\n/, "")
         
-        tmpout << cmd_exec("powershell.exe", args="-ep bypass -WindowStyle hidden -nop -enc #{cmd_utf16le_b64}", time_out=datastore["TIMEOUT"])
+        tmpout << cmd_exec("powershell.exe", args="-ep bypass -WindowStyle hidden -nop -enc #{cmd_utf16le_b64}", time_out=datastore["TIMEOUT"].to_i)
       
         # If unix, then, suppose linpeas was loaded
       else
         cmd += "| #{decode_linpeass_cmd}"
         cmd += "| sh -s -- #{datastore['PARAMETERS']}"
         cmd += last_cmd
-        tmpout << cmd_exec(cmd, args=nil, time_out=datastore["TIMEOUT"])
+        tmpout << cmd_exec(cmd, args=nil, time_out=datastore["TIMEOUT"].to_i)
       end
 
       print "\n#{tmpout}\n\n"