tested

update azure apps
fix azure apps
2025-12-12 15:49:51 -08:00 · 2024-12-22 01:28:12 +01:00 · 2024-12-21 17:49:41 +01:00 · 2024-12-21 15:12:59 +01:00 · 2024-12-05 17:49:44 +01:00 · 2024-12-05 12:00:27 +01:00
11 changed files with 37 additions and 16 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .vs/*
+.vscode/*
 winPEAS/winPEASexe/.vs/*
 v16/*
 winPEAS/winPEASexe/.vs/winPEAS/v16/*
@@ -24,6 +25,8 @@ __pycache__
 linPEAS/builder/__pycache__/*
 linPEAS/builder/src/__pycache__/*
 linPEAS/linpeas.sh
+linPEAS/builder/linpeas_base_tmp.sh
+build_lists/regexes.yaml
 sh2bin
 sh2bin/*
 .dccache
--- a/linPEAS/README.md
+++ b/linPEAS/README.md
@@ -22,7 +22,7 @@ Check how to **select the checks you want to build [in your own linpeas followin

 Note that by default, in the releases pages of this repository, you will find a **linpeas with all the checks**.

-## Differences between `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
+## Differences between `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:

 - **linpeas_fat.sh**: Contains all checks, even third party applications in base64 embedded.
 - **linpeas.sh**: Contains all checks, but only the third party application `linux exploit suggester` is embedded. This is the default `linpeas.sh`.
--- a/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh
@@ -14,6 +14,7 @@


 printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.xyz\n"$NC
+echo ""

 print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 print_list "GCP Cloud Funtion? ................... $is_gcp_function\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
--- a/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh
@@ -32,21 +32,39 @@ if [ "$is_az_vm" = "Yes" ]; then
  if [ "$az_req" ]; then
    print_3title "Instance details"
    exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
+    echo ""

    print_3title "Load Balancer details"
    exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
+    echo ""
+
+    print_3title "User Data"
+    exec_with_jq eval $az_req "$URL/instance/compute/userData?api-version=$API_VERSION\&format=text" | base64 -d 2>/dev/null
+    echo ""
+
+    print_3title "Custom Data and other configs (root needed)"
+    (cat /var/lib/waagent/ovf-env.xml || cat /var/lib/waagent/CustomData/ovf-env.xml) 2>/dev/null | sed "s,CustomData.*,${SED_RED},"
+    echo ""

    print_3title "Management token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
+    echo ""

    print_3title "Graph token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    echo ""
    
    print_3title "Vault token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+    echo ""

    print_3title "Storage token"
+    print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+    echo ""
  fi
  echo ""
 fi
--- a/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_app_service.sh
+++ b/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_app_service.sh
@@ -13,13 +13,12 @@
 # Small linpeas: 0


-API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
+API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp

 if [ "$is_az_app" = "Yes" ]; then
  print_2title "Azure App Service Enumeration"
-  echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"

-  HEADER="secret:$IDENTITY_HEADER"
+  HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"

  az_req=""
  if [ "$(command -v curl || echo -n '')" ]; then
@@ -33,13 +32,13 @@ if [ "$is_az_app" = "Yes" ]; then
  if [ "$az_req" ]; then
    print_3title "Management token"
    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
-
+    echo
    print_3title "Graph token"
    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
-    
+    echo
    print_3title "Vault token"
    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
-
+    echo
    print_3title "Storage token"
    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
  fi
--- a/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh
+++ b/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh
@@ -36,7 +36,7 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then
      for f in $(find $d -name user.MYD 2>/dev/null); do
        if [ -r "$f" ]; then
          echo "We can read the Mysql Hashes from $f" | sed -${E} "s,.*,${SED_RED},"
-          grep -oaE "[-_\.\*a-Z0-9]{3,}" "$f" | grep -v "mysql_native_password"
+          grep -oaE "[-_\.\*a-zA-Z0-9]{3,}" "$f" | grep -v "mysql_native_password"
        fi
      done
      
--- a/linPEAS/builder/linpeas_parts/functions/check_aliyun_ecs.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_aliyun_ecs.sh
@@ -13,8 +13,7 @@
 # Small linpeas: 1


-
-check_aliyun_ecs () {
+check_aliyun_ecs(){
  is_aliyun_ecs="No"
  if [ -f "/etc/cloud/cloud.cfg.d/aliyun_cloud.cfg" ]; then 
    is_aliyun_ecs="Yes"
--- a/linPEAS/builder/linpeas_parts/functions/check_az_app.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_az_app.sh
@@ -16,7 +16,7 @@
 check_az_app(){
  is_az_app="No"

-  if [ -d "/opt/microsoft" ] && env | grep -q "IDENTITY_ENDPOINT"; then
+  if [ -d "/opt/microsoft" ] && env | grep -iq "azure"; then
    is_az_app="Yes"
  fi
 }
--- a/linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_tencent_cvm.sh
@@ -16,7 +16,7 @@

 check_tencent_cvm () {
  is_tencent_cvm="No"
-  if [ -f "/etc/cloud/cloud.cfg.d/05_logging.cfg" ] || grep -qi Tencent /etc/cloud/cloud.cfg; then
+  if grep -qi Tencent /etc/cloud/cloud.cfg 2>/dev/null; then
      is_tencent_cvm="Yes"
  fi
 }
--- a/linPEAS/builder/src/linpeasBaseBuilder.py
+++ b/linPEAS/builder/src/linpeasBaseBuilder.py
@@ -66,7 +66,7 @@ class LinpeasBaseBuilder:
            self.linpeas_base += f"\nif echo $CHECKS | grep -q {section_info['name_check']}; then\n"
            self.linpeas_base += f'print_title "{section_name}"\n'

-            # Sort checks alphabetically to get them in the same order of they are in the folder
+            # Sort checks alphabetically to get them in the same order as they are in the folder
            section_info["checks"] = sorted(section_info["checks"], key=lambda x: int(os.path.basename(x.path).split('_')[0]) if os.path.basename(x.path).split('_')[0].isdigit() else 99)
            for check in section_info["checks"]:
                for func in check.initial_functions:
@@ -193,8 +193,9 @@ class LinpeasBaseBuilder:
    
    def get_funcs_deps(self, module, all_funcs):
        """Given 1 module and the list of modules return the functions recursively it depends on"""
-            
-        for func in module.functions_used:
+        
+        module_funcs = list(set(module.initial_functions + module.functions_used))
+        for func in module_funcs:
            func_module = self.find_func_module(func)
            #print(f"{module.id} has found {func} in {func_module.id}") #To find circular dependencies
            if not func_module.is_function:
--- a/linPEAS/builder/src/linpeasBuilder.py
+++ b/linPEAS/builder/src/linpeasBuilder.py
@@ -365,7 +365,7 @@ class LinpeasBuilder:
                    rb = requests.get(f"https://raw.githubusercontent.com/GTFOBins/GTFOBins.github.io/master/_gtfobins/{b}.md", timeout=5)
            if "sudo:" in rb.text:
                if len(b) <= 3:
-                    sudoVB.append("[^a-ZA-Z0-9]"+b+"$") # Less false possitives applied to small names
+                    sudoVB.append("[^a-zA-Z0-9]"+b+"$") # Less false possitives applied to small names
                else:
                    sudoVB.append(b+"$")
            if "suid:" in rb.text:
Author	SHA1	Message	Date
Carlos Polop	aa5f5c0e2f	tested	2024-12-22 01:28:12 +01:00
Carlos Polop	d576055342	update azure apps	2024-12-21 17:49:41 +01:00
Carlos Polop	a3e3e9799b	fix azure apps	2024-12-21 15:12:59 +01:00
Carlos Polop	2a71da4bb2	another linpeas fix	2024-12-05 17:49:44 +01:00
Carlos Polop	1e1a8a7c86	fix linpeas	2024-12-05 12:00:27 +01:00
Carlos Polop	186e659080	fix builder	2024-12-05 01:24:35 +01:00
Carlos Polop	3559a62d51	add more azure metadata info	2024-12-04 00:28:25 +01:00
Carlos Polop	ae49e7fa02	fix tencent	2024-12-03 19:51:16 +01:00
Carlos Polop	18f5b5ef96	f	2024-12-03 19:49:48 +01:00
SirBroccoli	4279b08991	Update README.md	2024-12-03 13:05:17 +01:00