add CVE-2021-4034

Update CONTRIBUTING.md

.github/FUNDING.yml

@@ -1 +1 @@
-custom: ['https://www.patreon.com/peass']
+custom: ['https://github.com/sponsors/carlospolop']

.github/ISSUE_TEMPLATE.md

@@ -1,4 +1,5 @@
 If you are going to suggest something, please remove the following template. 
+If your issue is related with WinPEAS.ps1 please mention https://github.com/RandolphConley
 
 #### Issue description
 

.github/workflows/CI-master_tests.yml

@@ -1,17 +1,21 @@
 name: CI-master_test
 
 on:
-  pull_request:
+  push:
     branches:
       - master
+      - main
+    paths-ignore:
+        - '.github/**'
+  
+  schedule:
+    - cron: "5 4 1 * *"
 
   workflow_dispatch:
 
 jobs:
-
   Build_and_test_winpeas_master:
     runs-on: windows-latest
-    needs: Build_and_test_linpeas_master
     
     # environment variables
     env:
@@ -24,10 +28,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@master
         with:
-          persist-credentials: false
-          # Otherwise, you will failed to push refs to dest repo.
-          fetch-depth: 0
-          ref: refs/heads/${{ github.head_ref }}
+          ref: ${{ github.head_ref }}
+      
+      - name: Download regexes
+        run: |
+          powershell.exe -ExecutionPolicy Bypass -File build_lists/download_regexes.ps1
             
       # Add  MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
       - name: Setup MSBuild.exe
@@ -89,87 +94,360 @@ jobs:
       # copy the files
       - name: Copy Dotfuscator generated files
         run: |
-            cp $env:DotFuscatorGeneratedPath\x64\winPEASx64.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64.exe"            
-            cp $env:DotFuscatorGeneratedPath\x86\winPEASx86.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86.exe"
-            cp $env:DotFuscatorGeneratedPath\any\winPEASany.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany.exe"
-      # Git add
-      - name: Create local changes
-        run: |
-            git add winPEAS\winPEASexe\binaries\Release\*
-            git add winPEAS\winPEASexe\binaries\x64\*
-            git add winPEAS\winPEASexe\binaries\x86\*
-            git add "winPEAS\winPEASexe\binaries\Obfuscated Releases\*.exe"
-      # Git commit
-      - name: Commit results to Github
-        run: |
-          git config --local user.email "ci@winpeas.com"
-          git config --global user.name "CI-winpeas"
-          git pull origin "${{ github.ref }}" --autostash --rebase -Xours
-          git commit -m "winpeas binaries auto update" -a --allow-empty
+            cp $env:DotFuscatorGeneratedPath\x64\winPEASx64.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe"            
+            cp $env:DotFuscatorGeneratedPath\x86\winPEASx86.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe"
+            cp $env:DotFuscatorGeneratedPath\any\winPEASany.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe"
       
-      # Git push
-      - name: Push changes
-        uses: ad-m/github-push-action@master
+      # Upload all the versions for the release
+      - name: Upload winpeasx64
+        uses: actions/upload-artifact@v4
         with:
-          branch: refs/heads/${{ github.head_ref }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          force: true
+          name: winPEASx64.exe
+          path: winPEAS\winPEASexe\binaries\x64\Release\winPEASx64.exe
+      
+      - name: Upload winpeasx86
+        uses: actions/upload-artifact@v4
+        with:
+          name: winPEASx86.exe
+          path: winPEAS\winPEASexe\binaries\x86\Release\winPEASx86.exe
+      
+      - name: Upload winpeasany
+        uses: actions/upload-artifact@v4
+        with:
+          name: winPEASany.exe
+          path: winPEAS\winPEASexe\binaries\Release\winPEASany.exe
+      
+      - name: Upload winpeasx64ofs
+        uses: actions/upload-artifact@v4
+        with:
+          name: winPEASx64_ofs.exe
+          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe
+      
+      - name: Upload winpeasx86ofs
+        uses: actions/upload-artifact@v4
+        with:
+          name: winPEASx86_ofs.exe
+          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe
+          
+      - name: Upload winpeasanyofs
+        uses: actions/upload-artifact@v4
+        with:
+          name: winPEASany_ofs.exe
+          path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe
+      
+      - name: Upload winpeas.bat
+        uses: actions/upload-artifact@v4
+        with:
+          name: winPEAS.bat
+          path: winPEAS\winPEASbat\winPEAS.bat
+          
+      # Git add
+      #- name: Create local changes
+      #  run: |
+      #      git add winPEAS\winPEASexe\binaries\Release\*
+      #      git add winPEAS\winPEASexe\binaries\x64\*
+      #      git add winPEAS\winPEASexe\binaries\x86\*
+      #      git add "winPEAS\winPEASexe\binaries\Obfuscated Releases\*.exe"
+      # Git commit
+      #- name: Commit results to Github
+      #  run: |
+      #    git config --local user.email "ci@winpeas.com"
+      #    git config --global user.name "CI-winpeas"
+      #    git pull origin "${{ github.ref }}" --autostash --rebase -Xours
+      #    git commit -m "winpeas binaries auto update" -a --allow-empty
+      # Git push
+      #- name: Push changes
+      #  uses: ad-m/github-push-action@master
+      #  with:
+      #    branch: ${{ github.head_ref }}
+      #    github_token: ${{ secrets.GITHUB_TOKEN }}
+      #    force: true
 
   Build_and_test_linpeas_master:
     runs-on: ubuntu-latest
 
     steps:
+      # Download repo
       - uses: actions/checkout@v2
         with:
-          persist-credentials: false
-          # Otherwise, you will failed to push refs to dest repo.
-          fetch-depth: 0
-          ref: refs/heads/${{ github.head_ref }}
-
+          ref: ${{ github.head_ref }}
+      
+      # Setup go
+      - uses: actions/setup-go@v2
+        with:
+          go-version: 1.17.0-rc1
+          stable: false
+      - run: go version
+      
+      # Build linpeas
       - name: Build linpeas
         run: |
           python3 -m pip install PyYAML
           cd linPEAS
-          python3 -m builder.linpeas_builder
-          
-      - name: Run linpeas help
-        run: linPEAS/linpeas.sh -h
-        
-      - name: Run linpeas
-        run: linPEAS/linpeas.sh -t
-
-      - name: Create local changes
-        run: git add linPEAS/linpeas.sh
-
-      - name: Commit results to Github
-        run: |
-          git config --local user.email ""
-          git config --global user.name "CI-linpeas-ubuntu"
-          git pull origin "${{ github.ref }}" --autostash --rebase -Xours
-          git commit -m "linpeas.sh auto update" -a --allow-empty
+          python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
+          python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
+          python3 -m builder.linpeas_builder --small --output linpeas_small.sh
       
-      - name: Push changes
-        uses: ad-m/github-push-action@master
+      # Build linpeas binaries
+      - name: Build linpeas binaries 
+        run: |
+          git clone https://github.com/carlospolop/sh2bin
+          cd sh2bin
+          bash build.sh ../linPEAS/linpeas.sh
+          mv builds/sh2bin_linux_386 builds/linpeas_linux_386
+          mv builds/sh2bin_linux_amd64 builds/linpeas_linux_amd64
+          mv builds/sh2bin_linux_arm builds/linpeas_linux_arm
+          mv builds/sh2bin_linux_arm64 builds/linpeas_linux_arm64
+          mv builds/sh2bin_darwin_amd64 builds/linpeas_darwin_amd64
+          mv builds/sh2bin_darwin_arm64 builds/linpeas_darwin_arm64
+          ls -lR ./ 
+            
+      # Run linpeas help as quick test
+      - name: Run linpeas help
+        run: linPEAS/linpeas_fat.sh -h && linPEAS/linpeas.sh -h && linPEAS/linpeas_small.sh -h
+      
+      # Run linpeas as a test
+      - name: Run linpeas system_information
+        run: linPEAS/linpeas_fat.sh -o system_information -a
+      
+      - name: Run linpeas container
+        run: linPEAS/linpeas_fat.sh -o container -a
+      
+      - name: Run linpeas cloud
+        run: linPEAS/linpeas_fat.sh -o cloud -a
+      
+      - name: Run linpeas procs_crons_timers_srvcs_sockets
+        run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
+      
+      - name: Run linpeas network_information
+        run: linPEAS/linpeas_fat.sh -o network_information -t -a
+      
+      - name: Run linpeas users_information
+        run: linPEAS/linpeas_fat.sh -o users_information -a
+      
+      - name: Run linpeas software_information
+        run: linPEAS/linpeas_fat.sh -o software_information -a
+      
+      - name: Run linpeas interesting_perms_files
+        run: linPEAS/linpeas_fat.sh -o interesting_perms_files -a
+      
+      - name: Run linpeas interesting_files
+        run: linPEAS/linpeas_fat.sh -o interesting_files -a
+      
+      # Too much time
+      #- name: Run linpeas api_keys_regex
+      #  run: linPEAS/linpeas.sh -o api_keys_regex -r
+      
+      # Upload files for release
+      - name: Upload linpeas.sh
+        uses: actions/upload-artifact@v4
         with:
-          branch: refs/heads/${{ github.head_ref }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          force: true
+          name: linpeas.sh
+          path: linPEAS/linpeas.sh
+      
+      - name: Upload linpeas_fat.sh
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_fat.sh
+          path: linPEAS/linpeas_fat.sh
+      
+      - name: Upload linpeas_small.sh
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_small.sh
+          path: linPEAS/linpeas_small.sh
+      
+      ## Linux bins
+      - name: Upload linpeas_linux_386
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_linux_386
+          path: sh2bin/builds/linpeas_linux_386
+      
+      - name: Upload linpeas_linux_amd64
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_linux_amd64
+          path: sh2bin/builds/linpeas_linux_amd64
+      
+      - name: Upload linpeas_linux_arm
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_linux_arm
+          path: sh2bin/builds/linpeas_linux_arm
+          
+      - name: Upload linpeas_linux_arm64
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_linux_arm64
+          path: sh2bin/builds/linpeas_linux_arm64
+      
+      ## Darwin bins
+      - name: Upload linpeas_darwin_amd64
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_darwin_amd64
+          path: sh2bin/builds/linpeas_darwin_amd64
+          
+      - name: Upload linpeas_darwin_arm64
+        uses: actions/upload-artifact@v4
+        with:
+          name: linpeas_darwin_arm64
+          path: sh2bin/builds/linpeas_darwin_arm64
+      
+      # Clean sh2bin repo
+      - name: Cleaning sh2bin
+        run: rm -rf sh2bin
 
+     # - name: Create local changes
+     #   run: git add linPEAS/linpeas.sh
+     # - name: Commit results to Github
+     #   run: |
+     #     git config --local user.email ""
+     #     git config --global user.name "CI-linpeas-ubuntu"
+     #     git pull origin "${{ github.ref }}" --autostash --rebase -Xours
+     #     git commit -m "linpeas.sh auto update" -a --allow-empty
+     # - name: Push changes
+     #   uses: ad-m/github-push-action@master
+     #   with:
+     #     branch: ${{ github.head_ref }}
+     #     github_token: ${{ secrets.GITHUB_TOKEN }}
+     #     force: true
+  
   Build_and_test_macpeas_master:
     runs-on: macos-latest
 
     steps:
+      # Download repo
       - uses: actions/checkout@v2
-
+      
+      # Build linpeas
       - name: Build macpeas
         run: |
-          python3 -m pip install PyYAML
-          python3 -m pip install requests
+          python3 -m pip install PyYAML --break-system-packages
+          python3 -m pip install requests --break-system-packages
           cd linPEAS
-          python3 -m builder.linpeas_builder
+          python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
       
+      # Run linpeas help as quick test
       - name: Run macpeas help
-        run: linPEAS/linpeas.sh -h
+        run: linPEAS/linpeas_fat.sh -h
       
-      - name: Run macpeas
-        run: linPEAS/linpeas.sh -o SysI,Container,Devs,AvaSof,ProCronSrvcsTmrsSocks,Net,UsrI,SofI
+      # Run macpeas parts to test it
+      #- name: Run macpeas
+      #  run: linPEAS/linpeas.sh -D -o system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information
+
+     
+  Publish_release:
+    runs-on: ubuntu-latest
+    needs: [Build_and_test_winpeas_master, Build_and_test_linpeas_master, Build_and_test_macpeas_master]
+
+    steps:
+    # Download files to release
+    - name: Download winpeasx64ofs
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: winPEASx64_ofs.exe
+
+    - name: Download winpeasx86ofs
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: winPEASx86_ofs.exe
+
+    - name: Download winpeasanyofs
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: winPEASany_ofs.exe
+
+    - name: Download winpeasx64
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: winPEASx64.exe
+    
+    - name: Download winpeasx86
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: winPEASx86.exe
+
+    - name: Download winpeasany
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: winPEASany.exe
+    
+    - name: Download winpeas.bat
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: winPEAS.bat
+
+    - name: Download linpeas.sh
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas.sh
+    
+    - name: Download linpeas_fat.sh
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_fat.sh
+    
+    - name: Download linpeas_small.sh
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_small.sh
+
+    - name: Download linpeas_linux_386
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_linux_386
+
+    - name: Download linpeas_linux_amd64
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_linux_amd64
+
+    - name: Download linpeas_linux_arm
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_linux_arm
+
+    - name: Download linpeas_linux_arm64
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_linux_arm64
+
+    - name: Download linpeas_darwin_amd64
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_darwin_amd64
+
+    - name: Download linpeas_darwin_arm64
+      uses: actions/download-artifact@v4.1.7
+      with:
+        name: linpeas_darwin_arm64
+    
+    - name: Get current date
+      id: date
+      run: echo "::set-output name=date::$(date +'%Y%m%d')"
+    
+    - name: Generate random
+      id: random_n
+      run: echo "::set-output name=some_rand::$(openssl rand -hex 4)"
+    
+    # Create the release
+    - name: Create Release
+      id: create_release
+      uses: actions/create-release@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        tag_name: ${{steps.date.outputs.date}}-${{steps.random_n.outputs.some_rand}}
+        release_name: Release ${{ github.ref }} ${{steps.date.outputs.date}}-${{steps.random_n.outputs.some_rand}}
+        draft: false
+        prerelease: false
+        
+    - id: upload_release_assets
+      uses: dwenegar/upload-release-assets@v1
+      with:
+        release_id: ${{ steps.create_release.outputs.id }}
+        assets_path: .
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/artifacts_cleanup.yml

@@ -0,0 +1,14 @@
+name: 'nightly artifacts cleanup'
+on:
+  schedule:
+    - cron: '0 6 * * 2' # At 6am on Tuesdays
+  workflow_dispatch:
+
+jobs:
+  delete-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: kolpav/purge-artifacts-action@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          expire-in: 1days # Set this to 0 to delete all artifacts

.gitignore

@@ -2,6 +2,7 @@
 winPEAS/winPEASexe/.vs/*
 v16/*
 winPEAS/winPEASexe/.vs/winPEAS/v16/*
+winPEAS/winPEASexe/binaries/**/*.exe
 Debug/*
 winPEAS/winPEASexe/winPEAS/bin/Debug/*
 .DS_Store
@@ -21,4 +22,11 @@ __pycache__
 */__pycache__
 **/__pycache__
 linPEAS/builder/__pycache__/*
-linPEAS/builder/src/__pycache__/*
+linPEAS/builder/src/__pycache__/*
+linPEAS/linpeas.sh
+sh2bin
+sh2bin/*
+.dccache
+./*/.dccache
+regexes.yaml
+build_lists/regexes.yaml

CONTRIBUTING.md

@@ -1,16 +1,19 @@
 # Contributing to this repository
 
 ## Making Suggestions 
-If you wan tto make a suggestion for linpeas or winpeas please use **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues)**
+If you want to make a suggestion for linpeas or winpeas please use **[github issues](https://github.com/peass-ng/PEASS-ng/issues)**
+
+## Do don't know how to help?
+Check out the **[TODO](https://github.com/peass-ng/PEASS-ng/blob/master/TODO.md) page**
 
 ## Searching for files with sensitive information
-From the PEASS-ng release **winpeas and linpeas are auto-built** and will search for files containing sensitive information specified in the **[sesitive_files.yaml](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/build_lists/sensitive_files.yaml)** file.
+From the PEASS-ng release **winpeas and linpeas are auto-built** and will search for files containing sensitive information specified in the **[sesitive_files.yaml](https://github.com/peass-ng/PEASS-ng/blob/master/build_lists/sensitive_files.yaml)** file.
 
-If you want to **contribute adding the search of new files that can contain sensitive information**, please, just update **[sesitive_files.yaml](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/build_lists/sensitive_files.yaml)** and create a **PR to master** (*linpeas and winpeas will be auto-built in this PR*). You can find examples of how to contribute to this file inside the file.
+If you want to **contribute adding the search of new files that can contain sensitive information**, please, just update **[sesitive_files.yaml](https://github.com/peass-ng/PEASS-ng/blob/master/build_lists/sensitive_files.yaml)** and create a **PR to master** (*linpeas and winpeas will be auto-built in this PR*). You can find examples of how to contribute to this file inside the file.
 Also, in the comments of this PR, put links to pages where and example of the file containing sensitive information can be foud.
 
 ## Specific LinPEAS additions
-From the PEASS-ng release **linpeas is auto-build from [linpeas_base.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/builder/linpeas_base.sh)**. Therefore, if you want to contribute adding any new check for linpeas/macpeas, please **add it in this file and create a PR to master**.
+From the PEASS-ng release **linpeas is auto-build from [linpeas/builder](https://github.com/peass-ng/PEASS-ng/blob/master/linPEAS/builder/)**. Therefore, if you want to contribute adding any new check for linpeas/macpeas, please **add it in this directory and create a PR to master**. *Note that some code is auto-generated in the python but most of it it's just written in different files that will be merged into linpeas.sh*.
 The new linpeas.sh script will be auto-generated in the PR.
 
 ## Specific WinPEAS additions

LICENSE

@@ -1,21 +1,347 @@
-MIT License
+COPYING -- Describes the terms under which peass-ng is distributed. A copy
+of the GNU General Public License (GPL) is appended to this file.
 
-Copyright (c) 2019 Carlos Polop
+peass-ng is (C) 2019-2024 Carlos Polop Martin.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+This program is free software; you may redistribute and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation; Version 2 (or later) with the clarifications and
+exceptions described below. This guarantees your right to use, modify, and
+redistribute this software under certain conditions. If you wish to embed
+peass-ng technology into proprietary software, we sell alternative licenses
+(contact me via email, telegram or github issue).
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+Note that the GPL places important restrictions on "derived works", yet it
+does not provide a detailed definition of that term. To avoid
+misunderstandings, we interpret that term as broadly as copyright law
+allows. For example, we consider an application to constitute a "derived
+work" for the purpose of this license if it does any of the following:
+* Integrates source code from peass-ng.
+* Reads or includes peass-ng copyrighted files or any file in this repository
+* Executes peass-ng and parses the results (as opposed to typical shell or
+  execution-menu apps, which simply display raw peass-ng output and so are
+  not derivative works).
+* Integrates/includes/aggregates peass-ng into a proprietary executable
+  installer, such as those produced by InstallShield.
+* Links to a library or executes a program that does any of the above
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+The term "peass-ng" should be taken to also include any portions or derived
+works of peass-ng. This list is not exclusive, but is meant to clarify our
+interpretation of derived works with some common examples. Our
+interpretation applies only to peass-ng - we do not speak for other people's
+GPL works.
+
+This license does not apply to the third-party components.
+
+If you have any questions about the GPL licensing restrictions on using
+peass-ng in non-GPL works, we would be happy to help. As mentioned above,
+we also offer alternative license to integrate peass-ng into proprietary
+applications and appliances.
+
+If you received these files with a written license agreement or contract
+stating terms other than the terms above, then that alternative license
+agreement takes precedence over these comments.
+
+Source is provided to this software because we believe users have a right
+to know exactly what a program is going to do before they run it.
+
+Source code also allows you to fix bugs and add new features. You are
+highly encouraged to send your changes for possible
+incorporation into the main distribution. By sending these changes to the
+peass-ng developers or via Git pull request, checking them into the peass-ng
+source code repository, it is understood (unless you specify otherwise)
+that you are offering the peass-ng project the unlimited, non-exclusive
+right to reuse, modify, and relicense the code. peass-ng will always be
+available Open Source, but this is important because the inability to
+relicense code has caused devastating problems for other Free Software
+projects (such as KDE and NASM). If you wish to specify special license
+conditions of your contributions, just say so when you send them.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License v2.0 for more details at
+http://www.gnu.org/licenses/gpl-2.0.html, or below
+
+****************************************************************************
+
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS

README.md

@@ -1,42 +1,40 @@
-# PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation
-
-![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/peass.png)
-
-![](https://img.shields.io/badge/Black-Arch-black) ![](https://img.shields.io/badge/Arch-AUR-brightgreen) ![](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202020-red)
-
-# Basic Tutorial
-[![Tutorial](https://img.youtube.com/vi/2Ey1WQXNp3w/0.jpg)](https://www.youtube.com/watch?v=9_fJv_weLU0&list=PL9fPq3eQfaaDxjpXaDYApfVA_IB8T14w7)
-
-
-Here you will find **privilege escalation tools for Windows and Linux/Unix\* and MacOS**.
-
-These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
-
-- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)**
-- **[WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
-
-- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**
-- **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
-
-## Let's improve PEASS together
-
-If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or contribute reading the **[CONTRIBUTING.md](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/CONTRIBUTING.md)** file.
-
-## Please, if this tool has been useful for you consider to donate
-
-[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.patreon.com/peass)
-
-## PEASS Style
-
-Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/stores/peass)** and show your love for our favorite peas
-
-## Advisory
-
-All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
-
-
-## License
-
-MIT License
-
-By Polop<sup>(TM)</sup>
+# PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation
+
+![](https://github.com/peass-ng/PEASS-ng/raw/master/linPEAS/images/peass.png)
+
+![](https://img.shields.io/badge/Black-Arch-black) ![](https://img.shields.io/badge/Arch-AUR-brightgreen) ![](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202020-red)
+
+# Basic Tutorial
+[![Tutorial](https://img.youtube.com/vi/2Ey1WQXNp3w/0.jpg)](https://www.youtube.com/watch?v=9_fJv_weLU0&list=PL9fPq3eQfaaDxjpXaDYApfVA_IB8T14w7)
+
+
+Here you will find **privilege escalation tools for Windows and Linux/Unix\* and MacOS**.
+
+These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
+
+- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+- **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
+
+- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**
+- **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
+
+## Quick Start
+Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.
+
+## JSON, HTML & PDF output
+Check the **[parsers](./parsers/)** directory to **transform PEASS outputs to JSON, HTML and PDF**
+
+## Join us!
+
+If you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
+
+You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
+
+## Let's improve PEASS together
+
+If you want to **add something** and have **any cool idea** related to this project, please let me know it in the **telegram group https://t.me/peass** or contribute reading the **[CONTRIBUTING.md](https://github.com/peass-ng/PEASS-ng/blob/master/CONTRIBUTING.md)** file.
+
+## Advisory
+
+All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
+

TODO.md

@@ -0,0 +1,28 @@
+# TODO
+
+### Generate Nice Reports
+- [x] Create a parser from linpeas and winpeas.exe output to JSON. You can fin it [here](https://github.com/peass-ng/PEASS-ng/tree/master/parser).
+- [ ] Create a python script that generates a nice HTML/PDF from the JSON output
+
+### Generate a DB of Known Vulnerable Binaries
+- [ ] Create a DB of the md5/sha1 of binaries known to be vulnerable to command execution/Privilege Escalation
+
+### Maintain Updated LinPEAS's known SUID exploits 
+- [ ] Maintain updated LinPEAS's known SUID exploits 
+
+### Network Capabilities for WinPEAS
+- [ ] Give to WinPEAS network host discover capabilities and port scanner capabilities (like LinPEAS has)
+
+### Add More checks to LinPEAS and WinPEAS
+- [ ] Add more checks in LinPEAS
+- [ ] Add more checks in WinPEAS
+
+### Find a way to minify and/or obfuscate LinPEAS automatically
+- [ ] Find a way to minify and/or obfuscate linpeas.sh automatically. If you know a way contact me in Telegram or via github issues
+
+### Create a PEASS-ng Web Page were the project is properly presented
+- [ ] Let me know in Telegram or github issues if you are interested in helping with this
+
+### Relate LinPEAS and WinPEAS with the Att&ck matrix
+- [ ] In the title of each check of LinPEAS and WinPEAS indicate between parenthesis and in grey the Tactic used. Example: **Enumerating something** (*T1234*)
+- [ ] Once the previous task is done, modify LinPEAS and WinPEAS to be able to indicate just the Tactic(s) that want to be executed so the scripts only execute the checks related to those tactics. Example: `linpeas.sh -T T1590,T1591`

build_lists/download_regexes.ps1

@@ -0,0 +1,5 @@
+$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+$filePath = Join-Path $scriptDir "regexes.yaml"
+$url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"
+
+Invoke-WebRequest $url -OutFile $filePath

build_lists/download_regexes.py

@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+
+import os
+import requests
+from pathlib import Path
+
+
+def download_regexes():
+    print("[+] Downloading regexes...")
+    url = "https://raw.githubusercontent.com/JaimePolop/RExpository/main/regex.yaml"
+    response = requests.get(url)
+    if response.status_code == 200:
+        # Save the content of the response to a file
+        script_folder = Path(os.path.dirname(os.path.abspath(__file__)))
+        target_file = script_folder / 'regexes.yaml'
+
+        with open(target_file, "w") as file:
+            file.write(response.text)
+        print(f"Downloaded and saved in '{target_file}' successfully!")
+    else:
+        print("Error: Unable to download the regexes file.")
+        exit(1)
+
+download_regexes()

build_lists/regexes.yaml

@@ -0,0 +1,3 @@
+# This is a placeholder
+# It will be replaced by the actual regexes.yaml file
+# generated by download-regexes.py or download-regexes.ps1 (execute it before building the tools)

linPEAS/TODO.md

@@ -0,0 +1,8 @@
+- Add more checks
+- Add more potential files with passwords to sensitive_files.yaml
+- Add more regex of interesting APIs to regexes.yaml
+- Mantain updated the list of vulnerable SUID binaries
+- Mantain updated all the blacklists used to color the output
+- Improve the speed
+- Reduce the size of the script
+- Generate automatically an obfuscated version

linPEAS/builder/README.md

@@ -0,0 +1,78 @@
+# Build you own linpeas!
+
+You can **build you own linpeas which will contain only the checks you want**. This is useful to reduce the time it takes to run linpeas and to make linpeas more stealth and modular.
+
+## Quick start building linpeas.sh
+
+It's possible to indicate the params `--all`, `--all-no-fat` and `--small` to build the classic `linpeas_fat.sh`, `linpeas.sh` and `linpeas_small.sh`:
+
+- **linpeas_fat.sh**: Contains all checks, even third party applications in base64 embedded.
+- **linpeas.sh**: Contains all checks, but only the third party application `linux exploit suggester` is embedded. This is the default `linpeas.sh`.
+- **linpeas_small.sh**: Contains only the most *important* checks making its size smaller.
+
+However, in order to indicate only some specific checks, you can use the `--include` and `--exclude` params. These arguments supports a comma separated list of modules to add or remove from the final linpeas. Note that the matchs are done by checking **if the module path string contains any of the words** indicated in those params. Therefore, if you want to inde all the tests from the `linpeas_parts/3_cloud` it's enough to indicate `--include "cloud"`. Or if you want to include only the check `linpeas_parts/3_cloud/1_Check_if_in_Cloud` you can indicate `--include "Check_if_in_Cloud"`.
+
+```bash
+# Run this commands from 1 level above the builder folder. From here: cd ..
+# Build linpeas_fat (linpeas with all checks, even third party applications in base64 embedded)
+python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh
+
+# Build regular linpeas
+python3 -m builder.linpeas_builder --all-no-fat --output /tmp/linpeas.sh
+
+# Build small linpeas
+python3 -m builder.linpeas_builder --small --output /tmp/linpeas_small.sh
+
+# Build linpeas only with container and cloud checks
+python3 -m builder.linpeas_builder --include "container,cloud" --output /tmp/linpeas_custom.sh
+
+# Build linpeas only with regexes
+python3 -m builder.linpeas_builder --include "api_keys_regex" --output /tmp/linpeas_custom.sh
+
+# Build linpeas only with some specific modules
+## You can customize it as much as you want
+python3 -m builder.linpeas_builder --include "CPU_info,Sudo_version,Clipboard_highlighted_text" --output /tmp/linpeas_custom.sh
+
+# Build linpeas excluding some specific modules
+python3 -m builder.linpeas_builder --exclude "CPU_info,Sudo_version,Clipboard_highlighted_text" --output /tmp/linpeas_custom.sh
+```
+
+## How to add new modules
+
+Adding new modules is very easy. You just need to create a new file in the `linpeas_parts/<corresponding section>` folder with the following structure with the bash code to run. Note that every new module should have some specific metadata at the beggining of the file. This metadata is used by the builder to generate the final linpeas.
+
+Metadata example:
+
+```bash
+# Title: Cloud - Check if in cloud
+# ID: CL_Check_if_in_cloud
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check if the current system is inside a cloud environment
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
+# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
+# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_aliyun_ecs, check_tencent_cvm
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+<code>
+```
+
+### Metadata parts explained
+
+- **Title**: Title of the module
+- **ID**: Unique identifier of the module. It has to be the same as the filename without the extension and with the section identifier as prefix (in this case `CL`)
+- **Author**: Author of the module
+- **Last Update**: Last update of the module
+- **Description**: Description of the module
+- **License**: License of the module
+- **Version**: Version of the module
+- **Functions Used**: Functions used by the module inside the bash code. If your module is using a function not defined here, linpeas won't be built.
+- **Global Variables**: Global variables used by the module inside the bash code. If your module is using a global variable not defined here, linpeas won't be built.
+- **Initial Functions**: Functions that are called at the beggining of the module. If your module is using a function not defined here, linpeas won't be built.
+- **Generated Global Variables**: Global variables generated (given a relevant value) by the module. If your module is generating a global variable not defined here, linpeas won't be built.
+- **Fat linpeas**: Set only as 1 if the module is loading a third party app, if not 0.
+- **Small linpeas**: Set as 1 if it's a quick check, if not 0.

linPEAS/builder/linpeas_builder.py

@@ -1,19 +1,55 @@
 from .src.peasLoaded import PEASLoaded
 from .src.linpeasBuilder import LinpeasBuilder
-from .src.yamlGlobals import FINAL_LINPEAS_PATH
+from .src.linpeasBaseBuilder import LinpeasBaseBuilder
+from .src.yamlGlobals import FINAL_FAT_LINPEAS_PATH, FINAL_LINPEAS_PATH, TEMPORARY_LINPEAS_BASE_PATH
 
 import os
 import stat
+import argparse
 
-#python3 -m builder.linpeas_builder
-def main():
+# python3 -m builder.linpeas_builder
+def main(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules, output):
+    # Load configuration
     ploaded = PEASLoaded()
+
+    # Build temporary linpeas_base.sh file
+    lbasebuilder = LinpeasBaseBuilder(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules)
+    lbasebuilder.build()
+
+    # Build final linpeas.sh
     lbuilder = LinpeasBuilder(ploaded)
     lbuilder.build()
-    lbuilder.write_linpeas(FINAL_LINPEAS_PATH)
-    st = os.stat(FINAL_LINPEAS_PATH)
-    os.chmod(FINAL_LINPEAS_PATH, st.st_mode | stat.S_IEXEC)
-
+    lbuilder.write_linpeas(output)
+    os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base_temp.sh file
+    
+    st = os.stat(output)
+    os.chmod(output, st.st_mode | stat.S_IEXEC)
 
 if __name__ == "__main__":
-    main()
+    parser = argparse.ArgumentParser(description='Build you own linpeas.sh')
+    parser.add_argument('--all', action='store_true', help='Build linpeas with all modules (linpeas_fat).')
+    parser.add_argument('--all-no-fat', action='store_true', help='Build linpeas with all modules except fat ones.')
+    parser.add_argument('--no-network-scanning', action='store_true', help='Build linpeas without network scanning.')
+    parser.add_argument('--small', action='store_true', help='Build small version of linpeas.')
+    parser.add_argument('--include', type=str, help='Build linpeas only with the modules indicated you can indicate section names or module IDs).')
+    parser.add_argument('--exclude', type=str, help='Exclude the given modules (you can indicate section names or module IDs).')
+    parser.add_argument('--output', required=True, type=str, help='Parth to write the final linpeas file to.')
+    args = parser.parse_args()
+
+    all_modules = args.all
+    all_no_fat_modules = args.all_no_fat
+    no_network_scanning = args.no_network_scanning
+    small = args.small
+    include_modules = args.include.split(",") if args.include else []
+    include_modules = [m.strip().lower() for m in include_modules]
+    exclude_modules = args.exclude.split(",") if args.exclude else []
+    exclude_modules = [m.strip().lower() for m in exclude_modules]
+    output = args.output
+
+    # If not all, all-no-fat, small or include, exit
+    if not args.all and not args.all_no_fat and not args.small and not args.include:
+        print("You must specify one of the following options: --all, --all-no-fat, --small or --include")
+        parser.print_help()
+        exit(1)
+    
+    main(all_modules, all_no_fat_modules, no_network_scanning, small, include_modules, exclude_modules, output)

linPEAS/builder/linpeas_parts/10_api_keys_regex/regexes.sh

@@ -0,0 +1,20 @@
+# Title: API Keys Regex - Regexes
+# ID: RX_regexes
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Regexes
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, search_for_regex
+# Global Variables: $REGEXES, $TIMEOUT
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$REGEXES" ] && [ "$TIMEOUT" ]; then
+    peass{REGEXES}
+else
+    echo "Regexes to search for API keys aren't activated, use param '-r' "
+fi

linPEAS/builder/linpeas_parts/1_system_information/10_Enviroment.sh

@@ -0,0 +1,19 @@
+# Title: System Information - Enviroment
+# ID: SY_Enviroment
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information inside environment variables
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Environment"
+print_info "Any private information inside environment variables?"
+(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh

@@ -0,0 +1,21 @@
+# Title: System Information - Dmesg
+# ID: SY_Dmesg
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Searching Signature verification failed in dmesg
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+    print_2title "Searching Signature verification failed in dmesg"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
+    (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh

@@ -0,0 +1,31 @@
+# Title: System Information - MacOS OS checks
+# ID: SY_Macos_os_checks
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Macos OS checks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used:macosNotSigned, print_2title
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ]; then
+    print_2title "Kernel Extensions not belonging to apple"
+    kextstat 2>/dev/null | grep -Ev " com.apple."
+    echo ""
+
+    print_2title "Unsigned Kernel Extensions"
+    macosNotSigned /Library/Extensions
+    macosNotSigned /System/Library/Extensions
+    echo ""
+fi
+
+if [ "$MACPEAS" ] && [ "$(command -v brew 2>/dev/null || echo -n '')" ]; then
+    print_2title "Brew Doctor Suggestions"
+    brew doctor
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/13_Linux_exploit_suggester.sh

@@ -0,0 +1,22 @@
+# Title: System Information - Linux Exploit Suggester
+# ID: SY_Linux_exploit_suggester
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Linux Exploit Suggester tool execution
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables: $les_b64
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$(command -v bash 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
+    print_2title "Executing Linux Exploit Suggester"
+    print_info "https://github.com/mzet-/linux-exploit-suggester"
+    les_b64="peass{https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh}"
+    echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s/\[(CVE-[0-9]+-[0-9]+,?)+\].*/${SED_RED}/g"
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/14_Linux_exploit_suggester_2.sh

@@ -0,0 +1,22 @@
+# Title: System Information - Linux Exploit Suggester 2 
+# ID: SY_Linux_exploit_suggester_2
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Linux Exploit Suggester 2 tool execution
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $les2_b64
+# Fat linpeas: 1
+# Small linpeas: 0
+
+
+if [ "$(command -v perl 2>/dev/null || echo -n '')" ] && ! [ "$MACPEAS" ]; then
+    print_2title "Executing Linux Exploit Suggester 2"
+    print_info "https://github.com/jondonas/linux-exploit-suggester-2"
+    les2_b64="peass{https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl}"
+    echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -iE "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/15_Protections.sh

@@ -0,0 +1,115 @@
+# Title: System Information - Kernel Extensions
+# ID: SY_Protections
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Kernel Extensions
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_list, warn_exec
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+#-- SY) AppArmor
+print_2title "Protections"
+print_list "AppArmor enabled? .............. "$NC
+if [ "$(command -v aa-status 2>/dev/null || echo -n '')" ]; then
+    aa-status 2>&1 | sed "s,disabled,${SED_RED},"
+elif [ "$(command -v apparmor_status 2>/dev/null || echo -n '')" ]; then
+    apparmor_status 2>&1 | sed "s,disabled,${SED_RED},"
+elif [ "$(ls -d /etc/apparmor* 2>/dev/null)" ]; then
+    ls -d /etc/apparmor*
+else
+    echo_not_found "AppArmor"
+fi
+
+#-- SY) AppArmor2
+print_list "AppArmor profile? .............. "$NC
+(cat /proc/self/attr/current 2>/dev/null || echo "unconfined") | sed "s,unconfined,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
+
+#-- SY) LinuxONE
+print_list "is linuxONE? ................... "$NC
+( (uname -a | grep "s390x" >/dev/null 2>&1) && echo "Yes" || echo_not_found "s390x")
+
+#-- SY) grsecurity
+print_list "grsecurity present? ............ "$NC
+( (uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo_not_found "grsecurity")
+
+#-- SY) PaX
+print_list "PaX bins present? .............. "$NC
+(command -v paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo_not_found "PaX")
+
+#-- SY) Execshield
+print_list "Execshield enabled? ............ "$NC
+(grep "exec-shield" /etc/sysctl.conf 2>/dev/null || echo_not_found "Execshield") | sed "s,=0,${SED_RED},"
+
+#-- SY) SElinux
+print_list "SELinux enabled? ............... "$NC
+(sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
+
+#-- SY) Seccomp
+print_list "Seccomp enabled? ............... "$NC
+([ "$(grep Seccomp /proc/self/status 2>/dev/null | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+#-- SY) AppArmor
+print_list "User namespace? ................ "$NC
+if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+
+#-- SY) cgroup2
+print_list "Cgroup2 enabled? ............... "$NC
+([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+#-- SY) Gatekeeper
+if [ "$MACPEAS" ]; then
+    print_list "Gatekeeper enabled? .......... "$NC
+    (spctl --status 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
+
+    print_list "sleepimage encrypted? ........ "$NC
+    (sysctl vm.swapusage | grep "encrypted" | sed "s,encrypted,${SED_GREEN},") || echo_no
+
+    print_list "XProtect? .................... "$NC
+    (system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 | grep -Iv "^$") || echo_no
+
+    print_list "SIP enabled? ................. "$NC
+    csrutil status | sed "s,enabled,${SED_GREEN}," | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
+
+    print_list "Sealed Snapshot? ............. "$NC
+    diskutil apfs list | grep "Snapshot Sealed" | awk -F: '{print $2}' | tr -d '[:space:]' | sed "s,Yes,${SED_GREEN}," | sed "s,No,${SED_RED}," || echo_not_found
+
+    print_list "Sealed Snapshot (2nd)? ....... "$NC
+    csrutil authenticated-root status | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
+
+
+    print_list "Connected to JAMF? ........... "$NC
+    warn_exec jamf checkJSSConnection
+
+    print_list "Connected to AD? ............. "$NC
+    dsconfigad -show && echo "" || echo_no
+fi
+
+#-- SY) ASLR
+print_list "Is ASLR enabled? ............... "$NC
+ASLR=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)
+if [ -z "$ASLR" ]; then
+    echo_not_found "/proc/sys/kernel/randomize_va_space";
+else
+    if [ "$ASLR" -eq "0" ]; then printf $RED"No"$NC; else printf $GREEN"Yes"$NC; fi
+    echo ""
+fi
+
+#-- SY) Printer
+print_list "Printer? ....................... "$NC
+(lpstat -a || system_profiler SPPrintersDataType || echo_no) 2>/dev/null
+
+#-- SY) Running in a virtual environment
+print_list "Is this a virtual machine? ..... "$NC
+hypervisorflag=$(grep flags /proc/cpuinfo 2>/dev/null | grep hypervisor)
+if [ "$(command -v systemd-detect-virt 2>/dev/null || echo -n '')" ]; then
+    detectedvirt=$(systemd-detect-virt)
+    if [ "$hypervisorflag" ]; then printf $RED"Yes ($detectedvirt)"$NC; else printf $GREEN"No"$NC; fi
+else
+    if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
+fi

linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh

@@ -0,0 +1,22 @@
+# Title: System Information - Operative System
+# ID: SY_Operative_system
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the Operative system
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, warn_exec
+# Global Variables: $MACPEAS, $kernelDCW_Ubuntu_Precise_1, $kernelB, $kernelDCW_Ubuntu_Precise_2, $kernelDCW_Ubuntu_Precise_3, $kernelDCW_Ubuntu_Precise_4, $kernelDCW_Ubuntu_Precise_5, $kernelDCW_Ubuntu_Precise_6, $kernelDCW_Rhel5_1, $kernelDCW_Rhel5_2, $kernelDCW_Rhel5_3, $kernelDCW_Rhel6_1, $kernelDCW_Rhel6_2, $kernelDCW_Rhel6_3, $kernelDCW_Rhel6_4, $kernelDCW_Rhel7, $kernelDCW_Ubuntu_Trusty_1, $kernelDCW_Ubuntu_Trusty_2, $kernelDCW_Ubuntu_Trusty_3, $kernelDCW_Ubuntu_Trusty_4, $kernelDCW_Ubuntu_Xenial
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Operative system"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
+(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
+warn_exec lsb_release -a 2>/dev/null
+if [ "$MACPEAS" ]; then
+    warn_exec system_profiler SPSoftwareDataType
+fi
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh

@@ -0,0 +1,22 @@
+# Title: System Information - Sudo Version
+# ID: SY_Sudo_version
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the Sudo Version
+# License: GNU GPL
+# Version: 1.0 
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $sudovB
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Sudo version"
+if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
+sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
+else echo_not_found "sudo"
+fi
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh

@@ -0,0 +1,33 @@
+# Title: System Information - USBCreator
+# ID: SY_USBCreator
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the USBCreator
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables: $pc_version, $pc_length, $pc_major, $pc_minor
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
+    print_2title "USBCreator"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
+
+    pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
+    if [ -z "$pc_version" ]; then
+        pc_version=$(apt-cache policy policykit-desktop-privileges 2>/dev/null | grep -oP "\*\*\*.*" | cut -d" " -f2)
+    fi
+    if [ -n "$pc_version" ]; then
+        pc_length=${#pc_version}
+        pc_major=$(echo "$pc_version" | cut -d. -f1)
+        pc_minor=$(echo "$pc_version" | cut -d. -f2)
+        if [ "$pc_length" -eq 4 ] && [ "$pc_major" -eq 0 ] && [ "$pc_minor"  -lt 21 ]; then
+            echo "Vulnerable!!" | sed -${E} "s,.*,${SED_RED},"
+        fi
+    fi
+fi
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh

@@ -0,0 +1,25 @@
+# Title: System Information - Path
+# ID: SY_Path
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the Path
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG, $IAMROOT, $OLDPATH, $PATH, $Wfolders
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "PATH"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
+if ! [ "$IAMROOT" ]; then
+    echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
+fi
+
+if [ "$DEBUG" ]; then
+     echo "New path exported: $PATH"
+fi
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh

@@ -0,0 +1,19 @@
+# Title: System Information - Date
+# ID: SY_Date
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the Date
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+print_2title "Date & uptime"
+warn_exec date 2>/dev/null
+warn_exec uptime 2>/dev/null
+echo ""

linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh

@@ -0,0 +1,20 @@
+# Title: System Information - CPU info
+# ID: SY_CPU_info
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the CPU
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $DEBUG, $EXTRA_CHECKS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_2title "CPU info"
+    warn_exec lscpu 2>/dev/null
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh

@@ -0,0 +1,21 @@
+# Title: System Information - Mounts
+# ID: SY_Mounts
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the mounts
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $DEBUG, $mountG, $mountpermsB, $mountpermsG, $notmounted, $Wfolders, $mounted
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
+    print_2title "Unmounted file-system?"
+    print_info "Check if you can mount umounted devices"
+    grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh

@@ -0,0 +1,27 @@
+# Title: System Information - Disks
+# ID: SY_Disks
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the disks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $DEBUG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ -d "/dev" ] || [ "$DEBUG" ] ; then
+    print_2title "Any sd*/disk* disk in /dev? (limit 20)"
+    ls /dev 2>/dev/null | grep -Ei "^sd|^disk" | sed "s,crypt,${SED_RED}," | head -n 20
+    echo ""
+fi
+
+
+if [ "$(command -v smbutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+    print_2title "Mounted SMB Shares"
+    warn_exec smbutil statshares -a
+    echo ""
+fi

linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh

@@ -0,0 +1,27 @@
+# Title: System Information - Disks
+# ID: SY_Disks_extra
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get Information about the disks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $DEBUG, $EXTRA_CHECKS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ([ "$(command -v diskutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]; then
+    print_2title "Mounted disks information"
+    warn_exec diskutil list
+    echo ""
+fi
+
+if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
+    print_2title "System stats"
+    (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
+    warn_exec free 2>/dev/null
+    echo ""
+fi

linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh

@@ -0,0 +1,22 @@
+# Title: Container - Container Tools
+# ID: CT_Container_tools
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Find container related tools in the PATH of the system
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Container related tools present (if any):"
+command -v docker || echo -n ''
+command -v lxc || echo -n ''
+command -v rkt || echo -n ''
+command -v kubectl || echo -n ''
+command -v podman || echo -n ''
+command -v runc || echo -n ''

linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh

@@ -0,0 +1,32 @@
+# Title: Container - List mounted tokens
+# ID: CT_List_mounted_tokens
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: List tokens mounted in the system if any
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $ALREADY_TOKENS, $TEMP_TOKEN
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
+  print_2title "Listing mounted tokens"
+  print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+  ALREADY_TOKENS="IinItialVaaluE"
+  for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
+      TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
+      if ! [ $(echo $TEMP_TOKEN | grep -E $ALREADY_TOKENS) ]; then
+          ALREADY_TOKENS="$ALREADY_TOKENS|$TEMP_TOKEN"
+          echo "Directory: $i"
+          echo "Namespace: $(cat $i)"
+          echo ""
+          echo $TEMP_TOKEN
+          echo "================================================================================"
+          echo ""
+      fi
+  done
+fi

linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh

@@ -0,0 +1,40 @@
+# Title: Container - Container details
+# ID: CT_Container_details
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get container details
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: containerCheck, echo_no, print_2title, print_list
+# Global Variables: $containerType
+# Initial Functions: containerCheck
+# Generated Global Variables: $dockercontainers, $podmancontainers, $lxccontainers, $rktcontainers, $containerCounts
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Container details"
+print_list "Is this a container? ...........$NC $containerType"
+
+print_list "Any running containers? ........ "$NC
+# Get counts of running containers for each platform
+dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
+podmancontainers=$(podman ps --format "{{.Names}}" 2>/dev/null | wc -l)
+lxccontainers=$(lxc list -c n --format csv 2>/dev/null | wc -l)
+rktcontainers=$(rkt list 2>/dev/null | tail -n +2  | wc -l)
+if [ "$dockercontainers" -eq "0" ] && [ "$lxccontainers" -eq "0" ] && [ "$rktcontainers" -eq "0" ] && [ "$podmancontainers" -eq "0" ]; then
+    echo_no
+else
+    containerCounts=""
+    if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi
+    if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi
+    if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi
+    if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
+    echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
+    
+    # List any running containers
+    if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
+    if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
+    if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
+    if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
+fi

linPEAS/builder/linpeas_parts/2_container/4_Docker_container_details.sh

@@ -0,0 +1,37 @@
+# Title: Container - Docker Container details
+# ID: CT_Docker_container_details
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get docker Container details from the inside
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: checkDockerRootless, checkDockerVersionExploits, containerCheck, enumerateDockerSockets, inDockerGroup, print_2title, print_list
+# Global Variables: $containerType, $DOCKER_GROUP, $DOCKER_ROOTLESS, $dockerVersion, $inContainer, $VULN_CVE_2019_5736, $VULN_CVE_2019_13139, $VULN_CVE_2021_41091
+# Initial Functions: containerCheck
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+#If docker
+if echo "$containerType" | grep -qi "docker"; then
+    print_2title "Docker Container details"
+    inDockerGroup
+    print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
+    enumerateDockerSockets
+    print_list "Docker version .................$NC$dockerVersion"
+    checkDockerVersionExploits
+    print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Vulnerable to CVE-2021-41091 ...$NC$VULN_CVE_2021_41091"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    if [ "$inContainer" ]; then
+        checkDockerRootless
+        print_list "Rootless Docker? ............... $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
+        echo ""
+    fi
+    if df -h | grep docker; then
+        print_2title "Docker Overlays"
+        df -h | grep docker
+    fi
+fi

linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh

@@ -0,0 +1,134 @@
+# Title: Container - Container & breakout enumeration
+# ID: CT_Container_breakout
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Container breakout enumeration to see if in case we are inside a container we could escape
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, echo_no, echo_not_found, print_2title, print_3title, print_info, print_list
+# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos,  $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
+# Initial Functions: containerCheck
+# Generated Global Variables: $defautl_docker_caps
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$inContainer" ]; then
+    echo ""
+    print_2title "Container & breakout enumeration"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
+    print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
+    if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
+        print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
+    fi
+    print_list "Seccomp enabled? ............... "$NC
+    ([ "$(grep Seccomp /proc/self/status | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
+
+    print_list "AppArmor profile? .............. "$NC
+    (cat /proc/self/attr/current 2>/dev/null || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
+
+    print_list "User proc namespace? ........... "$NC
+    if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then (printf "enabled"; cat /proc/self/uid_map) | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
+
+    checkContainerExploits
+    print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+
+    print_3title "Breakout via mounts"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
+    
+    checkProcSysBreakouts
+    print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "/dev mounted? .................. $dev_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "Run unshare .................... $run_unshare\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "release_agent breakout 3........ $release_agent_breakout3\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "binfmt_misc breakout ........... $binfmt_misc_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
+    print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
+    print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    if [ "$EXTRA_CHECKS" ]; then
+      print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/self/mem readable ........ $self_mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,Yes,${SED_RED},"
+    fi
+    
+    echo ""
+    print_3title "Namespaces"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
+    ls -l /proc/self/ns/
+
+    if echo "$containerType" | grep -qi "kubernetes"; then
+        print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
+        print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
+        echo ""
+        
+        print_2title "Kubernetes Information"
+        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
+        
+        
+        print_3title "Kubernetes service account folder"
+        ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null
+        echo ""
+        
+        print_3title "Kubernetes env vars"
+        (env | set) | grep -Ei "kubernetes|kube" | grep -Ev "^WF=|^Wfolders=|^mounted=|^USEFUL_SOFTWARE='|^INT_HIDDEN_FILES=|^containerType="
+        echo ""
+
+        print_3title "Current sa user k8s permissions"
+        print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
+        kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
+          "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
+            -X 'POST' -H 'Content-Type: application/json' \
+            --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | sed "s,secrets|exec|create|patch|impersonate|\"*\",${SED_RED},"
+
+    fi
+    echo ""
+
+    print_2title "Container Capabilities"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
+    if [ "$(command -v capsh || echo -n '')" ]; then 
+      capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
+    else
+      defautl_docker_caps="00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap"
+      cat /proc/self/status | tr '\t' ' ' | grep Cap | sed -${E} "s, .*,${SED_RED},g" | sed -${E} "s/00000000a80425fb/$defautl_docker_caps/g" | sed -${E} "s,0000000000000000|00000000a80425fb,${SED_GREEN},g"
+      echo $ITALIC"Run capsh --decode=<hex> to decode the capabilities"$NC
+    fi
+    echo ""
+
+    print_2title "Privilege Mode"
+    if [ -x "$(command -v fdisk || echo -n '')" ]; then
+        if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
+            echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
+        else
+            echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
+        fi
+    else
+        echo_not_found
+    fi
+    echo ""
+
+    print_2title "Interesting Files Mounted"
+    (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
+    echo ""
+
+    print_2title "Possible Entrypoints"
+    ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
+    echo ""
+fi

linPEAS/builder/linpeas_parts/2_container/6_Am_I_contained.sh

@@ -0,0 +1,20 @@
+# Title: Container - Am I Containered 
+# ID: CT_Am_I_contained
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Am I Containered tool
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, execBin
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $FAT_LINPEAS_AMICONTAINED
+# Fat linpeas: 1
+# Small linpeas: 0
+
+
+if [ "$$FAT_LINPEAS_AMICONTAINED" ]; then
+  print_2title "Am I Containered?"
+  FAT_LINPEAS_AMICONTAINED="peass{https://github.com/genuinetools/amicontained/releases/latest/download/amicontained-linux-amd64}"
+  execBin "AmIContainered" "https://github.com/genuinetools/amicontained" "$FAT_LINPEAS_AMICONTAINED"
+fi

linPEAS/builder/linpeas_parts/3_cloud/10_IBM_Cloud.sh

@@ -0,0 +1,52 @@
+# Title: Cloud - IBM Cloud
+# ID: CL_IBM_Cloud
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: IBM Cloud Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_ibm_vm, print_2title, print_3title
+# Global Variables: $IBM_TOKEN, $is_ibm_vm
+# Initial Functions: check_ibm_vm
+# Generated Global Variables: $TOKEN_HEADER, $ACCEPT_HEADER, $URL, $ibm_req
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$is_ibm_vm" = "Yes" ]; then
+  print_2title "IBM Cloud Enumeration"
+
+  if ! [ "$IBM_TOKEN" ]; then
+    echo "Couldn't get the metadata token:("
+
+  else
+    TOKEN_HEADER="Authorization: Bearer $IBM_TOKEN"
+    ACCEPT_HEADER="Accept: application/json"
+    URL="http://169.254.169.254/latest/meta-data"
+    
+    ibm_req=""
+    if [ "$(command -v curl || echo -n '')" ]; then
+        ibm_req="curl -s -f -L -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
+    elif [ "$(command -v wget || echo -n '')" ]; then
+        ibm_req="wget -q -O - -H '$TOKEN_HEADER' -H '$ACCEPT_HEADER'"
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+    if [ "$ibm_req" ]; then
+      print_3title "Instance Details"
+      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
+
+      print_3title "Keys and User data"
+      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"
+      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01"
+
+      print_3title "Placement Groups"
+      exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01"
+
+      print_3title "IAM credentials"
+      exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
+    fi
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/11_Ali_Cloud.sh

@@ -0,0 +1,98 @@
+# Title: Cloud - Ali Cloud
+# ID: CL_Ali_Cloud
+# Author: Esonhugh
+# Last Update: 22-01-2024
+# Description: Ali Cloud Platform Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $is_aliyun_ecs
+# Initial Functions: check_aliyun_ecs
+# Generated Global Variables: $aliyun_req, $aliyun_token, $i_hostname, $i_instance_id, $i_instance_name, $i_instance_type, $i_aliyun_owner_account, $i_region_id, $i_zone_id, $i_pub_ipv4, $i_priv_ipv4, $net_dns, $mac, $sa, $key
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+
+if [ "$is_aliyun_ecs" = "Yes" ]; then
+  aliyun_req=""
+  aliyun_token=""
+  if [ "$(command -v curl)" ]; then 
+    aliyun_token=$(curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:1000")
+    aliyun_req='curl -s -f -L -H "X-aliyun-ecs-metadata-token: $aliyun_token"'
+  elif [ "$(command -v wget)" ]; then
+    aliyun_token=$(wget -q -O - --method PUT "http://100.100.100.200/latest/api/token" --header "X-aliyun-ecs-metadata-token-ttl-seconds:1000")
+    aliyun_req='wget -q -O --header "X-aliyun-ecs-metadata-token: $aliyun_token"'
+  else 
+    echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$aliyun_token" ]; then
+    print_2title "Aliyun ECS Enumeration"
+    print_info "https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata"
+
+    echo ""
+    print_3title "Instance Info"
+    i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname)
+    [ "$i_hostname" ] && echo "Hostname: $i_hostname"
+    i_instance_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance-id)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    # no dup of hostname if in ACK it possibly leaks aliyun cluster service ClusterId
+    i_instance_name=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-name)
+    [ "$i_instance_name" ] && echo "Instance Name: $i_instance_name"
+    i_instance_type=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-type)
+    [ "$i_instance_type" ] && echo "Instance Type: $i_instance_type"
+    i_aliyun_owner_account=$(eval $aliyun_req http://i00.100.100.200/latest/meta-data/owner-account-id)
+    [ "$i_aliyun_owner_account" ] && echo "Aliyun Owner Account: $i_aliyun_owner_account"
+    i_region_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/region-id)
+    [ "$i_region_id" ] && echo "Region ID: $i_region_id"
+    i_zone_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/zone-id)
+    [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
+
+    echo ""
+    print_3title "Network Info"
+    i_pub_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/public-ipv4)
+    [ "$i_pub_ipv4" ] && echo "Public IPv4: $i_pub_ipv4"
+    i_priv_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/private-ipv4)
+    [ "$i_priv_ipv4" ] && echo "Private IPv4: $i_priv_ipv4"
+    net_dns=$(eval $aliyun_req  http://100.100.100.200/latest/meta-data/dns-conf/nameservers)
+    [ "$net_dns" ] && echo "DNS: $net_dns"
+    
+    echo "========"
+    for mac in $(eval $aliyun_req  http://100.100.100.200/latest/meta-data/network/interfaces/macs/); do
+      echo "  Mac: $mac"
+      echo "  Mac interface id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/network-interface-id)
+      echo "  Mac netmask: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/netmask)
+      echo "  Mac vpc id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-id)
+      echo "  Mac vpc cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-cidr-block)
+      echo "  Mac vpc cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-ipv6-cidr-blocks)
+      echo "  Mac vswitch id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-id)
+      echo "  Mac vswitch cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-cidr-block)
+      echo "  Mac vswitch cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-ipv6-cidr-block)
+      echo "  Mac private ips: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/private-ipv4s)
+      echo "  Mac private ips (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6s)
+      echo "  Mac gateway: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/gateway)
+      echo "  Mac gateway (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6-gateway)
+      echo "======="
+    done
+
+    echo ""
+    print_3title "Service account "
+    for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do 
+      echo "  Name: $sa"
+      echo "  STS Token: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa")
+      echo "  =============="
+    done
+
+    echo ""
+    print_3title "Possbile admin ssh Public keys"
+    for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/"); do
+      echo "  Name: $key"
+      echo "  Key: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/${key}openssh-key")
+      echo "  =============="
+    done
+
+
+  fi
+fi
+

linPEAS/builder/linpeas_parts/3_cloud/12_Tencent_Cloud.sh

@@ -0,0 +1,88 @@
+# Title: Cloud - Tencent Cloud
+# ID: CL_Tencent_Cloud
+# Author: Shadowabi
+# Last Update: 22-01-2024
+# Description: Tencent Cloud Platform Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $is_tencent_cvm
+# Initial Functions: check_tencent_cvm
+# Generated Global Variables: $tencent_req, $i_tencent_owner_account, $i_hostname, $i_instance_id, $i_instance_name, $i_instance_type, $i_region_id, $i_zone_id, $mac_tencent, $lipv4, $sa_tencent, $key_tencent
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_tencent_cvm" = "Yes" ]; then
+  tencent_req=""
+  if [ "$(command -v curl)" ]; then 
+    tencent_req='curl --connect-timeout 2 -sfkG'
+  elif [ "$(command -v wget)" ]; then
+    tencent_req='wget -q --timeout 2 --tries 1  -O -'
+  else 
+    echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  
+    print_2title "Tencent CVM Enumeration"
+    print_info "https://cloud.tencent.com/document/product/213/4934"
+    # Todo: print_info "Hacktricks Documents needs to be updated"
+
+    echo ""
+    print_3title "Instance Info"
+    i_tencent_owner_account=$(eval $tencent_req http://169.254.0.23/latest/meta-data/app-id)
+    [ "$i_tencent_owner_account" ] && echo "Tencent Owner Account: $i_tencent_owner_account"
+    i_hostname=$(eval $tencent_req http://169.254.0.23/latest/meta-data/hostname)
+    [ "$i_hostname" ] && echo "Hostname: $i_hostname"
+    i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance-id)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/uuid)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    i_instance_name=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance-name)
+    [ "$i_instance_name" ] && echo "Instance Name: $i_instance_name"
+    i_instance_type=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance/instance-type)
+    [ "$i_instance_type" ] && echo "Instance Type: $i_instance_type"
+    i_region_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/placement/region)
+    [ "$i_region_id" ] && echo "Region ID: $i_region_id"
+    i_zone_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/placement/zone)
+    [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
+
+    echo ""
+    print_3title "Network Info"
+    for mac_tencent in $(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/); do
+      echo "  Mac: $mac_tencent"
+      echo "  Primary IPv4: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/primary-local-ipv4)
+      echo "  Mac public ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/public-ipv4s)
+      echo "  Mac vpc id: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/vpc-id)
+      echo "  Mac subnet id: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/subnet-id)
+      
+      for lipv4 in $(eval $tencent_req  http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s); do
+        echo "  Mac local ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/local-ipv4)
+        echo "  Mac gateways: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/gateway)
+        echo "  Mac public ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/public-ipv4)
+        echo "  Mac public ips mode: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/public-ipv4-mode)
+        echo "  Mac subnet mask: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/local-ipv4s/$lipv4/subnet-mask)
+      done
+    echo "======="
+    done
+
+    echo ""
+    print_3title "Service account "
+    for sa_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/"); do 
+      echo "  Name: $sa_tencent"
+      echo "  STS Token: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/$sa_tencent")
+      echo "  =============="
+    done
+
+    echo ""
+    print_3title "Possbile admin ssh Public keys"
+    for key_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/"); do
+      echo "  Name: $key_tencent"
+      echo "  Key: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/${key_tencent}openssh-key")
+      echo "  =============="
+    done
+
+    echo ""
+    print_3title "User Data"
+    eval $tencent_req http://169.254.0.23/latest/user-data; echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh

@@ -0,0 +1,30 @@
+# Title: Cloud - Check if in cloud
+# ID: CL_Check_if_in_cloud
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check if the current system is inside a cloud environment
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
+# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
+# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_aliyun_ecs, check_tencent_cvm
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "GCP Cloud Funtion? ................... $is_gcp_function\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS EC2 Beanstalk? ................... $is_aws_ec2_beanstalk\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "Tencent CVM? ......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+
+echo ""

linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh

@@ -0,0 +1,79 @@
+# Title: Cloud - AWS EC2
+# ID: CL_AWS_EC2
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: AWS EC2 Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_ec2, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_aws_ec2
+# Initial Functions: check_aws_ec2
+# Generated Global Variables: $aws_req, $HEADER, $URL, $mac, $role
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_aws_ec2" = "Yes" ]; then
+    print_2title "AWS EC2 Enumeration"
+    
+    HEADER="X-aws-ec2-metadata-token: "
+    URL="http://169.254.169.254/latest/meta-data"
+    
+    aws_req=""
+    if [ "$(command -v curl || echo -n '')" ]; then
+        aws_req="curl -s -f -L -H '$HEADER'"
+    elif [ "$(command -v wget || echo -n '')" ]; then
+        aws_req="wget -q -O - -H '$HEADER'"
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+  
+    if [ "$aws_req" ]; then
+        printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
+        printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
+        printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
+        printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
+        printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
+        printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
+
+        echo ""
+        print_3title "Account Info"
+        exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
+
+        echo ""
+        print_3title "Network Info"
+        for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do 
+          echo "Mac: $mac"
+          printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
+          printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
+          printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
+          echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
+          printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
+          echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
+          printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
+          echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
+          echo ""
+        done
+
+        echo ""
+        print_3title "IAM Role"
+        exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
+        for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do 
+          echo "Role: $role"
+          exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
+          echo ""
+        done
+        
+        echo ""
+        print_3title "User Data"
+        eval $aws_req "http://169.254.169.254/latest/user-data"; echo ""
+        
+        echo ""
+        print_3title "EC2 Security Credentials"
+        exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
+        
+        print_3title "SSM Runnig"
+        ps aux 2>/dev/null | grep "ssm-agent" | grep -Ev "grep|sed s,ssm-agent" | sed "s,ssm-agent,${SED_RED},"
+    fi
+    echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh

@@ -0,0 +1,48 @@
+# Title: Cloud - AWS ECS
+# ID: CL_AWS_ECS
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: AWS ECS Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
+# Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
+# Initial Functions: check_aws_ecs
+# Generated Global Variables: $aws_ecs_req
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_aws_ecs" = "Yes" ]; then
+    print_2title "AWS ECS Enumeration"
+    
+    aws_ecs_req=""
+    if [ "$(command -v curl || echo -n '')" ]; then
+        aws_ecs_req='curl -s -f'
+    elif [ "$(command -v wget || echo -n '')" ]; then
+        aws_ecs_req='wget -q -O -'
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+    if [ "$aws_ecs_metadata_uri" ]; then
+        print_3title "Container Info"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
+        echo ""
+        
+        print_3title "Task Info"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
+        echo ""
+    else
+        echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
+    fi
+
+    if [ "$aws_ecs_service_account_uri" ]; then
+        print_3title "IAM Role"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
+        echo ""
+    else
+        echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
+    fi
+    echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/4_AWS_Lambda.sh

@@ -0,0 +1,27 @@
+# Title: Cloud - AWS Lambda
+# ID: CL_AWS_Lambda
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: AWS Lambda Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_lambda, print_2title
+# Global Variables: $is_aws_lambda
+# Initial Functions: check_aws_lambda
+# Generated Global Variables: 
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$is_aws_lambda" = "Yes" ]; then
+  print_2title "AWS Lambda Enumeration"
+  printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME
+  printf "Region: "; env | grep AWS_REGION
+  printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY
+  printf "Access Key ID: "; env | grep AWS_ACCESS_KEY_ID
+  printf "Session token: "; env | grep AWS_SESSION_TOKEN
+  printf "Security token: "; env | grep AWS_SECURITY_TOKEN
+  printf "Runtime API: "; env | grep AWS_LAMBDA_RUNTIME_API
+  printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
+  echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/5_AWS_Codebuild.sh

@@ -0,0 +1,40 @@
+# Title: Cloud - AWS Codebuild
+# ID: CL_AWS_Codebuild
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: AWS Codebuild Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_aws_codebuild, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_aws_codebuild
+# Initial Functions: check_aws_codebuild
+# Generated Global Variables: $aws_req, $METADATA_URL, $CREDS_PATH, $URL_CREDS
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$is_aws_codebuild" = "Yes" ]; then
+  print_2title "AWS Codebuild Enumeration"
+
+  aws_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      aws_req="curl -s -f"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      aws_req="wget -q -O -"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+      echo "The addresses are in /codebuild/output/tmp/env.sh"
+  fi
+
+  if [ "$aws_req" ]; then
+    print_3title "Credentials"
+    CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2)
+    URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig
+    exec_with_jq eval $aws_req "$URL_CREDS"; echo ""
+
+    print_3title "Container Info"
+    METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2)
+    exec_with_jq eval $aws_req "$METADATA_URL"; echo ""
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh

@@ -0,0 +1,57 @@
+# Title: Cloud - Google Cloud Function
+# ID: CL_Google_cloud_function
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Google Cloud Function Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_gcp, print_2title, print_3title, print_info
+# Global Variables: $is_gcp_function, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES
+# Initial Functions: check_gcp
+# Generated Global Variables: $gcp_req, $p_id, $p_num, $inst_id, $inst_zone, $mtls_info
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_gcp_function" = "Yes" ]; then
+    gcp_req=""
+    if [ "$(command -v curl)" ]; then
+        gcp_req='curl -s -f -L -H "Metadata-Flavor: Google"'
+    elif [ "$(command -v wget)" ]; then
+        gcp_req='wget -q -O - --header "Metadata-Flavor: Google"'
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+    # GCP Enumeration
+    if [ "$gcp_req" ]; then
+        print_2title "Google Cloud Platform Enumeration"
+        print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security"
+
+        ## GC Project Info
+        p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
+        [ "$p_id" ] && echo "Project-ID: $p_id"
+        p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
+        [ "$p_num" ] && echo "Project Number: $p_num"
+
+        # Instance Info
+        inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
+        [ "$inst_id" ] && echo "Instance ID: $inst_id"
+        mtls_info=$(eval $gcp_req http://metadata/computeMetadata/v1/instance/platform-security/auto-mtls-configuration)
+        [ "$mtls_info" ] && echo "MTLS info: $mtls_info"
+        inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
+        [ "$inst_zone" ] && echo "Zone: $inst_zone"
+
+        echo ""
+        print_3title "Service Accounts"
+        for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do 
+            echo "  Name: $sa"
+            echo "  Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}email")
+            echo "  Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}aliases")
+            echo "  Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}identity")
+            echo "  Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
+            echo "  Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}token")
+            echo "  ==============  "
+        done
+    fi
+fi

linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_vm.sh

@@ -0,0 +1,111 @@
+# Title: Cloud - Google Cloud VM
+# ID: CL_Google_cloud_vm
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Google Cloud VM Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_gcp, print_2title, print_3title, print_info
+# Global Variables: $is_gcp_vm, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES
+# Initial Functions: check_gcp
+# Generated Global Variables: $gcp_req, $p_id, $p_num, $pssh_k, $p_attrs, $osl_u, $osl_g, $osl_sk, $osl_au, $inst_d, $inst_hostn, $inst_id, $inst_img, $inst_mt, $inst_n, $inst_tag, $inst_zone, $inst_k8s_loc, $inst_k8s_name, $inst_k8s_osl_e, $inst_k8s_klab, $inst_k8s_kubec, $inst_k8s_kubenv, $iface
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_gcp_vm" = "Yes" ]; then
+    gcp_req=""
+    if [ "$(command -v curl || echo -n '')" ]; then
+        gcp_req='curl -s -f -L -H "Metadata-Flavor: Google"'
+    elif [ "$(command -v wget || echo -n '')" ]; then
+        gcp_req='wget -q -O - --header "Metadata-Flavor: Google"'
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+
+    if [ "$gcp_req" ]; then
+        print_2title "Google Cloud Platform Enumeration"
+        print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
+
+        ## GC Project Info
+        p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
+        [ "$p_id" ] && echo "Project-ID: $p_id"
+        p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
+        [ "$p_num" ] && echo "Project Number: $p_num"
+        pssh_k=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/ssh-keys')
+        [ "$pssh_k" ] && echo "Project SSH-Keys: $pssh_k"
+        p_attrs=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true')
+        [ "$p_attrs" ] && echo "All Project Attributes: $p_attrs"
+
+        # OSLogin Info
+        osl_u=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/users)
+        [ "$osl_u" ] && echo "OSLogin users: $osl_u"
+        osl_g=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/groups)
+        [ "$osl_g" ] && echo "OSLogin Groups: $osl_g"
+        osl_sk=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/security-keys)
+        [ "$osl_sk" ] && echo "OSLogin Security Keys: $osl_sk"
+        osl_au=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/oslogin/authorize)
+        [ "$osl_au" ] && echo "OSLogin Authorize: $osl_au"
+
+        # Instance Info
+        inst_d=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/description)
+        [ "$inst_d" ] && echo "Instance Description: "
+        inst_hostn=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/hostname)
+        [ "$inst_hostn" ] && echo "Hostname: $inst_hostn"
+        inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
+        [ "$inst_id" ] && echo "Instance ID: $inst_id"
+        inst_img=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/image)
+        [ "$inst_img" ] && echo "Instance Image: $inst_img"
+        inst_mt=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/machine-type)
+        [ "$inst_mt" ] && echo "Machine Type: $inst_mt"
+        inst_n=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/name)
+        [ "$inst_n" ] && echo "Instance Name: $inst_n"
+        inst_tag=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/scheduling/tags)
+        [ "$inst_tag" ] && echo "Instance tags: $inst_tag"
+        inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
+        [ "$inst_zone" ] && echo "Zone: $inst_zone"
+
+        inst_k8s_loc=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-location")
+        [ "$inst_k8s_loc" ] && echo "K8s Cluster Location: $inst_k8s_loc"
+        inst_k8s_name=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name")
+        [ "$inst_k8s_name" ] && echo "K8s Cluster name: $inst_k8s_name"
+        inst_k8s_osl_e=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-oslogin")
+        [ "$inst_k8s_osl_e" ] && echo "K8s OSLoging enabled: $inst_k8s_osl_e"
+        inst_k8s_klab=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-labels")
+        [ "$inst_k8s_klab" ] && echo "K8s Kube-labels: $inst_k8s_klab"
+        inst_k8s_kubec=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kubeconfig")
+        [ "$inst_k8s_kubec" ] && echo "K8s Kubeconfig: $inst_k8s_kubec"
+        inst_k8s_kubenv=$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env")
+        [ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv"
+
+        echo ""
+        print_3title "Interfaces"
+        for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do 
+            echo "  IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip")
+            echo "  Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
+            echo "  Gateway: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
+            echo "  DNS: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
+            echo "  Network: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/network")
+            echo "  ==============  "
+        done
+        
+        echo ""
+        print_3title "User Data"
+        echo $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script")
+        echo ""
+
+        echo ""
+        print_3title "Service Accounts"
+        for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do 
+            echo "  Name: $sa"
+            echo "  Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email")
+            echo "  Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/aliases")
+            echo "  Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/identity")
+            echo "  Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
+            echo "  Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/token")
+            echo "  ==============  "
+        done
+    fi
+    echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh

@@ -0,0 +1,52 @@
+# Title: Cloud - Azure VM
+# ID: CL_Azure_VM
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Azure VM Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_az_vm, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_az_vm
+# Initial Functions: check_az_vm
+# Generated Global Variables: $API_VERSION, $HEADER, $az_req, $URL
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_az_vm" = "Yes" ]; then
+  print_2title "Azure VM Enumeration"
+
+  HEADER="Metadata:true"
+  URL="http://169.254.169.254/metadata"
+  API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
+  
+  az_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      az_req="curl -s -f -L -H '$HEADER'"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      az_req="wget -q -O - -H '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Instance details"
+    exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
+
+    print_3title "Load Balancer details"
+    exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
+
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
+
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/8_Azure_app_service.sh

@@ -0,0 +1,47 @@
+# Title: Cloud - Azure App Service 
+# ID: CL_Azure_app_service
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Azure App Service Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_az_app, exec_with_jq, print_2title, print_3title
+# Global Variables: $is_az_app,
+# Initial Functions: check_az_app
+# Generated Global Variables: $API_VERSION, $HEADER, $az_req
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
+
+if [ "$is_az_app" = "Yes" ]; then
+  print_2title "Azure App Service Enumeration"
+  echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
+
+  HEADER="secret:$IDENTITY_HEADER"
+
+  az_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      az_req="curl -s -f -L -H '$HEADER'"
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      az_req="wget -q -O - -H '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
+
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/3_cloud/9_DO_Droplet.sh

@@ -0,0 +1,42 @@
+# Title: Cloud - DO Droplet
+# ID: CL_DO_Droplet
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: DO Droplet Enumeration
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_do, print_2title
+# Global Variables: $is_do
+# Initial Functions: check_do
+# Generated Global Variables: $do_req, $URL
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$is_do" = "Yes" ]; then
+  print_2title "DO Droplet Enumeration"
+
+  do_req=""
+  if [ "$(command -v curl || echo -n '')" ]; then
+      do_req='curl -s -f -L '
+  elif [ "$(command -v wget || echo -n '')" ]; then
+      do_req='wget -q -O - '
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$do_req" ]; then
+    URL="http://169.254.169.254/metadata"
+    printf "Id: "; eval $do_req "$URL/v1/id"; echo ""
+    printf "Region: "; eval $do_req "$URL/v1/region"; echo ""
+    printf "Public keys: "; eval $do_req "$URL/v1/public-keys"; echo ""
+    printf "User data: "; eval $do_req "$URL/v1/user-data"; echo ""
+    printf "Dns: "; eval $do_req "$URL/v1/dns/nameservers" | tr '\n' ','; echo ""
+    printf "Interfaces: "; eval $do_req "$URL/v1.json" | jq ".interfaces";
+    printf "Floating_ip: "; eval $do_req "$URL/v1.json" | jq ".floating_ip";
+    printf "Reserved_ip: "; eval $do_req "$URL/v1.json" | jq ".reserved_ip";
+    printf "Tags: "; eval $do_req "$URL/v1.json" | jq ".tags";
+    printf "Features: "; eval $do_req "$URL/v1.json" | jq ".features";
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh

@@ -0,0 +1,21 @@
+# Title: Processes & Cron & Services & Timers - System Timers
+# ID: PR_System_timers
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: System Timers
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $SEARCH_IN_FOLDER, $timersG
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "System timers"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+  (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh

@@ -0,0 +1,33 @@
+# Title: Processes & Cron & Services & Timers - .timer files
+# ID: PR_Timer_files
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: .timer files
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables: $timerbinpaths, $relpath
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Analyzing .timer files"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
+  if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+    echo "$t" | sed -${E} "s,.*,${SED_RED},g"
+  fi
+  timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
+  printf "%s\n" "$timerbinpaths" | while read tb; do
+    if [ -w "$tb" ]; then
+      echo "$t timer is calling this writable executable: $tb" | sed "s,writable.*,${SED_RED},g"
+    fi
+  done
+  #relpath="`grep -Po '^Unit=[^/].*' \"$t\" 2>/dev/null`"
+  #for rp in "$relpath"; do
+  #  echo "$t is calling a relative path: $rp" | sed "s,relative.*,${SED_RED},g"
+  #done
+done
+echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Services.sh

@@ -0,0 +1,23 @@
+# Title: Processes & Cron & Services & Timers - Services
+# ID: PR_Services
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Services outdated versions
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$EXTRA_CHECKS" ]; then
+    print_2title "Services"
+    print_info "Search for outdated versions"
+    (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh

@@ -0,0 +1,42 @@
+# Title: Processes & Cron & Services & Timers - Analyzing .service files
+# ID: PR_Service_files
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Analyze .service files
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $WRITABLESYSTEMDPATH
+# Initial Functions:
+# Generated Global Variables: $relpath1, $relpath2, $servicebinpaths
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+#TODO: .service files in MACOS are folders
+print_2title "Analyzing .service files"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
+printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
+  if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+      echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
+    fi
+    servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
+    printf "%s\n" "$servicebinpaths" | while read sp; do
+      if [ -w "$sp" ]; then
+        echo "$s is calling this writable executable: $sp" | sed "s,writable.*,${SED_RED_YELLOW},g"
+      fi
+    done
+    relpath1=$(grep -E '^Exec.*=(?:[^/]|-[^/]|\+[^/]|![^/]|!![^/]|)[^/@\+!-].*' "$s" 2>/dev/null | grep -Iv "=/")
+    relpath2=$(grep -E '^Exec.*=.*/bin/[a-zA-Z0-9_]*sh ' "$s" 2>/dev/null)
+    if [ "$relpath1" ] || [ "$relpath2" ]; then
+      if [ "$WRITABLESYSTEMDPATH" ]; then
+        echo "$s could be executing some relative path" | sed -${E} "s,.*,${SED_RED},";
+      else
+        echo "$s could be executing some relative path"
+      fi
+    fi
+  fi
+done
+if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
+echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh

@@ -0,0 +1,38 @@
+# Title: Processes & Cron & Services & Timers - .socket files
+# ID: PR_Socket_files
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: .socket files
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables: $socketsbinpaths, $socketslistpaths
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+#TODO: .socket files in MACOS are folders
+if ! [ "$IAMROOT" ]; then
+  print_2title "Analyzing .socket files"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
+  printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+      echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
+    fi
+    socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+    printf "%s\n" "$socketsbinpaths" | while read sb; do
+      if [ -w "$sb" ]; then
+        echo "$s is calling this writable executable: $sb" | sed "s,writable.*,${SED_RED},g"
+      fi
+    done
+    socketslistpaths=$(grep -Eo '^(Listen).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
+    printf "%s\n" "$socketslistpaths" | while read sl; do
+      if [ -w "$sl" ]; then
+        echo "$s is calling this writable listener: $sl" | sed "s,writable.*,${SED_RED},g";
+      fi
+    done
+  done
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh

@@ -0,0 +1,72 @@
+# Title: Processes & Cron & Services & Timers - Unix Sockets Listening
+# ID: PR_Unix_sockets_listening
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Unix Sockets Listening
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: $unix_scks_list, $unix_scks_list2, $unix_scks_list3, $perms, $socketcurl, $owner, $CANNOT_CONNECT_TO_SOCKET
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+#TODO: .socket files in MACOS are folders
+if ! [ "$IAMROOT" ]; then
+  if ! [ "$SEARCH_IN_FOLDER" ]; then
+    print_2title "Unix Sockets Listening"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
+    # Search sockets using netstat and ss
+    unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
+    if ! [ "$unix_scks_list" ];then
+      unix_scks_list=$(ss -l -p -A 'unix' 2>/dev/null | grep -Ei "listen|Proc" | grep -Eo "/[a-zA-Z0-9\._/\-]+")
+    fi
+    if ! [ "$unix_scks_list" ];then
+      unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
+    fi
+      unix_scks_list3=$(lsof -U 2>/dev/null | awk '{print $9}' | grep "/") 
+  fi
+  
+  if ! [ "$SEARCH_IN_FOLDER" ]; then
+    # But also search socket files
+    unix_scks_list2=$(find / -type s 2>/dev/null)
+  else
+    unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
+  fi
+
+  # Detele repeated dockets and check permissions
+  (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2" && printf "%s\n" "$unix_scks_list3") | sort | uniq | while read l; do
+    perms=""
+    if [ -r "$l" ]; then
+      perms="Read "
+    fi
+    if [ -w "$l" ];then
+      perms="${perms}Write"
+    fi
+    
+    if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl || echo -n '')" ]; then
+      CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
+      if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
+        perms="${perms} - Can Connect"
+      else
+        perms="${perms} - Cannot Connect"
+      fi
+    fi
+    
+    if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
+    else 
+      echo "$l" | sed -${E} "s,$l,${SED_RED},g"
+      echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
+      # Try to contact the socket
+      socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
+      if [ $? -eq 0 ]; then
+        owner=$(ls -l "$s" | cut -d ' ' -f 3)
+        echo "Socket $s owned by $owner uses HTTP. Response to /index: (limt 30)" | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
+        echo "$socketcurl" | head -n 30
+      fi
+    fi
+  done
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh

@@ -0,0 +1,33 @@
+# Title: Processes & Cron & Services & Timers - D-Bus Service Objects list
+# ID: PR_DBus_service_objects_list
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate D-Bus Service Objects list
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables:  $dbuslistG, $knw_usrs, $nosh_usrs, $rootcommon, $SEARCH_IN_FOLDER, $USER
+# Initial Functions:
+# Generated Global Variables: $dbuslist, $srvc_object, $srvc_object_info
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "D-Bus Service Objects list"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+  dbuslist=$(busctl list 2>/dev/null)
+  if [ "$dbuslist" ]; then
+    busctl list | while read l; do
+      echo "$l" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
+      if ! echo "$l" | grep -qE "$dbuslistG"; then
+        srvc_object=$(echo $l | cut -d " " -f1)
+        srvc_object_info=$(busctl status "$srvc_object" 2>/dev/null | grep -E "^UID|^EUID|^OwnerUID" | tr '\n' ' ')
+        if [ "$srvc_object_info" ]; then
+          echo " -- $srvc_object_info" | sed "s,UID=0,${SED_RED},"
+        fi
+      fi
+    done
+  else echo_not_found "busctl"
+  fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh

@@ -0,0 +1,40 @@
+# Title: Processes & Cron & Services & Timers - D-Bus config files
+# ID: PR_DBus_config_files
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate D-Bus config files
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: $genpol, $userpol, $grppol
+# Fat linpeas: 0
+# Small linpeas: 0
+
+print_2title "D-Bus config files"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+if [ "$PSTORAGE_DBUS" ]; then
+  printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
+    for f in $d/*; do
+      if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
+        echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
+      fi
+
+      genpol=$(grep "<policy>" "$f" 2>/dev/null)
+      if [ "$genpol" ]; then printf "Weak general policy found on $f ($genpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+      #if [ "`grep \"<policy user=\\\"$USER\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak user policy found on $f () \n" | sed "s,$USER,${SED_RED},g"; fi
+
+      userpol=$(grep "<policy user=" "$f" 2>/dev/null | grep -v "root")
+      if [ "$userpol" ]; then printf "Possible weak user policy found on $f ($userpol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+      #for g in `groups`; do
+      #  if [ "`grep \"<policy group=\\\"$g\\\">\" \"$f\" 2>/dev/null`" ]; then printf "Possible weak group ($g) policy found on $f\n" | sed "s,$g,${SED_RED},g"; fi
+      #done
+      grppol=$(grep "<policy group=" "$f" 2>/dev/null | grep -v "root")
+      if [ "$grppol" ]; then printf "Possible weak user policy found on $f ($grppol)\n" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$mygroups,${SED_RED},g"; fi
+
+      #TODO: identify allows in context="default"
+    done
+  done
+fi
+echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh

@@ -0,0 +1,46 @@
+# Title: Processes & Cron & Services & Timers - List proccesses
+# ID: PR_List_processes
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: List running proccesses removing the ones that aren't interesting
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info, print_ps
+# Global Variables: $capsB, $knw_usrs, $nosh_usrs, $NOUSEPS, $processesB, $processesDump, $processesVB, $rootcommon, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
+# Initial Functions:
+# Generated Global Variables: $pslist, $cpid, $caphex, $psline
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Running processes (cleaned)"
+
+  if [ "$NOUSEPS" ]; then
+    printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
+  fi
+  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+
+  if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
+    echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
+  fi
+
+  if [ "$NOUSEPS" ]; then
+    print_ps | grep -v 'sed-Es' | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
+    pslist=$(print_ps)
+  else
+    (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
+      echo "$psline"  | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
+      if [ "$(command -v capsh || echo -n '')" ] && ! echo "$psline" | grep -q root; then
+        cpid=$(echo "$psline" | awk '{print $2}')
+        caphex=0x"$(cat /proc/$cpid/status 2> /dev/null | grep CapEff | awk '{print $2}')"
+        if [ "$caphex" ] && [ "$caphex" != "0x" ] && echo "$caphex" | grep -qv '0x0000000000000000'; then
+          printf "  └─(${DG}Caps${NC}) "; capsh --decode=$caphex 2>/dev/null | grep -v "WARNING:" | sed -${E} "s,$capsB,${SED_RED},g"
+        fi
+      fi
+    done
+    pslist=$(ps auxwww)
+    echo ""
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh

@@ -0,0 +1,26 @@
+# Title: Processes & Cron & Services & Timers - Processes with credentials inside memory
+# ID: PR_Process_cred_in_memory
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Processes with credentials inside memory
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $pslist, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Processes with credentials in memory (root req)"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
+  if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
+  if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
+  if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
+  if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
+  if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
+  if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh

@@ -0,0 +1,29 @@
+# Title: Processes & Cron & Services & Timers - Process binaries permissions
+# ID: PR_Process_binaries_perms
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check the permissions of the binaries of the running processes
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $knw_usrs, $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
+# Initial Functions:
+# Generated Global Variables: $binW, $bpath
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$NOUSEPS" ]; then
+    print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+    binW="IniTialiZZinnggg"
+    ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
+      if [ -w "$bpath" ]; then
+        binW="$binW|$bpath"
+      fi
+    done
+    ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh

@@ -0,0 +1,36 @@
+# Title: Processes & Cron & Services & Timers - Process opened by other users
+# ID: PR_Processes_PPID_different_user
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Processes whose PPID belongs to a different user (not root)
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: $ppid_user, $pid, $ppid, $user
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
+  print_2title "Processes whose PPID belongs to a different user (not root)"
+  print_info "You will know if a user can somehow spawn processes as a different user"
+  
+  # Function to get user by PID
+  get_user_by_pid() {
+    ps -p "$1" -o user | grep -v "USER"
+  }
+
+  # Find processes with PPID and user info, then filter those where PPID's user is different from the process's user
+  ps -eo pid,ppid,user | grep -v "PPID" | while read -r pid ppid user; do
+    if [ "$ppid" = "0" ]; then
+      continue
+    fi
+    ppid_user=$(get_user_by_pid "$ppid")
+    if echo "$user" | grep -Eqv "$ppid_user|root$"; then
+      echo "Proc $pid with ppid $ppid is run by user $user but the ppid user is $ppid_user" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+    fi
+  done
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh

@@ -0,0 +1,23 @@
+# Title: Processes & Cron & Services & Timers - Files opened by processes belonging to other users
+# ID: PR_Files_open_process_other_user
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Files opened by processes belonging to other users
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $IAMROOT, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if ! [ "$IAMROOT" ]; then
+    print_2title "Files opened by processes belonging to other users"
+    print_info "This is usually empty because of the lack of privileges to read other user processes information"
+    lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh

@@ -0,0 +1,30 @@
+# Title: Processes & Cron & Services & Timers - Different processes 1 min
+# ID: PR_Different_procs_1min
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Different processes executed during 1 min
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $nosh_usrs, $sh_usrs, $Wfolders
+# Initial Functions:
+# Generated Global Variables: $temp_file
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
+    print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
+    temp_file=$(mktemp)
+    if [ "$(ps -e -o user,command 2>/dev/null)" ]; then 
+      for i in $(seq 1 1210); do 
+        ps -e -o user,command >> "$temp_file" 2>/dev/null; sleep 0.05; 
+      done;
+      sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]" | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"; 
+      rm "$temp_file";
+    fi
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh

@@ -0,0 +1,22 @@
+# Title: Processes & Cron & Services & Timers - Systemd PATH
+# ID: PR_Systemd_path
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Systemd PATH
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $SEARCH_IN_FOLDER, $Wfolders
+# Initial Functions:
+# Generated Global Variables: $WRITABLESYSTEMDPATH
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Systemd PATH"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
+  systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
+  WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
+  echo ""
+fi

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh

@@ -0,0 +1,33 @@
+# Title: Processes & Cron & Services & Timers - Cron jobs
+# ID: PR_Cron_jobs
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate system cron jobs
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Cron jobs"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  command -v crontab 2>/dev/null || echo_not_found "crontab"
+  crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+  command -v incrontab 2>/dev/null || echo_not_found "incrontab"
+  incrontab -l 2>/dev/null
+  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
+  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
+  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
+  atq 2>/dev/null
+else
+  print_2title "Cron jobs"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
+fi
+echo ""

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh

@@ -0,0 +1,55 @@
+# Title: Processes & Cron & Services & Timers - Third party LaunchAgents & LaunchDemons
+# ID: PR_Macos_launch_agents_daemons
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Third party LaunchAgents & LaunchDemons
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
+# Initial Functions:
+# Generated Global Variables: $program
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$MACPEAS" ]; then
+    print_2title "Third party LaunchAgents & LaunchDemons"
+    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
+    ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
+    echo ""
+
+    print_2title "Writable System LaunchAgents & LaunchDemons"
+    find /System/Library/LaunchAgents/ /System/Library/LaunchDaemons/ /Library/LaunchAgents/ /Library/LaunchDaemons/ | grep ".plist" | while read f; do
+      program=""
+      program=$(defaults read "$f" Program 2>/dev/null)
+      if ! [ "$program" ]; then
+        program=$(defaults read "$f" ProgramArguments | grep -Ev "^\(|^\)" | cut -d '"' -f 2)
+      fi
+      if [ -w "$program" ]; then
+        echo "$program" is writable | sed -${E} "s,.*,${SED_RED_YELLOW},";
+      fi
+    done
+    echo ""
+
+    print_2title "StartupItems"
+    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
+    ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
+    echo ""
+
+    print_2title "Login Items"
+    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
+    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
+    echo ""
+
+    print_2title "SPStartupItemDataType"
+    system_profiler SPStartupItemDataType
+    echo ""
+
+    print_2title "Emond scripts"
+    print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
+    ls -l /private/var/db/emondClients
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/5_network_information/10_Macos_hardware_ports.sh

@@ -0,0 +1,40 @@
+# Title: Network Information - MacOS hardware ports
+# ID: NT_Macos_hardware_ports
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate macOS hardware ports
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
+  print_2title "Hardware Ports"
+  networksetup -listallhardwareports
+  echo ""
+
+  print_2title "VLANs"
+  networksetup -listVLANs
+  echo ""
+
+  print_2title "Wifi Info"
+  networksetup -getinfo Wi-Fi
+  echo ""
+
+  print_2title "Check Enabled Proxies"
+  scutil --proxy
+  echo ""
+
+  print_2title "Wifi Proxy URL"
+  networksetup -getautoproxyurl Wi-Fi
+  echo ""
+  
+  print_2title "Wifi Web Proxy"
+  networksetup -getwebproxy Wi-Fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh

@@ -0,0 +1,24 @@
+# Title: Network Information - Internet access
+# ID: NT_Internet_access
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check for internet access
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_80, print_2title
+# Global Variables: $FAST, $TIMEOUT
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ! [ "$FAST" ] && [ "$TIMEOUT" ] && [ -f "/bin/bash" ]; then
+  print_2title "Internet Access?"
+  check_tcp_80 2>/dev/null &
+  check_tcp_443 2>/dev/null &
+  check_icmp 2>/dev/null &
+  check_dns 2>/dev/null &
+  wait
+  echo ""
+fi

linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh

@@ -0,0 +1,19 @@
+# Title: Network Information - Network interfaces
+# ID: NT_Network_interfaces
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check network interfaces
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Interfaces"
+cat /etc/networks 2>/dev/null
+(ifconfig || ip a || (cat /proc/net/dev; cat /proc/net/fib_trie; cat /proc/net/fib_trie6)) 2>/dev/null
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh

@@ -0,0 +1,19 @@
+# Title: Network Information - Hostname, hosts and DNS
+# ID: NT_Hostname_hosts_dns
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get hostname, hosts and DNS
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Hostname, hosts and DNS"
+cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null
+warn_exec dnsdomainname 2>/dev/null
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh

@@ -0,0 +1,25 @@
+# Title: Network Information - Network neighbours
+# ID: NT_Network_neighbours
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Networks and neighbours
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Networks and neighbours"
+  if [ "$MACPEAS" ]; then
+    netstat -rn 2>/dev/null
+  else
+    (route || ip n || cat /proc/net/route) 2>/dev/null
+  fi
+  (arp -e || arp -a || cat /proc/net/arp) 2>/dev/null
+  echo ""
+fi

linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh

@@ -0,0 +1,19 @@
+# Title: Network Information - Open ports
+# ID: NT_Open_ports
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate open ports
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Active Ports"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
+( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh

@@ -0,0 +1,20 @@
+# Title: Network Information - MacOS network capabilities
+# ID: NT_Macos_network_capabilities
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: MacOS network Capabilities
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ]; then
+  print_2title "Network Capabilities"
+  warn_exec system_profiler SPNetworkDataType
+  echo ""
+fi

linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh

@@ -0,0 +1,46 @@
+# Title: Network Information - MacOS Network Services
+# ID: NT_Macos_network_services
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate macos network services
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, warn_exec
+# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Initial Functions:
+# Generated Global Variables: $rmMgmt, $scrShrng, $flShrng, $rLgn, $rAE, $bmM
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ]; then
+  print_2title "Any MacOS Sharing Service Enabled?"
+  rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l);
+  scrShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.5900" | wc -l);
+  flShrng=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep -E "\*.88|\*.445|\*.548" | wc -l);
+  rLgn=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.22" | wc -l);
+  rAE=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.3031" | wc -l);
+  bmM=$(netstat -na | grep LISTEN | grep -E 'tcp4|tcp6' | grep "*.4488" | wc -l);
+  printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
+  echo ""
+  print_2title "VPN Creds"
+  system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password"  | sed -${E} "s,Password|Authorization Name.*,${SED_RED},"
+  echo ""
+  print_2title "Firewall status"
+  warn_exec system_profiler SPFirewallDataType
+  echo ""
+
+  if [ "$EXTRA_CHECKS" ]; then
+    print_2title "Bluetooth Info"
+    warn_exec system_profiler SPBluetoothDataType
+    echo ""
+
+    print_2title "Ethernet Info"
+    warn_exec system_profiler SPEthernetDataType
+    echo ""
+
+    print_2title "USB Info"
+    warn_exec system_profiler SPUSBDataType
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh

@@ -0,0 +1,23 @@
+# Title: Network Information - Tcpdump
+# ID: NT_Tcpdump
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Can I sniff with tcpdump?
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_no, print_2title, print_info
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Can I sniff with tcpdump?"
+timeout 1 tcpdump >/dev/null 2>&1
+if [ $? -eq 124 ]; then #If 124, then timed out == It worked
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
+    echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
+else echo_no
+fi
+echo ""

linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh

@@ -0,0 +1,20 @@
+# Title: Network Information - Iptables
+# ID: NT_Iptables
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate iptables rules
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: $EXTRA_CHECKS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Iptables rules"
+  (timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null) 2>/dev/null || echo_not_found "iptables rules"
+  echo ""
+fi

linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh

@@ -0,0 +1,20 @@
+# Title: Network Information - Inetconf
+# ID: NT_Inetdconf
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check content of /etc/inetd.conf & /etc/xinetd.conf
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title 
+# Global Variables: $EXTRA_CHECKS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Content of /etc/inetd.conf & /etc/xinetd.conf"
+  (cat /etc/inetd.conf /etc/xinetd.conf 2>/dev/null | grep -v "^$" | grep -Ev "\W+\#|^#" 2>/dev/null) || echo_not_found "/etc/inetd.conf"
+  echo ""
+fi

linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh

@@ -0,0 +1,19 @@
+# Title: Users Information - Pkexec
+# ID: UG_Pkexec
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Check Pkexec policy
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables: $Groups, $groupsB, $groupsVB,$nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Checking Pkexec policy"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
+(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh

@@ -0,0 +1,18 @@
+# Title: Users Information - Superusers
+# ID: UG_Superusers
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Superusers
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables:$knw_usrs ,$nosh_usrs,$sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Superusers"
+awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED_YELLOW}," | sed "s,root,${SED_RED},"
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh

@@ -0,0 +1,44 @@
+# Title: Users Information - Users with console
+# ID: UG_Users_with_console
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Users with console
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS, $sh_usrs, $USER 
+# Initial Functions:
+# Generated Global Variables: $ushell, $no_shells, $unexpected_shells
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Users with console"
+if [ "$MACPEAS" ]; then
+  dscl . list /Users | while read un; do
+    ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
+    if grep -q "$ushell" /etc/shells; then #Shell user
+      dscl . -read "/Users/$un" UserShell RealName RecordName Password NFSHomeDirectory 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      echo ""
+    fi
+  done
+else
+  no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
+  unexpected_shells=""
+  printf "%s\n" "$no_shells" | while read f; do
+    if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
+      unexpected_shells="$f\n$unexpected_shells"
+    fi
+  done
+  grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+  if [ "$unexpected_shells" ]; then
+    printf "%s" "These unexpected binaries are acting like shells:\n$unexpected_shells" | sed -${E} "s,/.*,${SED_RED},g"
+    echo "Unexpected users with shells:"
+    printf "%s\n" "$unexpected_shells" | while read f; do
+      if [ "$f" ]; then
+        grep -E "${f}$" /etc/passwd | sed -${E} "s,/.*,${SED_RED},g"
+      fi
+    done
+  fi
+fi
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/13_Users_groups.sh

@@ -0,0 +1,22 @@
+# Title: Users Information - Users & groups
+# ID: UG_Users_groups
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get all users & groups
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $groupsB, $groupsVB, $knw_grps, $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "All users & groups"
+if [ "$MACPEAS" ]; then
+  dscl . list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
+else
+  cut -d":" -f1 /etc/passwd 2>/dev/null| while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
+fi
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh

@@ -0,0 +1,18 @@
+# Title: Users Information - Login now
+# ID: UG_Login_now
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Login now
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Login now"
+(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh

@@ -0,0 +1,18 @@
+# Title: Users Information - Last logons
+# ID: UG_Last_logons
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Last logons
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+print_2title "Last logons"
+(last -Faiw || last) 2>/dev/null | tail | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_RED}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/16_Login_info.sh

@@ -0,0 +1,29 @@
+# Title: Users Information - Login info
+# ID: UG_Login_info
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Last time logon each user
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: EXISTS_FINGER, ushell
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+print_2title "Last time logon each user"
+lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+
+EXISTS_FINGER="$(command -v finger 2>/dev/null || echo -n '')"
+if [ "$MACPEAS" ] && [ "$EXISTS_FINGER" ]; then
+  dscl . list /Users | while read un; do
+    ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)
+    if grep -q "$ushell" /etc/shells; then #Shell user
+      finger "$un" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
+      echo ""
+    fi
+  done
+fi
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/17_Password_policy.sh

@@ -0,0 +1,32 @@
+# Title: Users Information - Password policy
+# ID: UG_Password_policy
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get assword policy
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: $EXTRA_CHECKS, $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$EXTRA_CHECKS" ]; then
+  print_2title "Password policy"
+  grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
+  echo ""
+
+  if [ "$MACPEAS" ]; then
+    print_2title "Relevant last user info and user configs"
+    defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
+    echo ""
+
+    print_2title "Guest user status"
+    sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
+    echo ""
+  fi
+fi

linPEAS/builder/linpeas_parts/6_users_information/18_Brute_su.sh

@@ -0,0 +1,31 @@
+# Title: Users Information - Brute su
+# ID: UG_Brute_su
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Brute su
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: check_if_su_brute, print_2title, su_brute_user_num
+# Global Variables: $IAMROOT, $PASSTRY, $TIMEOUT
+# Initial Functions:
+# Generated Global Variables: $SHELLUSERS, $POSSIBE_SU_BRUTE
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
+  print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
+  POSSIBE_SU_BRUTE=$(check_if_su_brute);
+  if [ "$POSSIBE_SU_BRUTE" ]; then
+    SHELLUSERS=$(cat /etc/passwd 2>/dev/null | grep -i "sh$" | cut -d ":" -f 1)
+    printf "%s\n" "$SHELLUSERS" | while read u; do
+      echo "  Bruteforcing user $u..."
+      su_brute_user_num "$u" $PASSTRY
+    done
+  else
+    printf $GREEN"It's not possible to brute-force su.\n\n"$NC
+  fi
+else
+  print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
+fi
+print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC

linPEAS/builder/linpeas_parts/6_users_information/1_Macos_my_user_hooks.sh

@@ -0,0 +1,20 @@
+# Title: Users Information - MacOS my user hooks
+# ID: UG_Macos_my_user_hooks
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get current user Login and Logout hooks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $HOME, $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ];then
+  print_2title "Current user Login and Logout hooks"
+  defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
+  echo ""
+fi

linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh

@@ -0,0 +1,19 @@
+# Title: Users Information - My User
+# ID: UG_My_user
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: My User
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $groupsB, $groupsVB, $idB, $knw_grps , $knw_usrs, $nosh_usrs,$sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "My user"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
+(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh

@@ -0,0 +1,22 @@
+# Title: Users Information - MacOS user hooks
+# ID: UG_Macos_user_hooks
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Enumerate all users login and logout hooks
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS 
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ];then
+  print_2title "All Login and Logout hooks"
+  defaults read /Users/*/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
+  defaults read /private/var/root/Library/Preferences/com.apple.loginwindow.plist
+  echo ""
+
+fi

linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh

@@ -0,0 +1,21 @@
+# Title: Users Information - Macos systemKey
+# ID: UG_Macos_keychains
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get macOS systemKey
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ];then
+  print_2title "Keychains"
+  print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
+  security list-keychains
+  echo ""
+fi

linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh

@@ -0,0 +1,24 @@
+# Title: Users Information - Macos systemKey
+# ID: UG_Macos_systemkey
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Get macOS systemKey
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title
+# Global Variables: $MACPEAS
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 0
+
+
+if [ "$MACPEAS" ];then
+  print_2title "SystemKey"
+  ls -l /var/db/SystemKey
+  if [ -r "/var/db/SystemKey" ]; then
+    echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
+    hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh

@@ -0,0 +1,22 @@
+# Title: Users Information - PGP keys
+# ID: UG_Pgp_keys
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: PGP keys
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: 
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Do I have PGP keys?"
+command -v gpg 2>/dev/null || echo_not_found "gpg"
+gpg --list-keys 2>/dev/null
+command -v netpgpkeys 2>/dev/null || echo_not_found "netpgpkeys"
+netpgpkeys --list-keys 2>/dev/null
+command -v netpgp 2>/dev/null || echo_not_found "netpgp"
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh

@@ -0,0 +1,29 @@
+# Title: Users Information - Clipboard and highlighted text
+# ID: UG_Clipboard_highlighted_text
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Clipboard and highlighted text
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: $DEBUG, $pwd_inside_history
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
+  print_2title "Clipboard or highlighted text?"
+  if [ "$(command -v xclip 2>/dev/null || echo -n '')" ]; then
+    echo "Clipboard: "$(xclip -o -selection clipboard 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Highlighted text: "$(xclip -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  elif [ "$(command -v xsel 2>/dev/null || echo -n '')" ]; then
+    echo "Clipboard: "$(xsel -ob 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+    echo "Highlighted text: "$(xsel -o 2>/dev/null) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  elif [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ]; then
+    echo "Clipboard: "$(pbpaste) | sed -${E} "s,$pwd_inside_history,${SED_RED},"
+  else echo_not_found "xsel and xclip"
+  fi
+  echo ""
+fi

linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

@@ -0,0 +1,32 @@
+# Title: Users Information - Sudo -l
+# ID: UG_Sudo_l
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title, print_info
+# Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2 
+# Initial Functions:
+# Generated Global Variables:
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
+(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
+if [ "$PASSWORD" ]; then
+  (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"
+fi
+( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null  || echo_not_found "/etc/sudoers"
+if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
+  echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+fi
+for f in /etc/sudoers.d/*; do
+  if [ -r "$f" ]; then
+    echo "Sudoers file: $f is readable" | sed -${E} "s,.*,${SED_RED},g"
+    grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
+  fi
+done
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh

@@ -0,0 +1,43 @@
+# Title: Users Information - Sudo tokens
+# ID: UG_Sudo_tokens
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Checking Sudo tokens
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_info
+# Global Variables: $HOME, $CURRENT_USER_PIVOT_PID
+# Initial Functions: get_current_user_privot_pid
+# Generated Global Variables: $ptrace_scope
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+print_2title "Checking sudo tokens"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
+ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
+if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
+  echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";
+
+  if [ "$(command -v gdb 2>/dev/null || echo -n '')" ]; then
+    echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g";
+  fi
+
+  if [ "$CURRENT_USER_PIVOT_PID" ]; then
+    echo "The current user proc $CURRENT_USER_PIVOT_PID is the parent of a different user proccess" | sed -${E} "s,.*,${SED_RED},g";
+  fi
+
+  if [ -f "$HOME/.sudo_as_admin_successful" ]; then
+    echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},";
+  fi
+
+  if ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -qE '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'; then
+    echo "Current user has other interactive shells running: " | sed -${E} "s,.*,${SED_RED},g";
+    ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
+  fi
+
+else
+  echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
+
+fi
+echo ""

linPEAS/builder/linpeas_parts/6_users_information/9_Doas.sh

@@ -0,0 +1,24 @@
+# Title: Users Information - Doas
+# ID: UG_Doas
+# Author: Carlos Polop
+# Last Update: 22-08-2023
+# Description: Checking doas.conf
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: echo_not_found, print_2title
+# Global Variables: $DEBUG, $nosh_usrs,  $sh_usrs, $USER
+# Initial Functions:
+# Generated Global Variables: $doas_dir_name
+# Fat linpeas: 0
+# Small linpeas: 1
+
+
+if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
+  print_2title "Checking doas.conf"
+  doas_dir_name=$(dirname "$(command -v doas || echo -n '')" 2>/dev/null)
+  if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
+    cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
+  else echo_not_found "doas.conf"
+  fi
+  echo ""
+fi