change url

.gitignore

@@ -25,4 +25,6 @@ linPEAS/builder/__pycache__/*
 linPEAS/builder/src/__pycache__/*
 linPEAS/linpeas.sh
 sh2bin
-sh2bin/*
+sh2bin/*
+.dccache
+./*/.dccache

README.md

@@ -12,10 +12,10 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and
 
 These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
 
-- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)**
+- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
 - **[WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
 
-- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**
+- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**
 - **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
 
 ## Quick Start

linPEAS/README.md

@@ -2,9 +2,9 @@
 
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
 
-**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/privilege-escalation)**
+**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)**
 
-Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**.
+Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**.
 
 [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)
 

linPEAS/builder/linpeas_parts/1_system_information.sh

@@ -4,7 +4,7 @@
 
 #-- SY) OS
 print_2title "Operative system"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
 (cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
 warn_exec lsb_release -a 2>/dev/null
 if [ "$MACPEAS" ]; then
@@ -15,7 +15,7 @@ echo ""
 #-- SY) Sudo
 print_2title "Sudo version"
 if [ "$(command -v sudo 2>/dev/null)" ]; then
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
 sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
 else echo_not_found "sudo"
 fi
@@ -51,7 +51,7 @@ echo ""
 #--SY) USBCreator
 if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
     print_2title "USBCreator"
-    print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
 
     pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
     if [ -z "$pc_version" ]; then
@@ -70,7 +70,7 @@ echo ""
 
 #-- SY) PATH
 print_2title "PATH"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
 echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
 echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g"
 echo ""
@@ -130,7 +130,7 @@ echo ""
 #-- SY) Dmesg
 if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$DEBUG" ]; then
     print_2title "Searching Signature verification failed in dmesg"
-    print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
     (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
     echo ""
 fi

linPEAS/builder/linpeas_parts/2_container.sh

@@ -187,7 +187,7 @@ fi
 if [ "$inContainer" ]; then
     echo ""
     print_2title "Container & breakout enumeration"
-    print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
     print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')"
     if echo "$containerType" | grep -qi "docker"; then
         print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"

linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh

@@ -8,7 +8,7 @@ print_2title "Cleaned processes"
 if [ "$NOUSEPS" ]; then
   printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
 fi
-print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
+print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
 
 if [ "$NOUSEPS" ]; then
   print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
@@ -29,7 +29,7 @@ else
 
   #-- PCS) Binary processes permissions
   print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
-  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
   binW="IniTialiZZinnggg"
   ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
     if [ -w "$bpath" ]; then
@@ -50,7 +50,7 @@ fi
 
 #-- PCS) Processes with credentials inside memory
 print_2title "Processes with credentials in memory (root req)"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
 if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
 if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
 if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
@@ -62,15 +62,15 @@ echo ""
 #-- PCS) Different processes 1 min
 if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
   print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
-  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
   temp_file=$(mktemp)
   if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
   echo ""
 fi
 
 #-- PCS) Cron
 print_2title "Cron jobs"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
 command -v crontab 2>/dev/null || echo_not_found "crontab"
 crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
 command -v incrontab 2>/dev/null || echo_not_found "incrontab"
@@ -131,15 +131,15 @@ fi
 
 #-- PSC) systemd PATH
 print_2title "Systemd PATH"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
 systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
 WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
 echo ""
 
 #-- PSC) .service files
 #TODO: .service files in MACOS are folders
 print_2title "Analyzing .service files"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
 printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
   if [ ! -O "$s" ]; then #Remove services that belongs to the current user
     if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
@@ -167,13 +167,13 @@ echo ""
 
 #-- PSC) Timers
 print_2title "System timers"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
 (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
 echo ""
 
 #-- PSC) .timer files
 print_2title "Analyzing .timer files"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
 printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
   if ! [ "$IAMROOT" ] && [ -w "$t" ]; then
     echo "$t" | sed -${E} "s,.*,${SED_RED},g"
@@ -195,7 +195,7 @@ echo ""
 #TODO: .socket files in MACOS are folders
 if ! [ "$IAMROOT" ]; then
   print_2title "Analyzing .socket files"
-  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
   printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
     if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
       echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
@@ -214,15 +214,15 @@ if ! [ "$IAMROOT" ]; then
     done
   done
   if ! [ "$IAMROOT" ] && [ -w "/var/run/docker.sock" ]; then
-    echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
+    echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
   fi
   if ! [ "$IAMROOT" ] && [ -w "/run/docker.sock" ]; then
-    echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
+    echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
   fi
   echo ""
 
   print_2title "Unix Sockets Listening"
-  print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
   # Search sockets using netstat and ss
   unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
   if ! [ "$unix_scks_list" ];then
@@ -262,7 +262,7 @@ fi
 
 #-- PSC) Writable and weak policies in D-Bus config files
 print_2title "D-Bus config files"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
 if [ "$PSTORAGE_DBUS" ]; then
   printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
     for f in $d/*; do
@@ -289,7 +289,7 @@ fi
 echo ""
 
 print_2title "D-Bus Service Objects list"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
 dbuslist=$(busctl list 2>/dev/null)
 if [ "$dbuslist" ]; then
   busctl list | while read line; do

linPEAS/builder/linpeas_parts/4_network_information.sh

@@ -53,7 +53,7 @@ fi
 
 #-- NI) Ports
 print_2title "Active Ports"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
 ( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},"
 echo ""
 
@@ -92,7 +92,7 @@ fi
 print_2title "Can I sniff with tcpdump?"
 timeout 1 tcpdump >/dev/null 2>&1
 if [ $? -eq 124 ]; then #If 124, then timed out == It worked
-    print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sniffing"
+    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
     echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
 else echo_no
 fi

linPEAS/builder/linpeas_parts/5_users_information.sh

@@ -4,7 +4,7 @@
 
 #-- UI) My user
 print_2title "My user"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#users"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
 (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
 echo ""
 
@@ -59,7 +59,7 @@ fi
 
 #-- UI) Sudo -l
 print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
 (echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
 if [ "$PASSWORD" ]; then
   (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null  || echo_not_found "sudo"
@@ -78,7 +78,7 @@ echo ""
 
 #-- UI) Sudo tokens
 print_2title "Checking sudo tokens"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
 ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
 if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0)" | sed "s,is disabled,${SED_RED},g";
 else echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
@@ -117,7 +117,7 @@ fi
 
 #-- UI) Pkexec policy
 print_2title "Checking Pkexec policy"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
 (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
 echo ""