
@carlospolop
Collaborator

🔧 Automated Privilege Escalation Check Addition

🤔 Privilege Escalation Reasoning

The blog describes a local privilege escalation path on IGEL OS (a Linux-based thin client platform) that abuses misconfigured SUID-root binaries (setup and date) to gain root via systemd/NetworkManager service manipulation.

Key aspects that make this suitable for linpeas:

  • It is a local privilege escalation technique on a Linux-derived OS (IGEL OS).
  • The technique relies on generic misconfigurations that linpeas already hunts for in other contexts: SUID-root binaries that allow modification of systemd/NetworkManager configuration and service restart. The core pattern is not a one-off custom CTF script but an OS vendor configuration: IGEL ships setup/date with SUID and exposes network/system config editing capabilities through them.
  • The method is: from a low-privilege user, use these SUID binaries to write/modify NetworkManager or systemd unit files so that ExecStart (or hooks) points to an attacker-controlled executable, then trigger a service restart using the same SUID binary, leading to code execution as root. This is a recognizable, generalizable privesc pattern (SUID-assisted service config tampering → service restart → root code exec).
  • Although it is vendor-specific (IGEL), IGEL is a real-world commercial thin client OS, not an artificial CTF service, and these SUID binaries/registry mechanisms are part of its standard environment. This is within the kind of OS-/vendor-specific checks that linpeas already includes (e.g., sudoers quirks, common appliance misconfigs) and is more broadly useful than a custom single-host script.

Other items in the blog (FortiWeb RCE, Flowise RCE, SMB→MSSQL relay, Notepad++ DLL persistence, RISC-V chmod payloads) are remote exploitation or persistence/lateral-movement techniques rather than local privesc enumeration targets for linpeas/winpeas, so they are out of scope for this decision. The IGEL persistence (registry startup) and dump modules are post-exploitation behaviors that are highly IGEL-specific and less useful as generic linpeas checks, but the underlying SUID-misuse privesc pattern is directly relevant.

🤖 Implementation Details

PEASS linpeas agent completed successfully with 110 items. Agent Comment: Summary of updates

  • New IGEL OS SUID privesc module (linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh): Adds detection for the Metasploit-documented IGEL OS privilege escalation chain that abuses the SUID setup/date binaries to rewrite NetworkManager or systemd configs and restart services as root. It first fingerprints IGEL OS via /etc/os-release, /etc/issue, and IGEL-specific directories, then lists any SUID-root setup/date binaries on standard appliance paths. When triggered (and outside SUPERFAST mode) it highlights writable NetworkManager profiles and systemd unit files (bounded depth/line counts) so operators can immediately see if the service-hijack prerequisite is satisfied. The output includes exploitation guidance referencing the linux/local/igel_network_priv_esc module.
  • Documentation touch-up (linPEAS/README.md): Added a short note in the “Basic Information” section mentioning that linPEAS now covers IGEL OS SUID setup/date misconfigurations, keeping the public documentation aligned with the new detection.

Tests

  • bash -n linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh

These changes ensure linPEAS alerts operators whenever an IGEL appliance exposes the newly publicized SUID/service-restart abuse path and makes the enhancement discoverable through the README.

🏗️ Builder Agent Response

LinPEAS build agent completed successfully with 59 items. Agent Comment: ✅ LinPEAS build fixed and verified

  • Navigated to /tmp/hacktricks_update_kandqghs/repo/linPEAS and ran the official build command python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh.
  • Initial failure came from the new module builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh:
    • Its metadata # ID: didn’t match the filename once the numeric prefix was stripped.
    • The module also omitted the locally generated variables from the # Generated Global Variables metadata, which the builder now enforces.
  • Updated the module so the ID now reads IP_IGEL_OS_SUID, and documented every module-scoped variable (igel_markers, writable_nm, etc.) inside # Generated Global Variables, keeping the functions/global-variable bookkeeping consistent with linPEAS conventions.
  • Re-ran the build command: it completed successfully, downloading auxiliary tooling and writing the final artifact to /tmp/linpeas_fat.sh with no remaining errors.

You’re all set—the LinPEAS build pipeline is green again.


This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.
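The three detection steps the PR description lists (IGEL fingerprint, SUID-root setup/date binaries, writable NetworkManager/systemd files), written as an added stand-alone POSIX sh audit script; this is example code, not the PR's 16_IGEL_OS_SUID.sh module. The search-root arguments, the default directory list and the optional marker-directory arguments are assumptions, since the PR does not spell out the appliance paths.

```shell
#!/bin/sh
# Added audit example, not the PR's own module: mirrors the three checks the PR
# describes (IGEL fingerprint, SUID setup/date, writable NM/systemd files).
# Every function takes its search roots as arguments so it can be pointed at a
# mounted image or a constructed test tree; the default paths are assumptions.

# 1. Fingerprint: look for "igel" in os-release/issue under $1, plus any extra
#    marker directories given as further arguments. Returns 1 if nothing matches.
igel_fingerprint() {
    root="${1%/}"; shift; found=1
    for f in "$root/etc/os-release" "$root/etc/issue"; do
        [ -r "$f" ] && grep -qi igel "$f" && { echo "marker: $f"; found=0; }
    done
    for d in "$@"; do
        [ -d "$d" ] && { echo "marker dir: $d"; found=0; }
    done
    return $found
}

# 2. SUID binaries named setup or date directly inside the given directories,
#    printed with their owner (a root owner is the risky case the PR describes).
igel_suid_bins() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f \( -name setup -o -name date \) -perm -4000 2>/dev/null |
        while IFS= read -r f; do
            printf '%s owner=%s\n' "$f" "$(ls -ld "$f" | awk '{print $3}')"
        done
    done
}

# 3. NetworkManager profiles / systemd units writable by the current user,
#    bounded to depth 2 and 20 output lines, as the PR bounds its listing.
igel_writable_units() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 2 -type f \( -name '*.nmconnection' -o -name '*.service' \) 2>/dev/null
    done | while IFS= read -r f; do [ -w "$f" ] && echo "$f"; done | head -n 20
}

# Driver for a live host; the default paths are ordinary Linux locations (assumed).
igel_audit() {
    if ! igel_fingerprint /; then echo "not IGEL OS, skipping"; return 0; fi
    echo "--- SUID setup/date ---"; igel_suid_bins /bin /usr/bin /sbin /usr/sbin
    echo "--- writable NM/systemd files ---"
    igel_writable_units /etc/NetworkManager /etc/systemd/system /run/systemd/system
}

if [ "${1:-}" = audit ]; then igel_audit; fi
```

Run as `sh igel_audit.sh audit` on a host, or source the file and call the individual functions against a mounted image root.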
