Conversation

@carlospolop
Collaborator

🔧 Automated Privilege Escalation Check Addition

🤔 Privilege Escalation Reasoning

The blog post contains a privilege escalation technique that is both local and generic enough to be relevant for real-world Linux environments, not just CTFs. Specifically:

  1. restic sudo abuse via --password-command:

    • Scenario described: a user can run /usr/bin/restic as root via sudo (e.g., bob ALL=(ALL) NOPASSWD: /usr/bin/restic).
    • restic has the option --password-command which executes an arbitrary command to obtain the backup password. When restic is invoked via sudo, this helper command runs with elevated privileges.
    • The post demonstrates using this to run arbitrary commands as root, e.g.:
      • sudo restic check --password-command 'cp /bin/bash /tmp/suidbash'
      • sudo restic check --password-command 'chmod 6777 /tmp/suidbash'
      • Then running /tmp/suidbash -p to get a root shell.
    • This is a classic misconfigured sudo + helper option privilege escalation pattern, similar to existing linpeas checks for tar, rsync, less, ftp, openssl, backup tools, etc.
    • restic is a popular backup utility in real environments (servers, NAS, devops pipelines), and sudo restic is a plausible configuration for delegated backup tasks. The abuse relies on a generic feature of restic (--password-command), not a custom script or niche, fixed CVE.
  2. Other tricks in the post (n8n HMAC forgery, n8n SQLi, time-seeded password generator) are either:

    • Application-specific logic bugs (e.g., a particular n8n workflow wiring and debug node), or
    • Highly custom code (time-seeded password generator),
    so they do not meet the criteria for inclusion in linpeas.

Thus, the only clearly reusable, generic local privilege escalation technique suitable for linpeas is the restic --password-command sudo-abuse pattern on Linux.

🤖 Implementation Details

PEASS linpeas agent completed successfully with 98 items. Agent Comment: Summary:

  • Added the new module UG_Sudo_restic (linPEAS/builder/linpeas_parts/6_users_information/19_Sudo_restic.sh) to automatically detect sudo rules that allow running restic, highlighting that the --password-command option executes helper commands as root. The module:
    • Announces whether restic is present in PATH.
    • Scans sudo -n -l output (and, when available, sudo -S -l using $PASSWORD) plus readable /etc/sudoers and /etc/sudoers.d/* files for lines containing restic.
    • Emphasizes any matches in red/yellow and provides an abuse example (sudo restic check --password-command 'cp /bin/bash /tmp/restic-root && chmod 6777 /tmp/restic-root') to remind operators how to escalate.
    • Falls back to echo_not_found when no risky configuration is observed.
  • Updated linPEAS/README.md with a “Recent updates” section noting the new restic --password-command detection so the documentation reflects the added coverage.

Testing:

  • bash -n linPEAS/builder/linpeas_parts/6_users_information/19_Sudo_restic.sh

🏗️ Builder Agent Response

LinPEAS build agent completed successfully with 26 items. Agent Comment: LinPEAS now builds successfully.

What I did

  1. Reproduced the build failure in /tmp/hacktricks_update_dkj547wj/repo/linPEAS using python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh, which surfaced metadata validation errors for module builder/linpeas_parts/6_users_information/19_Sudo_restic.sh.
  2. Updated that module’s metadata so every global variable it generates ($restic_bin, $restic_sudo_found, $sudo_no_pw_output, $sudo_with_pw_output, $matches, $sudo_file, $block, $origin) is listed under Generated Global Variables, as required by the builder.
  3. Re-ran the build command; it completed without errors and produced /tmp/linpeas_fat.sh.

Let me know if you need any additional adjustments or verifications.

This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.
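As an added illustration of the detection logic the module description above outlines (this is example code written here, not the UG_Sudo_restic module from the linPEAS repository), the scan below reads sudo rule text, skips comments, and reports each rule that runs restic with a severity based on whether it is NOPASSWD; the sample rules, user and host names are constructed and hypothetical.

```shell
#!/bin/sh
# Added example, not the linPEAS module itself: flag sudo rules that grant
# restic, the configuration the UG_Sudo_restic check is meant to surface.
# Constructed sample standing in for `sudo -l` / sudoers text; users and
# hosts are hypothetical.
SAMPLE_SUDO_RULES='User bob may run the following commands on host1:
    (ALL) NOPASSWD: /usr/bin/restic
    (root) /usr/local/bin/restic backup /srv
    (ALL) NOPASSWD: /usr/bin/rsync
# a comment mentioning restic must not be reported
alice ALL=(ALL) /usr/bin/restic check'

# scan_restic_rules: read rule text on stdin, print "<severity>\t<rule>" for
# every rule that runs restic. NOPASSWD rules are HIGH (no credential is
# needed before the --password-command helper runs as root), others MEDIUM.
scan_restic_rules() {
    while IFS= read -r line; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            ''|\#*) continue ;;              # skip blank lines and comments
        esac
        # restic as a bare name or path component, not a substring like resticd
        if printf '%s\n' "$trimmed" | grep -Eq '(^|[[:space:]/])restic([[:space:]]|$)'; then
            case "$trimmed" in
                *NOPASSWD:*) severity=HIGH ;;
                *)           severity=MEDIUM ;;
            esac
            printf '%s\t%s\n' "$severity" "$trimmed"
        fi
    done
}

# count_restic_rules: number of flagged rules in the text passed as $1.
count_restic_rules() {
    printf '%s\n' "$1" | scan_restic_rules | wc -l | tr -d ' '
}

# On a real host the module feeds `sudo -n -l`, /etc/sudoers and
# /etc/sudoers.d/* through this kind of scan; here the sample stands in.
printf '%s\n' "$SAMPLE_SUDO_RULES" | scan_restic_rules
```

For the sample above the scan reports three rules, one of them HIGH; the comment line and the rsync rule are not reported.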
