update

deepce.sh

@@ -195,7 +195,7 @@ printTip() {
   if [ "$quiet" ]; then
     return
   fi
-  printer "$DG" "$1" | fold -s -w 95
+    printer "$DG" "$1" | fold -s -w 95
   nl
 }
 
@@ -369,7 +369,7 @@ userCheck() {
   printQuestion "User ...................."
   if [ "$(id -u)" = 0 ]; then
     isUserRoot="1"
-    printSuccess "root"
+    printEx "root"
   else
     printSuccess "$(whoami)"
   fi
@@ -377,6 +377,29 @@ userCheck() {
   printQuestion "Groups .................."
   groups=$(groups| sed "s/\($DANGEROUS_GROUPS\)/${LG}${EX}&${NC}${DG}/g")
   printStatus "$groups" "None"
+
+  if ! [ $isUserRoot ]; then
+    printQuestion "Sudo ...................."
+    if [ -x "$(command -v sudo)" ]; then
+      if sudo -n -l 2>/dev/null; then
+        printEx "Passwordless Sudo"
+        isUserHasSudo="1"
+      else
+        printError "Password required"
+      fi
+    else
+      printError "sudo not found"
+    fi
+  else
+    printQuestion "Sudoers ................."
+    if [ -r /etc/sudoers ]; then
+      sudoers=$(grep -v "#\|^$\|^Defaults\|@include" /etc/sudoers)
+      printYes
+      printStatus "$sudoers"
+    else
+      printNo
+    fi
+  fi
 }
 
 dockerSockCheck() {
@@ -443,9 +466,7 @@ enumerateContainer() {
 
 containerID() {
   # Get container ID
-  containerID="$(cat /etc/hostname)"
+  containerID="$(cat /etc/hostname || uname -n || hostname)"
-  #containerID="$(hostname)"
-  #containerID="$(uname -n)"
   # Get container full ID
   printResult "Container ID ............" "$containerID" "Unknown"
 
@@ -499,13 +520,13 @@ containerName() {
     # Requires containerIP
     if [ "$containerIP" ]; then
         if [ -x "$(command -v host)" ]; then
-        containerName=$(host "$containerIP" | rev | cut -d' ' -f1 | rev)
+          containerName=$(host "$containerIP" | rev | cut -d' ' -f1 | rev)
         elif [ -x "$(command -v dig)" ]; then
-        containerName=$(dig -x "$containerIP" +noall +answer | grep 'PTR' | rev | cut -f1 | rev)
+          containerName=$(dig -x "$containerIP" +noall +answer | grep 'PTR' | rev | cut -f1 | rev)
         elif [ -x "$(command -v nslookup)" ]; then
-        containerName=$(nslookup "$containerIP" 2>/dev/null | grep 'name = ' | rev | cut -d' ' -f1 | rev)
+          containerName=$(nslookup "$containerIP" 2>/dev/null | grep 'name = ' | rev | cut -d' ' -f1 | rev)
         else
-        missingTools="1"
+          missingTools="1"
         fi
     fi
   else
@@ -807,16 +828,17 @@ findInterestingFiles() {
     printNo
   fi
 
-  hashes=$(cut -d':' -f2 < /etc/shadow 2>/dev/null | grep -v '^*$\|^!')
   printQuestion "Hashes in shadow file ..............."
-  if [ "$hashes" ]; then
+  if test -r /etc/shadow; then
-    printYes
+    hashes=$(cut -d':' -f2 < /etc/shadow 2>/dev/null | grep -v '^*$\|^!')
-    printStatus "$hashes"
+    if [ "$hashes" ]; then
-  elif test -r /etc/shadow; then
+      printYes
-    # Cannot check...
+      printStatus "$hashes"
-    printFail "No permissions"
+    else
+      printNo
+    fi
   else
-    printNo
+    printFail "Not readable"
   fi
 
   # TODO: Check this file /run/secrets/
@@ -829,7 +851,6 @@ findInterestingFiles() {
       printMsg "$(ls -lAh "$p")"
     fi
   done
-
 }
 
 checkDockerRootless() {

lse.sh

@@ -5,7 +5,7 @@
 # Author: Diego Blanco <diego.blanco@treitos.com>
 # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
 #
-lse_version="4.13nw"
+lse_version="4.14nw"
 
 ##( Colors
 #
@@ -89,7 +89,7 @@ lse_procmon_lock=`mktemp`
 lse_cve_tmp=''
 
 # printf
-printf "%s" "$reset" | grep -q '\\' && alias printf="env printf"
+printf "$reset" | grep -q '\\' && alias printf="env printf"
 
 #( internal data
 lse_common_setuid="
@@ -262,7 +262,7 @@ cecho() { #(
     printf "%b" "$@"
   else
     # If color is disabled we remove it
-    printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g'
+    printf "%b" "$@" | sed -r 's/(\x1B|\\e)\[[0-9;:]+[A-Za-z]//g'
   fi
 } #)
 lse_recolor() { #(
@@ -381,6 +381,8 @@ lse_test() { #(
   local deps="$5"
   # Variable name where to store the output
   local var="$6"
+  # Flags affecting the execution of certain tests
+  local flags="$7"
 
   # Define colors
   local l="${lred}!"
@@ -408,6 +410,12 @@ lse_test() { #(
     printf "."
   done
 
+  # Check if test should be skipped when running as root
+  if [ "$lse_user_id" -eq 0 ] && [ "$flags" = "rootskip" ]; then
+    cecho " ${grey}skip\n"
+    return 1
+  fi
+
   # Check dependencies
   local non_met_deps=""
   for d in $deps; do
@@ -482,6 +490,10 @@ lse_show_info() { #(
   echo
   cecho  "${green}=====================(${yellow} Current Output Verbosity Level: ${cyan}$lse_level ${green})======================${reset}"
   echo
+  if [ "$lse_user_id" -eq 0 ]; then
+    cecho  "${green}============(${yellow} Already running as ${red}root${yellow}, some tests will be skipped! ${green})============${reset}"
+    echo
+  fi
 } #)
 lse_serve() { #(
   # get port
@@ -778,7 +790,8 @@ lse_run_tests_filesystem() {
     # Add symlinks owned by the user (so the user can change where they point)
     find  / -path "$lse_home" -prune -o $lse_find_opts -type l -user $lse_user -print' \
     "" \
-    "lse_user_writable"
+    "lse_user_writable" \
+    "rootskip"
 
   #get setuid binaries
   lse_test "fst010" "1" \
@@ -906,7 +919,8 @@ lse_run_tests_filesystem() {
   #files owned by user
   lse_test "fst500" "2" \
     "Files owned by user '$lse_user'" \
-    'find / $lse_find_opts -user $lse_user -type f -exec ls -al {} \;'
+    'find / $lse_find_opts -user $lse_user -type f -exec ls -al {} \;' \
+    "" "" "rootskip"
 
   #check for SSH files anywhere
   lse_test "fst510" "2" \
@@ -1356,6 +1370,11 @@ lse_run_tests_software() {
     "Can we access MongoDB databases without credentials?" \
     'echo "show dbs" | mongo --quiet | grep -E "(admin|config|local)"'
 
+  #find kerberos credentials
+  lse_test "sof180" "0" \
+    "Can we access any Kerberos credentials?" \
+    'find / $lse_find_opts -name "*.so" -prune -o \( -name "krb5cc*" -o -name "*.ccache" -o -name "*.kirbi" -o -name "*.keytab" \) -type f -readable -exec ls -lh {} +'
+
   #sudo version - check to see if there are any known vulnerabilities with this
   lse_test "sof500" "2" \
     "Sudo version" \

rev_shell.py

@@ -98,6 +98,8 @@ class ShellListener:
                             print("RECV first prompt")
                     else:
                         self.raw_output += data
+                        for callback in self.on_message:
+                            callback(data)
 
             print("[-] Disconnected")
             self.connection = None

util.py

@@ -314,11 +314,12 @@ def rpad(x, n, b=b"\x00"):
     return pad(x, n, b, "r")
 
 def pad(x, n, b=b"\x00", s="r"):
-    if len(x) % n != 0:
+    pad_len = len(x) % n
+    if pad_len != 0:
         if s == "r":
-            x += (n-(len(x)%n))*b
+            x += b * (n - pad_len)
         elif s == "l":
-            x = (n-(len(x)%n))*b + x
+            x = b * (n - pad_len) + x
     return x
 
 def xor(a, b, *args):

win/winPEAS.bat

@@ -363,7 +363,7 @@ CALL :T_Progress 1
 
 :WifiCreds
 CALL :ColorLine " %E%33m[+]%E%97m WIFI"
-for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
+for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
 CALL :T_Progress 1
 
 :BasicUserInfo