Project Update

This commit is contained in:
Roman Hergenreder 2022-02-16 14:18:54 +01:00
parent f640b45acf
commit 1f55516c59
12 changed files with 3197 additions and 2248 deletions

BIN
chisel64

Binary file not shown.

@ -347,7 +347,7 @@ containerCheck() {
# Are we inside kubenetes? # Are we inside kubenetes?
if grep "/kubepod" /proc/1/cgroup -qa; then if grep "/kubepod" /proc/1/cgroup -qa; then
inContainer="1" inContainer="1"
containerType="kubentes" containerType="kubernetes"
fi fi
# Are we inside LXC? # Are we inside LXC?

@ -86,6 +86,8 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
if path in self.server.dumpRequests: if path in self.server.dumpRequests:
headers["Access-Control-Allow-Origin"] = "*" headers["Access-Control-Allow-Origin"] = "*"
headers["Content-Length"] = len(data)
if len(headers) == 0: if len(headers) == 0:
self.send_response(status_code) self.send_response(status_code)
else: else:
@ -149,11 +151,14 @@ class HttpFileServer(HTTPServer):
if isinstance(data, str): if isinstance(data, str):
data = data.encode("UTF-8") data = data.encode("UTF-8")
# return 200 - OK and data headers = {
"Access-Control-Allow-Origin": "*",
}
if mimeType: if mimeType:
self.addRoute(name, lambda req: (200, data, { "Content-Type": mimeType })) headers["Content-Type"] = headers
else:
self.addRoute(name, lambda req: (200, data)) # return 200 - OK and data
self.addRoute(name, lambda req: (200, data, headers))
def dumpRequest(self, name): def dumpRequest(self, name):
self.dumpRequests.append(self.cleanPath(name)) self.dumpRequests.append(self.cleanPath(name))

5405
linpeas.sh Executable file → Normal file

File diff suppressed because one or more lines are too long

@ -1490,6 +1490,17 @@ exploit-db: https://www.exploit-db.com/exploits/41154
EOF EOF
) )
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2021-4034]${txtrst} PwnKit
Reqs: pkg=polkit|policykit-1,ver<=0.105-31
Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
Rank: 1
analysis-url: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
src-url: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
author: berdav
EOF
)
########################################################### ###########################################################
## security related HW/kernel features ## security related HW/kernel features
########################################################### ###########################################################

10
lse.sh

@ -5,7 +5,7 @@
# Author: Diego Blanco <diego.blanco@treitos.com> # Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
# #
lse_version="3.7" lse_version="3.9"
#( Colors #( Colors
# #
@ -502,7 +502,8 @@ lse_serve() {
cecho "${green} * ${white}wget ${reset} '$ip:$port' -O lse.sh; chmod 755 lse.sh\n" cecho "${green} * ${white}wget ${reset} '$ip:$port' -O lse.sh; chmod 755 lse.sh\n"
cecho "${green} * ${white}exec 3<>/dev/tcp/${reset}$ip/$port;printf '\\\\n'>&3;cat<&3>lse.sh;exec 3<&-;chmod 755 lse.sh\n" cecho "${green} * ${white}exec 3<>/dev/tcp/${reset}$ip/$port;printf '\\\\n'>&3;cat<&3>lse.sh;exec 3<&-;chmod 755 lse.sh\n"
done done
nc -l -q0 -p "$port" < "$0" >/dev/null # try nc with '-N' (openbsd), then ncat and then use '-q0' (traditional)
nc -l -N -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l --send-only -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l -q0 -p "$port" < "$0" >/dev/null
} }
lse_header() { lse_header() {
local id="$1" local id="$1"
@ -1262,6 +1263,11 @@ lse_run_tests_software() {
"Can we write to screen session sockets from other users?" \ "Can we write to screen session sockets from other users?" \
'find /run/screen -type s -writable -regex "/run/screen/S-.+/.+" ! -user $lse_user -exec ls -l {} +' 'find /run/screen -type s -writable -regex "/run/screen/S-.+/.+" ! -user $lse_user -exec ls -l {} +'
#check connection to mongoDB
lse_test "sof170" "1" \
"Can we access MongoDB databases without credentials?" \
'echo "show dbs" | mongo --quiet | grep -E "(admin|config|local)"'
#sudo version - check to see if there are any known vulnerabilities with this #sudo version - check to see if there are any known vulnerabilities with this
lse_test "sof500" "2" \ lse_test "sof500" "2" \
"Sudo version" \ "Sudo version" \

@ -193,7 +193,7 @@ if __name__ == "__main__":
output = set_exif_data(payload, _in, _out, tag) output = set_exif_data(payload, _in, _out, tag)
sys.stdout.buffer.write(output) sys.stdout.buffer.write(output)
sys.stdout.flush() sys.stdout.flush()
elif command == "help": else:
print("Usage: %s [command]" % bin) print("Usage: %s [command]" % bin)
print("Available commands:") print("Available commands:")
print(" help, getAddress, pad, exifImage") print(" help, getAddress, pad, exifImage")

Binary file not shown.

Binary file not shown.

@ -237,7 +237,7 @@ CALL :T_Progress 2
:RemodeDeskCredMgr :RemodeDeskCredMgr
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager" CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
IF exist "%AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
ECHO. ECHO.
CALL :T_Progress 1 CALL :T_Progress 1

Binary file not shown.

Binary file not shown.