mirror of
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
synced 2025-12-29 19:29:00 +00:00
Compare commits
36 Commits
20230417-d
...
20230629-3
| Author | SHA1 | Date | |
|---|---|---|---|
|
cdd342fb26 | ||
|
7f4965c0b7 | ||
|
|
898b29b0fa | ||
|
|
e36d5a5736 | ||
|
|
11cfe79ad0 | ||
|
|
a1552d61df | ||
|
|
71ec9c7d31 | ||
|
|
d4ff43b604 | ||
|
|
56a193df60 | ||
|
f67bedda4f | ||
|
|
f988d8b05f | ||
|
|
78c932f1af | ||
|
|
7e7738ab98 | ||
|
|
68cd1c28df | ||
|
58719a6075 | ||
|
|
2a4868c0eb | ||
|
e4b9ae6479 | ||
|
|
7b096cd930 | ||
|
|
a9ae25cdc3 | ||
|
|
e7617700b3 | ||
|
|
96c821193e | ||
|
|
7bb66d2182 | ||
|
|
711d9f1a95 | ||
|
a36c2c9107 | ||
|
|
2963e47866 | ||
|
|
d20699ed51 | ||
|
|
df4f122a53 | ||
|
|
7f8ea5fa44 | ||
|
|
7e9c9b4e5b | ||
|
fad2771dfb | ||
|
3e213bd8fd | ||
|
|
5356d3f2ec | ||
|
|
2ac2debc59 | ||
|
|
bb47a172b3 | ||
|
3bec4c4b52 | ||
|
|
5b96594c3c |
1
.github/ISSUE_TEMPLATE.md
vendored
1
.github/ISSUE_TEMPLATE.md
vendored
@@ -1,4 +1,5 @@
|
||||
If you are going to suggest something, please remove the following template.
|
||||
If your issue is related with WinPEAS.ps1 please mention https://github.com/RandolphConley
|
||||
|
||||
#### Issue description
|
||||
|
||||
|
||||
12
.github/workflows/CI-master_tests.yml
vendored
12
.github/workflows/CI-master_tests.yml
vendored
@@ -47,9 +47,9 @@ jobs:
|
||||
- name: run MSBuild
|
||||
run: msbuild $env:Solution_Path
|
||||
|
||||
# Execute all unit tests in the solution
|
||||
- name: Execute unit tests
|
||||
run: dotnet test $env:Solution_Path
|
||||
# Execute all unit tests in the solution - It's broken :(
|
||||
#- name: Execute unit tests
|
||||
# run: dotnet test $env:Solution_Path
|
||||
|
||||
# Build & update all versions
|
||||
- name: Build all versions
|
||||
@@ -137,6 +137,12 @@ jobs:
|
||||
with:
|
||||
name: winPEAS.bat
|
||||
path: winPEAS\winPEASbat\winPEAS.bat
|
||||
|
||||
- name: Upload winpeas.ps1
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: winPEAS.ps1
|
||||
path: winPEAS\winPEASps1\winPEAS.ps1
|
||||
|
||||
# Git add
|
||||
#- name: Create local changes
|
||||
|
||||
@@ -30,7 +30,7 @@ Do you want to have **access the latest version of Hacktricks and PEASS**, obtai
|
||||
|
||||
**LinPEAS, WinPEAS and MacPEAS** aren’t enough for you? Welcome [**The PEASS Family**](https://opensea.io/collection/the-peass-family/), a limited collection of [**exclusive NFTs**](https://opensea.io/collection/the-peass-family/) of our favourite PEASS in disguise, designed by my team. Go **get your favourite and make it yours!** And if you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
|
||||
|
||||
You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).
|
||||
You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
|
||||
|
||||
## Let's improve PEASS together
|
||||
|
||||
|
||||
@@ -1141,6 +1141,15 @@ search:
|
||||
- name: "authorized_keys"
|
||||
value:
|
||||
good_regex: 'from=[\w\._\-]+'
|
||||
bad_regex: "command=.*"
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "*.pub"
|
||||
value:
|
||||
bad_regex: "command=.*"
|
||||
only_bad_lines: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
@@ -1376,6 +1385,12 @@ search:
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "ErrorRecords" #Azure logs can contain creentials
|
||||
value:
|
||||
type: d
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "TokenCache.dat"
|
||||
value:
|
||||
bad_regex: ".*"
|
||||
@@ -1699,7 +1714,31 @@ search:
|
||||
files:
|
||||
- name: "sip.conf"
|
||||
value:
|
||||
bad_regex: "secret.*"
|
||||
bad_regex: "secret.*|allowguest.*=.*true"
|
||||
remove_empty_lines: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "amportal.conf"
|
||||
value:
|
||||
bad_regex: ".*PASS.*=.*"
|
||||
remove_empty_lines: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "FreePBX.conf"
|
||||
value:
|
||||
bad_regex: ".*AMPDB.*=.*"
|
||||
only_bad_lines: True
|
||||
type: f
|
||||
search_in:
|
||||
- common
|
||||
|
||||
- name: "Elastix.conf"
|
||||
value:
|
||||
bad_regex: ".*pwd.*=.*"
|
||||
remove_empty_lines: True
|
||||
type: f
|
||||
search_in:
|
||||
|
||||
@@ -246,7 +246,7 @@ print_support () {
|
||||
| ${BLUE}Do you like PEASS?${GREEN} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| ${YELLOW}Get the latest version${GREEN} : ${RED}https://github.com/sponsors/carlospolop${GREEN} |
|
||||
| ${YELLOW}Follow on Twitter${GREEN} : ${RED}@carlospolopm${GREEN} |
|
||||
| ${YELLOW}Follow on Twitter${GREEN} : ${RED}@hacktricks_live${GREEN} |
|
||||
| ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| ${BLUE}Thank you! ${GREEN} |
|
||||
@@ -3378,7 +3378,7 @@ peass{NFS Exports}
|
||||
kadmin_exists="$(command -v kadmin)"
|
||||
klist_exists="$(command -v klist)"
|
||||
kinit_exists="$(command -v kinit)"
|
||||
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
|
||||
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching kerberos conf files and tickets"
|
||||
print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
|
||||
|
||||
@@ -3925,7 +3925,7 @@ echo ""
|
||||
##-- IPF) Misconfigured ld.so
|
||||
if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
|
||||
print_2title "Checking misconfigurations of ld.so"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so"
|
||||
if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then
|
||||
echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
printf $RED$ITALIC"/etc/ld.so.conf\n"$NC;
|
||||
|
||||
@@ -128,7 +128,7 @@ if [ "$(command -v bash 2>/dev/null)" ]; then
|
||||
print_2title "Executing Linux Exploit Suggester"
|
||||
print_info "https://github.com/mzet-/linux-exploit-suggester"
|
||||
les_b64="peass{LES}"
|
||||
echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,\[CVE-[0-9]+-[0-9]+\].*,${SED_RED},g"
|
||||
echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s/\[(CVE-[0-9]+-[0-9]+,?)+\].*/${SED_RED}/g"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
|
||||
@@ -90,6 +90,33 @@ check_aws_lambda(){
|
||||
fi
|
||||
}
|
||||
|
||||
check_aws_codebuild(){
|
||||
is_aws_codebuild="No"
|
||||
|
||||
if [ -f "/codebuild/output/tmp/env.sh" ] && grep -q "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" "/codebuild/output/tmp/env.sh" ; then
|
||||
is_aws_codebuild="Yes"
|
||||
fi
|
||||
}
|
||||
|
||||
check_az_vm(){
|
||||
is_az_vm="No"
|
||||
|
||||
if [ -d "/var/log/azure/" ]; then
|
||||
is_az_vm="Yes"
|
||||
|
||||
elif cat /etc/resolv.conf 2>/dev/null | grep -q "search reddog.microsoft.com"; then
|
||||
is_az_vm="Yes"
|
||||
fi
|
||||
}
|
||||
|
||||
check_az_app(){
|
||||
is_az_app="No"
|
||||
|
||||
if [ -d "/opt/microsoft" ] && env | grep -q "IDENTITY_ENDPOINT"; then
|
||||
is_az_app="Yes"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
check_gcp
|
||||
print_list "Google Cloud Platform? ............... $is_gcp\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
@@ -100,10 +127,16 @@ print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Ye
|
||||
print_list "AWS EC2 Beanstalk? ................... $is_aws_ec2_beanstalk\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_aws_lambda
|
||||
print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_aws_codebuild
|
||||
print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_do
|
||||
print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_ibm_vm
|
||||
print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_az_vm
|
||||
print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
check_az_app
|
||||
print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||
|
||||
echo ""
|
||||
|
||||
@@ -313,6 +346,31 @@ if [ "$is_aws_lambda" = "Yes" ]; then
|
||||
printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
|
||||
fi
|
||||
|
||||
if [ "$is_aws_codebuild" = "Yes" ]; then
|
||||
print_2title "AWS Codebuild Enumeration"
|
||||
|
||||
aws_req=""
|
||||
if [ "$(command -v curl)" ]; then
|
||||
aws_req="curl -s -f"
|
||||
elif [ "$(command -v wget)" ]; then
|
||||
aws_req="wget -q -O -"
|
||||
else
|
||||
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
||||
echo "The addresses are in /codebuild/output/tmp/env.sh"
|
||||
fi
|
||||
|
||||
if [ "$aws_req" ]; then
|
||||
print_3title "Credentials"
|
||||
CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2)
|
||||
URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig
|
||||
exec_with_jq eval $aws_req "$URL_CREDS"; echo ""
|
||||
|
||||
print_3title "Container Info"
|
||||
METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2)
|
||||
exec_with_jq eval $aws_req "$METADATA_URL"; echo ""
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$is_do" = "Yes" ]; then
|
||||
print_2title "DO Droplet Enumeration"
|
||||
|
||||
@@ -360,18 +418,87 @@ if [ "$is_ibm_vm" = "Yes" ]; then
|
||||
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
||||
fi
|
||||
|
||||
print_3title "Instance Details"
|
||||
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
|
||||
if [ "$ibm_req" ]; then
|
||||
print_3title "Instance Details"
|
||||
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
|
||||
|
||||
print_3title "Keys and User data"
|
||||
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"
|
||||
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01"
|
||||
print_3title "Keys and User data"
|
||||
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"
|
||||
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01"
|
||||
|
||||
print_3title "Placement Groups"
|
||||
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01"
|
||||
print_3title "Placement Groups"
|
||||
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01"
|
||||
|
||||
print_3title "IAM credentials"
|
||||
exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
|
||||
print_3title "IAM credentials"
|
||||
exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if [ "$is_az_vm" = "Yes" ]; then
|
||||
print_2title "Azure VM Enumeration"
|
||||
|
||||
HEADER="Metadata:true"
|
||||
URL="http://169.254.169.254/metadata"
|
||||
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
|
||||
|
||||
az_req=""
|
||||
if [ "$(command -v curl)" ]; then
|
||||
az_req="curl -s -f -H '$HEADER'"
|
||||
elif [ "$(command -v wget)" ]; then
|
||||
az_req="wget -q -O - -H '$HEADER'"
|
||||
else
|
||||
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
||||
fi
|
||||
|
||||
if [ "$az_req" ]; then
|
||||
print_3title "Instance details"
|
||||
exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
|
||||
|
||||
print_3title "Load Balancer details"
|
||||
exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
|
||||
|
||||
print_3title "Management token"
|
||||
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
|
||||
|
||||
print_3title "Graph token"
|
||||
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
|
||||
|
||||
print_3title "Vault token"
|
||||
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
|
||||
|
||||
print_3title "Storage token"
|
||||
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$check_az_app" = "Yes" ]; then
|
||||
print_2title "Azure App Service Enumeration"
|
||||
echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
|
||||
|
||||
HEADER="secret:$IDENTITY_HEADER"
|
||||
|
||||
az_req=""
|
||||
if [ "$(command -v curl)" ]; then
|
||||
az_req="curl -s -f -H '$HEADER'"
|
||||
elif [ "$(command -v wget)" ]; then
|
||||
az_req="wget -q -O - -H '$HEADER'"
|
||||
else
|
||||
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
|
||||
fi
|
||||
|
||||
if [ "$az_req" ]; then
|
||||
print_3title "Management token"
|
||||
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
|
||||
|
||||
print_3title "Graph token"
|
||||
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
|
||||
|
||||
print_3title "Vault token"
|
||||
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
|
||||
|
||||
print_3title "Storage token"
|
||||
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -25,7 +25,7 @@ if [ "$MACPEAS" ];then
|
||||
|
||||
print_2title "SystemKey"
|
||||
ls -l /var/db/SystemKey
|
||||
if [ -r "/var/db/SystemKey" ]; then
|
||||
if [ -r "/var/db/SystemKey" ]; then
|
||||
echo "You can read /var/db/SystemKey" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
fi
|
||||
@@ -71,7 +71,7 @@ fi
|
||||
for filename in /etc/sudoers.d/*; do
|
||||
if [ -r "$filename" ]; then
|
||||
echo "Sudoers file: $filename is readable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
|
||||
grep -Iv "^$" "$filename" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
@@ -80,17 +80,17 @@ echo ""
|
||||
print_2title "Checking sudo tokens"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
|
||||
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
|
||||
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
|
||||
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
|
||||
echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";
|
||||
|
||||
if [ "$(command -v gdb 2>/dev/null)" ]; then
|
||||
|
||||
if [ "$(command -v gdb 2>/dev/null)" ]; then
|
||||
echo "gdb was found in PATH" | sed -${E} "s,.*,${SED_RED},g";
|
||||
fi
|
||||
|
||||
if [ "$CURRENT_USER_PIVOT_PID" ]; then
|
||||
|
||||
if [ "$CURRENT_USER_PIVOT_PID" ]; then
|
||||
echo "The current user proc $CURRENT_USER_PIVOT_PID is the parent of a different user proccess" | sed -${E} "s,.*,${SED_RED},g";
|
||||
fi
|
||||
|
||||
|
||||
if [ -f "$HOME/.sudo_as_admin_successful" ]; then
|
||||
echo "Current user has .sudo_as_admin_successful file, so he can execute with sudo" | sed -${E} "s,.*,${SED_RED},";
|
||||
fi
|
||||
@@ -100,7 +100,7 @@ if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
|
||||
ps -eo pid,command -u "$(id -u)" | grep -v "$PPID" | grep -v " " | grep -E '(ash|ksh|csh|dash|bash|zsh|tcsh|sh)$'
|
||||
fi
|
||||
|
||||
else
|
||||
else
|
||||
echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
|
||||
|
||||
fi
|
||||
@@ -110,7 +110,7 @@ echo ""
|
||||
if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Checking doas.conf"
|
||||
doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
|
||||
if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
|
||||
if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then
|
||||
cat /etc/doas.conf "$doas_dir_name/doas.conf" "$doas_dir_name/../etc/doas.conf" "$doas_dir_name/etc/doas.conf" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_RED}," | sed "s,root,${SED_RED}," | sed "s,nopass,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW},"
|
||||
else echo_not_found "doas.conf"
|
||||
fi
|
||||
@@ -214,8 +214,7 @@ if [ "$EXTRA_CHECKS" ]; then
|
||||
fi
|
||||
|
||||
#-- UI) Brute su
|
||||
EXISTS_SUDO="$(command -v sudo 2>/dev/null)"
|
||||
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] && [ "$EXISTS_SUDO" ]; then
|
||||
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
|
||||
print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
|
||||
POSSIBE_SU_BRUTE=$(check_if_su_brute);
|
||||
if [ "$POSSIBE_SU_BRUTE" ]; then
|
||||
@@ -228,6 +227,6 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] &&
|
||||
printf $GREEN"It's not possible to brute-force su.\n\n"$NC
|
||||
fi
|
||||
else
|
||||
print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)\n"$NC
|
||||
print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
|
||||
fi
|
||||
print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC
|
||||
|
||||
@@ -326,7 +326,7 @@ peass{NFS Exports}
|
||||
kadmin_exists="$(command -v kadmin)"
|
||||
klist_exists="$(command -v klist)"
|
||||
kinit_exists="$(command -v kinit)"
|
||||
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
|
||||
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Searching kerberos conf files and tickets"
|
||||
print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
|
||||
|
||||
|
||||
@@ -177,7 +177,7 @@ echo ""
|
||||
##-- IPF) Misconfigured ld.so
|
||||
if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
|
||||
print_2title "Checking misconfigurations of ld.so"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so"
|
||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so"
|
||||
if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then
|
||||
echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||
printf $RED$ITALIC"/etc/ld.so.conf\n"$NC;
|
||||
|
||||
@@ -74,6 +74,7 @@ THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lsc
|
||||
HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
|
||||
${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
|
||||
${GREEN} Checks:
|
||||
${YELLOW} -a${BLUE} Perform all checks: 1 min of processes, su brute, and extra checks.
|
||||
${YELLOW} -o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list.
|
||||
${YELLOW} -s${BLUE} Stealth & faster (don't check some time consuming checks)
|
||||
${YELLOW} -e${BLUE} Perform extra enumeration
|
||||
@@ -81,20 +82,20 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
|
||||
${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours)
|
||||
${YELLOW} -P${BLUE} Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
|
||||
${YELLOW} -D${BLUE} Debug mode
|
||||
|
||||
|
||||
${GREEN} Network recon:
|
||||
${YELLOW} -t${BLUE} Automatic network scan & Internet conectivity checks - This option writes to files
|
||||
${YELLOW} -d <IP/NETMASK>${BLUE} Discover hosts using fping or ping.$DG Ex: -d 192.168.0.1/24
|
||||
${YELLOW} -p <PORT(s)> -d <IP/NETMASK>${BLUE} Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports.$DG Ex: -d 192.168.0.1/24 -p 53,139
|
||||
${YELLOW} -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
|
||||
$GREEN Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
|
||||
|
||||
|
||||
${GREEN} Port forwarding (reverse connection):
|
||||
${YELLOW} -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a your host (LOCAL_IP:LOCAL_PORT) to a remote IP (REMOTE_IP:REMOTE_PORT)
|
||||
|
||||
|
||||
${GREEN} Firmware recon:
|
||||
${YELLOW} -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder
|
||||
|
||||
|
||||
${GREEN} Misc:
|
||||
${YELLOW} -h${BLUE} To show this message
|
||||
${YELLOW} -w${BLUE} Wait execution between big blocks of checks
|
||||
@@ -124,12 +125,12 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do
|
||||
r) REGEXES="1";;
|
||||
f) SEARCH_IN_FOLDER=$OPTARG;
|
||||
if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/"
|
||||
SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/";
|
||||
SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/";
|
||||
fi;
|
||||
ROOT_FOLDER=$SEARCH_IN_FOLDER;
|
||||
REGEXES="1";
|
||||
CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_perms_files,interesting_files,api_keys_regex";;
|
||||
|
||||
|
||||
F) PORT_FORWARD=$OPTARG;;
|
||||
esac
|
||||
done
|
||||
@@ -244,9 +245,9 @@ print_support () {
|
||||
printf """
|
||||
${GREEN}/---------------------------------------------------------------------------------\\
|
||||
| ${BLUE}Do you like PEASS?${GREEN} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
|---------------------------------------------------------------------------------|
|
||||
| ${YELLOW}Get the latest version${GREEN} : ${RED}https://github.com/sponsors/carlospolop${GREEN} |
|
||||
| ${YELLOW}Follow on Twitter${GREEN} : ${RED}@carlospolopm${GREEN} |
|
||||
| ${YELLOW}Follow on Twitter${GREEN} : ${RED}@hacktricks_live${GREEN} |
|
||||
| ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| ${BLUE}Thank you! ${GREEN} |
|
||||
@@ -315,7 +316,7 @@ idB="euid|egid$baduid"
|
||||
sudovB="[01].[012345678].[0-9]+|1.9.[01234]|1.9.5p1"
|
||||
|
||||
mounted=$( (cat /proc/self/mountinfo || cat /proc/1/mountinfo) 2>/dev/null | cut -d " " -f5 | grep "^/" | tr '\n' '|')$(cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}')
|
||||
if ! [ "$mounted" ]; then
|
||||
if ! [ "$mounted" ]; then
|
||||
mounted=$( (mount -l || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts) 2>/dev/null | grep "^/" | cut -d " " -f1 | tr '\n' '|')$(cat /etc/fstab 2>/dev/null | grep -v "#" | grep -E '\W/\W' | awk '{print $1}')
|
||||
fi
|
||||
if ! [ "$mounted" ]; then mounted="ImPoSSssSiBlEee"; fi #Don't let any blacklist to be empty
|
||||
@@ -552,7 +553,7 @@ commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxM
|
||||
ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client64/lib/|/usr/lib/x86_64-linux-gnu/libfakeroot|/usr/lib/x86_64-linux-gnu|/usr/local/lib/x86_64-linux-gnu|/usr/local/lib"
|
||||
|
||||
dbuslistG="^:1\.[0-9\.]+|com.hp.hplip|com.intel.tss2.Tabrmd|com.redhat.ifcfgrh1|com.redhat.NewPrinterNotification|com.redhat.PrinterDriversInstaller|com.redhat.RHSM1|com.redhat.RHSM1.Facts|com.redhat.tuned|com.ubuntu.LanguageSelector|com.ubuntu.SoftwareProperties|com.ubuntu.SystemService|com.ubuntu.USBCreator|com.ubuntu.WhoopsiePreferences|io.netplan.Netplan|io.snapcraft.SnapdLoginService|fi.epitest.hostap.WPASupplicant|fi.w1.wpa_supplicant1|NAME|net.hadess.SwitcherooControl|org.blueman.Mechanism|org.bluez|org.debian.apt|org.fedoraproject.FirewallD1|org.fedoraproject.Setroubleshootd|org.fedoraproject.SetroubleshootFixit|org.fedoraproject.SetroubleshootPrivileged|org.freedesktop.Accounts|org.freedesktop.Avahi|org.freedesktop.bolt|org.freedesktop.ColorManager|org.freedesktop.DBus|org.freedesktop.DisplayManager|org.freedesktop.fwupd|org.freedesktop.GeoClue2|org.freedesktop.hostname1|org.freedesktop.import1|org.freedesktop.locale1|org.freedesktop.login1|org.freedesktop.machine1|org.freedesktop.ModemManager1|org.freedesktop.NetworkManager|org.freedesktop.network1|org.freedesktop.nm_dispatcher|org.freedesktop.nm_priv_helper|org.freedesktop.PackageKit|org.freedesktop.PolicyKit1|org.freedesktop.portable1|org.freedesktop.realmd|org.freedesktop.RealtimeKit1|org.freedesktop.SystemToolsBackends|org.freedesktop.SystemToolsBackends.[a-zA-Z0-9_]+|org.freedesktop.resolve1|org.freedesktop.systemd1|org.freedesktop.thermald|org.freedesktop.timedate1|org.freedesktop.timesync1|org.freedesktop.UDisks2|org.freedesktop.UPower|org.gnome.DisplayManager|org.opensuse.CupsPkHelper.Mechanism"
|
||||
USEFUL_SOFTWARE="authbind aws base64 ctr curl doas docker fetch g++ gcc gdb kubectl lxc make nc nc.traditional ncat netcat nmap perl php ping podman python python2 python2.6 python2.7 python3 python3.6 python3.7 pwsh rkt ruby runc socat sudo wget xterm"
|
||||
USEFUL_SOFTWARE="authbind aws az base64 ctr curl doas docker fetch g++ gcc gcloud gdb kubectl lxc make nc nc.traditional ncat netcat nmap perl php ping podman python python2 python2.6 python2.7 python3 python3.6 python3.7 pwsh rkt ruby runc socat sudo wget xterm"
|
||||
TIP_DOCKER_ROOTLESS="In rootless mode privilege escalation to root will not be possible."
|
||||
GREP_DOCKER_SOCK_INFOS="Architecture|OSType|Name|DockerRootDir|NCPU|OperatingSystem|KernelVersion|ServerVersion"
|
||||
GREP_DOCKER_SOCK_INFOS_IGNORE="IndexConfig"
|
||||
@@ -672,7 +673,7 @@ print_title(){
|
||||
printf "╚"
|
||||
for i in $(seq 1 $title_len); do printf "═"; done; printf "═";
|
||||
printf "╝"
|
||||
|
||||
|
||||
printf $NC
|
||||
echo ""
|
||||
}
|
||||
@@ -745,8 +746,9 @@ su_brute_user_num (){
|
||||
}
|
||||
|
||||
check_if_su_brute(){
|
||||
EXISTS_SU="$(command -v su 2>/dev/null)"
|
||||
error=$(echo "" | timeout 1 su $(whoami) -c whoami 2>&1);
|
||||
if ! echo $error | grep -q "must be run from a terminal"; then
|
||||
if [ "$EXISTS_SU" ] && ! echo $error | grep -q "must be run from a terminal"; then
|
||||
echo "1"
|
||||
fi
|
||||
}
|
||||
@@ -1133,7 +1135,7 @@ elif echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | g
|
||||
|
||||
wait # Always wait at the end
|
||||
CONT_THREADS=0 #Reset the threads counter
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$SEARCH_IN_FOLDER" ] || echo $CHECKS | grep -q procs_crons_timers_srvcs_sockets || echo $CHECKS | grep -q software_information || echo $CHECKS | grep -q interesting_files; then
|
||||
#GENERATE THE STORAGES OF THE FOUND FILES
|
||||
|
||||
@@ -26,7 +26,7 @@ msf6 post(multi/gather/peass) > show info
|
||||
Rank: Normal
|
||||
|
||||
Provided by:
|
||||
Carlos Polop <@carlospolopm>
|
||||
Carlos Polop <@hacktricks_live>
|
||||
|
||||
Compatible session types:
|
||||
Meterpreter
|
||||
|
||||
@@ -25,7 +25,7 @@ class MetasploitModule < Msf::Post
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Carlos Polop <@carlospolopm>'
|
||||
'Carlos Polop <@hacktricks_live>'
|
||||
],
|
||||
'Platform' => %w{ bsd linux osx unix win },
|
||||
'SessionTypes' => ['shell', 'meterpreter'],
|
||||
@@ -220,6 +220,20 @@ class MetasploitModule < Msf::Post
|
||||
print_good("PEASS script sent")
|
||||
end
|
||||
|
||||
def fetch(uri_str, limit = 10)
|
||||
raise 'Invalid URL, too many HTTP redirects' if limit == 0
|
||||
response = Net::HTTP.get_response(URI(uri_str))
|
||||
case response
|
||||
when Net::HTTPSuccess then
|
||||
response
|
||||
when Net::HTTPRedirection then
|
||||
location = response['location']
|
||||
fetch(location, limit - 1)
|
||||
else
|
||||
response.value
|
||||
end
|
||||
end
|
||||
|
||||
def load_peass
|
||||
# Load the PEASS script from a local file or from Internet
|
||||
peass_script = ""
|
||||
@@ -230,7 +244,7 @@ class MetasploitModule < Msf::Post
|
||||
raise 'Invalid URL' unless target.scheme =~ /https?/
|
||||
raise 'Invalid URL' if target.host.to_s.eql? ''
|
||||
|
||||
res = Net::HTTP.get_response(target)
|
||||
res = fetch(target)
|
||||
peass_script = res.body
|
||||
|
||||
raise "Something failed downloading PEASS script from #{url_peass}" if peass_script.length < 500
|
||||
|
||||
@@ -9,10 +9,12 @@ Check more **information about how to exploit** found misconfigurations in **[bo
|
||||
## Quick Start
|
||||
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
|
||||
|
||||
## WinPEAS .exe and .bat
|
||||
- [Link to WinPEAS .bat project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat)
|
||||
- [Link to WinPEAS C# project (.exe)](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) (.Net >= 4.5.2 required)
|
||||
## WinPEAS Flavours
|
||||
- [Link to WinPEAS C# .exe project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) (.Net >= 4.5.2 required)
|
||||
- **Please, read the Readme of that folder to learn how to execute winpeas from memory or how make colors work among other tricks**
|
||||
- [Link to WinPEAS .ps1 project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASps1)
|
||||
- [Link to WinPEAS .bat project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat)
|
||||
|
||||
|
||||
## PEASS Style
|
||||
|
||||
|
||||
@@ -565,7 +565,7 @@ CALL :T_Progress 2
|
||||
|
||||
:AppCMD
|
||||
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
|
||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
|
||||
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
|
||||
ECHO.
|
||||
CALL :T_Progress 2
|
||||
|
||||
@@ -318,6 +318,74 @@ namespace winPEAS.Checks
|
||||
Console.WriteLine(string.Format("Key = {0}, Value = {1}", kvp.Key, kvp.Value));
|
||||
}*/
|
||||
|
||||
//double pb = 0;
|
||||
//using (var progress = new ProgressBar())
|
||||
//{
|
||||
// CheckRunner.Run(() =>
|
||||
// {
|
||||
// int num_threads = 8;
|
||||
// try
|
||||
// {
|
||||
// num_threads = Environment.ProcessorCount;
|
||||
// }
|
||||
// catch (Exception ex) { }
|
||||
|
||||
// Parallel.ForEach(files, new ParallelOptions { MaxDegreeOfParallelism = num_threads }, f =>
|
||||
// {
|
||||
|
||||
// foreach (var regex_obj in config.regular_expresions)
|
||||
// {
|
||||
// foreach (var regex in regex_obj.regexes)
|
||||
// {
|
||||
// if (regex.disable != null && regex.disable.ToLower().Contains("winpeas"))
|
||||
// {
|
||||
// continue;
|
||||
// }
|
||||
|
||||
// List<string> results = new List<string> { };
|
||||
|
||||
// var timer = new Stopwatch();
|
||||
// if (Checks.IsDebug)
|
||||
// {
|
||||
// timer.Start();
|
||||
// }
|
||||
|
||||
|
||||
// try
|
||||
// {
|
||||
// string text = File.ReadAllText(f.FullPath);
|
||||
|
||||
// results = SearchContent(text, regex.regex, (bool)regex.caseinsensitive);
|
||||
// if (results.Count > 0)
|
||||
// {
|
||||
// if (!foundRegexes.ContainsKey(regex_obj.name)) foundRegexes[regex_obj.name] = new Dictionary<string, Dictionary<string, List<string>>> { };
|
||||
// if (!foundRegexes[regex_obj.name].ContainsKey(regex.name)) foundRegexes[regex_obj.name][regex.name] = new Dictionary<string, List<string>> { };
|
||||
|
||||
// foundRegexes[regex_obj.name][regex.name][f.FullPath] = results;
|
||||
// }
|
||||
// }
|
||||
// catch (System.IO.IOException)
|
||||
// {
|
||||
// // Cannot read the file
|
||||
// }
|
||||
|
||||
// if (Checks.IsDebug)
|
||||
// {
|
||||
// timer.Stop();
|
||||
|
||||
// TimeSpan timeTaken = timer.Elapsed;
|
||||
// if (timeTaken.TotalMilliseconds > 20000)
|
||||
// Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}");
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// pb += (double)100 / files.Count;
|
||||
// progress.Report(pb / 100); //Value must be in [0..1] range
|
||||
// });
|
||||
// }, Checks.IsDebug);
|
||||
//}
|
||||
|
||||
|
||||
double pb = 0;
|
||||
using (var progress = new ProgressBar())
|
||||
{
|
||||
@@ -332,7 +400,6 @@ namespace winPEAS.Checks
|
||||
|
||||
Parallel.ForEach(files, new ParallelOptions { MaxDegreeOfParallelism = num_threads }, f =>
|
||||
{
|
||||
|
||||
foreach (var regex_obj in config.regular_expresions)
|
||||
{
|
||||
foreach (var regex in regex_obj.regexes)
|
||||
@@ -342,7 +409,7 @@ namespace winPEAS.Checks
|
||||
continue;
|
||||
}
|
||||
|
||||
List<string> results = new List<string> { };
|
||||
Dictionary<string, List<string>> fileResults = new Dictionary<string, List<string>>();
|
||||
|
||||
var timer = new Stopwatch();
|
||||
if (Checks.IsDebug)
|
||||
@@ -350,18 +417,31 @@ namespace winPEAS.Checks
|
||||
timer.Start();
|
||||
}
|
||||
|
||||
|
||||
try
|
||||
{
|
||||
string text = File.ReadAllText(f.FullPath);
|
||||
using (StreamReader sr = new StreamReader(f.FullPath))
|
||||
{
|
||||
string line;
|
||||
while ((line = sr.ReadLine()) != null)
|
||||
{
|
||||
List<string> results = SearchContent(line, regex.regex, (bool)regex.caseinsensitive);
|
||||
if (results.Count > 0)
|
||||
{
|
||||
if (!fileResults.ContainsKey(f.FullPath))
|
||||
{
|
||||
fileResults[f.FullPath] = new List<string>();
|
||||
}
|
||||
fileResults[f.FullPath].AddRange(results);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
results = SearchContent(text, regex.regex, (bool)regex.caseinsensitive);
|
||||
if (results.Count > 0)
|
||||
if (fileResults.Count > 0)
|
||||
{
|
||||
if (!foundRegexes.ContainsKey(regex_obj.name)) foundRegexes[regex_obj.name] = new Dictionary<string, Dictionary<string, List<string>>> { };
|
||||
if (!foundRegexes[regex_obj.name].ContainsKey(regex.name)) foundRegexes[regex_obj.name][regex.name] = new Dictionary<string, List<string>> { };
|
||||
|
||||
foundRegexes[regex_obj.name][regex.name][f.FullPath] = results;
|
||||
foundRegexes[regex_obj.name][regex.name] = fileResults;
|
||||
}
|
||||
}
|
||||
catch (System.IO.IOException)
|
||||
@@ -385,6 +465,7 @@ namespace winPEAS.Checks
|
||||
}, Checks.IsDebug);
|
||||
}
|
||||
|
||||
|
||||
// Print results
|
||||
foreach (KeyValuePair<string, Dictionary<string, Dictionary<string, List<string>>>> item in foundRegexes)
|
||||
{
|
||||
|
||||
@@ -307,7 +307,7 @@ namespace winPEAS.Checks
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking AppCmd.exe");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe");
|
||||
|
||||
var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
|
||||
|
||||
|
||||
@@ -82,7 +82,7 @@ namespace winPEAS.Helpers
|
||||
| {1}Do you like PEASS?{0} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| {3}Get the latest version{0} : {2}https://github.com/sponsors/carlospolop{0} |
|
||||
| {3}Follow on Twitter{0} : {2}@carlospolopm{0} |
|
||||
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
|
||||
| {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|
||||
|---------------------------------------------------------------------------------|
|
||||
| {1}Thank you!{0} |
|
||||
@@ -98,7 +98,7 @@ namespace winPEAS.Helpers
|
||||
PrintBanner();
|
||||
}
|
||||
|
||||
Console.WriteLine(YELLOW + " WinPEAS-ng" + NOCOLOR + YELLOW + " by @carlospolopm" + NOCOLOR);
|
||||
Console.WriteLine(YELLOW + " WinPEAS-ng" + NOCOLOR + YELLOW + " by @hacktricks_live" + NOCOLOR);
|
||||
|
||||
PrintMarketingBanner();
|
||||
|
||||
|
||||
@@ -5,6 +5,8 @@ using System.IO;
|
||||
using System.Linq;
|
||||
using System.Text.RegularExpressions;
|
||||
using System.Threading.Tasks;
|
||||
using FileInfo = Alphaleonis.Win32.Filesystem.FileInfo;
|
||||
using DirectoryInfo = Alphaleonis.Win32.Filesystem.DirectoryInfo;
|
||||
|
||||
namespace winPEAS.Helpers.Search
|
||||
{
|
||||
@@ -37,14 +39,133 @@ namespace winPEAS.Helpers.Search
|
||||
".bmp", ".emf", ".gif", ".pm",
|
||||
".jif", ".jfi", ".jfif", ".jpe", ".jpeg", ".jpg",
|
||||
".png", ".psd", ".raw", ".svg", ".svgz", ".tif", ".tiff", ".webp",
|
||||
};
|
||||
};
|
||||
|
||||
//public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null, bool isFoldersIncluded = false)
|
||||
//{
|
||||
// ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
|
||||
// IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern, isFoldersIncluded);
|
||||
// IList<DirectoryInfo> startDirsExcluded = new List<DirectoryInfo>();
|
||||
// IList<string> known_dirs = new List<string>();
|
||||
|
||||
// if (excludedDirs != null)
|
||||
// {
|
||||
// foreach (var startDir in startDirs)
|
||||
// {
|
||||
// bool shouldAdd = true;
|
||||
// string startDirLower = startDir.FullName.ToLower();
|
||||
|
||||
// shouldAdd = !excludedDirs.Contains(startDirLower);
|
||||
|
||||
// if (shouldAdd)
|
||||
// {
|
||||
// startDirsExcluded.Add(startDir);
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// else
|
||||
// {
|
||||
// startDirsExcluded = startDirs.ToList();
|
||||
// }
|
||||
|
||||
// Parallel.ForEach(startDirsExcluded, (d) =>
|
||||
// {
|
||||
// Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded), (dir) =>
|
||||
// {
|
||||
// GetFiles(dir.FullName, pattern).ForEach(
|
||||
// (f) =>
|
||||
// {
|
||||
// if (!StaticExtensions.Contains(f.Extension.ToLower()))
|
||||
// {
|
||||
// // It should always be lesss than 260, but some times it isn't so this will bypass that file
|
||||
// //if (Checks.Checks.IsLongPath || f.FullName.Length <= 260)
|
||||
// //{
|
||||
// CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false);
|
||||
// files.Add(file_info);
|
||||
|
||||
// CustomFileInfo file_dir = new CustomFileInfo(f.Directory.Name, "", f.Directory.FullName, 0, true);
|
||||
// if (!known_dirs.Contains(file_dir.FullPath))
|
||||
// {
|
||||
// known_dirs.Add(file_dir.FullPath);
|
||||
// files.Add(file_dir);
|
||||
// }
|
||||
// //}
|
||||
// //else if (f.FullName.Length > 260)
|
||||
// //Beaprint.LongPathWarning(f.FullName);
|
||||
// }
|
||||
// }
|
||||
// );
|
||||
// });
|
||||
// });
|
||||
|
||||
// return files.ToList();
|
||||
//}
|
||||
|
||||
//private static List<FileInfo> GetFiles(string folder, string pattern = "*")
|
||||
//{
|
||||
// DirectoryInfo dirInfo;
|
||||
// DirectoryInfo[] directories;
|
||||
// try
|
||||
// {
|
||||
// dirInfo = new DirectoryInfo(folder);
|
||||
// directories = dirInfo.GetDirectories();
|
||||
|
||||
// if (directories.Length == 0)
|
||||
// {
|
||||
// return new List<FileInfo>(dirInfo.GetFiles(pattern));
|
||||
// }
|
||||
// }
|
||||
// catch (UnauthorizedAccessException)
|
||||
// {
|
||||
// return new List<FileInfo>();
|
||||
// }
|
||||
// catch (PathTooLongException)
|
||||
// {
|
||||
// return new List<FileInfo>();
|
||||
// }
|
||||
// catch (DirectoryNotFoundException)
|
||||
// {
|
||||
// return new List<FileInfo>();
|
||||
// }
|
||||
// catch (Exception)
|
||||
// {
|
||||
// return new List<FileInfo>();
|
||||
// }
|
||||
|
||||
// List<FileInfo> result = new List<FileInfo>();
|
||||
|
||||
// foreach (var d in directories)
|
||||
// {
|
||||
// result.AddRange(GetFiles(d.FullName, pattern));
|
||||
// }
|
||||
|
||||
// try
|
||||
// {
|
||||
// result.AddRange(dirInfo.GetFiles(pattern));
|
||||
// }
|
||||
// catch (UnauthorizedAccessException)
|
||||
// {
|
||||
// }
|
||||
// catch (PathTooLongException)
|
||||
// {
|
||||
// }
|
||||
// catch (DirectoryNotFoundException)
|
||||
// {
|
||||
// }
|
||||
// catch (Exception)
|
||||
// {
|
||||
// }
|
||||
|
||||
// return result;
|
||||
//}
|
||||
|
||||
|
||||
public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null, bool isFoldersIncluded = false)
|
||||
{
|
||||
ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
|
||||
IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern, isFoldersIncluded);
|
||||
IList<DirectoryInfo> startDirsExcluded = new List<DirectoryInfo>();
|
||||
IList<string> known_dirs = new List<string>();
|
||||
ConcurrentDictionary<string, byte> known_dirs = new ConcurrentDictionary<string, byte>();
|
||||
|
||||
if (excludedDirs != null)
|
||||
{
|
||||
@@ -68,37 +189,27 @@ namespace winPEAS.Helpers.Search
|
||||
|
||||
Parallel.ForEach(startDirsExcluded, (d) =>
|
||||
{
|
||||
Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded), (dir) =>
|
||||
var foundFiles = GetFiles(d.FullName, pattern);
|
||||
foreach (var f in foundFiles)
|
||||
{
|
||||
GetFiles(dir.FullName, pattern).ForEach(
|
||||
(f) =>
|
||||
if (f != null && !StaticExtensions.Contains(f.Extension.ToLower()))
|
||||
{
|
||||
CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false);
|
||||
files.Add(file_info);
|
||||
|
||||
CustomFileInfo file_dir = new CustomFileInfo(f.Directory.Name, "", f.Directory.FullName, 0, true);
|
||||
if (known_dirs.TryAdd(file_dir.FullPath, 0))
|
||||
{
|
||||
if (!StaticExtensions.Contains(f.Extension.ToLower()))
|
||||
{
|
||||
// It should always be lesss than 260, but some times it isn't so this will bypass that file
|
||||
if (Checks.Checks.IsLongPath || f.FullName.Length <= 260)
|
||||
{
|
||||
CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false);
|
||||
files.Add(file_info);
|
||||
|
||||
CustomFileInfo file_dir = new CustomFileInfo(f.Directory.Name, "", f.Directory.FullName, 0, true);
|
||||
if (!known_dirs.Contains(file_dir.FullPath))
|
||||
{
|
||||
known_dirs.Add(file_dir.FullPath);
|
||||
files.Add(file_dir);
|
||||
}
|
||||
}
|
||||
else if (f.FullName.Length > 260)
|
||||
Beaprint.LongPathWarning(f.FullName);
|
||||
}
|
||||
files.Add(file_dir);
|
||||
}
|
||||
);
|
||||
});
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
return files.ToList();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
private static List<FileInfo> GetFiles(string folder, string pattern = "*")
|
||||
{
|
||||
DirectoryInfo dirInfo;
|
||||
@@ -130,16 +241,22 @@ namespace winPEAS.Helpers.Search
|
||||
return new List<FileInfo>();
|
||||
}
|
||||
|
||||
List<FileInfo> result = new List<FileInfo>();
|
||||
ConcurrentBag<FileInfo> result = new ConcurrentBag<FileInfo>();
|
||||
|
||||
foreach (var d in directories)
|
||||
Parallel.ForEach(directories, (d) =>
|
||||
{
|
||||
result.AddRange(GetFiles(d.FullName, pattern));
|
||||
}
|
||||
foreach (var file in GetFiles(d.FullName, pattern))
|
||||
{
|
||||
result.Add(file);
|
||||
}
|
||||
});
|
||||
|
||||
try
|
||||
{
|
||||
result.AddRange(dirInfo.GetFiles(pattern));
|
||||
foreach (var file in dirInfo.GetFiles(pattern))
|
||||
{
|
||||
result.Add(file);
|
||||
}
|
||||
}
|
||||
catch (UnauthorizedAccessException)
|
||||
{
|
||||
@@ -154,7 +271,7 @@ namespace winPEAS.Helpers.Search
|
||||
{
|
||||
}
|
||||
|
||||
return result;
|
||||
return result.ToList();
|
||||
}
|
||||
|
||||
private static IEnumerable<DirectoryInfo> GetStartDirectories(string folder, ConcurrentBag<CustomFileInfo> files, string pattern, bool isFoldersIncluded = false)
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
using System;
|
||||
using System.Diagnostics;
|
||||
using System.Collections.Generic;
|
||||
using System.Globalization;
|
||||
using System.IO;
|
||||
@@ -7,9 +8,11 @@ using System.Management;
|
||||
using System.Net;
|
||||
using System.Net.NetworkInformation;
|
||||
using System.Windows.Forms;
|
||||
using System.Text.RegularExpressions;
|
||||
using winPEAS.Helpers;
|
||||
using winPEAS.Helpers.Registry;
|
||||
|
||||
|
||||
namespace winPEAS.Info.SystemInfo
|
||||
{
|
||||
class SystemInfo
|
||||
@@ -44,11 +47,65 @@ namespace winPEAS.Info.SystemInfo
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
//From Seatbelt
|
||||
public static Dictionary<string, string> GetBasicOSInfo()
|
||||
{
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
|
||||
// Systeminfo from cmd to be able to use wes-ng
|
||||
///////////////////////////////////////////////
|
||||
|
||||
Process process = new Process();
|
||||
|
||||
// Configure the process to run the systeminfo command
|
||||
process.StartInfo.FileName = "systeminfo.exe";
|
||||
process.StartInfo.UseShellExecute = false;
|
||||
process.StartInfo.RedirectStandardOutput = true;
|
||||
|
||||
// Start the process
|
||||
process.Start();
|
||||
|
||||
// Read the output of the command
|
||||
string output = process.StandardOutput.ReadToEnd();
|
||||
|
||||
// Wait for the command to finish
|
||||
process.WaitForExit();
|
||||
|
||||
|
||||
// Split the output by newline characters
|
||||
string[] lines = output.Split(new[] { '\n' }, StringSplitOptions.RemoveEmptyEntries);
|
||||
|
||||
string osname = @".*?Microsoft[\(R\)]{0,3} Windows[\(R\)?]{0,3} ?(Serverr? )?(\d+\.?\d?( R2)?|XP|VistaT).*";
|
||||
string osversion = @".*?((\d+\.?){3}) ((Service Pack (\d)|N\/\w|.+) )?[ -\xa5]+ (\d+).*";
|
||||
// Iterate over each line and add key-value pairs to the dictionary
|
||||
foreach (string line in lines)
|
||||
{
|
||||
int index = line.IndexOf(':');
|
||||
if (index != -1)
|
||||
{
|
||||
string key = line.Substring(0, index).Trim();
|
||||
string value = line.Substring(index + 1).Trim();
|
||||
if (Regex.IsMatch(value, osname, RegexOptions.IgnoreCase))
|
||||
{
|
||||
results["OS Name"] = value;
|
||||
}
|
||||
//I have to find a better way. Maybe use regex from wes-ng
|
||||
if (Regex.IsMatch(value, osversion, RegexOptions.IgnoreCase))
|
||||
{
|
||||
results["OS Version"] = value;
|
||||
}
|
||||
|
||||
if (value.Contains("based PC"))
|
||||
{
|
||||
results["System Type"] = value;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
// ENDING Systeminfo from cmd to be able to use wes-ng
|
||||
///////////////////////////////////////////////
|
||||
try
|
||||
{
|
||||
string ProductName = RegistryHelper.GetRegValue("HKLM", "Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
|
||||
|
||||
@@ -129,6 +129,24 @@ namespace winPEAS.KnownFileCreds
|
||||
else
|
||||
{
|
||||
string[] subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions\\");
|
||||
RegistryKey selfKey = Registry.CurrentUser.OpenSubKey(@"Software\\SimonTatham\\PuTTY\\Sessions"); // extract own Sessions registry keys
|
||||
|
||||
if (selfKey != null)
|
||||
{
|
||||
string[] subKeyNames = selfKey.GetValueNames();
|
||||
foreach (string name in subKeyNames)
|
||||
{
|
||||
Dictionary<string, string> putty_sess_key = new Dictionary<string, string>()
|
||||
{
|
||||
{ "RegKey Name", name },
|
||||
{ "RegKey Value", (string)selfKey.GetValue(name) },
|
||||
};
|
||||
|
||||
results.Add(putty_sess_key);
|
||||
}
|
||||
selfKey.Close();
|
||||
}
|
||||
|
||||
foreach (string sessionName in subKeys)
|
||||
{
|
||||
Dictionary<string, string> putty_sess = new Dictionary<string, string>()
|
||||
|
||||
4
winPEAS/winPEASexe/winPEAS/packages.config
Normal file
4
winPEAS/winPEASexe/winPEAS/packages.config
Normal file
@@ -0,0 +1,4 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<packages>
|
||||
<package id="AlphaFS" version="2.2.6" targetFramework="net452" />
|
||||
</packages>
|
||||
@@ -114,12 +114,16 @@
|
||||
</StartupObject>
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<Reference Include="AlphaFS, Version=2.2.0.0, Culture=neutral, PublicKeyToken=4d31a58f7d7ad5c9, processorArchitecture=MSIL">
|
||||
<HintPath>..\packages\AlphaFS.2.2.6\lib\net452\AlphaFS.dll</HintPath>
|
||||
</Reference>
|
||||
<Reference Include="System" />
|
||||
<Reference Include="System.Core" />
|
||||
<Reference Include="System.DirectoryServices.AccountManagement" />
|
||||
<Reference Include="System.Management" />
|
||||
<Reference Include="System.Security" />
|
||||
<Reference Include="System.ServiceProcess" />
|
||||
<Reference Include="System.Transactions" />
|
||||
<Reference Include="System.Web.Extensions" />
|
||||
<Reference Include="System.Windows.Forms" />
|
||||
<Reference Include="System.Xml.Linq" />
|
||||
@@ -696,6 +700,7 @@
|
||||
<Link>sensitive_files.yaml</Link>
|
||||
</EmbeddedResource>
|
||||
<None Include="App.config" />
|
||||
<None Include="packages.config" />
|
||||
<None Include="TaskScheduler\V1\TaskSchedulerV1Schema.xsd">
|
||||
<SubType>Designer</SubType>
|
||||
</None>
|
||||
|
||||
26
winPEAS/winPEASps1/README.md
Executable file
26
winPEAS/winPEASps1/README.md
Executable file
@@ -0,0 +1,26 @@
|
||||
# Windows Privilege Escalation Awesome Script (.ps1)
|
||||
|
||||
|
||||
|
||||
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
|
||||
|
||||
Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
|
||||
|
||||
## Mantainer
|
||||
|
||||
The official **maintainer of this script is [RandolphConley](https://github.com/RandolphConley)**.
|
||||
|
||||
## Quick Start
|
||||
|
||||
Download the **[latest releas from here](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
|
||||
|
||||
```bash
|
||||
powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/WinPeas.ps1')"
|
||||
```
|
||||
|
||||
## Advisory
|
||||
|
||||
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
||||
|
||||
|
||||
By Polop
|
||||
1223
winPEAS/winPEASps1/winPEAS.ps1
Normal file
1223
winPEAS/winPEASps1/winPEAS.ps1
Normal file
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user