Update 3_cloud.sh

Add try-except for PrintCachedCreds

build_lists/regexes.yaml

@@ -1,2 +1,3 @@
-# This is a placeholder.
+# This is a placeholder
-# To fill this yaml execute one of the scripts download_regexes.py or download_regexes.ps1
+# It will be replaced by the actual regexes.yaml file
+# generated by download-regexes.py or download-regexes.ps1 (execute it before building the tools)

linPEAS/builder/linpeas_parts/3_cloud.sh

@@ -17,9 +17,15 @@ exec_with_jq(){
 }
 
 check_gcp(){
-  is_gcp="No"
+  is_gcp_vm="No"
+  is_gcp_function="No"
   if grep -q metadata.google.internal /etc/hosts 2>/dev/null || (curl --connect-timeout 2 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]) || (wget --timeout 2 --tries 1 metadata.google.internal >/dev/null 2>&1 && [ "$?" -eq "0" ]); then
-    is_gcp="Yes"
+    is_gcp_vm="Yes"
+  fi
+  # CHeck if /workspace exists
+  if [ -d "/workspace" ] && [ -d "/layers" ]; then
+    is_gcp_vm="No"
+    is_gcp_function="Yes"
   fi
 }
 
@@ -37,6 +43,13 @@ check_aliyun_ecs () {
   fi
 }
 
+check_tencent_cvm () {
+  is_tencent_cvm="No"
+  if [ -f "/etc/cloud/cloud.cfg.d/05_logging.cfg" ] || grep -qi Tencent /etc/cloud/cloud.cfg; then
+      is_tencent_cvm="Yes"
+  fi
+}
+
 check_ibm_vm(){
   is_ibm_vm="No"
   if grep -q "nameserver 161.26.0.10" "/etc/resolv.conf" && grep -q "nameserver 161.26.0.11" "/etc/resolv.conf"; then
@@ -126,7 +139,8 @@ check_az_app(){
 
 
 check_gcp
-print_list "Google Cloud Platform? ............... $is_gcp\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+print_list "GCP Cloud Funtion? ................... $is_gcp_function\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_aws_ecs
 print_list "AWS ECS? ............................. $is_aws_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_aws_ec2
@@ -140,6 +154,8 @@ check_do
 print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_aliyun_ecs
 print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+#check_tencent_cvm
+print_list "Tencent CVM? .......................... $is_tencent_cvm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_ibm_vm
 print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_az_vm
@@ -149,6 +165,80 @@ print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes
 
 echo ""
 
+if [ "$is_tencent_cvm" = "Yes" ]; then
+  tencent_req=""
+  if [ "$(command -v curl)" ]; then 
+    tencent_req='curl -sfkG'
+  elif [ "$(command -v wget)" ]; then
+    tencent_req='wget -q -O '
+  else 
+    echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  
+    print_2title "Tencent CVM Enumeration"
+    print_info "https://cloud.tencent.com/document/product/213/4934"
+    # Todo: print_info "Hacktricks Documents needs to be updated"
+
+    echo ""
+    print_3title "Instance Info"
+    i_tencent_owner_account=$(eval $tencent_req http://169.254.0.23/latest/meta-data/app-id)
+    [ "$i_tencent_owner_account" ] && echo "Tencent Owner Account: $i_tencent_owner_account"
+    i_hostname=$(eval $tencent_req http://169.254.0.23/latest/meta-data/hostname)
+    [ "$i_hostname" ] && echo "Hostname: $i_hostname"
+    i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance-id)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    i_instance_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/uuid)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    i_instance_name=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance-name)
+    [ "$i_instance_name" ] && echo "Instance Name: $i_instance_name"
+    i_instance_type=$(eval $tencent_req http://169.254.0.23/latest/meta-data/instance/instance-type)
+    [ "$i_instance_type" ] && echo "Instance Type: $i_instance_type"
+    i_region_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/placement/region)
+    [ "$i_region_id" ] && echo "Region ID: $i_region_id"
+    i_zone_id=$(eval $tencent_req http://169.254.0.23/latest/meta-data/placement/zone)
+    [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
+
+    echo ""
+    print_3title "Network Info"
+    i_pri_ipv4=$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/primary-local-ipv4)
+    [ "$i_pri_ipv4" ] && echo "Primary IPv4: $i_pri_ipv4"
+
+    
+    echo "========"
+    for mac in $(eval $tencent_req  http://169.254.0.23/latest/meta-data/network/interfaces/macs/); do
+      echo "  Mac: $mac"
+      echo "  Mac public ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/public-ipv4s)
+      echo "  Mac vpc id: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/vpc-id)
+      echo "  Mac subnet id: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/subnet-id)
+      
+      for lipv4 in $(eval $tencent_req  http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/local-ipv4s); do
+        echo "  Mac local ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/local-ipv4s/$lipv4/local-ipv4)
+        echo "  Mac gateways: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/local-ipv4s/$lipv4/gateway)
+        echo "  Mac public ips: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/local-ipv4s/$lipv4/public-ipv4)
+        echo "  Mac public ips mode: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/local-ipv4s/$lipv4/public-ipv4-mode)
+        echo "  Mac subnet mask: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac/local-ipv4s/$lipv4/subnet-mask)
+      done
+    echo "======="
+    done
+
+    echo ""
+    print_3title "Service account "
+    for sa in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/"); do 
+      echo "  Name: $sa"
+      echo "  STS Token: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/$sa")
+      echo "  =============="
+    done
+
+    echo ""
+    print_3title "Possbile admin ssh Public keys"
+    for key in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/"); do
+      echo "  Name: $key"
+      echo "  Key: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/${key}openssh-key")
+      echo "  =============="
+    done
+fi
+
 if [ "$is_aliyun_ecs" = "Yes" ]; then
   aliyun_req=""
   aliyun_token=""
@@ -232,12 +322,12 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then
   fi
 fi
 
-if [ "$is_gcp" = "Yes" ]; then
+if [ "$is_gcp_vm" = "Yes" ]; then
     gcp_req=""
     if [ "$(command -v curl)" ]; then
-        gcp_req='curl -s -f  -H "X-Google-Metadata-Request: True"'
+        gcp_req='curl -s -f  -H "Metadata-Flavor: Google"'
     elif [ "$(command -v wget)" ]; then
-        gcp_req='wget -q -O - --header "X-Google-Metadata-Request: True"'
+        gcp_req='wget -q -O - --header "Metadata-Flavor: Google"'
     else 
         echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
     fi
@@ -328,6 +418,53 @@ if [ "$is_gcp" = "Yes" ]; then
     fi
 fi
 
+# Check if the script is running in a GCP Cloud Function
+if [ "$is_gcp_function" = "Yes" ]; then
+    gcp_req=""
+    if [ "$(command -v curl)" ]; then
+        gcp_req='curl -s -f  -H "Metadata-Flavor: Google"'
+    elif [ "$(command -v wget)" ]; then
+        gcp_req='wget -q -O - --header "Metadata-Flavor: Google"'
+    else 
+        echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+    fi
+
+    # GCP Enumeration
+    if [ "$gcp_req" ]; then
+        print_2title "Google Cloud Platform Enumeration"
+        print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security"
+
+        ## GC Project Info
+        p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
+        [ "$p_id" ] && echo "Project-ID: $p_id"
+        p_num=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id')
+        [ "$p_num" ] && echo "Project Number: $p_num"
+
+        # Instance Info
+        inst_id=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/id)
+        [ "$inst_id" ] && echo "Instance ID: $inst_id"
+        mtls_info=$(eval $gcp_req http://metadata/computeMetadata/v1/instance/platform-security/auto-mtls-configuration)
+        [ "$mtls_info" ] && echo "MTLS info: $mtls_info"
+        inst_zone=$(eval $gcp_req http://metadata.google.internal/computeMetadata/v1/instance/zone)
+        [ "$inst_zone" ] && echo "Zone: $inst_zone"
+
+        echo ""
+        print_3title "Service Accounts"
+        for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do 
+            echo "  Name: $sa"
+            echo "  Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}email")
+            echo "  Aliases: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}aliases")
+            echo "  Identity: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}identity")
+            echo "  Scopes: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}scopes") | sed -${E} "s,${GCP_GOOD_SCOPES},${SED_GREEN},g" | sed -${E} "s,${GCP_BAD_SCOPES},${SED_RED},g"
+            echo "  Token: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}token")
+            echo "  ==============  "
+        done
+    fi
+fi
+
+
+curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/405423052163-compute@developer.gserviceaccount.com/email"
+
 # AWS ECS Enumeration
 if [ "$is_aws_ecs" = "Yes" ]; then
     print_2title "AWS ECS Enumeration"

winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs

@@ -158,16 +158,19 @@ namespace winPEAS.Checks
                 bool is_re_match = false;
                 try
                 {
+                    // Escape backslashes in the regex string
+                    string escapedRegex = regex_str.Trim().Replace(@"\", @"\\");
+                    
                     // Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches"
                     if (caseinsensitive)
                     {
-                        is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
+                        is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
-                        rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
+                        rgx = new Regex(escapedRegex, RegexOptions.IgnoreCase);
                     }
                     else
                     {
-                        is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120));
+                        is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.None, TimeSpan.FromSeconds(120));
-                        rgx = new Regex(regex_str.Trim());
+                        rgx = new Regex(escapedRegex);
                     }
                 }
                 catch (RegexMatchTimeoutException e)

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -387,21 +387,28 @@ namespace winPEAS.Checks
 
         static void PrintCachedCreds()
         {
-            Beaprint.MainPrint("Cached Creds");
+            try
-            Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
-            string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
-            if (!string.IsNullOrEmpty(cachedlogonscount))
             {
-                int clc = Int16.Parse(cachedlogonscount);
+                Beaprint.MainPrint("Cached Creds");
-                if (clc > 0)
+                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
+                string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
+                if (!string.IsNullOrEmpty(cachedlogonscount))
                 {
-                    Beaprint.BadPrint("    cachedlogonscount is " + cachedlogonscount);
+                    int clc = Int16.Parse(cachedlogonscount);
-                }
+                    if (clc > 0)
-                else
+                    {
-                {
+                        Beaprint.BadPrint("    cachedlogonscount is " + cachedlogonscount);
-                    Beaprint.BadPrint("    cachedlogonscount is " + cachedlogonscount);
+                    }
+                    else
+                    {
+                        Beaprint.BadPrint("    cachedlogonscount is " + cachedlogonscount);
+                    }
                 }
             }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
         }
 
         static void PrintUserEV()