List browser profiles in user homes

Merge pull request #554 from peass-ng/fix-pr-failure-dispatch-context-2
Fix pr failure dispatch context 2
2026-01-21 05:19:03 +00:00 · 2026-01-20 18:02:08 +01:00 · 2026-01-20 17:46:27 +01:00 · 2026-01-20 13:59:32 +01:00 · 2026-01-18 23:11:38 +00:00
5 changed files with 82 additions and 9 deletions
--- a/linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh
+++ b/linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh
@@ -0,0 +1,64 @@
+# Title: Software Information - Browser Profiles
+# ID: SW_Browser_Profiles
+# Author: Carlos Polop
+# Last Update: 10-03-2025
+# Description: List browser profiles that may store credentials/cookies
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, print_info
+# Global Variables: $HOMESEARCH, $SED_RED
+# Initial Functions:
+# Generated Global Variables: $h, $firefox_ini, $chrome_base, $profiles
+# Fat linpeas: 0
+# Small linpeas: 1
+
+print_2title "Browser Profiles"
+print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#browser-data"
+
+echo ""
+
+for h in $HOMESEARCH; do
+  [ -d "$h" ] || continue
+
+  firefox_ini="$h/.mozilla/firefox/profiles.ini"
+  if [ -f "$firefox_ini" ]; then
+    print_3title "Firefox profiles ($h)"
+    awk -F= '
+      /^\[Profile/ { in_profile=1 }
+      /^Path=/ { path=$2 }
+      /^IsRelative=/ { isrel=$2 }
+      /^$/ {
+        if (path != "") {
+          if (isrel == "1") {
+            print base "/.mozilla/firefox/" path
+          } else {
+            print path
+          }
+        }
+        path=""; isrel=""
+      }
+      END {
+        if (path != "") {
+          if (isrel == "1") {
+            print base "/.mozilla/firefox/" path
+          } else {
+            print path
+          }
+        }
+      }
+    ' base="$h" "$firefox_ini" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
+    echo ""
+  fi
+
+  for chrome_base in "$h/.config/google-chrome" "$h/.config/chromium" "$h/.config/BraveSoftware/Brave-Browser" "$h/.config/microsoft-edge" "$h/.config/microsoft-edge-beta" "$h/.config/microsoft-edge-dev"; do
+    if [ -d "$chrome_base" ]; then
+      profiles=$(find "$chrome_base" -maxdepth 1 -type d \( -name "Default" -o -name "Profile *" \) 2>/dev/null)
+      if [ "$profiles" ]; then
+        print_3title "Chromium profiles ($chrome_base)"
+        printf "%s\n" "$profiles" | sed -${E} "s,.*,${SED_RED},"
+        echo ""
+      fi
+    fi
+  done
+
+done
--- a/linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh
@@ -17,10 +17,10 @@ check_external_hostname(){
  INTERNET_SEARCH_TIMEOUT=15
  # wget or curl?
  if command -v curl >/dev/null 2>&1; then
-    curl "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
+    curl "https://tools.hacktricks.wiki/api/host-checker" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
  elif command -v wget >/dev/null 2>&1; then
-    wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
+    wget -q -O - "https://tools.hacktricks.wiki/api/host-checker" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
  else
    echo "wget or curl not found"
  fi
-}
+}
--- a/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh
@@ -15,11 +15,12 @@

 check_tcp_443_bin () {
  local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
-  local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
+  local url_lambda="https://tools.hacktricks.wiki/api/host-checker"

  if command -v curl >/dev/null 2>&1; then
    if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
-         -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+         -H "User-Agent: linpeas" -H "Content-Type: application/json" \
+         -d "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
    then
      echo "Port 443 is accessible with curl"
      return 0                      # ✅ success
@@ -30,7 +31,8 @@ check_tcp_443_bin () {

  elif command -v wget >/dev/null 2>&1; then
    if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
-         --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
+         --header "User-Agent: linpeas" -H "Content-Type: application/json" \
+         --post-data "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
    then
      echo "Port 443 is accessible with wget"
      return 0
--- a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/HostnameResolution.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/HostnameResolution.cs
@@ -46,7 +46,7 @@ namespace winPEAS.Info.NetworkInfo

                // 4. Call external checker
                var resp = httpClient
-                    .PostAsync("https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/", payload)
+                    .PostAsync("https://tools.hacktricks.wiki/api/host-checker", payload)
                    .GetAwaiter().GetResult();

                if (resp.IsSuccessStatusCode)
--- a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetConnectivity.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetConnectivity.cs
@@ -4,6 +4,8 @@ using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Net.NetworkInformation;
 using System.Net.Sockets;
+using System.Text;
+using System.Text.Json;
 using System.Threading;

 namespace winPEAS.Info.NetworkInfo
@@ -48,7 +50,7 @@ namespace winPEAS.Info.NetworkInfo
            { "1.1.1.1", "8.8.8.8" };

        private const string LAMBDA_URL =
-            "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/";
+            "https://tools.hacktricks.wiki/api/host-checker";

        // Shared HttpClient (kept for HTTP & Lambda checks)
        private static readonly HttpClient http = new HttpClient
@@ -118,7 +120,12 @@ namespace winPEAS.Info.NetworkInfo
                using var cts =
                    new CancellationTokenSource(TimeSpan.FromMilliseconds(HTTP_TIMEOUT_MS));

-                var req = new HttpRequestMessage(HttpMethod.Get, LAMBDA_URL);
+                var payload = new StringContent(
+                    JsonSerializer.Serialize(new { hostname = Environment.MachineName }),
+                    Encoding.UTF8,
+                    "application/json");
+                var req = new HttpRequestMessage(HttpMethod.Post, LAMBDA_URL);
+                req.Content = payload;
                req.Headers.UserAgent.ParseAdd("winpeas");
                req.Headers.Accept.Add(
                    new MediaTypeWithQualityHeaderValue("application/json"));
Author	SHA1	Message	Date
Carlos Polop	ac9613f0ee	List browser profiles in user homes	2026-01-20 18:02:08 +01:00
SirBroccoli	66c3d4e342	Merge pull request #554 from peass-ng/fix-pr-failure-dispatch-context-2 Fix pr failure dispatch context 2	2026-01-20 17:46:27 +01:00
Carlos Polop	21a967acb5	fix urls	2026-01-20 13:59:32 +01:00
SirBroccoli	89a55bde9b	Auto-merge PR #553 (Codex)	2026-01-18 23:11:38 +00:00