mirror of
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
synced 2026-01-21 05:19:03 +00:00
Compare commits
9 Commits
fix-pr-fai
...
fix/issue-
| Author | SHA1 | Date | |
|---|---|---|---|
|
6e73cfe8a2 | ||
|
|
66c3d4e342 | ||
|
|
917f88b76c | ||
|
|
21a967acb5 | ||
|
|
4155093e56 | ||
|
|
be1b0cdbd0 | ||
|
|
89a55bde9b | ||
|
|
4308caddf1 | ||
|
|
54fc62d29b |
51
.github/workflows/pr-failure-codex-dispatch.yml
vendored
51
.github/workflows/pr-failure-codex-dispatch.yml
vendored
@@ -10,7 +10,7 @@ jobs:
|
||||
if: >
|
||||
${{ github.event.workflow_run.conclusion == 'failure' &&
|
||||
github.event.workflow_run.pull_requests &&
|
||||
github.event.workflow_run.pull_requests[0].user.login == 'carlospolop' &&
|
||||
github.event.workflow_run.pull_requests[0] &&
|
||||
!startsWith(github.event.workflow_run.head_commit.message, 'Fix CI failures for PR #') }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
@@ -20,10 +20,33 @@ jobs:
|
||||
actions: read
|
||||
|
||||
steps:
|
||||
- name: Comment on PR with failure info
|
||||
uses: actions/github-script@v7
|
||||
- name: Resolve PR context
|
||||
id: pr_context
|
||||
env:
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
pr_author=$(gh api -H "Accept: application/vnd.github+json" \
|
||||
/repos/${{ github.repository }}/pulls/${PR_NUMBER} \
|
||||
--jq '.user.login')
|
||||
pr_head_repo=$(gh api -H "Accept: application/vnd.github+json" \
|
||||
/repos/${{ github.repository }}/pulls/${PR_NUMBER} \
|
||||
--jq '.head.repo.full_name')
|
||||
pr_head_branch=$(gh api -H "Accept: application/vnd.github+json" \
|
||||
/repos/${{ github.repository }}/pulls/${PR_NUMBER} \
|
||||
--jq '.head.ref')
|
||||
{
|
||||
echo "number=${PR_NUMBER}"
|
||||
echo "author=${pr_author}"
|
||||
echo "head_repo=${pr_head_repo}"
|
||||
echo "head_branch=${pr_head_branch}"
|
||||
} >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Comment on PR with failure info
|
||||
if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
|
||||
uses: actions/github-script@v7
|
||||
env:
|
||||
PR_NUMBER: ${{ steps.pr_context.outputs.number }}
|
||||
RUN_URL: ${{ github.event.workflow_run.html_url }}
|
||||
WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
|
||||
with:
|
||||
@@ -39,19 +62,22 @@ jobs:
|
||||
});
|
||||
|
||||
- name: Checkout PR head
|
||||
if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
repository: ${{ github.event.workflow_run.head_repository.full_name }}
|
||||
repository: ${{ steps.pr_context.outputs.head_repo }}
|
||||
ref: ${{ github.event.workflow_run.head_sha }}
|
||||
fetch-depth: 0
|
||||
persist-credentials: true
|
||||
|
||||
- name: Configure git author
|
||||
if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
|
||||
run: |
|
||||
git config user.name "codex-action"
|
||||
git config user.email "codex-action@users.noreply.github.com"
|
||||
|
||||
- name: Fetch failure summary
|
||||
if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
RUN_ID: ${{ github.event.workflow_run.id }}
|
||||
@@ -79,10 +105,11 @@ jobs:
|
||||
PY
|
||||
|
||||
- name: Create Codex prompt
|
||||
if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
|
||||
env:
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
PR_NUMBER: ${{ steps.pr_context.outputs.number }}
|
||||
RUN_URL: ${{ github.event.workflow_run.html_url }}
|
||||
HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
|
||||
HEAD_BRANCH: ${{ steps.pr_context.outputs.head_branch }}
|
||||
run: |
|
||||
{
|
||||
echo "You are fixing CI failures for PR #${PR_NUMBER} in ${{ github.repository }}."
|
||||
@@ -98,6 +125,7 @@ jobs:
|
||||
} > codex_prompt.txt
|
||||
|
||||
- name: Run Codex
|
||||
if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
|
||||
id: run_codex
|
||||
uses: openai/codex-action@v1
|
||||
with:
|
||||
@@ -107,23 +135,26 @@ jobs:
|
||||
model: gpt-5.2-codex
|
||||
|
||||
- name: Commit and push if changed
|
||||
if: ${{ steps.pr_context.outputs.author == 'carlospolop' }}
|
||||
env:
|
||||
TARGET_BRANCH: ${{ github.event.workflow_run.head_branch }}
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
TARGET_BRANCH: ${{ steps.pr_context.outputs.head_branch }}
|
||||
PR_NUMBER: ${{ steps.pr_context.outputs.number }}
|
||||
run: |
|
||||
if git diff --quiet; then
|
||||
echo "No changes to commit."
|
||||
exit 0
|
||||
fi
|
||||
rm -f codex_failure_summary.txt codex_prompt.txt
|
||||
git add -A
|
||||
git reset -- codex_failure_summary.txt codex_prompt.txt
|
||||
git commit -m "Fix CI failures for PR #${PR_NUMBER}"
|
||||
git push origin HEAD:${TARGET_BRANCH}
|
||||
|
||||
- name: Comment with Codex result
|
||||
if: steps.run_codex.outputs.final-message != ''
|
||||
if: ${{ steps.pr_context.outputs.author == 'carlospolop' && steps.run_codex.outputs.final-message != '' }}
|
||||
uses: actions/github-script@v7
|
||||
env:
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
PR_NUMBER: ${{ steps.pr_context.outputs.number }}
|
||||
CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
|
||||
with:
|
||||
github-token: ${{ github.token }}
|
||||
|
||||
@@ -127,6 +127,22 @@ else
|
||||
if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
|
||||
fi
|
||||
|
||||
print_list "protected_symlinks? ............ "$NC
|
||||
protected_symlinks=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)
|
||||
if [ -z "$protected_symlinks" ]; then
|
||||
echo_not_found "/proc/sys/fs/protected_symlinks"
|
||||
else
|
||||
if [ "$protected_symlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_symlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
|
||||
fi
|
||||
|
||||
print_list "protected_hardlinks? ........... "$NC
|
||||
protected_hardlinks=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)
|
||||
if [ -z "$protected_hardlinks" ]; then
|
||||
echo_not_found "/proc/sys/fs/protected_hardlinks"
|
||||
else
|
||||
if [ "$protected_hardlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_hardlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
|
||||
fi
|
||||
|
||||
print_list "perf_event_paranoid? ........... "$NC
|
||||
perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
|
||||
if [ -z "$perf_event_paranoid" ]; then
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
# Last Update: 07-03-2024
|
||||
# Description: Check for additional disk information and system resources relevant to privilege escalation:
|
||||
# - Disk utilization
|
||||
# - Inode usage
|
||||
# - System resources
|
||||
# - Storage statistics
|
||||
# - Common vulnerable scenarios:
|
||||
@@ -44,4 +45,8 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
|
||||
(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
|
||||
warn_exec free 2>/dev/null
|
||||
echo ""
|
||||
fi
|
||||
|
||||
print_2title "Inode usage"
|
||||
warn_exec df -i 2>/dev/null
|
||||
echo ""
|
||||
fi
|
||||
|
||||
@@ -0,0 +1,25 @@
|
||||
# Title: Processes & Cron & Services & Timers - Deleted open files
|
||||
# ID: PR_Deleted_open_files
|
||||
# Author: Carlos Polop
|
||||
# Last Update: 2025-01-07
|
||||
# Description: Identify deleted files still held open by running processes
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title, print_info
|
||||
# Global Variables: $DEBUG, $EXTRA_CHECKS, $E, $SED_RED
|
||||
# Initial Functions:
|
||||
# Generated Global Variables:
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
if [ "$(command -v lsof 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Deleted files still open"
|
||||
print_info "Open deleted files can hide tools and still consume disk space"
|
||||
lsof +L1 2>/dev/null | sed -${E} "s,\\(deleted\\),${SED_RED},g"
|
||||
echo ""
|
||||
elif [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Deleted files still open"
|
||||
print_info "lsof not found, scanning /proc for deleted file descriptors"
|
||||
ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)" | sed -${E} "s,\\(deleted\\),${SED_RED},g" | head -n 200
|
||||
echo ""
|
||||
fi
|
||||
@@ -23,6 +23,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
incrontab -l 2>/dev/null
|
||||
ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
|
||||
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
|
||||
grep -Hn '^PATH=' /etc/crontab /etc/cron.d/* 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
|
||||
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
|
||||
atq 2>/dev/null
|
||||
@@ -247,4 +248,4 @@ else
|
||||
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
|
||||
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
|
||||
fi
|
||||
echo ""
|
||||
echo ""
|
||||
|
||||
@@ -19,6 +19,16 @@ print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation
|
||||
if [ "$PASSWORD" ]; then
|
||||
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo"
|
||||
fi
|
||||
(sudo -n -l 2>/dev/null | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo "No cached sudo token (sudo -n -l)"
|
||||
|
||||
secure_path_line=$(sudo -l 2>/dev/null | grep -o "secure_path=[^,]*" | head -n 1 | cut -d= -f2)
|
||||
if [ "$secure_path_line" ]; then
|
||||
for p in $(echo "$secure_path_line" | tr ':' ' '); do
|
||||
if [ -w "$p" ]; then
|
||||
echo "Writable secure_path entry: $p" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null || echo_not_found "/etc/sudoers"
|
||||
if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
|
||||
echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
@@ -29,4 +39,4 @@ for f in /etc/sudoers.d/*; do
|
||||
grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
echo ""
|
||||
|
||||
@@ -40,4 +40,18 @@ else
|
||||
echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
|
||||
|
||||
fi
|
||||
|
||||
if [ -d "/var/run/sudo/ts" ]; then
|
||||
echo "Sudo token directory perms:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
|
||||
ls -ld /var/run/sudo/ts 2>/dev/null
|
||||
if [ -w "/var/run/sudo/ts" ]; then
|
||||
echo "/var/run/sudo/ts is writable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
if [ -f "/var/run/sudo/ts/$USER" ]; then
|
||||
ls -l "/var/run/sudo/ts/$USER" 2>/dev/null
|
||||
if [ -w "/var/run/sudo/ts/$USER" ]; then
|
||||
echo "User sudo token file is writable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
echo ""
|
||||
|
||||
@@ -17,10 +17,10 @@ check_external_hostname(){
|
||||
INTERNET_SEARCH_TIMEOUT=15
|
||||
# wget or curl?
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
curl "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
|
||||
curl "https://tools.hacktricks.wiki/api/host-checker" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
|
||||
wget -q -O - "https://tools.hacktricks.wiki/api/host-checker" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
|
||||
else
|
||||
echo "wget or curl not found"
|
||||
fi
|
||||
}
|
||||
}
|
||||
|
||||
@@ -15,11 +15,12 @@
|
||||
|
||||
check_tcp_443_bin () {
|
||||
local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
|
||||
local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
|
||||
local url_lambda="https://tools.hacktricks.wiki/api/host-checker"
|
||||
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
|
||||
-H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
|
||||
-H "User-Agent: linpeas" -H "Content-Type: application/json" \
|
||||
-d "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
|
||||
then
|
||||
echo "Port 443 is accessible with curl"
|
||||
return 0 # ✅ success
|
||||
@@ -30,7 +31,8 @@ check_tcp_443_bin () {
|
||||
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
|
||||
--header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
|
||||
--header "User-Agent: linpeas" -H "Content-Type: application/json" \
|
||||
--post-data "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
|
||||
then
|
||||
echo "Port 443 is accessible with wget"
|
||||
return 0
|
||||
|
||||
@@ -15,6 +15,5 @@
|
||||
|
||||
sidG1="/abuild-sudo$|/accton$|/allocate$|/ARDAgent$|/arping$|/atq$|/atrm$|/authpf$|/authpf-noip$|/authopen$|/batch$|/bbsuid$|/bsd-write$|/btsockstat$|/bwrap$|/cacaocsc$|/camel-lock-helper-1.2$|/ccreds_validate$|/cdrw$|/chage$|/check-foreground-console$|/chrome-sandbox$|/chsh$|/cons.saver$|/crontab$|/ct$|/cu$|/dbus-daemon-launch-helper$|/deallocate$|/desktop-create-kmenu$|/dma$|/dma-mbox-create$|/dmcrypt-get-device$|/doas$|/dotlockfile$|/dotlock.mailutils$|/dtaction$|/dtfile$|/eject$|/execabrt-action-install-debuginfo-to-abrt-cache$|/execdbus-daemon-launch-helper$|/execdma-mbox-create$|/execlockspool$|/execlogin_chpass$|/execlogin_lchpass$|/execlogin_passwd$|/execssh-keysign$|/execulog-helper$|/exim4|/expiry$|/fdformat$|/fstat$|/fusermount$|/fusermount3$"
|
||||
sidG2="/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnometris$|/gnomine$|/gnotski$|/gnotravex$|/gpasswd$|/gpg$|/gpio$|/gtali|/.hal-mtab-lock$|/helper$|/imapd$|/inndstart$|/kismet_cap_nrf_51822$|/kismet_cap_nxp_kw41z$|/kismet_cap_ti_cc_2531$|/kismet_cap_ti_cc_2540$|/kismet_cap_ubertooth_one$|/kismet_capture$|/kismet_cap_linux_bluetooth$|/kismet_cap_linux_wifi$|/kismet_cap_nrf_mousejack$|/ksu$|/list_devices$|/load_osxfuse$|/locate$|/lock$|/lockdev$|/lockfile$|/login_activ$|/login_crypto$|/login_radius$|/login_skey$|/login_snk$|/login_token$|/login_yubikey$|/lpc$|/lpd$|/lpd-port$|/lppasswd$|/lpq$|/lpr$|/lprm$|/lpset$|/lxc-user-nic$|/mahjongg$|/mail-lock$|/mailq$|/mail-touchlock$|/mail-unlock$|/mksnap_ffs$|/mlocate$|/mlock$|/mount$|/mount.cifs$|/mount.ecryptfs_private$|/mount.nfs$|/mount.nfs4$|/mount_osxfuse$|/mtr$|/mutt_dotlock$"
|
||||
sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
|
||||
sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/hping3$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
|
||||
sidG4="/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/VBoxHeadless$|/VBoxNetAdpCtl$|/VBoxNetDHCP$|/VBoxNetNAT$|/VBoxSDL$|/VBoxVolInfo$|/VirtualBoxVM$|/vmstat$|/vmware-authd$|/vmware-user-suid-wrapper$|/vmware-vmx$|/vmware-vmx-debug$|/vmware-vmx-stats$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$"
|
||||
|
||||
|
||||
@@ -13,5 +13,5 @@
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|peass{SUDOVB1_HERE}"
|
||||
sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|env_keep\W*\+=.*PATH|!env_reset|!requiretty|peass{SUDOVB1_HERE}"
|
||||
sudoVB2="peass{SUDOVB2_HERE}"
|
||||
|
||||
@@ -46,7 +46,7 @@ namespace winPEAS.Info.NetworkInfo
|
||||
|
||||
// 4. Call external checker
|
||||
var resp = httpClient
|
||||
.PostAsync("https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/", payload)
|
||||
.PostAsync("https://tools.hacktricks.wiki/api/host-checker", payload)
|
||||
.GetAwaiter().GetResult();
|
||||
|
||||
if (resp.IsSuccessStatusCode)
|
||||
|
||||
@@ -4,6 +4,8 @@ using System.Net.Http;
|
||||
using System.Net.Http.Headers;
|
||||
using System.Net.NetworkInformation;
|
||||
using System.Net.Sockets;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using System.Threading;
|
||||
|
||||
namespace winPEAS.Info.NetworkInfo
|
||||
@@ -48,7 +50,7 @@ namespace winPEAS.Info.NetworkInfo
|
||||
{ "1.1.1.1", "8.8.8.8" };
|
||||
|
||||
private const string LAMBDA_URL =
|
||||
"https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/";
|
||||
"https://tools.hacktricks.wiki/api/host-checker";
|
||||
|
||||
// Shared HttpClient (kept for HTTP & Lambda checks)
|
||||
private static readonly HttpClient http = new HttpClient
|
||||
@@ -118,7 +120,12 @@ namespace winPEAS.Info.NetworkInfo
|
||||
using var cts =
|
||||
new CancellationTokenSource(TimeSpan.FromMilliseconds(HTTP_TIMEOUT_MS));
|
||||
|
||||
var req = new HttpRequestMessage(HttpMethod.Get, LAMBDA_URL);
|
||||
var payload = new StringContent(
|
||||
JsonSerializer.Serialize(new { hostname = Environment.MachineName }),
|
||||
Encoding.UTF8,
|
||||
"application/json");
|
||||
var req = new HttpRequestMessage(HttpMethod.Post, LAMBDA_URL);
|
||||
req.Content = payload;
|
||||
req.Headers.UserAgent.ParseAdd("winpeas");
|
||||
req.Headers.Accept.Add(
|
||||
new MediaTypeWithQualityHeaderValue("application/json"));
|
||||
|
||||
Reference in New Issue
Block a user