Merge pull request #411 from wowlolx/master

Fixed netsh command for spaces in SSIDs

linPEAS/builder/linpeas_parts/2_container.sh

@@ -324,7 +324,7 @@ if [ "$inContainer" ]; then
     checkProcSysBreakouts
     print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
     print_list "/dev mounted? .................. $dev_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
-    print_list "Run ushare ..................... $run_unshare\n" | sed -${E} "s,Yes,${SED_RED},"
+    print_list "Run unshare .................... $run_unshare\n" | sed -${E} "s,Yes,${SED_RED},"
     print_list "release_agent breakout 1........ $release_agent_breakout1\n" | sed -${E} "s,Yes,${SED_RED},"
     print_list "release_agent breakout 2........ $release_agent_breakout2\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
     print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"

linPEAS/builder/linpeas_parts/3_cloud.sh

@@ -30,6 +30,13 @@ check_do(){
   fi
 }
 
+check_aliyun_ecs () {
+  is_aliyun_ecs="No"
+  if [ -f "/etc/cloud/cloud.cfg.d/aliyun_cloud.cfg" ]; then 
+    is_aliyun_ecs="Yes"
+  fi
+}
+
 check_ibm_vm(){
   is_ibm_vm="No"
   if grep -q "nameserver 161.26.0.10" "/etc/resolv.conf" && grep -q "nameserver 161.26.0.11" "/etc/resolv.conf"; then
@@ -131,6 +138,8 @@ check_aws_codebuild
 print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_do
 print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+check_aliyun_ecs
+print_list "Aliyun ECS? .......................... $is_aliyun_ecs\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_ibm_vm
 print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_az_vm
@@ -140,6 +149,89 @@ print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes
 
 echo ""
 
+if [ "$is_aliyun_ecs" = "Yes" ]; then
+  aliyun_req=""
+  aliyun_token=""
+  if [ "$(command -v curl)" ]; then 
+    aliyun_token=$(curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:1000")
+    aliyun_req='curl -s -f -H "X-aliyun-ecs-metadata-token: $aliyun_token"'
+  elif [ "$(command -v wget)" ]; then
+    aliyun_token=$(wget -q -O - --method PUT "http://100.100.100.200/latest/api/token" --header "X-aliyun-ecs-metadata-token-ttl-seconds:1000")
+    aliyun_req='wget -q -O --header "X-aliyun-ecs-metadata-token: $aliyun_token"'
+  else 
+    echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$aliyun_token" ]; then
+    print_2title "Aliyun ECS Enumeration"
+    print_info "https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata"
+    # Todo: print_info "Hacktricks Documents needs to be updated"
+
+    echo ""
+    print_3title "Instance Info"
+    i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname)
+    [ "$i_hostname" ] && echo "Hostname: $i_hostname"
+    i_instance_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance-id)
+    [ "$i_instance_id" ] && echo "Instance ID: $i_instance_id"
+    # no dup of hostname if in ACK it possibly leaks aliyun cluster service ClusterId
+    i_instance_name=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-name)
+    [ "$i_instance_name" ] && echo "Instance Name: $i_instance_name"
+    i_instance_type=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance/instance-type)
+    [ "$i_instance_type" ] && echo "Instance Type: $i_instance_type"
+    i_aliyun_owner_account=$(eval $aliyun_req http://i00.100.100.200/latest/meta-data/owner-account-id)
+    [ "$i_aliyun_owner_account" ] && echo "Aliyun Owner Account: $i_aliyun_owner_account"
+    i_region_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/region-id)
+    [ "$i_region_id" ] && echo "Region ID: $i_region_id"
+    i_zone_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/zone-id)
+    [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
+
+    echo ""
+    print_3title "Network Info"
+    i_pub_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/public-ipv4)
+    [ "$i_pub_ipv4" ] && echo "Public IPv4: $i_pub_ipv4"
+    i_priv_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/private-ipv4)
+    [ "$i_priv_ipv4" ] && echo "Private IPv4: $i_priv_ipv4"
+    net_dns=$(eval $aliyun_req  http://100.100.100.200/latest/meta-data/dns-conf/nameservers)
+    [ "$net_dns" ] && echo "DNS: $net_dns"
+    
+    echo "========"
+    for mac in $(eval $aliyun_req  http://100.100.100.200/latest/meta-data/network/interfaces/macs/); do
+      echo "  Mac: $mac"
+      echo "  Mac interface id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/network-interface-id)
+      echo "  Mac netmask: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/netmask)
+      echo "  Mac vpc id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-id)
+      echo "  Mac vpc cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-cidr-block)
+      echo "  Mac vpc cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vpc-ipv6-cidr-blocks)
+      echo "  Mac vswitch id: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-id)
+      echo "  Mac vswitch cidr: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-cidr-block)
+      echo "  Mac vswitch cidr (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/vswitch-ipv6-cidr-block)
+      echo "  Mac private ips: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/private-ipv4s)
+      echo "  Mac private ips (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6s)
+      echo "  Mac gateway: "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/gateway)
+      echo "  Mac gateway (v6): "$(eval $aliyun_req http://100.100.100.200/latest/meta-data/network/interfaces/macs/$mac/ipv6-gateway)
+      echo "======="
+    done
+
+    echo ""
+    print_3title "Service account "
+    for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do 
+      echo "  Name: $sa"
+      echo "  STS Token: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa")
+      echo "  =============="
+    done
+
+    echo ""
+    print_3title "Possbile admin ssh Public keys"
+    for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/"); do
+      echo "  Name: $key"
+      echo "  Key: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/${key}openssh-key")
+      echo "  =============="
+    done
+
+
+  fi
+fi
+
 if [ "$is_gcp" = "Yes" ]; then
     gcp_req=""
     if [ "$(command -v curl)" ]; then

winPEAS/winPEASbat/winPEAS.bat

@@ -363,7 +363,7 @@ CALL :T_Progress 1
 
 :WifiCreds
 CALL :ColorLine " %E%33m[+]%E%97m WIFI"
-for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
+for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
 CALL :T_Progress 1
 
 :BasicUserInfo

winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs

@@ -444,7 +444,7 @@ namespace winPEAS.Checks
                                             foundRegexes[regex_obj.name][regex.name] = fileResults;
                                         }
                                     }
-                                    catch (System.IO.IOException)
+                                    catch (Exception ex)
                                     {
                                         // Cannot read the file
                                     }