mirror of
https://github.com/peass-ng/PEASS-ng.git
synced 2026-01-21 00:53:50 -08:00
Compare commits
3 Commits
master
...
codex-pr-m
| Author | SHA1 | Date | |
|---|---|---|---|
|
1b449d862a | ||
|
|
44f265f2d3 | ||
|
|
2561b3c928 |
15
.github/workflows/CI-master_tests.yml
vendored
15
.github/workflows/CI-master_tests.yml
vendored
@@ -48,23 +48,23 @@ jobs:
|
||||
|
||||
# build
|
||||
- name: run MSBuild
|
||||
run: msbuild $env:Solution_Path /p:Configuration=$env:Configuration /p:UseSharedCompilation=false
|
||||
run: msbuild $env:Solution_Path
|
||||
|
||||
# Execute all unit tests in the solution
|
||||
- name: Execute unit tests
|
||||
run: dotnet test $env:Solution_Path --configuration $env:Configuration
|
||||
#- name: Execute unit tests
|
||||
# run: dotnet test $env:Solution_Path
|
||||
|
||||
# Build & update all versions
|
||||
- name: Build all versions
|
||||
run: |
|
||||
echo "build x64"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64" /p:UseSharedCompilation=false
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
|
||||
|
||||
echo "build x86"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86" /p:UseSharedCompilation=false
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
|
||||
|
||||
echo "build Any CPU"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" /p:UseSharedCompilation=false
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
|
||||
|
||||
- name: Execute winPEAS -h
|
||||
shell: pwsh
|
||||
@@ -230,9 +230,6 @@ jobs:
|
||||
python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
|
||||
python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
|
||||
python3 -m builder.linpeas_builder --small --output linpeas_small.sh
|
||||
|
||||
- name: Run linPEAS builder tests
|
||||
run: python3 -m unittest discover -s linPEAS/tests -p "test_*.py"
|
||||
|
||||
# Build linpeas binaries
|
||||
- name: Build linpeas binaries
|
||||
|
||||
15
.github/workflows/PR-tests.yml
vendored
15
.github/workflows/PR-tests.yml
vendored
@@ -42,23 +42,19 @@ jobs:
|
||||
|
||||
# build
|
||||
- name: run MSBuild
|
||||
run: msbuild $env:Solution_Path /p:Configuration=$env:Configuration /p:UseSharedCompilation=false
|
||||
|
||||
# Execute unit tests in the solution
|
||||
- name: Execute unit tests
|
||||
run: dotnet test $env:Solution_Path --configuration $env:Configuration
|
||||
run: msbuild $env:Solution_Path
|
||||
|
||||
# Build all versions
|
||||
- name: Build all versions
|
||||
run: |
|
||||
echo "build x64"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64" /p:UseSharedCompilation=false
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
|
||||
|
||||
echo "build x86"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86" /p:UseSharedCompilation=false
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
|
||||
|
||||
echo "build Any CPU"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU" /p:UseSharedCompilation=false
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
|
||||
|
||||
- name: Execute winPEAS -h
|
||||
shell: pwsh
|
||||
@@ -127,9 +123,6 @@ jobs:
|
||||
python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
|
||||
python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
|
||||
python3 -m builder.linpeas_builder --small --output linpeas_small.sh
|
||||
|
||||
- name: Run linPEAS builder tests
|
||||
run: python3 -m unittest discover -s linPEAS/tests -p "test_*.py"
|
||||
|
||||
# Run linpeas help as quick test
|
||||
- name: Run linpeas help
|
||||
|
||||
80
.github/workflows/codex-pr-triage.yml
vendored
80
.github/workflows/codex-pr-triage.yml
vendored
@@ -1,94 +1,41 @@
|
||||
name: Codex PR Triage
|
||||
|
||||
on:
|
||||
workflow_run:
|
||||
workflows: ["PR-tests"]
|
||||
types: [completed]
|
||||
pull_request:
|
||||
types: [opened]
|
||||
|
||||
jobs:
|
||||
codex_triage:
|
||||
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
||||
if: ${{ github.event.pull_request.user.login == 'carlospolop' }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
outputs:
|
||||
should_run: ${{ steps.gate.outputs.should_run }}
|
||||
pr_number: ${{ steps.gate.outputs.pr_number }}
|
||||
pr_title: ${{ steps.gate.outputs.pr_title }}
|
||||
pr_body: ${{ steps.gate.outputs.pr_body }}
|
||||
base_ref: ${{ steps.gate.outputs.base_ref }}
|
||||
head_ref: ${{ steps.gate.outputs.head_ref }}
|
||||
base_sha: ${{ steps.gate.outputs.base_sha }}
|
||||
head_sha: ${{ steps.gate.outputs.head_sha }}
|
||||
decision: ${{ steps.parse.outputs.decision }}
|
||||
message: ${{ steps.parse.outputs.message }}
|
||||
|
||||
steps:
|
||||
- name: Resolve PR context
|
||||
id: gate
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
pr_number="${{ github.event.workflow_run.pull_requests[0].number }}"
|
||||
if [ -z "$pr_number" ]; then
|
||||
echo "No pull request found for this workflow_run; skipping."
|
||||
echo "should_run=false" >> "$GITHUB_OUTPUT"
|
||||
echo "pr_number=" >> "$GITHUB_OUTPUT"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
author="$(gh pr view "$pr_number" --json author --jq .author.login)"
|
||||
if [ "$author" != "carlospolop" ]; then
|
||||
echo "PR author is $author; skipping."
|
||||
echo "should_run=false" >> "$GITHUB_OUTPUT"
|
||||
echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
pr_title="$(gh pr view "$pr_number" --json title --jq .title)"
|
||||
pr_body="$(gh pr view "$pr_number" --json body --jq .body)"
|
||||
base_ref="$(gh pr view "$pr_number" --json baseRefName --jq .baseRefName)"
|
||||
head_ref="$(gh pr view "$pr_number" --json headRefName --jq .headRefName)"
|
||||
base_sha="$(gh pr view "$pr_number" --json baseRefOid --jq .baseRefOid)"
|
||||
head_sha="$(gh pr view "$pr_number" --json headRefOid --jq .headRefOid)"
|
||||
|
||||
echo "should_run=true" >> "$GITHUB_OUTPUT"
|
||||
echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
|
||||
echo "pr_title<<EOF" >> "$GITHUB_OUTPUT"
|
||||
echo "$pr_title" >> "$GITHUB_OUTPUT"
|
||||
echo "EOF" >> "$GITHUB_OUTPUT"
|
||||
echo "pr_body<<EOF" >> "$GITHUB_OUTPUT"
|
||||
echo "$pr_body" >> "$GITHUB_OUTPUT"
|
||||
echo "EOF" >> "$GITHUB_OUTPUT"
|
||||
echo "base_ref=$base_ref" >> "$GITHUB_OUTPUT"
|
||||
echo "head_ref=$head_ref" >> "$GITHUB_OUTPUT"
|
||||
echo "base_sha=$base_sha" >> "$GITHUB_OUTPUT"
|
||||
echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Checkout PR merge ref
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
ref: refs/pull/${{ steps.gate.outputs.pr_number }}/merge
|
||||
if: ${{ steps.gate.outputs.should_run == 'true' }}
|
||||
ref: refs/pull/${{ github.event.pull_request.number }}/merge
|
||||
|
||||
- name: Pre-fetch base and head refs
|
||||
if: ${{ steps.gate.outputs.should_run == 'true' }}
|
||||
run: |
|
||||
git fetch --no-tags origin \
|
||||
${{ steps.gate.outputs.base_ref }} \
|
||||
+refs/pull/${{ steps.gate.outputs.pr_number }}/head
|
||||
${{ github.event.pull_request.base.ref }} \
|
||||
+refs/pull/${{ github.event.pull_request.number }}/head
|
||||
|
||||
- name: Run Codex
|
||||
id: run_codex
|
||||
if: ${{ steps.gate.outputs.should_run == 'true' }}
|
||||
uses: openai/codex-action@v1
|
||||
with:
|
||||
openai-api-key: ${{ secrets.OPENAI_API_KEY }}
|
||||
output-schema-file: .github/codex/pr-merge-schema.json
|
||||
model: gpt-5.2-codex
|
||||
prompt: |
|
||||
You are reviewing PR #${{ steps.gate.outputs.pr_number }} for ${{ github.repository }}.
|
||||
You are reviewing PR #${{ github.event.pull_request.number }} for ${{ github.repository }}.
|
||||
|
||||
Decide whether to merge or comment. Merge only if all of the following are true:
|
||||
- Changes are simple and safe (no DoS, no long operations, no backdoors).
|
||||
@@ -101,17 +48,16 @@ jobs:
|
||||
|
||||
Pull request title and body:
|
||||
----
|
||||
${{ steps.gate.outputs.pr_title }}
|
||||
${{ steps.gate.outputs.pr_body }}
|
||||
${{ github.event.pull_request.title }}
|
||||
${{ github.event.pull_request.body }}
|
||||
|
||||
Review ONLY the changes introduced by the PR:
|
||||
git log --oneline ${{ steps.gate.outputs.base_sha }}...${{ steps.gate.outputs.head_sha }}
|
||||
git log --oneline ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}
|
||||
|
||||
Output JSON only, following the provided schema.
|
||||
|
||||
- name: Parse Codex decision
|
||||
id: parse
|
||||
if: ${{ steps.gate.outputs.should_run == 'true' }}
|
||||
env:
|
||||
CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
|
||||
run: |
|
||||
@@ -132,7 +78,7 @@ jobs:
|
||||
merge_or_comment:
|
||||
runs-on: ubuntu-latest
|
||||
needs: codex_triage
|
||||
if: ${{ github.event.workflow_run.conclusion == 'success' && needs.codex_triage.outputs.should_run == 'true' && needs.codex_triage.outputs.decision != '' }}
|
||||
if: ${{ needs.codex_triage.outputs.decision != '' }}
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
@@ -141,7 +87,7 @@ jobs:
|
||||
if: ${{ needs.codex_triage.outputs.decision == 'merge' }}
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
PR_NUMBER: ${{ needs.codex_triage.outputs.pr_number }}
|
||||
PR_NUMBER: ${{ github.event.pull_request.number }}
|
||||
run: |
|
||||
gh api \
|
||||
-X PUT \
|
||||
@@ -154,7 +100,7 @@ jobs:
|
||||
if: ${{ needs.codex_triage.outputs.decision == 'comment' }}
|
||||
uses: actions/github-script@v7
|
||||
env:
|
||||
PR_NUMBER: ${{ needs.codex_triage.outputs.pr_number }}
|
||||
PR_NUMBER: ${{ github.event.pull_request.number }}
|
||||
CODEX_MESSAGE: ${{ needs.codex_triage.outputs.message }}
|
||||
with:
|
||||
github-token: ${{ github.token }}
|
||||
|
||||
79
.github/workflows/pr-failure-codex-dispatch.yml
vendored
79
.github/workflows/pr-failure-codex-dispatch.yml
vendored
@@ -6,69 +6,24 @@ on:
|
||||
types: [completed]
|
||||
|
||||
jobs:
|
||||
resolve_pr_context:
|
||||
codex_on_failure:
|
||||
if: >
|
||||
${{ github.event.workflow_run.conclusion == 'failure' &&
|
||||
github.event.workflow_run.pull_requests &&
|
||||
github.event.workflow_run.pull_requests[0] &&
|
||||
github.event.workflow_run.pull_requests[0].user.login == 'carlospolop' &&
|
||||
!startsWith(github.event.workflow_run.head_commit.message, 'Fix CI failures for PR #') }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
pull-requests: read
|
||||
issues: read
|
||||
outputs:
|
||||
number: ${{ steps.pr_context.outputs.number }}
|
||||
author: ${{ steps.pr_context.outputs.author }}
|
||||
head_repo: ${{ steps.pr_context.outputs.head_repo }}
|
||||
head_branch: ${{ steps.pr_context.outputs.head_branch }}
|
||||
should_run: ${{ steps.pr_context.outputs.should_run }}
|
||||
steps:
|
||||
- name: Resolve PR context
|
||||
id: pr_context
|
||||
env:
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
pr_author=$(gh api -H "Accept: application/vnd.github+json" \
|
||||
/repos/${{ github.repository }}/pulls/${PR_NUMBER} \
|
||||
--jq '.user.login')
|
||||
pr_head_repo=$(gh api -H "Accept: application/vnd.github+json" \
|
||||
/repos/${{ github.repository }}/pulls/${PR_NUMBER} \
|
||||
--jq '.head.repo.full_name')
|
||||
pr_head_branch=$(gh api -H "Accept: application/vnd.github+json" \
|
||||
/repos/${{ github.repository }}/pulls/${PR_NUMBER} \
|
||||
--jq '.head.ref')
|
||||
pr_labels=$(gh api -H "Accept: application/vnd.github+json" \
|
||||
/repos/${{ github.repository }}/issues/${PR_NUMBER} \
|
||||
--jq '.labels[].name')
|
||||
if echo "$pr_labels" | grep -q "^codex-fix-attempted$"; then
|
||||
echo "codex fix already attempted for PR #${PR_NUMBER}; skipping."
|
||||
should_run=false
|
||||
else
|
||||
should_run=true
|
||||
fi
|
||||
{
|
||||
echo "number=${PR_NUMBER}"
|
||||
echo "author=${pr_author}"
|
||||
echo "head_repo=${pr_head_repo}"
|
||||
echo "head_branch=${pr_head_branch}"
|
||||
echo "should_run=${should_run}"
|
||||
} >> "$GITHUB_OUTPUT"
|
||||
|
||||
codex_on_failure:
|
||||
needs: resolve_pr_context
|
||||
if: ${{ needs.resolve_pr_context.outputs.author == 'carlospolop' && needs.resolve_pr_context.outputs.should_run == 'true' }}
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
issues: write
|
||||
actions: read
|
||||
|
||||
steps:
|
||||
- name: Comment on PR with failure info
|
||||
uses: actions/github-script@v7
|
||||
env:
|
||||
PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
RUN_URL: ${{ github.event.workflow_run.html_url }}
|
||||
WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
|
||||
with:
|
||||
@@ -83,23 +38,13 @@ jobs:
|
||||
body,
|
||||
});
|
||||
|
||||
- name: Mark fix attempt
|
||||
env:
|
||||
PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
gh api -X POST -H "Accept: application/vnd.github+json" \
|
||||
/repos/${{ github.repository }}/issues/${PR_NUMBER}/labels \
|
||||
-f labels='["codex-fix-attempted"]'
|
||||
|
||||
- name: Checkout PR head
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
repository: ${{ needs.resolve_pr_context.outputs.head_repo }}
|
||||
repository: ${{ github.event.workflow_run.head_repository.full_name }}
|
||||
ref: ${{ github.event.workflow_run.head_sha }}
|
||||
fetch-depth: 0
|
||||
persist-credentials: true
|
||||
token: ${{ secrets.CODEX_FIXER_TOKEN }}
|
||||
|
||||
- name: Configure git author
|
||||
run: |
|
||||
@@ -135,9 +80,9 @@ jobs:
|
||||
|
||||
- name: Create Codex prompt
|
||||
env:
|
||||
PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
RUN_URL: ${{ github.event.workflow_run.html_url }}
|
||||
HEAD_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
|
||||
HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
|
||||
run: |
|
||||
{
|
||||
echo "You are fixing CI failures for PR #${PR_NUMBER} in ${{ github.repository }}."
|
||||
@@ -163,24 +108,22 @@ jobs:
|
||||
|
||||
- name: Commit and push if changed
|
||||
env:
|
||||
TARGET_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
|
||||
PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
|
||||
TARGET_BRANCH: ${{ github.event.workflow_run.head_branch }}
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
run: |
|
||||
if git diff --quiet; then
|
||||
echo "No changes to commit."
|
||||
exit 0
|
||||
fi
|
||||
rm -f codex_failure_summary.txt codex_prompt.txt
|
||||
git add -A
|
||||
git reset -- codex_failure_summary.txt codex_prompt.txt
|
||||
git commit -m "Fix CI failures for PR #${PR_NUMBER}"
|
||||
git push origin HEAD:${TARGET_BRANCH}
|
||||
|
||||
- name: Comment with Codex result
|
||||
if: ${{ steps.run_codex.outputs.final-message != '' }}
|
||||
if: steps.run_codex.outputs.final-message != ''
|
||||
uses: actions/github-script@v7
|
||||
env:
|
||||
PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
|
||||
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
|
||||
CODEX_MESSAGE: ${{ steps.run_codex.outputs.final-message }}
|
||||
with:
|
||||
github-token: ${{ github.token }}
|
||||
|
||||
@@ -1705,7 +1705,7 @@ search:
|
||||
auto_check: True
|
||||
exec:
|
||||
- '( redis-server --version || echo_not_found "redis-server") 2>/dev/null'
|
||||
- redis_info="$(if [ "$TIMEOUT" ]; then $TIMEOUT 2 redis-cli INFO 2>/dev/null; else redis-cli INFO 2>/dev/null; fi)"; if [ "$redis_info" ] && ! echo "$redis_info" | grep -i NOAUTH; then echo "Redis isn't password protected" | sed -${E} "s,.*,${SED_RED},"; fi
|
||||
- if [ "`redis-cli INFO 2>/dev/null`" ] && ! [ "`redis-cli INFO 2>/dev/null | grep -i NOAUTH`" ]; then echo "Redis isn't password protected" | sed -${E} "s,.*,${SED_RED},"; fi
|
||||
|
||||
files:
|
||||
- name: "redis.conf"
|
||||
|
||||
@@ -30,9 +30,10 @@
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 0
|
||||
|
||||
if apt list --installed 2>/dev/null | grep -E 'polkit.*0\.105-26' | grep -qEv 'ubuntu1\.[1-9]' || \
|
||||
yum list installed 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)' || \
|
||||
rpm -qa 2>/dev/null | grep -qE 'polkit.*\(0\.117-2\|0\.115-6\|0\.11[3-9]\)'; then
|
||||
if apt list --installed 2>/dev/null | grep -q 'polkit.*0\.105-26' || \
|
||||
yum list installed 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)' || \
|
||||
rpm -qa 2>/dev/null | grep -q 'polkit.*\(0\.117-2\|0\.115-6\)'; then
|
||||
echo "Vulnerable to CVE-2021-3560" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
# Functions Used: echo_not_found, print_2title, print_list, warn_exec
|
||||
# Global Variables:
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled, $protected_symlinks, $protected_hardlinks
|
||||
# Generated Global Variables: $ASLR, $hypervisorflag, $detectedvirt, $unpriv_userns_clone, $perf_event_paranoid, $mmap_min_addr, $ptrace_scope, $dmesg_restrict, $kptr_restrict, $unpriv_bpf_disabled
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 0
|
||||
|
||||
@@ -127,22 +127,6 @@ else
|
||||
if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
|
||||
fi
|
||||
|
||||
print_list "protected_symlinks? ............ "$NC
|
||||
protected_symlinks=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)
|
||||
if [ -z "$protected_symlinks" ]; then
|
||||
echo_not_found "/proc/sys/fs/protected_symlinks"
|
||||
else
|
||||
if [ "$protected_symlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_symlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
|
||||
fi
|
||||
|
||||
print_list "protected_hardlinks? ........... "$NC
|
||||
protected_hardlinks=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)
|
||||
if [ -z "$protected_hardlinks" ]; then
|
||||
echo_not_found "/proc/sys/fs/protected_hardlinks"
|
||||
else
|
||||
if [ "$protected_hardlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_hardlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
|
||||
fi
|
||||
|
||||
print_list "perf_event_paranoid? ........... "$NC
|
||||
perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
|
||||
if [ -z "$perf_event_paranoid" ]; then
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
# Last Update: 07-03-2024
|
||||
# Description: Check for additional disk information and system resources relevant to privilege escalation:
|
||||
# - Disk utilization
|
||||
# - Inode usage
|
||||
# - System resources
|
||||
# - Storage statistics
|
||||
# - Common vulnerable scenarios:
|
||||
@@ -45,8 +44,4 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
|
||||
(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
|
||||
warn_exec free 2>/dev/null
|
||||
echo ""
|
||||
|
||||
print_2title "Inode usage"
|
||||
warn_exec df -i 2>/dev/null
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
@@ -1,14 +1,14 @@
|
||||
# Title: Cloud - AWS ECS
|
||||
# ID: CL_AWS_ECS
|
||||
# Author: Carlos Polop
|
||||
# Last Update: 17-01-2026
|
||||
# Last Update: 22-08-2023
|
||||
# Description: AWS ECS Enumeration
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
|
||||
# Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
|
||||
# Initial Functions: check_aws_ecs
|
||||
# Generated Global Variables: $aws_ecs_req, $aws_exec_env, $ecs_task_metadata, $launch_type, $network_modes, $imds_tool, $imds_token, $imds_roles, $imds_http_code, $ecs_block_line, $ecs_host_line, $iptables_cmd, $docker_rules, $first_role
|
||||
# Generated Global Variables: $aws_ecs_req
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -44,146 +44,5 @@ if [ "$is_aws_ecs" = "Yes" ]; then
|
||||
else
|
||||
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
|
||||
fi
|
||||
|
||||
print_3title "ECS task metadata hints"
|
||||
aws_exec_env=$(printenv AWS_EXECUTION_ENV 2>/dev/null)
|
||||
if [ "$aws_exec_env" ]; then
|
||||
printf "AWS_EXECUTION_ENV=%s\n" "$aws_exec_env"
|
||||
fi
|
||||
|
||||
ecs_task_metadata=""
|
||||
if [ "$aws_ecs_metadata_uri" ]; then
|
||||
ecs_task_metadata=$(eval $aws_ecs_req "$aws_ecs_metadata_uri/task" 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ "$ecs_task_metadata" ]; then
|
||||
launch_type=$(printf "%s" "$ecs_task_metadata" | grep -oE '"LaunchType":"[^"]+"' | head -n 1 | cut -d '"' -f4)
|
||||
if [ "$launch_type" ]; then
|
||||
printf "ECS LaunchType reported: %s\n" "$launch_type"
|
||||
fi
|
||||
network_modes=$(printf "%s" "$ecs_task_metadata" | grep -oE '"NetworkMode":"[^"]+"' | cut -d '"' -f4 | sort -u | tr '\n' ' ')
|
||||
if [ "$network_modes" ]; then
|
||||
printf "Reported NetworkMode(s): %s\n" "$network_modes"
|
||||
fi
|
||||
else
|
||||
echo "Unable to fetch task metadata (check ECS_CONTAINER_METADATA_URI)."
|
||||
fi
|
||||
echo ""
|
||||
|
||||
print_3title "IMDS reachability from this task"
|
||||
imds_token=""
|
||||
imds_roles=""
|
||||
imds_http_code=""
|
||||
imds_tool=""
|
||||
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
imds_tool="curl"
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
imds_tool="wget"
|
||||
fi
|
||||
|
||||
if [ "$imds_tool" = "curl" ]; then
|
||||
imds_token=$(curl -s --connect-timeout 2 --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
|
||||
if [ "$imds_token" ]; then
|
||||
printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
|
||||
imds_roles=$(curl -s --connect-timeout 2 --max-time 2 -H "X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
|
||||
if [ "$imds_roles" ]; then
|
||||
printf " Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
|
||||
first_role=$(printf "%s" "$imds_roles" | awk '{print $1}')
|
||||
if [ "$first_role" ]; then
|
||||
printf " Example: curl -H 'X-aws-ec2-metadata-token: <TOKEN>' http://169.254.169.254/latest/meta-data/iam/security-credentials/%s\n" "$first_role"
|
||||
fi
|
||||
else
|
||||
printf " No IAM role names returned (instance profile might be missing).\n"
|
||||
fi
|
||||
else
|
||||
imds_http_code=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 --max-time 2 "http://169.254.169.254/latest/meta-data/" 2>/dev/null)
|
||||
case "$imds_http_code" in
|
||||
000|"")
|
||||
printf "[i] IMDS endpoint did not respond (likely blocked via hop-limit or host firewalling).\n"
|
||||
;;
|
||||
401)
|
||||
printf "[i] IMDS requires v2 tokens but token requests are being blocked (bridge-mode tasks rely on this when hop limit = 1).\n"
|
||||
;;
|
||||
*)
|
||||
printf "[i] IMDS GET returned HTTP %s (investigate host configuration).\n" "$imds_http_code"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
elif [ "$imds_tool" = "wget" ]; then
|
||||
imds_token=$(wget -q -O - --timeout=2 --tries=1 --method=PUT --header="X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token" 2>/dev/null)
|
||||
if [ "$imds_token" ]; then
|
||||
printf "[!] IMDSv2 token request succeeded (metadata reachable from this task).\n"
|
||||
imds_roles=$(wget -q -O - --timeout=2 --tries=1 --header="X-aws-ec2-metadata-token: $imds_token" "http://169.254.169.254/latest/meta-data/iam/security-credentials/" 2>/dev/null | tr '\n' ' ')
|
||||
if [ "$imds_roles" ]; then
|
||||
printf " Instance profile role(s) exposed via IMDS: %s\n" "$imds_roles"
|
||||
else
|
||||
printf " No IAM role names returned (instance profile might be missing).\n"
|
||||
fi
|
||||
else
|
||||
wget --server-response -O /dev/null --timeout=2 --tries=1 "http://169.254.169.254/latest/meta-data/" 2>&1 | awk 'BEGIN{code=""} /^ HTTP/{code=$2} END{ if(code!="") { printf("[i] IMDS GET returned HTTP %s (token could not be retrieved).\n", code); } else { print "[i] IMDS endpoint did not respond (likely blocked)."; } }'
|
||||
fi
|
||||
else
|
||||
echo "Neither curl nor wget were found, I can't test IMDS reachability."
|
||||
fi
|
||||
echo ""
|
||||
|
||||
print_3title "ECS agent IMDS settings"
|
||||
if [ -r "/etc/ecs/ecs.config" ]; then
|
||||
ecs_block_line=$(grep -E "^ECS_AWSVPC_BLOCK_IMDS=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
|
||||
ecs_host_line=$(grep -E "^ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
|
||||
if [ "$ecs_block_line" ]; then
|
||||
printf "%s\n" "$ecs_block_line"
|
||||
if echo "$ecs_block_line" | grep -qi "=true"; then
|
||||
echo " -> awsvpc-mode tasks should be blocked from IMDS by the ECS agent."
|
||||
else
|
||||
echo " -> awsvpc-mode tasks can still reach IMDS (set this to true to block)."
|
||||
fi
|
||||
else
|
||||
echo "ECS_AWSVPC_BLOCK_IMDS not set (awsvpc tasks inherit host IMDS reachability)."
|
||||
fi
|
||||
|
||||
if [ "$ecs_host_line" ]; then
|
||||
printf "%s\n" "$ecs_host_line"
|
||||
if echo "$ecs_host_line" | grep -qi "=false"; then
|
||||
echo " -> Host-network tasks lose IAM task roles but IMDS is blocked."
|
||||
else
|
||||
echo " -> Host-network tasks keep IAM task roles and retain IMDS access."
|
||||
fi
|
||||
else
|
||||
echo "ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST not set (defaults keep IMDS reachable for host-mode tasks)."
|
||||
fi
|
||||
else
|
||||
echo "Cannot read /etc/ecs/ecs.config (file missing or permissions denied)."
|
||||
fi
|
||||
echo ""
|
||||
|
||||
print_3title "DOCKER-USER IMDS filtering"
|
||||
iptables_cmd=""
|
||||
if command -v iptables >/dev/null 2>&1; then
|
||||
iptables_cmd=$(command -v iptables)
|
||||
elif command -v iptables-nft >/dev/null 2>&1; then
|
||||
iptables_cmd=$(command -v iptables-nft)
|
||||
fi
|
||||
|
||||
if [ "$iptables_cmd" ]; then
|
||||
docker_rules=$($iptables_cmd -S DOCKER-USER 2>/dev/null)
|
||||
if [ $? -eq 0 ]; then
|
||||
if [ "$docker_rules" ]; then
|
||||
echo "$docker_rules"
|
||||
else
|
||||
echo "(DOCKER-USER chain exists but no rules were found)"
|
||||
fi
|
||||
if echo "$docker_rules" | grep -q "169\\.254\\.169\\.254"; then
|
||||
echo " -> IMDS traffic is explicitly filtered before Docker NAT."
|
||||
else
|
||||
echo " -> No DOCKER-USER rule drops 169.254.169.254 traffic (bridge tasks rely on hop limit or host firewalling)."
|
||||
fi
|
||||
else
|
||||
echo "Unable to read DOCKER-USER chain (missing chain or insufficient permissions)."
|
||||
fi
|
||||
else
|
||||
echo "iptables binary not found; cannot inspect DOCKER-USER chain."
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
@@ -6,7 +6,7 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.2
|
||||
# Functions Used: echo_not_found, print_2title, print_info, print_3title
|
||||
# Global Variables: $EXTRA_CHECKS, $IAMROOT, $SEARCH_IN_FOLDER, $TIMEOUT, $WRITABLESYSTEMDPATH
|
||||
# Global Variables: $EXTRA_CHECKS, $SEARCH_IN_FOLDER, $IAMROOT, $WRITABLESYSTEMDPATH
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $service_unit, $service_path, $service_content, $finding, $findings, $service_file, $exec_path, $exec_paths, $service, $line, $target_file, $target_exec, $relpath1, $relpath2
|
||||
# Fat linpeas: 0
|
||||
@@ -178,11 +178,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
if [ "$EXTRA_CHECKS" ]; then
|
||||
echo ""
|
||||
print_3title "Service versions and status:"
|
||||
if [ "$TIMEOUT" ]; then
|
||||
$TIMEOUT 30 sh -c "(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null" || echo_not_found "service|chkconfig|rc-status|launchctl"
|
||||
else
|
||||
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
|
||||
fi
|
||||
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
|
||||
fi
|
||||
|
||||
# Check systemd path writability
|
||||
@@ -194,4 +190,4 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
fi
|
||||
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
@@ -1,25 +0,0 @@
|
||||
# Title: Processes & Cron & Services & Timers - Deleted open files
|
||||
# ID: PR_Deleted_open_files
|
||||
# Author: Carlos Polop
|
||||
# Last Update: 2025-01-07
|
||||
# Description: Identify deleted files still held open by running processes
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title, print_info
|
||||
# Global Variables: $DEBUG, $EXTRA_CHECKS, $E, $SED_RED
|
||||
# Initial Functions:
|
||||
# Generated Global Variables:
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
if [ "$(command -v lsof 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Deleted files still open"
|
||||
print_info "Open deleted files can hide tools and still consume disk space"
|
||||
lsof +L1 2>/dev/null | sed -${E} "s,\\(deleted\\),${SED_RED},g"
|
||||
echo ""
|
||||
elif [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
|
||||
print_2title "Deleted files still open"
|
||||
print_info "lsof not found, scanning /proc for deleted file descriptors"
|
||||
ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)" | sed -${E} "s,\\(deleted\\),${SED_RED},g" | head -n 200
|
||||
echo ""
|
||||
fi
|
||||
@@ -23,7 +23,6 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||
incrontab -l 2>/dev/null
|
||||
ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
|
||||
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
|
||||
grep -Hn '^PATH=' /etc/crontab /etc/cron.d/* 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
|
||||
crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
|
||||
ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
|
||||
atq 2>/dev/null
|
||||
@@ -248,4 +247,4 @@ else
|
||||
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
|
||||
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
|
||||
fi
|
||||
echo ""
|
||||
echo ""
|
||||
@@ -8,7 +8,7 @@
|
||||
# Functions Used: print_2title, print_info
|
||||
# Global Variables: $Groups, $groupsB, $groupsVB, $nosh_usrs, $sh_usrs, $USER
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $pkexec_bin, $pkexec_version, $policy_dir, $policy_file
|
||||
# Generated Global Variables: $pkexec_bin, $policy_dir, $policy_file
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -30,10 +30,6 @@ if [ -n "$pkexec_bin" ]; then
|
||||
# Check polkit version for known vulnerabilities
|
||||
if command -v pkexec >/dev/null 2>&1; then
|
||||
pkexec --version 2>/dev/null
|
||||
pkexec_version="$(pkexec --version 2>/dev/null | grep -oE '[0-9]+(\\.[0-9]+)+')"
|
||||
if [ "$pkexec_version" ] && [ "$(printf '%s\n' "$pkexec_version" "0.120" | sort -V | head -n1)" = "$pkexec_version" ] && [ "$pkexec_version" != "0.120" ]; then
|
||||
echo "Potentially vulnerable to CVE-2021-4034 (PwnKit) - check distro patches" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title
|
||||
# Global Variables: $MACPEAS, $sh_usrs, $TIMEOUT, $USER
|
||||
# Global Variables: $MACPEAS, $sh_usrs, $USER
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $ushell, $no_shells, $unexpected_shells
|
||||
# Fat linpeas: 0
|
||||
@@ -26,16 +26,8 @@ else
|
||||
no_shells=$(grep -Ev "sh$" /etc/passwd 2>/dev/null | cut -d ':' -f 7 | sort | uniq)
|
||||
unexpected_shells=""
|
||||
printf "%s\n" "$no_shells" | while read f; do
|
||||
if [ -x "$f" ]; then
|
||||
if [ "$TIMEOUT" ]; then
|
||||
if $TIMEOUT 1 "$f" -c 'whoami' 2>/dev/null | grep -q "$USER"; then
|
||||
unexpected_shells="$f\n$unexpected_shells"
|
||||
fi
|
||||
else
|
||||
if "$f" -c 'whoami' 2>/dev/null | grep -q "$USER"; then
|
||||
unexpected_shells="$f\n$unexpected_shells"
|
||||
fi
|
||||
fi
|
||||
if $f -c 'whoami' 2>/dev/null | grep -q "$USER"; then
|
||||
unexpected_shells="$f\n$unexpected_shells"
|
||||
fi
|
||||
done
|
||||
grep "sh$" /etc/passwd 2>/dev/null | sort | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
|
||||
@@ -49,4 +41,4 @@ else
|
||||
done
|
||||
fi
|
||||
fi
|
||||
echo ""
|
||||
echo ""
|
||||
@@ -8,7 +8,7 @@
|
||||
# Functions Used: echo_not_found, print_2title, print_info
|
||||
# Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $secure_path_line
|
||||
# Generated Global Variables:
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
@@ -19,16 +19,6 @@ print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation
|
||||
if [ "$PASSWORD" ]; then
|
||||
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo"
|
||||
fi
|
||||
(sudo -n -l 2>/dev/null | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo "No cached sudo token (sudo -n -l)"
|
||||
|
||||
secure_path_line=$(sudo -l 2>/dev/null | grep -o "secure_path=[^,]*" | head -n 1 | cut -d= -f2)
|
||||
if [ "$secure_path_line" ]; then
|
||||
for p in $(echo "$secure_path_line" | tr ':' ' '); do
|
||||
if [ -w "$p" ]; then
|
||||
echo "Writable secure_path entry: $p" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null || echo_not_found "/etc/sudoers"
|
||||
if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
|
||||
echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
||||
@@ -39,4 +29,4 @@ for f in /etc/sudoers.d/*; do
|
||||
grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
|
||||
fi
|
||||
done
|
||||
echo ""
|
||||
echo ""
|
||||
@@ -40,18 +40,4 @@ else
|
||||
echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
|
||||
|
||||
fi
|
||||
|
||||
if [ -d "/var/run/sudo/ts" ]; then
|
||||
echo "Sudo token directory perms:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
|
||||
ls -ld /var/run/sudo/ts 2>/dev/null
|
||||
if [ -w "/var/run/sudo/ts" ]; then
|
||||
echo "/var/run/sudo/ts is writable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
if [ -f "/var/run/sudo/ts/$USER" ]; then
|
||||
ls -l "/var/run/sudo/ts/$USER" 2>/dev/null
|
||||
if [ -w "/var/run/sudo/ts/$USER" ]; then
|
||||
echo "User sudo token file is writable" | sed -${E} "s,.*,${SED_RED},g"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
echo ""
|
||||
|
||||
@@ -1,64 +0,0 @@
|
||||
# Title: Software Information - Browser Profiles
|
||||
# ID: SW_Browser_profiles
|
||||
# Author: Carlos Polop
|
||||
# Last Update: 10-03-2025
|
||||
# Description: List browser profiles that may store credentials/cookies
|
||||
# License: GNU GPL
|
||||
# Version: 1.0
|
||||
# Functions Used: print_2title, print_3title, print_info
|
||||
# Global Variables: $HOMESEARCH, $SED_RED
|
||||
# Initial Functions:
|
||||
# Generated Global Variables: $h, $firefox_ini, $chrome_base, $profiles
|
||||
# Fat linpeas: 0
|
||||
# Small linpeas: 1
|
||||
|
||||
print_2title "Browser Profiles"
|
||||
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#browser-data"
|
||||
|
||||
echo ""
|
||||
|
||||
for h in $HOMESEARCH; do
|
||||
[ -d "$h" ] || continue
|
||||
|
||||
firefox_ini="$h/.mozilla/firefox/profiles.ini"
|
||||
if [ -f "$firefox_ini" ]; then
|
||||
print_3title "Firefox profiles ($h)"
|
||||
awk -F= '
|
||||
/^\[Profile/ { in_profile=1 }
|
||||
/^Path=/ { path=$2 }
|
||||
/^IsRelative=/ { isrel=$2 }
|
||||
/^$/ {
|
||||
if (path != "") {
|
||||
if (isrel == "1") {
|
||||
print base "/.mozilla/firefox/" path
|
||||
} else {
|
||||
print path
|
||||
}
|
||||
}
|
||||
path=""; isrel=""
|
||||
}
|
||||
END {
|
||||
if (path != "") {
|
||||
if (isrel == "1") {
|
||||
print base "/.mozilla/firefox/" path
|
||||
} else {
|
||||
print path
|
||||
}
|
||||
}
|
||||
}
|
||||
' base="$h" "$firefox_ini" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
||||
echo ""
|
||||
fi
|
||||
|
||||
for chrome_base in "$h/.config/google-chrome" "$h/.config/chromium" "$h/.config/BraveSoftware/Brave-Browser" "$h/.config/microsoft-edge" "$h/.config/microsoft-edge-beta" "$h/.config/microsoft-edge-dev"; do
|
||||
if [ -d "$chrome_base" ]; then
|
||||
profiles=$(find "$chrome_base" -maxdepth 1 -type d \( -name "Default" -o -name "Profile *" \) 2>/dev/null)
|
||||
if [ "$profiles" ]; then
|
||||
print_3title "Chromium profiles ($chrome_base)"
|
||||
printf "%s\n" "$profiles" | sed -${E} "s,.*,${SED_RED},"
|
||||
echo ""
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
done
|
||||
@@ -37,14 +37,14 @@ printf "%s\n" "$suids_files" | while read s; do
|
||||
else
|
||||
c="a"
|
||||
for b in $sidB; do
|
||||
if echo "$sname" | grep -q $(echo $b | cut -d % -f 1); then
|
||||
if echo $s | grep -q $(echo $b | cut -d % -f 1); then
|
||||
echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m,"
|
||||
c=""
|
||||
break;
|
||||
fi
|
||||
done;
|
||||
if [ "$c" ]; then
|
||||
if echo "$sname" | grep -qE "$sidG1" || echo "$sname" | grep -qE "$sidG2" || echo "$sname" | grep -qE "$sidG3" || echo "$sname" | grep -qE "$sidG4" || echo "$sname" | grep -qE "$sidVB" || echo "$sname" | grep -qE "$sidVB2"; then
|
||||
if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
|
||||
echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
|
||||
else
|
||||
echo "$s (Unknown SUID binary!)" | sed -${E} "s,/.*,${SED_RED},"
|
||||
@@ -96,4 +96,4 @@ printf "%s\n" "$suids_files" | while read s; do
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
echo ""
|
||||
echo ""
|
||||
@@ -17,10 +17,10 @@ check_external_hostname(){
|
||||
INTERNET_SEARCH_TIMEOUT=15
|
||||
# wget or curl?
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
curl "https://tools.hacktricks.wiki/api/host-checker" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
|
||||
curl "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
wget -q -O - "https://tools.hacktricks.wiki/api/host-checker" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
|
||||
wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
|
||||
else
|
||||
echo "wget or curl not found"
|
||||
fi
|
||||
}
|
||||
}
|
||||
@@ -15,12 +15,11 @@
|
||||
|
||||
check_tcp_443_bin () {
|
||||
local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
|
||||
local url_lambda="https://tools.hacktricks.wiki/api/host-checker"
|
||||
local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"
|
||||
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
|
||||
-H "User-Agent: linpeas" -H "Content-Type: application/json" \
|
||||
-d "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
|
||||
-H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
|
||||
then
|
||||
echo "Port 443 is accessible with curl"
|
||||
return 0 # ✅ success
|
||||
@@ -31,8 +30,7 @@ check_tcp_443_bin () {
|
||||
|
||||
elif command -v wget >/dev/null 2>&1; then
|
||||
if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
|
||||
--header "User-Agent: linpeas" -H "Content-Type: application/json" \
|
||||
--post-data "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
|
||||
--header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
|
||||
then
|
||||
echo "Port 443 is accessible with wget"
|
||||
return 0
|
||||
|
||||
@@ -15,5 +15,6 @@
|
||||
|
||||
sidG1="/abuild-sudo$|/accton$|/allocate$|/ARDAgent$|/arping$|/atq$|/atrm$|/authpf$|/authpf-noip$|/authopen$|/batch$|/bbsuid$|/bsd-write$|/btsockstat$|/bwrap$|/cacaocsc$|/camel-lock-helper-1.2$|/ccreds_validate$|/cdrw$|/chage$|/check-foreground-console$|/chrome-sandbox$|/chsh$|/cons.saver$|/crontab$|/ct$|/cu$|/dbus-daemon-launch-helper$|/deallocate$|/desktop-create-kmenu$|/dma$|/dma-mbox-create$|/dmcrypt-get-device$|/doas$|/dotlockfile$|/dotlock.mailutils$|/dtaction$|/dtfile$|/eject$|/execabrt-action-install-debuginfo-to-abrt-cache$|/execdbus-daemon-launch-helper$|/execdma-mbox-create$|/execlockspool$|/execlogin_chpass$|/execlogin_lchpass$|/execlogin_passwd$|/execssh-keysign$|/execulog-helper$|/exim4|/expiry$|/fdformat$|/fstat$|/fusermount$|/fusermount3$"
|
||||
sidG2="/gnome-pty-helper$|/glines$|/gnibbles$|/gnobots2$|/gnome-suspend$|/gnometris$|/gnomine$|/gnotski$|/gnotravex$|/gpasswd$|/gpg$|/gpio$|/gtali|/.hal-mtab-lock$|/helper$|/imapd$|/inndstart$|/kismet_cap_nrf_51822$|/kismet_cap_nxp_kw41z$|/kismet_cap_ti_cc_2531$|/kismet_cap_ti_cc_2540$|/kismet_cap_ubertooth_one$|/kismet_capture$|/kismet_cap_linux_bluetooth$|/kismet_cap_linux_wifi$|/kismet_cap_nrf_mousejack$|/ksu$|/list_devices$|/load_osxfuse$|/locate$|/lock$|/lockdev$|/lockfile$|/login_activ$|/login_crypto$|/login_radius$|/login_skey$|/login_snk$|/login_token$|/login_yubikey$|/lpc$|/lpd$|/lpd-port$|/lppasswd$|/lpq$|/lpr$|/lprm$|/lpset$|/lxc-user-nic$|/mahjongg$|/mail-lock$|/mailq$|/mail-touchlock$|/mail-unlock$|/mksnap_ffs$|/mlocate$|/mlock$|/mount$|/mount.cifs$|/mount.ecryptfs_private$|/mount.nfs$|/mount.nfs4$|/mount_osxfuse$|/mtr$|/mutt_dotlock$"
|
||||
sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/hping3$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
|
||||
sidG3="/ncsa_auth$|/netpr$|/netkit-rcp$|/netkit-rlogin$|/netkit-rsh$|/netreport$|/netstat$|/newgidmap$|/newtask$|/newuidmap$|/nvmmctl$|/opieinfo$|/opiepasswd$|/pam_auth$|/pam_extrausers_chkpwd$|/pam_timestamp_check$|/pamverifier$|/pfexec$|/ping$|/ping6$|/pmconfig$|/pmap$|/polkit-agent-helper-1$|/polkit-explicit-grant-helper$|/polkit-grant-helper$|/polkit-grant-helper-pam$|/polkit-read-auth-helper$|/polkit-resolve-exe-helper$|/polkit-revoke-helper$|/polkit-set-default-helper$|/postdrop$|/postqueue$|/poweroff$|/ppp$|/procmail$|/pstat$|/pt_chmod$|/pwdb_chkpwd$|/quota$|/rcmd|/remote.unknown$|/rlogin$|/rmformat$|/rnews$|/run-mailcap$|/sacadm$|/same-gnome$|screen.real$|/security_authtrampoline$|/sendmail.sendmail$|/shutdown$|/skeyaudit$|/skeyinfo$|/skeyinit$|/sliplogin|/slocate$|/smbmnt$|/smbumount$|/smpatch$|/smtpctl$|/sperl5.8.8$|/ssh-agent$|/ssh-keysign$|/staprun$|/startinnfeed$|/stclient$|/su$|/suexec$|/sys-suspend$|/sysstat$|/systat$"
|
||||
sidG4="/telnetlogin$|/timedc$|/tip$|/top$|/traceroute6$|/traceroute6.iputils$|/trpt$|/tsoldtlabel$|/tsoljdslabel$|/tsolxagent$|/ufsdump$|/ufsrestore$|/ulog-helper$|/umount.cifs$|/umount.nfs$|/umount.nfs4$|/unix_chkpwd$|/uptime$|/userhelper$|/userisdnctl$|/usernetctl$|/utempter$|/utmp_update$|/uucico$|/uuglist$|/uuidd$|/uuname$|/uusched$|/uustat$|/uux$|/uuxqt$|/VBoxHeadless$|/VBoxNetAdpCtl$|/VBoxNetDHCP$|/VBoxNetNAT$|/VBoxSDL$|/VBoxVolInfo$|/VirtualBoxVM$|/vmstat$|/vmware-authd$|/vmware-user-suid-wrapper$|/vmware-vmx$|/vmware-vmx-debug$|/vmware-vmx-stats$|/vncserver-x11$|/volrmmount$|/w$|/wall$|/whodo$|/write$|/X$|/Xorg.wrap$|/Xsun$|/Xvnc$|/yppasswd$"
|
||||
|
||||
|
||||
@@ -13,5 +13,5 @@
|
||||
# Small linpeas: 1
|
||||
|
||||
|
||||
sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|env_keep\W*\+=.*PATH|!env_reset|!requiretty|peass{SUDOVB1_HERE}"
|
||||
sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|peass{SUDOVB1_HERE}"
|
||||
sudoVB2="peass{SUDOVB2_HERE}"
|
||||
|
||||
@@ -405,7 +405,7 @@ class LinpeasBuilder:
|
||||
name = entry["name"]
|
||||
caseinsensitive = entry.get("caseinsensitive", False)
|
||||
regex = entry["regex"]
|
||||
regex = regex.replace("\\", "\\\\").replace('"', '\\"').strip()
|
||||
regex = regex.replace('"', '\\"').strip()
|
||||
falsePositives = entry.get("falsePositives", False)
|
||||
|
||||
if falsePositives:
|
||||
|
||||
@@ -1,40 +0,0 @@
|
||||
import os
|
||||
import stat
|
||||
import subprocess
|
||||
import tempfile
|
||||
import unittest
|
||||
from pathlib import Path
|
||||
|
||||
|
||||
class LinpeasBuilderTests(unittest.TestCase):
|
||||
def setUp(self):
|
||||
self.repo_root = Path(__file__).resolve().parents[2]
|
||||
self.linpeas_dir = self.repo_root / "linPEAS"
|
||||
|
||||
def _run_builder(self, args, output_path):
|
||||
cmd = ["python3", "-m", "builder.linpeas_builder"] + args + ["--output", str(output_path)]
|
||||
result = subprocess.run(cmd, cwd=str(self.linpeas_dir), capture_output=True, text=True)
|
||||
if result.returncode != 0:
|
||||
raise AssertionError(
|
||||
f"linpeas_builder failed:\nstdout:\n{result.stdout}\nstderr:\n{result.stderr}"
|
||||
)
|
||||
|
||||
def test_small_build_creates_executable(self):
|
||||
with tempfile.TemporaryDirectory() as tmpdir:
|
||||
output_path = Path(tmpdir) / "linpeas_small.sh"
|
||||
self._run_builder(["--small"], output_path)
|
||||
self.assertTrue(output_path.exists(), "linpeas_small.sh was not created.")
|
||||
mode = output_path.stat().st_mode
|
||||
self.assertTrue(mode & stat.S_IXUSR, "linpeas_small.sh is not executable.")
|
||||
|
||||
def test_include_exclude_modules(self):
|
||||
with tempfile.TemporaryDirectory() as tmpdir:
|
||||
output_path = Path(tmpdir) / "linpeas_include.sh"
|
||||
self._run_builder(["--include", "system_information,container", "--exclude", "container"], output_path)
|
||||
content = output_path.read_text(encoding="utf-8", errors="ignore")
|
||||
self.assertIn("Operative system", content)
|
||||
self.assertNotIn("Am I Containered?", content)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
unittest.main()
|
||||
@@ -127,9 +127,7 @@ def parse_line(line: str):
|
||||
|
||||
elif is_section(line, INFO_PATTERN):
|
||||
title = parse_title(line)
|
||||
if C_SECTION == {}:
|
||||
return
|
||||
C_SECTION.setdefault("infos", []).append(title)
|
||||
C_SECTION["infos"].append(title)
|
||||
|
||||
#If here, then it's text
|
||||
else:
|
||||
|
||||
@@ -71,7 +71,7 @@ CALL :T_Progress 2
|
||||
:ListHotFixes
|
||||
where wmic >nul 2>&1
|
||||
if %errorlevel% equ 0 (
|
||||
wmic qfe get Caption,Description,HotFixID,InstalledOn
|
||||
wmic qfe get Caption,Description,HotFixID,InstalledOn | more
|
||||
) else (
|
||||
powershell -command "Get-HotFix | Format-Table -AutoSize"
|
||||
)
|
||||
@@ -204,7 +204,7 @@ CALL :T_Progress 1
|
||||
CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
|
||||
where wmic >nul 2>&1
|
||||
if %errorlevel% equ 0 (
|
||||
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
|
||||
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
|
||||
) else (
|
||||
powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
|
||||
)
|
||||
@@ -238,7 +238,7 @@ CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
|
||||
ECHO. [i] Maybe you find something interesting
|
||||
where wmic >nul 2>&1
|
||||
if %errorlevel% equ 0 (
|
||||
wmic logicaldisk get caption
|
||||
wmic logicaldisk get caption | more
|
||||
) else (
|
||||
fsutil fsinfo drives
|
||||
)
|
||||
@@ -670,7 +670,7 @@ if "%long%" == "true" (
|
||||
ECHO.
|
||||
where wmic >nul 2>&1
|
||||
if !errorlevel! equ 0 (
|
||||
for /f %%x in ('wmic logicaldisk get name') do (
|
||||
for /f %%x in ('wmic logicaldisk get name ^| more') do (
|
||||
set tdrive=%%x
|
||||
if "!tdrive:~1,2!" == ":" (
|
||||
%%x
|
||||
|
||||
@@ -1,26 +0,0 @@
|
||||
cmake_minimum_required(VERSION 3.16)
|
||||
project(winPEAS_dotnet NONE)
|
||||
|
||||
set(PROJECT_FILE "${CMAKE_CURRENT_SOURCE_DIR}/winPEAS.csproj")
|
||||
|
||||
find_program(DOTNET_EXECUTABLE dotnet)
|
||||
find_program(MSBUILD_EXECUTABLE msbuild)
|
||||
find_program(XBUILD_EXECUTABLE xbuild)
|
||||
|
||||
if(DOTNET_EXECUTABLE)
|
||||
set(BUILD_TOOL "${DOTNET_EXECUTABLE}")
|
||||
set(BUILD_ARGS build "${PROJECT_FILE}" -c Release)
|
||||
elseif(MSBUILD_EXECUTABLE)
|
||||
set(BUILD_TOOL "${MSBUILD_EXECUTABLE}")
|
||||
set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
|
||||
elseif(XBUILD_EXECUTABLE)
|
||||
set(BUILD_TOOL "${XBUILD_EXECUTABLE}")
|
||||
set(BUILD_ARGS "${PROJECT_FILE}" /p:Configuration=Release)
|
||||
else()
|
||||
message(FATAL_ERROR "dotnet, msbuild, or xbuild is required to build winPEAS")
|
||||
endif()
|
||||
|
||||
add_custom_target(winpeas ALL
|
||||
COMMAND ${BUILD_TOOL} ${BUILD_ARGS}
|
||||
WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
|
||||
)
|
||||
@@ -128,7 +128,7 @@ Once you have installed and activated it you need to:
|
||||
|
||||
- **System Information**
|
||||
- [x] Basic System info information
|
||||
- [x] Use WES-NG to search for vulnerabilities
|
||||
- [x] Use Watson to search for vulnerabilities
|
||||
- [x] Enumerate Microsoft updates
|
||||
- [x] PS, Audit, WEF and LAPS Settings
|
||||
- [x] LSA protection
|
||||
@@ -262,7 +262,7 @@ Once you have installed and activated it you need to:
|
||||
|
||||
## TODO
|
||||
- Add more checks
|
||||
- Maintain updated WES-NG
|
||||
- Mantain updated Watson (last JAN 2021)
|
||||
|
||||
If you want to help with any of this, you can do it using **[github issues](https://github.com/peass-ng/PEASS-ng/issues)** or you can submit a pull request.
|
||||
|
||||
|
||||
@@ -1,36 +0,0 @@
|
||||
using System;
|
||||
using System.Reflection;
|
||||
using Microsoft.VisualStudio.TestTools.UnitTesting;
|
||||
using winPEAS.Checks;
|
||||
|
||||
namespace winPEAS.Tests
|
||||
{
|
||||
[TestClass]
|
||||
public class ArgumentParsingTests
|
||||
{
|
||||
private static bool InvokeIsNetworkTypeValid(string arg)
|
||||
{
|
||||
var method = typeof(Checks).GetMethod("IsNetworkTypeValid", BindingFlags.NonPublic | BindingFlags.Static);
|
||||
Assert.IsNotNull(method, "IsNetworkTypeValid method not found.");
|
||||
return (bool)method.Invoke(null, new object[] { arg });
|
||||
}
|
||||
|
||||
[TestMethod]
|
||||
public void ShouldAcceptValidNetworkTypes()
|
||||
{
|
||||
Assert.IsTrue(InvokeIsNetworkTypeValid("-network=auto"));
|
||||
Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10"));
|
||||
Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10/24"));
|
||||
Assert.IsTrue(InvokeIsNetworkTypeValid("-network=10.10.10.10,10.10.10.20"));
|
||||
}
|
||||
|
||||
[TestMethod]
|
||||
public void ShouldRejectInvalidNetworkTypes()
|
||||
{
|
||||
Assert.IsFalse(InvokeIsNetworkTypeValid("-network="));
|
||||
Assert.IsFalse(InvokeIsNetworkTypeValid("-network=10.10.10.999"));
|
||||
Assert.IsFalse(InvokeIsNetworkTypeValid("-network=10.10.10.10/64"));
|
||||
Assert.IsFalse(InvokeIsNetworkTypeValid("-network=not-an-ip"));
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -95,7 +95,6 @@
|
||||
<Reference Include="System.Xml" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Compile Include="ArgumentParsingTests.cs" />
|
||||
<Compile Include="Properties\AssemblyInfo.cs" />
|
||||
<Compile Include="SmokeTests.cs" />
|
||||
</ItemGroup>
|
||||
@@ -134,4 +133,4 @@
|
||||
<Import Project="..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets" Condition="Exists('..\packages\Stub.System.Data.SQLite.Core.NetFramework.1.0.119.0\build\net451\Stub.System.Data.SQLite.Core.NetFramework.targets')" />
|
||||
<Import Project="..\packages\Fody.6.5.5\build\Fody.targets" Condition="Exists('..\packages\Fody.6.5.5\build\Fody.targets')" />
|
||||
<Import Project="..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.5.7.0\build\Costura.Fody.targets')" />
|
||||
</Project>
|
||||
</Project>
|
||||
@@ -94,7 +94,6 @@ namespace winPEAS.Checks
|
||||
new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
|
||||
new SystemCheck("cloudinfo", new CloudInfo()),
|
||||
new SystemCheck("windowscreds", new WindowsCreds()),
|
||||
new SystemCheck("registryinfo", new RegistryInfo()),
|
||||
new SystemCheck("browserinfo", new BrowserInfo()),
|
||||
new SystemCheck("filesinfo", new FilesInfo()),
|
||||
new SystemCheck("fileanalysis", new FileAnalysis()),
|
||||
|
||||
@@ -392,7 +392,7 @@ namespace winPEAS.Checks
|
||||
|
||||
foreach (string regHkcu in passRegHkcu)
|
||||
{
|
||||
Beaprint.DictPrint(RegistryHelper.GetRegValues("HKCU", regHkcu), false);
|
||||
Beaprint.DictPrint(RegistryHelper.GetRegValues("HKLM", regHkcu), false);
|
||||
}
|
||||
|
||||
foreach (string regHklm in passRegHklm)
|
||||
|
||||
@@ -1,141 +0,0 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using winPEAS.Helpers;
|
||||
using winPEAS.Helpers.Registry;
|
||||
|
||||
namespace winPEAS.Checks
|
||||
{
|
||||
internal class RegistryInfo : ISystemCheck
|
||||
{
|
||||
private const string TypingInsightsRelativePath = @"Software\Microsoft\Input\TypingInsights";
|
||||
|
||||
private static readonly string[] KnownWritableSystemKeyCandidates = new[]
|
||||
{
|
||||
@"SOFTWARE\Microsoft\CoreShell",
|
||||
@"SOFTWARE\Microsoft\DRM",
|
||||
@"SOFTWARE\Microsoft\Input\Locales",
|
||||
@"SOFTWARE\Microsoft\Input\Settings",
|
||||
@"SOFTWARE\Microsoft\Shell\Oobe",
|
||||
@"SOFTWARE\Microsoft\Shell\Session",
|
||||
@"SOFTWARE\Microsoft\Tracing",
|
||||
@"SOFTWARE\Microsoft\Windows\UpdateApi",
|
||||
@"SOFTWARE\Microsoft\WindowsUpdate\UX",
|
||||
@"SOFTWARE\WOW6432Node\Microsoft\DRM",
|
||||
@"SOFTWARE\WOW6432Node\Microsoft\Tracing",
|
||||
@"SYSTEM\Software\Microsoft\TIP",
|
||||
@"SYSTEM\ControlSet001\Control\Cryptography\WebSignIn\Navigation",
|
||||
@"SYSTEM\ControlSet001\Control\MUI\StringCacheSettings",
|
||||
@"SYSTEM\ControlSet001\Control\USB\AutomaticSurpriseRemoval",
|
||||
@"SYSTEM\ControlSet001\Services\BTAGService\Parameters\Settings",
|
||||
};
|
||||
|
||||
private static readonly string[] ScanBasePaths = new[]
|
||||
{
|
||||
@"SOFTWARE\Microsoft",
|
||||
@"SOFTWARE\WOW6432Node\Microsoft",
|
||||
@"SYSTEM\CurrentControlSet\Services",
|
||||
@"SYSTEM\CurrentControlSet\Control",
|
||||
@"SYSTEM\ControlSet001\Control",
|
||||
};
|
||||
|
||||
public void PrintInfo(bool isDebug)
|
||||
{
|
||||
Beaprint.GreatPrint("Registry permissions for hive exploitation");
|
||||
|
||||
new List<Action>
|
||||
{
|
||||
PrintTypingInsightsPermissions,
|
||||
PrintKnownSystemWritableKeys,
|
||||
PrintHeuristicWritableKeys,
|
||||
}.ForEach(action => CheckRunner.Run(action, isDebug));
|
||||
}
|
||||
|
||||
private void PrintTypingInsightsPermissions()
|
||||
{
|
||||
Beaprint.MainPrint("Cross-user TypingInsights key (HKCU/HKU)");
|
||||
|
||||
var matches = new List<RegistryWritableKeyInfo>();
|
||||
var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
if (RegistryAclScanner.TryGetWritableKey("HKCU", TypingInsightsRelativePath, out var currentUserKey))
|
||||
{
|
||||
if (seen.Add(currentUserKey.FullPath))
|
||||
{
|
||||
matches.Add(currentUserKey);
|
||||
}
|
||||
}
|
||||
|
||||
foreach (var sid in RegistryHelper.GetUserSIDs())
|
||||
{
|
||||
if (string.IsNullOrEmpty(sid) || sid.Equals(".DEFAULT", StringComparison.OrdinalIgnoreCase) || sid.EndsWith("_Classes", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
string relativePath = $"{sid}\\{TypingInsightsRelativePath}";
|
||||
if (RegistryAclScanner.TryGetWritableKey("HKU", relativePath, out var info) && seen.Add(info.FullPath))
|
||||
{
|
||||
matches.Add(info);
|
||||
}
|
||||
}
|
||||
|
||||
if (matches.Count == 0)
|
||||
{
|
||||
Beaprint.GrayPrint(" [-] TypingInsights key does not grant write access to low-privileged groups.");
|
||||
return;
|
||||
}
|
||||
|
||||
PrintEntries(matches);
|
||||
Beaprint.LinkPrint("https://projectzero.google/2025/05/the-windows-registry-adventure-8-exploitation.html", "Writable TypingInsights enables cross-user hive tampering and DoS.");
|
||||
}
|
||||
|
||||
private void PrintKnownSystemWritableKeys()
|
||||
{
|
||||
Beaprint.MainPrint("Known HKLM descendants writable by standard users");
|
||||
|
||||
var matches = new List<RegistryWritableKeyInfo>();
|
||||
foreach (var path in KnownWritableSystemKeyCandidates)
|
||||
{
|
||||
if (RegistryAclScanner.TryGetWritableKey("HKLM", path, out var info))
|
||||
{
|
||||
matches.Add(info);
|
||||
}
|
||||
}
|
||||
|
||||
if (matches.Count == 0)
|
||||
{
|
||||
Beaprint.GrayPrint(" [-] None of the tracked HKLM keys are writable by low-privileged groups.");
|
||||
return;
|
||||
}
|
||||
|
||||
PrintEntries(matches);
|
||||
}
|
||||
|
||||
private void PrintHeuristicWritableKeys()
|
||||
{
|
||||
Beaprint.MainPrint("Sample of additional writable HKLM keys (depth-limited scan)");
|
||||
|
||||
var matches = RegistryAclScanner.ScanWritableKeys("HKLM", ScanBasePaths, maxDepth: 3, maxResults: 25);
|
||||
if (matches.Count == 0)
|
||||
{
|
||||
Beaprint.GrayPrint(" [-] No additional writable HKLM keys were found within the sampled paths.");
|
||||
return;
|
||||
}
|
||||
|
||||
PrintEntries(matches);
|
||||
Beaprint.GrayPrint(" [*] Showing up to 25 entries from the sampled paths to avoid noisy output.");
|
||||
}
|
||||
|
||||
private static void PrintEntries(IEnumerable<RegistryWritableKeyInfo> entries)
|
||||
{
|
||||
foreach (var entry in entries)
|
||||
{
|
||||
var principals = string.Join(", ", entry.Principals);
|
||||
var rights = entry.Rights.Count > 0 ? string.Join(", ", entry.Rights.Distinct(StringComparer.OrdinalIgnoreCase)) : "Write access";
|
||||
var displayPath = string.IsNullOrEmpty(entry.FullPath) ? $"{entry.Hive}\\{entry.RelativePath}" : entry.FullPath;
|
||||
Beaprint.BadPrint($" [!] {displayPath} -> {principals} ({rights})");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -88,7 +88,6 @@ namespace winPEAS.Checks
|
||||
PrintLocalGroupPolicy,
|
||||
PrintPotentialGPOAbuse,
|
||||
AppLockerHelper.PrintAppLockerPolicy,
|
||||
PrintPrintNightmarePointAndPrint,
|
||||
PrintPrintersWMIInfo,
|
||||
PrintNamedPipes,
|
||||
PrintNamedPipeAbuseCandidates,
|
||||
@@ -837,39 +836,6 @@ namespace winPEAS.Checks
|
||||
}
|
||||
}
|
||||
|
||||
private static void PrintPrintNightmarePointAndPrint()
|
||||
{
|
||||
Beaprint.MainPrint("PrintNightmare PointAndPrint Policies");
|
||||
Beaprint.LinkPrint("https://itm4n.github.io/printnightmare-exploitation/", "Check PointAndPrint policy hardening");
|
||||
|
||||
try
|
||||
{
|
||||
string key = @"Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint";
|
||||
var restrict = RegistryHelper.GetDwordValue("HKLM", key, "RestrictDriverInstallationToAdministrators");
|
||||
var noWarn = RegistryHelper.GetDwordValue("HKLM", key, "NoWarningNoElevationOnInstall");
|
||||
var updatePrompt = RegistryHelper.GetDwordValue("HKLM", key, "UpdatePromptSettings");
|
||||
|
||||
if (restrict == null && noWarn == null && updatePrompt == null)
|
||||
{
|
||||
Beaprint.NotFoundPrint();
|
||||
return;
|
||||
}
|
||||
|
||||
Beaprint.NoColorPrint($" RestrictDriverInstallationToAdministrators: {restrict}\n" +
|
||||
$" NoWarningNoElevationOnInstall: {noWarn}\n" +
|
||||
$" UpdatePromptSettings: {updatePrompt}");
|
||||
|
||||
if (restrict == 0 && noWarn == 1 && updatePrompt == 2)
|
||||
{
|
||||
Beaprint.BadPrint(" [!] Potentially vulnerable to PrintNightmare misconfiguration");
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.PrintException(ex.Message);
|
||||
}
|
||||
}
|
||||
|
||||
private static void PrintPrintersWMIInfo()
|
||||
{
|
||||
Beaprint.MainPrint("Enumerating Printers (WMI)");
|
||||
|
||||
@@ -132,7 +132,6 @@ namespace winPEAS.Helpers
|
||||
Console.WriteLine(LCYAN + " activedirectoryinfo" + GRAY + " Quick AD checks (gMSA readable passwords, AD CS template rights)" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " cloudinfo" + GRAY + " Enumerate cloud information" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " windowscreds" + GRAY + " Search windows credentials" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " registryinfo" + GRAY + " Flag writable HKLM/HKU keys that enable hive tampering" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " browserinfo" + GRAY + " Search browser information" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR);
|
||||
Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " [NOT RUN BY DEFAULT] Search specific files that can contains credentials and for regexes inside files. Might take several minutes." + NOCOLOR);
|
||||
|
||||
@@ -1,221 +0,0 @@
|
||||
using Microsoft.Win32;
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Security.AccessControl;
|
||||
using System.Security.Principal;
|
||||
using winPEAS.Helpers;
|
||||
|
||||
namespace winPEAS.Helpers.Registry
|
||||
{
|
||||
internal class RegistryWritableKeyInfo
|
||||
{
|
||||
public string Hive { get; set; }
|
||||
public string RelativePath { get; set; }
|
||||
public string FullPath { get; set; }
|
||||
public List<string> Principals { get; set; } = new List<string>();
|
||||
public List<string> Rights { get; set; } = new List<string>();
|
||||
}
|
||||
|
||||
internal static class RegistryAclScanner
|
||||
{
|
||||
private static readonly Dictionary<string, string> LowPrivSidMap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
|
||||
{
|
||||
{ new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null).Value, "BUILTIN\\Users" },
|
||||
{ new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null).Value, "Authenticated Users" },
|
||||
{ new SecurityIdentifier(WellKnownSidType.WorldSid, null).Value, "Everyone" },
|
||||
{ new SecurityIdentifier(WellKnownSidType.InteractiveSid, null).Value, "Interactive" },
|
||||
{ new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null).Value, "BUILTIN\\Guests" },
|
||||
};
|
||||
|
||||
public static bool TryGetWritableKey(string hive, string relativePath, out RegistryWritableKeyInfo info)
|
||||
{
|
||||
info = null;
|
||||
using (var key = OpenKey(hive, relativePath))
|
||||
{
|
||||
if (key == null)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return TryCollectWritableInfo(hive, relativePath, key, out info);
|
||||
}
|
||||
}
|
||||
|
||||
public static List<RegistryWritableKeyInfo> ScanWritableKeys(string hive, IEnumerable<string> basePaths, int maxDepth, int maxResults)
|
||||
{
|
||||
var results = new List<RegistryWritableKeyInfo>();
|
||||
var seenPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
foreach (var basePath in basePaths ?? Enumerable.Empty<string>())
|
||||
{
|
||||
if (results.Count >= maxResults)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
using (var key = OpenKey(hive, basePath))
|
||||
{
|
||||
if (key == null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
Traverse(hive, key, basePath, 0, maxDepth, maxResults, seenPaths, results);
|
||||
}
|
||||
}
|
||||
|
||||
return results;
|
||||
}
|
||||
|
||||
private static void Traverse(string hive, RegistryKey currentKey, string currentPath, int depth, int maxDepth, int maxResults, HashSet<string> seenPaths, List<RegistryWritableKeyInfo> results)
|
||||
{
|
||||
if (currentKey == null || results.Count >= maxResults)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (TryCollectWritableInfo(hive, currentPath, currentKey, out var info))
|
||||
{
|
||||
if (seenPaths.Add(info.FullPath))
|
||||
{
|
||||
results.Add(info);
|
||||
}
|
||||
|
||||
if (results.Count >= maxResults)
|
||||
{
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
if (depth >= maxDepth)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
string[] subKeys;
|
||||
try
|
||||
{
|
||||
subKeys = currentKey.GetSubKeyNames();
|
||||
}
|
||||
catch
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
foreach (var subKeyName in subKeys)
|
||||
{
|
||||
if (results.Count >= maxResults)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
using (var childKey = currentKey.OpenSubKey(subKeyName))
|
||||
{
|
||||
if (childKey == null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
string childPath = string.IsNullOrEmpty(currentPath) ? subKeyName : $"{currentPath}\\{subKeyName}";
|
||||
Traverse(hive, childKey, childPath, depth + 1, maxDepth, maxResults, seenPaths, results);
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
// Ignore keys we cannot open
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static bool TryCollectWritableInfo(string hive, string relativePath, RegistryKey key, out RegistryWritableKeyInfo info)
|
||||
{
|
||||
info = null;
|
||||
|
||||
try
|
||||
{
|
||||
var acl = key.GetAccessControl(AccessControlSections.Access);
|
||||
|
||||
var principals = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
||||
var rights = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
foreach (RegistryAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
|
||||
{
|
||||
if (rule.AccessControlType != AccessControlType.Allow)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var sid = rule.IdentityReference as SecurityIdentifier ?? rule.IdentityReference.Translate(typeof(SecurityIdentifier)) as SecurityIdentifier;
|
||||
if (sid == null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!LowPrivSidMap.TryGetValue(sid.Value, out var label))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
string interestingRight = PermissionsHelper.PermInt2Str((int)rule.RegistryRights, PermissionType.WRITEABLE_OR_EQUIVALENT_REG);
|
||||
if (string.IsNullOrEmpty(interestingRight))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
principals.Add($"{label} ({sid.Value})");
|
||||
rights.Add(interestingRight);
|
||||
}
|
||||
|
||||
if (principals.Count == 0)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
string normalizedRelativePath = relativePath ?? string.Empty;
|
||||
string fullPath = string.IsNullOrEmpty(normalizedRelativePath) ? key.Name : $"{hive}\\{normalizedRelativePath}";
|
||||
|
||||
info = new RegistryWritableKeyInfo
|
||||
{
|
||||
Hive = hive,
|
||||
RelativePath = normalizedRelativePath,
|
||||
FullPath = fullPath,
|
||||
Principals = principals.ToList(),
|
||||
Rights = rights.ToList(),
|
||||
};
|
||||
return true;
|
||||
}
|
||||
catch
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private static RegistryKey OpenKey(string hive, string path)
|
||||
{
|
||||
if (string.IsNullOrEmpty(path))
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
RegistryKey baseKey = hive switch
|
||||
{
|
||||
"HKLM" => Microsoft.Win32.Registry.LocalMachine,
|
||||
"HKCU" => Microsoft.Win32.Registry.CurrentUser,
|
||||
"HKU" => Microsoft.Win32.Registry.Users,
|
||||
_ => null,
|
||||
};
|
||||
|
||||
return baseKey?.OpenSubKey(path);
|
||||
}
|
||||
catch
|
||||
{
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -46,7 +46,7 @@ namespace winPEAS.Info.NetworkInfo
|
||||
|
||||
// 4. Call external checker
|
||||
var resp = httpClient
|
||||
.PostAsync("https://tools.hacktricks.wiki/api/host-checker", payload)
|
||||
.PostAsync("https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/", payload)
|
||||
.GetAwaiter().GetResult();
|
||||
|
||||
if (resp.IsSuccessStatusCode)
|
||||
|
||||
@@ -4,8 +4,6 @@ using System.Net.Http;
|
||||
using System.Net.Http.Headers;
|
||||
using System.Net.NetworkInformation;
|
||||
using System.Net.Sockets;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using System.Threading;
|
||||
|
||||
namespace winPEAS.Info.NetworkInfo
|
||||
@@ -50,7 +48,7 @@ namespace winPEAS.Info.NetworkInfo
|
||||
{ "1.1.1.1", "8.8.8.8" };
|
||||
|
||||
private const string LAMBDA_URL =
|
||||
"https://tools.hacktricks.wiki/api/host-checker";
|
||||
"https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/";
|
||||
|
||||
// Shared HttpClient (kept for HTTP & Lambda checks)
|
||||
private static readonly HttpClient http = new HttpClient
|
||||
@@ -120,12 +118,7 @@ namespace winPEAS.Info.NetworkInfo
|
||||
using var cts =
|
||||
new CancellationTokenSource(TimeSpan.FromMilliseconds(HTTP_TIMEOUT_MS));
|
||||
|
||||
var payload = new StringContent(
|
||||
JsonSerializer.Serialize(new { hostname = Environment.MachineName }),
|
||||
Encoding.UTF8,
|
||||
"application/json");
|
||||
var req = new HttpRequestMessage(HttpMethod.Post, LAMBDA_URL);
|
||||
req.Content = payload;
|
||||
var req = new HttpRequestMessage(HttpMethod.Get, LAMBDA_URL);
|
||||
req.Headers.UserAgent.ParseAdd("winpeas");
|
||||
req.Headers.Accept.Add(
|
||||
new MediaTypeWithQualityHeaderValue("application/json"));
|
||||
|
||||
@@ -16,10 +16,6 @@ namespace winPEAS.Info.UserInfo.SAM
|
||||
{
|
||||
get
|
||||
{
|
||||
if (_maxPasswordAge == long.MinValue)
|
||||
{
|
||||
return TimeSpan.MinValue;
|
||||
}
|
||||
return -new TimeSpan(_maxPasswordAge);
|
||||
}
|
||||
set
|
||||
@@ -32,10 +28,6 @@ namespace winPEAS.Info.UserInfo.SAM
|
||||
{
|
||||
get
|
||||
{
|
||||
if (_minPasswordAge == long.MinValue)
|
||||
{
|
||||
return TimeSpan.MinValue;
|
||||
}
|
||||
return -new TimeSpan(_minPasswordAge);
|
||||
}
|
||||
set
|
||||
|
||||
@@ -88,10 +88,6 @@ namespace winPEAS.KnownFileCreds
|
||||
if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
|
||||
{
|
||||
string[] subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions\\", SID));
|
||||
if (subKeys.Length == 0)
|
||||
{
|
||||
subKeys = RegistryHelper.GetRegSubkeys("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\Sessions", SID));
|
||||
}
|
||||
|
||||
foreach (string sessionName in subKeys)
|
||||
{
|
||||
@@ -133,10 +129,6 @@ namespace winPEAS.KnownFileCreds
|
||||
else
|
||||
{
|
||||
string[] subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions\\");
|
||||
if (subKeys.Length == 0)
|
||||
{
|
||||
subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions");
|
||||
}
|
||||
RegistryKey selfKey = Registry.CurrentUser.OpenSubKey(@"Software\\SimonTatham\\PuTTY\\Sessions"); // extract own Sessions registry keys
|
||||
|
||||
if (selfKey != null)
|
||||
@@ -206,10 +198,6 @@ namespace winPEAS.KnownFileCreds
|
||||
if (SID.StartsWith("S-1-5") && !SID.EndsWith("_Classes"))
|
||||
{
|
||||
Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
|
||||
if ((hostKeys == null) || (hostKeys.Count == 0))
|
||||
{
|
||||
hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys", SID));
|
||||
}
|
||||
if ((hostKeys != null) && (hostKeys.Count != 0))
|
||||
{
|
||||
Dictionary<string, string> putty_ssh = new Dictionary<string, string>
|
||||
@@ -228,10 +216,6 @@ namespace winPEAS.KnownFileCreds
|
||||
else
|
||||
{
|
||||
Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys\\");
|
||||
if ((hostKeys == null) || (hostKeys.Count == 0))
|
||||
{
|
||||
hostKeys = RegistryHelper.GetRegValues("HKCU", "Software\\SimonTatham\\PuTTY\\SshHostKeys");
|
||||
}
|
||||
if ((hostKeys != null) && (hostKeys.Count != 0))
|
||||
{
|
||||
Dictionary<string, string> putty_ssh = new Dictionary<string, string>();
|
||||
|
||||
@@ -11,7 +11,6 @@ namespace winPEAS
|
||||
[STAThread]
|
||||
public static void Main(string[] args)
|
||||
{
|
||||
// TODO: keep Main minimal; this line was an intentional break in test PR.
|
||||
Checks.Checks.Run(args);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1201,7 +1201,6 @@
|
||||
<Compile Include="Checks\SystemInfo.cs" />
|
||||
<Compile Include="Checks\UserInfo.cs" />
|
||||
<Compile Include="Checks\WindowsCreds.cs" />
|
||||
<Compile Include="Checks\RegistryInfo.cs" />
|
||||
<Compile Include="Helpers\AppLocker\AppLockerHelper.cs" />
|
||||
<Compile Include="Helpers\AppLocker\AppLockerRules.cs" />
|
||||
<Compile Include="Helpers\AppLocker\IAppIdPolicyHandler.cs" />
|
||||
@@ -1470,7 +1469,6 @@
|
||||
<Compile Include="Helpers\CheckRunner.cs" />
|
||||
<Compile Include="Helpers\ReflectionHelper.cs" />
|
||||
<Compile Include="Helpers\Registry\RegistryHelper.cs" />
|
||||
<Compile Include="Helpers\Registry\RegistryAclScanner.cs" />
|
||||
<Compile Include="Helpers\Search\SearchHelper.cs" />
|
||||
<Compile Include="Wifi\Wifi.cs" />
|
||||
<Compile Include="Wifi\NativeWifiApi\Interop.cs" />
|
||||
|
||||
@@ -815,40 +815,12 @@ systeminfo.exe
|
||||
Write-Host ""
|
||||
if ($TimeStamp) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| WINDOWS HOTFIXES"
|
||||
Write-Host "=| Check missing patches with WES-NG https://github.com/bitsadmin/wesng" -ForegroundColor Yellow
|
||||
Write-Host "=| Check if windows is vulnerable with Watson https://github.com/rasta-mouse/Watson" -ForegroundColor Yellow
|
||||
Write-Host "Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)" -ForegroundColor Yellow
|
||||
$Hotfix = Get-HotFix | Sort-Object -Descending -Property InstalledOn -ErrorAction SilentlyContinue | Select-Object HotfixID, Description, InstalledBy, InstalledOn
|
||||
$Hotfix | Format-Table -AutoSize
|
||||
|
||||
|
||||
# PrintNightmare PointAndPrint policy checks
|
||||
Write-Host ""
|
||||
if ($TimeStamp) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| PRINTNIGHTMARE POINTANDPRINT POLICY"
|
||||
$pnKey = "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
|
||||
if (Test-Path $pnKey) {
|
||||
$pn = Get-ItemProperty -Path $pnKey -ErrorAction SilentlyContinue
|
||||
$restrict = $pn.RestrictDriverInstallationToAdministrators
|
||||
$noWarn = $pn.NoWarningNoElevationOnInstall
|
||||
$updatePrompt = $pn.UpdatePromptSettings
|
||||
|
||||
Write-Host "RestrictDriverInstallationToAdministrators: $restrict"
|
||||
Write-Host "NoWarningNoElevationOnInstall: $noWarn"
|
||||
Write-Host "UpdatePromptSettings: $updatePrompt"
|
||||
|
||||
$hasAllValues = ($null -ne $restrict) -and ($null -ne $noWarn) -and ($null -ne $updatePrompt)
|
||||
if (-not $hasAllValues) {
|
||||
Write-Host "PointAndPrint policy values are missing or not configured" -ForegroundColor Gray
|
||||
} elseif (($restrict -eq 0) -and ($noWarn -eq 1) -and ($updatePrompt -eq 2)) {
|
||||
Write-Host "Potentially vulnerable to PrintNightmare misconfiguration" -ForegroundColor Red
|
||||
} else {
|
||||
Write-Host "PointAndPrint policy is not in the known risky configuration" -ForegroundColor Green
|
||||
}
|
||||
} else {
|
||||
Write-Host "PointAndPrint policy key not found" -ForegroundColor Gray
|
||||
}
|
||||
|
||||
|
||||
#Show all unique updates installed
|
||||
Write-Host ""
|
||||
if ($TimeStamp) { TimeElapsed }
|
||||
|
||||
Reference in New Issue
Block a user