diff --git a/.gitignore b/.gitignore index cd6fee9..098cb3c 100755 --- a/.gitignore +++ b/.gitignore @@ -25,4 +25,6 @@ linPEAS/builder/__pycache__/* linPEAS/builder/src/__pycache__/* linPEAS/linpeas.sh sh2bin -sh2bin/* \ No newline at end of file +sh2bin/* +.dccache +./*/.dccache \ No newline at end of file diff --git a/README.md b/README.md index eabe904..290278d 100755 --- a/README.md +++ b/README.md @@ -12,10 +12,10 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily. -- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)** +- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)** - **[WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)** -- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)** +- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)** - **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)** ## Quick Start diff --git a/linPEAS/README.md b/linPEAS/README.md index bede216..2aff17d 100755 --- a/linPEAS/README.md +++ b/linPEAS/README.md 
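Review bot: The added pattern `./*/.dccache` will not match anything: a gitignore pattern that contains a slash is matched relative to the directory holding the .gitignore, and no path ever has a literal `.` component, so the second added line is dead. The `.dccache` entry added just before it has no slash and therefore already matches a `.dccache` file or directory at any depth, which appears to be what the second line was aiming for; drop the `./*/.dccache` line, or write `**/.dccache` if you want the recursive intent spelled out explicitly. Leaving an ineffective rule in place invites someone to later "fix" it into an even broader pattern.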
@@ -2,9 +2,9 @@ ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png) -**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/privilege-escalation)** +**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)** -Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**. +Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**. [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566) diff --git a/linPEAS/builder/linpeas_parts/1_system_information.sh b/linPEAS/builder/linpeas_parts/1_system_information.sh index 3c9fb20..2959f2d 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information.sh 
@@ -4,7 +4,7 @@ #-- SY) OS print_2title "Operative system" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits" (cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED}," warn_exec lsb_release -a 2>/dev/null if [ "$MACPEAS" ]; then @@ -15,7 +15,7 @@ echo "" #-- SY) Sudo print_2title "Sudo version" if [ "$(command -v sudo 2>/dev/null)" ]; then -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version" sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED}," else echo_not_found "sudo" fi 
@@ -51,7 +51,7 @@ echo "" #--SY) USBCreator if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then print_2title "USBCreator" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation" pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+") if [ -z "$pc_version" ]; then @@ -70,7 +70,7 @@ echo "" #-- SY) PATH print_2title "PATH" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses" echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g" echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g" echo "" @@ -130,7 +130,7 @@ echo "" #-- SY) Dmesg if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$DEBUG" ]; then print_2title "Searching Signature verification failed in dmesg" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed" (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg" echo "" fi diff --git a/linPEAS/builder/linpeas_parts/2_container.sh b/linPEAS/builder/linpeas_parts/2_container.sh index f7cfd08..a3b63f5 100644 --- a/linPEAS/builder/linpeas_parts/2_container.sh +++ b/linPEAS/builder/linpeas_parts/2_container.sh 
@@ -187,7 +187,7 @@ fi if [ "$inContainer" ]; then echo "" print_2title "Container & breakout enumeration" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout" print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')" if echo "$containerType" | grep -qi "docker"; then print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" diff --git a/linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh b/linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh index e18bee4..5dda2e3 100644 --- a/linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh +++ b/linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh @@ -8,7 +8,7 @@ print_2title "Cleaned processes" if [ "$NOUSEPS" ]; then printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC fi -print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes" +print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" if [ "$NOUSEPS" ]; then print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED}," 
@@ -29,7 +29,7 @@ else #-- PCS) Binary processes permissions print_2title "Binary processes permissions (non 'root root' and not belonging to current user)" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" binW="IniTialiZZinnggg" ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do if [ -w "$bpath" ]; then @@ -50,7 +50,7 @@ fi #-- PCS) Processes with credentials inside memory print_2title "Processes with credentials in memory (root req)" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory" if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi 
@@ -62,7 +62,7 @@ echo "" #-- PCS) Different processes 1 min if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs" temp_file=$(mktemp) if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi echo "" @@ -70,7 +70,7 @@ fi #-- PCS) Cron print_2title "Cron jobs" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs" command -v crontab 2>/dev/null || echo_not_found "crontab" crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," command -v incrontab 2>/dev/null || echo_not_found "incrontab" @@ -131,7 +131,7 @@ fi #-- PSC) systemd PATH print_2title "Systemd PATH" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths" systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g" WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders") echo "" 
@@ -139,7 +139,7 @@ echo "" #-- PSC) .service files #TODO: .service files in MACOS are folders print_2title "Analyzing .service files" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services" printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do if [ ! -O "$s" ]; then #Remove services that belongs to the current user if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then @@ -167,13 +167,13 @@ echo "" #-- PSC) Timers print_2title "System timers" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found echo "" #-- PSC) .timer files print_2title "Analyzing .timer files" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" printf "%s\n" "$PSTORAGE_TIMER" | while read t; do if ! [ "$IAMROOT" ] && [ -w "$t" ]; then echo "$t" | sed -${E} "s,.*,${SED_RED},g" @@ -195,7 +195,7 @@ echo "" #TODO: .socket files in MACOS are folders if ! [ "$IAMROOT" ]; then print_2title "Analyzing .socket files" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g" 
@@ -214,15 +214,15 @@ if ! [ "$IAMROOT" ]; then done done if ! [ "$IAMROOT" ] && [ -w "/var/run/docker.sock" ]; then - echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g" + echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g" fi if ! [ "$IAMROOT" ] && [ -w "/run/docker.sock" ]; then - echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g" + echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g" fi echo "" print_2title "Unix Sockets Listening" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" # Search sockets using netstat and ss unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1) if ! [ "$unix_scks_list" ];then @@ -262,7 +262,7 @@ fi #-- PSC) Writable and weak policies in D-Bus config files print_2title "D-Bus config files" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus" if [ "$PSTORAGE_DBUS" ]; then printf "%s\n" "$PSTORAGE_DBUS" | while read d; do for f in $d/*; do 
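Review bot: The second added line in this hunk, the `/run/docker.sock` message, is never highlighted: it is piped through `sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"`, whose pattern still names `/var/run/docker.sock`, so the emitted text `/run/docker.sock is writable` does not match and a writable Docker socket, one of the most reliable findings this section can produce, prints uncoloured while the `/var/run` case two lines above it is flagged red/yellow. Change that filter to `sed "s,/run/docker.sock is writable,${SED_RED_YELLOW},g"`. As a smaller follow-up for both socket checks, `-w` alone is also true for a regular file or leftover path named docker.sock; adding `[ -S ... ]` to the condition, as the docker-files check in 6_software_information.sh already does, would avoid that false positive.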
@@ -289,7 +289,7 @@ fi echo "" print_2title "D-Bus Service Objects list" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus" dbuslist=$(busctl list 2>/dev/null) if [ "$dbuslist" ]; then busctl list | while read line; do diff --git a/linPEAS/builder/linpeas_parts/4_network_information.sh b/linPEAS/builder/linpeas_parts/4_network_information.sh index c6255c8..48dc527 100644 --- a/linPEAS/builder/linpeas_parts/4_network_information.sh +++ b/linPEAS/builder/linpeas_parts/4_network_information.sh @@ -53,7 +53,7 @@ fi #-- NI) Ports print_2title "Active Ports" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports" ( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED}," echo "" @@ -92,7 +92,7 @@ fi print_2title "Can I sniff with tcpdump?" timeout 1 tcpdump >/dev/null 2>&1 if [ $? -eq 124 ]; then #If 124, then timed out == It worked - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sniffing" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing" echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED}," else echo_no fi diff --git a/linPEAS/builder/linpeas_parts/5_users_information.sh b/linPEAS/builder/linpeas_parts/5_users_information.sh index 5b92dcb..785a2cf 100644 --- a/linPEAS/builder/linpeas_parts/5_users_information.sh +++ b/linPEAS/builder/linpeas_parts/5_users_information.sh 
@@ -4,7 +4,7 @@ #-- UI) My user print_2title "My user" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#users" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users" (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g" echo "" @@ -59,7 +59,7 @@ fi #-- UI) Sudo -l print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" (echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo" if [ "$PASSWORD" ]; then (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "sudo" 
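Review bot: The `sudo -l` probe on the line after the changed `print_info` pipes an empty password into `sudo -S`, which on a host without a NOPASSWD rule or a cached token is a failed authentication that sudo normally reports to syslog/journal, and nothing in the section tells the operator that. A one-line comment above it, `# OPSEC: feeding '' to sudo -S is a failed auth attempt and is typically logged (auth.log/journal)`, would let users of the script decide whether that noise is acceptable on a monitored target. The same caveat applies to the `$PASSWORD` retry two lines further down, which fails and logs the same way if the supplied password is wrong.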
@@ -78,7 +78,7 @@ echo "" #-- UI) Sudo tokens print_2title "Checking sudo tokens" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens" ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)" if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0)" | sed "s,is disabled,${SED_RED},g"; else echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g"; @@ -117,7 +117,7 @@ fi #-- UI) Pkexec policy print_2title "Checking Pkexec policy" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2" (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d" echo "" diff --git a/linPEAS/builder/linpeas_parts/6_software_information.sh b/linPEAS/builder/linpeas_parts/6_software_information.sh index 223648f..cf98388 100644 --- a/linPEAS/builder/linpeas_parts/6_software_information.sh +++ b/linPEAS/builder/linpeas_parts/6_software_information.sh 
@@ -306,7 +306,7 @@ kadmin_exists="$(command -v kadmin)" klist_exists="$(command -v klist)" if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then print_2title "Searching kerberos conf files and tickets" - print_info "http://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-active-directory" + print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory" if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi @@ -398,7 +398,7 @@ fi #-- SI) Screen sessions if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]; then print_2title "Searching screen sessions" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions" screensess=$(screen -ls 2>/dev/null) screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null) @@ -417,7 +417,7 @@ tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep) tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null) if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]; then print_2title "Searching tmux sessions"$N - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions" tmux -V printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m," 
@@ -544,7 +544,7 @@ peass{Wget} containerd=$(command -v ctr) if [ "$containerd" ] || [ "$DEBUG" ]; then print_2title "Checking if containerd(ctr) is available" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" if [ "$containerd" ]; then echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," ctr image list @@ -556,7 +556,7 @@ fi runc=$(command -v runc) if [ "$runc" ] || [ "$DEBUG" ]; then print_2title "Checking if runc is available" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation" if [ "$runc" ]; then echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," fi @@ -566,7 +566,7 @@ fi #-- SI) Docker if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then print_2title "Searching docker files (limit 70)" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation" printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do ls -l "$f" 2>/dev/null if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then diff --git a/linPEAS/builder/linpeas_parts/7_interesting_files.sh b/linPEAS/builder/linpeas_parts/7_interesting_files.sh index 46b1123..342d564 100644 --- a/linPEAS/builder/linpeas_parts/7_interesting_files.sh +++ b/linPEAS/builder/linpeas_parts/7_interesting_files.sh 
@@ -18,7 +18,7 @@ check_critial_root_path(){ ##-- IF) SUID print_2title "SUID - Check easy privesc, exploits and write perms" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" if ! [ "$STRINGS" ]; then echo_not_found "strings" fi @@ -90,7 +90,7 @@ echo "" ##-- IF) SGID print_2title "SGID" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" sgids_files=$(find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) for s in $sgids_files; do s=$(ls -lahtr "$s") @@ -150,7 +150,7 @@ echo "" ##-- IF) Misconfigured ld.so print_2title "Checking misconfigurations of ld.so" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so" printf $ITALIC"/etc/ld.so.conf\n"$NC; cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" cat /etc/ld.so.conf 2>/dev/null | while read l; do @@ -169,7 +169,7 @@ echo "" ##-- IF) Capabilities print_2title "Capabilities" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" echo "Current capabilities:" (capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${SED_RED_YELLOW}," ) || echo_not_found "capsh" (cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status" 
@@ -205,7 +205,7 @@ echo "" ##-- IF) Users with capabilities if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then print_2title "Users with capabilities" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" if [ -f "/etc/security/capability.conf" ]; then grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," else echo_not_found "/etc/security/capability.conf" @@ -215,7 +215,7 @@ fi ##-- IF) Files with ACLs print_2title "Files with ACLs (limited to 50)" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls" ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$(command -v getfacl)" ]; then #Find ACL files in macos (veeeery slow) @@ -233,7 +233,7 @@ echo "" ##-- IF) .sh files in PATH print_2title ".sh files in path" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path" echo $PATH | tr ":" "\n" | while read d; do for f in $(find "$d" -name "*.sh" 2>/dev/null); do if ! [ "$IAMROOT" ] && [ -O "$f" ]; then 
@@ -280,7 +280,7 @@ echo "" ##-- IF) Files (scripts) in /etc/profile.d/ print_2title "Files (scripts) in /etc/profile.d/" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files" if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/" check_critial_root_path "/etc/profile" @@ -290,7 +290,7 @@ echo "" ##-- IF) Files (scripts) in /etc/init.d/ print_2title "Permissions in init, init.d, systemd, and rc.d" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d" if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS check_critial_root_path "/etc/init/" check_critial_root_path "/etc/init.d/" @@ -381,7 +381,7 @@ echo "" ##-- IF) Writable log files print_2title "Writable log files (logrotten) (limit 100)" -print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation" +print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation" logrotate --version 2>/dev/null || echo_not_found "logrotate" lastWlogFolder="ImPOsSiBleeElastWlogFolder" logfind=$(find / -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 100) 
@@ -520,7 +520,7 @@ echo "" ##-- IF) Interesting writable files by ownership or all if ! [ "$IAMROOT" ]; then print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all obmowbe=$(find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) printf "%s\n" "$obmowbe" | while read entry; do @@ -537,7 +537,7 @@ fi ##-- IF) Interesting writable files by group if ! [ "$IAMROOT" ]; then print_2title "Interesting GROUP writable files (not in Home) (max 500)" - print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files" + print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" for g in $(groups); do iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500) if [ "$iwfbg" ] || [ "$DEBUG" ]; then diff --git a/linPEAS/builder/linpeas_parts/linpeas_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base.sh index f885e40..20a7586 100755 
--- a/linPEAS/builder/linpeas_parts/linpeas_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base.sh @@ -237,7 +237,7 @@ printf ${BLUE}" $SCRIPTNAME-$VERSION ${YELLOW}by carlospolop\n"$NC; echo "" printf ${YELLOW}"ADVISORY: ${BLUE}$ADVISORY\n$NC" echo "" -printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist\n"$NC +printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist\n"$NC echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m," echo " RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW}," echo " RED: You should take a look to it" | sed "s,RED,${SED_RED}," diff --git a/parsers/README.md b/parsers/README.md index 3b9eeee..081be35 100644 --- a/parsers/README.md +++ b/parsers/README.md @@ -38,7 +38,7 @@ There is a **maximun of 3 levels of sections**. } ], "infos": [ - "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits" + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits" ] }, "infos": [] @@ -65,7 +65,7 @@ There is a **maximun of 3 levels of sections**. } ], "infos": [ - "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits" + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits" ] }, "infos": [] diff --git a/winPEAS/README.md b/winPEAS/README.md index 83bb7ae..91002be 100755 --- a/winPEAS/README.md +++ b/winPEAS/README.md 
@@ -2,9 +2,9 @@
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
-Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)**
+Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
-Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
+Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
 ## Quick Start
 Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
diff --git a/winPEAS/winPEASbat/README.md b/winPEAS/winPEASbat/README.md
index 603d9a5..0df59d2 100755
--- a/winPEAS/winPEASbat/README.md
+++ b/winPEAS/winPEASbat/README.md
@@ -2,9 +2,9 @@
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
-**WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
+**WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
-Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)
+Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
 ### WinPEAS.bat is a batch script made for Windows systems which don't support WinPEAS.exe (Net.4 required)
diff --git a/winPEAS/winPEASbat/winPEAS.bat b/winPEAS/winPEASbat/winPEAS.bat
index 31db1d3..b82f336 100755
--- a/winPEAS/winPEASbat/winPEAS.bat
+++ b/winPEAS/winPEASbat/winPEAS.bat
@@ -55,7 +55,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
 ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
 systeminfo
 ECHO.
 CALL :T_Progress 2
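Review bot: The new `ECHO. [?]` line in the WINDOWS OS hunk inlines the full `https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation` prefix, and the same inlined prefix recurs in every winPEAS.bat hunk that follows (UACSettings through RegFilesCredentials), which is why one path rename touched around eighteen lines of a single script. Defining the prefix once near the top of the script, `SET "HT_WINPE=https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation"`, and writing each site as `ECHO. [?] %HT_WINPE%#kernel-exploits`, would confine the next migration to one line. The script head where such a SET belongs is outside this hunk.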
@@ -174,7 +174,7 @@ CALL :T_Progress 1
 :UACSettings
 CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
 ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
 ECHO.
 CALL :T_Progress 1
@@ -225,7 +225,7 @@ CALL :T_Progress 1
 :InstalledSoftware
 CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
 ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
 ECHO.
 dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
@@ -236,7 +236,7 @@ CALL :T_Progress 2
 :RemodeDeskCredMgr
 CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
 IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
 ECHO.
 CALL :T_Progress 1
@@ -244,7 +244,7 @@ CALL :T_Progress 1
 :WSUS
 CALL :ColorLine " %E%33m[+]%E%97m WSUS"
 ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
 reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
 ECHO.
 CALL :T_Progress 1
@@ -252,7 +252,7 @@ CALL :T_Progress 1
 :RunningProcesses
 CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
 ECHO. [i] Something unexpected is running? Check for vulnerabilities
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
 tasklist /SVC
 ECHO.
 CALL :T_Progress 2
@@ -273,7 +273,7 @@ CALL :T_Progress 3
 :RunAtStartup
 CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
 ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
 ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
@@ -297,7 +297,7 @@ CALL :T_Progress 2
 :AlwaysInstallElevated
 CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
 ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 ECHO.
@@ -361,7 +361,7 @@ CALL :T_Progress 1
 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
 ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
 net user %username%
@@ -435,7 +435,7 @@ ECHO.
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
 for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
 for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 )
@@ -444,7 +444,7 @@ CALL :T_Progress 1
 :CheckRegistryModificationAbilities
 CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
 for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
 ECHO.
 CALL :T_Progress 1
@@ -453,7 +453,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
 ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO. [i] The permissions are also checked and filtered using icacls
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
 for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
 ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
@@ -468,7 +468,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
 ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
 ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
 ECHO.
 CALL :T_Progress 1
@@ -477,7 +477,7 @@ CALL :T_Progress 1
 CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
 cmdkey /list
 ECHO.
 CALL :T_Progress 2
@@ -485,14 +485,14 @@ CALL :T_Progress 2
 :DPAPIMasterKeys
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
 powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
 powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
 CALL :T_Progress 2
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
 ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
 ECHO.
 ECHO.Looking inside %appdata%\Microsoft\Credentials\
 ECHO.
@@ -565,7 +565,7 @@ CALL :T_Progress 2
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
 ECHO.
 CALL :T_Progress 2
@@ -573,7 +573,7 @@ CALL :T_Progress 2
 :RegFilesCredentials
 CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
 ECHO. [i] Searching specific files that may contains credentials.
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
 ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
 reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
 CALL :T_Progress 2
diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md
index ab25a56..8993c39 100755
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -2,9 +2,9 @@
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
-**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
-Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)**
+Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
 [![youtube](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/screen.png)](https://youtu.be/66gOwXMnxRI)
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
index 77d34a6..1d3e578 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
@@ -56,7 +56,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software", "Check if you can modify installed software");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software", "Check if you can modify installed software");
 SortedDictionary> installedAppsPerms = InstalledApps.GetInstalledAppsPerms();
 string format = " ==> {0} ({1})";
@@ -102,7 +102,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Autorun Applications");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
 List> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
 foreach (Dictionary app in apps)
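Review bot: The new `Beaprint.LinkPrint(...)` argument in both ApplicationsInfo.cs hunks inlines the full `https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation` prefix, and the same inlined prefix recurs in the FilesInfo, ProcessInfo, ServicesInfo, SystemInfo, UserInfo, WindowsCreds and Beaprint hunks below, which is why one path rename touched dozens of lines across eight files. A single constant beside `LinkPrint` in the Beaprint helper, for example `public const string HackTricksWinPE = "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation";`, with call sites written as `Beaprint.LinkPrint(Beaprint.HackTricksWinPE + "#software", "Check if you can modify installed software");`, would make the next migration a one-line change. The stealing-credentials links in SystemInfo.cs and SID2GroupNameHelper.cs use a different base path and would want a constant of their own. The enclosing methods start and end outside these hunks.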
@@ -183,7 +183,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Scheduled Applications --Non Microsoft--");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
 List> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft();
 foreach (Dictionary sapp in scheduled_apps)
@@ -233,7 +233,7 @@ namespace winPEAS.Checks
 {
 Beaprint.MainPrint("Device Drivers --Non Microsoft--");
 // this link is not very specific, but its the best on hacktricks
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
 foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
 {
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
index a2d3cbe..2b514e9 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
@@ -151,7 +151,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Cloud Credentials");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
 List> could_creds = KnownFileCredsInfo.ListCloudCreds();
 if (could_creds.Count != 0)
 {
@@ -382,7 +382,7 @@ namespace winPEAS.Checks
 string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
 Beaprint.MainPrint("Looking for possible regs with creds");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry");
 string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
 if (!string.IsNullOrEmpty(winVnc4.Trim()))
@@ -431,7 +431,7 @@ namespace winPEAS.Checks
 };
 Beaprint.MainPrint("Looking for possible password files in users homes");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
 var fileInfos = SearchHelper.SearchUserCredsFiles();
 foreach (var fileInfo in fileInfos)
@@ -470,7 +470,7 @@ namespace winPEAS.Checks
 };
 Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
 List> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
 foreach (Dictionary rec_file in recy_files)
@@ -506,7 +506,7 @@ namespace winPEAS.Checks
 };
 Beaprint.MainPrint("Searching known files that can contain creds in home");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
 var files = SearchHelper.SearchUsersInterestingFiles();
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
index 018109c..d9b230f 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
@@ -23,7 +23,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Interesting Processes -non Microsoft-");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
 List> processesInfo = ProcessesInfo.GetProcInfo();
 foreach (Dictionary procInfo in processesInfo)
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs
index ec329bc..7a33cd7 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs
@@ -42,7 +42,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Interesting Services -non Microsoft-");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
 List> services_info = ServicesInfoHelper.GetNonstandardServices();
@@ -121,7 +121,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Modifiable Services");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service");
 if (modifiableServices.Count > 0)
 {
 Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
@@ -158,7 +158,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Looking if you can modify any service registry");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
 List> regPerms = ServicesInfoHelper.GetWriteServiceRegs(winPEAS.Checks.Checks.CurrentUserSiDs);
 Dictionary colorsWR = new Dictionary()
@@ -186,7 +186,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders");
 Dictionary path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking();
 foreach (KeyValuePair entry in path_dllhijacking)
 {
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
index cc20090..19e3666 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -97,7 +97,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Basic System Information");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
 Dictionary basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();
 basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR;
 Dictionary colorsSI = new Dictionary
@@ -340,7 +340,7 @@ namespace winPEAS.Checks
 static void PrintWdigest()
 {
 Beaprint.MainPrint("Wdigest");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
 string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential");
 if (useLogonCredential == "1")
 Beaprint.BadPrint(" Wdigest is active");
@@ -351,7 +351,7 @@ namespace winPEAS.Checks
 static void PrintLSAProtection()
 {
 Beaprint.MainPrint("LSA Protection");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
 string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL");
 if (useLogonCredential == "1")
 Beaprint.GoodPrint(" LSA Protection is active");
@@ -362,7 +362,7 @@ namespace winPEAS.Checks
 static void PrintCredentialGuard()
 {
 Beaprint.MainPrint("Credentials Guard");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
 string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
 if (lsaCfgFlags == "1")
@@ -386,7 +386,7 @@ namespace winPEAS.Checks
 static void PrintCachedCreds()
 {
 Beaprint.MainPrint("Cached Creds");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
 string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
 if (!string.IsNullOrEmpty(cachedlogonscount))
 {
@@ -523,7 +523,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("UAC Status");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
 Dictionary uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
 Dictionary colorsSI = new Dictionary()
@@ -556,7 +556,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Checking WSUS");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus");
 string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
 string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
 string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
@@ -591,7 +591,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Checking AlwaysInstallElevated");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated");
 string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
 string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
 string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
index 730e82a..ed0e178 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
@@ -80,7 +80,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Users");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
 List usersGrps = User.GetMachineUsers(false, false, false, false, true);
@@ -111,7 +111,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Current Token privileges");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");
 Dictionary tokenPrivs = Token.GetTokenGroupPrivs();
 Beaprint.DictPrint(tokenPrivs, ColorsU(), false);
 }
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs
index 01d7a43..1d7cc48 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs
@@ -48,7 +48,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Checking Windows Vault");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
 var vaultCreds = VaultCli.DumpVault();
 var colorsC = new Dictionary()
@@ -68,7 +68,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Checking Credential manager");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
 var colorsC = new Dictionary()
 {
@@ -153,7 +153,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Checking for DPAPI Master Keys");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
 var masterKeys = KnownFileCredsInfo.ListMasterKeys();
 if (masterKeys.Count != 0)
@@ -181,7 +181,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Checking for DPAPI Credential Files");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
 var credFiles = KnownFileCredsInfo.GetCredFiles();
 Beaprint.DictPrint(credFiles, false);
@@ -201,7 +201,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Checking for RDCMan Settings Files");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager",
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager",
 "Dump credentials from Remote Desktop Connection Manager");
 var rdcFiles = RemoteDesktop.GetRDCManFiles();
 Beaprint.DictPrint(rdcFiles, false);
@@ -307,7 +307,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Looking AppCmd.exe");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe");
 var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
@@ -368,7 +368,7 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.MainPrint("Looking SSClient.exe");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm");
 if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe")))
 {
diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
index bd86fdf..4772b9a 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
@@ -107,7 +107,7 @@ namespace winPEAS.Helpers
 PrintLegend();
 Console.WriteLine();
- LinkPrint("https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
+ LinkPrint("https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
 }
 static void PrintLegend()
diff --git a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs
index 2a4ca67..5b34b9d 100644
--- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs
@@ -113,7 +113,7 @@ namespace winPEAS.Info.UserInfo
 { "520", "Group Policy Creator Owners" }, //A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
 { "521", "Read-only Domain Controllers" }, //A global group. Members of this group are read-only domain controllers in the domain.
 { "522", "Cloneable Domain Controllers" }, //A global group. Members of this group that are domain controllers may be cloned.
- { "525", "Protected Users" }, //https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#protected-users
+ { "525", "Protected Users" }, //https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#protected-users
 { "526", "Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
 { "527", "Enterprise Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
 { "553", "RAS and IAS Servers" }, //A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs
index 4234791..53d493b 100644
--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs
@@ -26,7 +26,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
 try
 {
 Beaprint.MainPrint("Looking for Chrome DBs");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 Dictionary chromeDBs = Chrome.GetChromeDbs();
 if (chromeDBs.ContainsKey("userChromeCookiesPath"))
@@ -58,7 +58,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
 try
 {
 Beaprint.MainPrint("Looking for GET credentials in Chrome history");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 Dictionary> chromeHistBook = Chrome.GetChromeHistBook();
 List history = chromeHistBook["history"];
 List bookmarks = chromeHistBook["bookmarks"];
diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
index 7f9ba7b..c2f9c3d 100644
--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
@@ -28,7 +28,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
 try
 {
 Beaprint.MainPrint("Looking for Firefox DBs");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 List firefoxDBs = Firefox.GetFirefoxDbs();
 if (firefoxDBs.Count > 0)
 {
@@ -55,7 +55,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
 try
 {
 Beaprint.MainPrint("Looking for GET credentials in Firefox history");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 List firefoxHist = Firefox.GetFirefoxHistory();
 if (firefoxHist.Count > 0)
 {
diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs
index 56bb733..5be05dd 100644
--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs
@@ -29,7 +29,7 @@ namespace winPEAS.KnownFileCreds.Browsers
 try
 {
 Beaprint.MainPrint("Current IE tabs");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 List urls = InternetExplorer.GetCurrentIETabs();
 Dictionary colorsB = new Dictionary()
@@ -50,7 +50,7 @@ namespace winPEAS.KnownFileCreds.Browsers
 try
 {
 Beaprint.MainPrint("Looking for GET credentials in IE history");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 Dictionary> chromeHistBook = InternetExplorer.GetIEHistFav();
 List history = chromeHistBook["history"];
 List favorites = chromeHistBook["favorites"];
diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs
index 8f02d40..14ce141 100644
--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs
@@ -57,7 +57,7 @@ namespace winPEAS.KnownFileCreds
 try
 {
 Beaprint.MainPrint("SSH keys in registry");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");
 string[] ssh_reg = RegistryHelper.GetRegSubkeys("HKCU", @"OpenSSH\Agent\Keys");
 if (ssh_reg.Length == 0)