Brief description of your changes
This commit is contained in:
Jimmy
parent
82088b597c
commit
96b7bdaf91
@ -12,10 +12,10 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and
|
|||||||
|
|
||||||
These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
|
These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
|
||||||
|
|
||||||
- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
|
- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
|
||||||
- **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
|
- **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
|
||||||
|
|
||||||
- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**
|
- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**
|
||||||
- **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
|
- **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
|
||||||
|
|
||||||
## Quick Start
|
## Quick Start
|
||||||
|
|||||||
@ -1458,7 +1458,7 @@ search:
|
|||||||
config:
|
config:
|
||||||
auto_check: True
|
auto_check: True
|
||||||
exec:
|
exec:
|
||||||
- ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting"; fi
|
- ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.wiki/en/linux-hardening/freeipa-pentesting.html"; fi
|
||||||
|
|
||||||
files:
|
files:
|
||||||
- name: "ipa"
|
- name: "ipa"
|
||||||
|
|||||||
@ -2,9 +2,9 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)**
|
**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html)**
|
||||||
|
|
||||||
Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**.
|
Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**.
|
||||||
|
|
||||||
[](https://asciinema.org/a/309566)
|
[](https://asciinema.org/a/309566)
|
||||||
|
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
|
if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Searching Signature verification failed in dmesg"
|
print_2title "Searching Signature verification failed in dmesg"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed"
|
||||||
(dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
|
(dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
@ -13,7 +13,7 @@
|
|||||||
# Small linpeas: 1
|
# Small linpeas: 1
|
||||||
|
|
||||||
print_2title "Operative system"
|
print_2title "Operative system"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
|
||||||
(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
|
(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
|
||||||
warn_exec lsb_release -a 2>/dev/null
|
warn_exec lsb_release -a 2>/dev/null
|
||||||
if [ "$MACPEAS" ]; then
|
if [ "$MACPEAS" ]; then
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
print_2title "Sudo version"
|
print_2title "Sudo version"
|
||||||
if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
|
if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version"
|
||||||
sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
|
sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
|
||||||
else echo_not_found "sudo"
|
else echo_not_found "sudo"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
|
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
|
||||||
print_2title "USBCreator"
|
print_2title "USBCreator"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html"
|
||||||
|
|
||||||
pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
|
pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
|
||||||
if [ -z "$pc_version" ]; then
|
if [ -z "$pc_version" ]; then
|
||||||
|
|||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "PATH"
|
print_2title "PATH"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses"
|
||||||
if ! [ "$IAMROOT" ]; then
|
if ! [ "$IAMROOT" ]; then
|
||||||
echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
|
echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
|
if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
|
||||||
print_2title "Listing mounted tokens"
|
print_2title "Listing mounted tokens"
|
||||||
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
|
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
|
||||||
ALREADY_TOKENS="IinItialVaaluE"
|
ALREADY_TOKENS="IinItialVaaluE"
|
||||||
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
|
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do
|
||||||
TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
|
TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/'))
|
||||||
|
|||||||
@ -16,7 +16,7 @@
|
|||||||
if [ "$inContainer" ]; then
|
if [ "$inContainer" ]; then
|
||||||
echo ""
|
echo ""
|
||||||
print_2title "Container & breakout enumeration"
|
print_2title "Container & breakout enumeration"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html"
|
||||||
print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
|
print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')"
|
||||||
if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
|
if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then
|
||||||
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
|
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
|
||||||
@ -34,7 +34,7 @@ if [ "$inContainer" ]; then
|
|||||||
print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||||
|
|
||||||
print_3title "Breakout via mounts"
|
print_3title "Breakout via mounts"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html"
|
||||||
|
|
||||||
checkProcSysBreakouts
|
checkProcSysBreakouts
|
||||||
print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
|
||||||
@ -71,7 +71,7 @@ if [ "$inContainer" ]; then
|
|||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
print_3title "Namespaces"
|
print_3title "Namespaces"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
|
||||||
ls -l /proc/self/ns/
|
ls -l /proc/self/ns/
|
||||||
|
|
||||||
if echo "$containerType" | grep -qi "kubernetes"; then
|
if echo "$containerType" | grep -qi "kubernetes"; then
|
||||||
@ -80,7 +80,7 @@ if [ "$inContainer" ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_2title "Kubernetes Information"
|
print_2title "Kubernetes Information"
|
||||||
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod"
|
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
|
||||||
|
|
||||||
|
|
||||||
print_3title "Kubernetes service account folder"
|
print_3title "Kubernetes service account folder"
|
||||||
@ -92,7 +92,7 @@ if [ "$inContainer" ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_3title "Current sa user k8s permissions"
|
print_3title "Current sa user k8s permissions"
|
||||||
print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles"
|
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.html"
|
||||||
kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
|
kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \
|
||||||
"https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
|
"https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
|
||||||
-X 'POST' -H 'Content-Type: application/json' \
|
-X 'POST' -H 'Content-Type: application/json' \
|
||||||
@ -102,7 +102,7 @@ if [ "$inContainer" ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_2title "Container Capabilities"
|
print_2title "Container Capabilities"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#capabilities-abuse-escape"
|
||||||
if [ "$(command -v capsh || echo -n '')" ]; then
|
if [ "$(command -v capsh || echo -n '')" ]; then
|
||||||
capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
|
capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -13,7 +13,7 @@
|
|||||||
# Small linpeas: 1
|
# Small linpeas: 1
|
||||||
|
|
||||||
|
|
||||||
printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.xyz\n"$NC
|
printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.wiki\n"$NC
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
|
||||||
|
|||||||
@ -26,7 +26,7 @@ if [ "$is_gcp_function" = "Yes" ]; then
|
|||||||
# GCP Enumeration
|
# GCP Enumeration
|
||||||
if [ "$gcp_req" ]; then
|
if [ "$gcp_req" ]; then
|
||||||
print_2title "Google Cloud Platform Enumeration"
|
print_2title "Google Cloud Platform Enumeration"
|
||||||
print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security"
|
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
|
||||||
|
|
||||||
## GC Project Info
|
## GC Project Info
|
||||||
p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
|
p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
|
||||||
|
|||||||
@ -26,7 +26,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then
|
|||||||
|
|
||||||
if [ "$gcp_req" ]; then
|
if [ "$gcp_req" ]; then
|
||||||
print_2title "Google Cloud Platform Enumeration"
|
print_2title "Google Cloud Platform Enumeration"
|
||||||
print_info "https://book.hacktricks.xyz/cloud-security/gcp-security"
|
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
|
||||||
|
|
||||||
## GC Project Info
|
## GC Project Info
|
||||||
p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
|
p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id')
|
||||||
|
|||||||
@ -47,22 +47,22 @@ if [ "$is_az_vm" = "Yes" ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_3title "Management token"
|
print_3title "Management token"
|
||||||
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
|
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
|
||||||
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
|
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_3title "Graph token"
|
print_3title "Graph token"
|
||||||
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
|
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
|
||||||
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
|
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_3title "Vault token"
|
print_3title "Vault token"
|
||||||
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
|
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
|
||||||
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
|
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_3title "Storage token"
|
print_3title "Storage token"
|
||||||
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm"
|
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
|
||||||
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
|
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "System timers"
|
print_2title "System timers"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
|
||||||
(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
|
(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "Analyzing .timer files"
|
print_2title "Analyzing .timer files"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
|
||||||
printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
|
printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
|
||||||
if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
echo "$t" | sed -${E} "s,.*,${SED_RED},g"
|
echo "$t" | sed -${E} "s,.*,${SED_RED},g"
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
#TODO: .service files in MACOS are folders
|
#TODO: .service files in MACOS are folders
|
||||||
print_2title "Analyzing .service files"
|
print_2title "Analyzing .service files"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
|
||||||
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
|
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
|
||||||
if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
|
if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
|
||||||
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
|
|||||||
@ -16,7 +16,7 @@
|
|||||||
#TODO: .socket files in MACOS are folders
|
#TODO: .socket files in MACOS are folders
|
||||||
if ! [ "$IAMROOT" ]; then
|
if ! [ "$IAMROOT" ]; then
|
||||||
print_2title "Analyzing .socket files"
|
print_2title "Analyzing .socket files"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
|
||||||
printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
|
printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
|
||||||
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
|
echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
|
||||||
|
|||||||
@ -17,7 +17,7 @@
|
|||||||
if ! [ "$IAMROOT" ]; then
|
if ! [ "$IAMROOT" ]; then
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Unix Sockets Listening"
|
print_2title "Unix Sockets Listening"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
|
||||||
# Search sockets using netstat and ss
|
# Search sockets using netstat and ss
|
||||||
unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
|
unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
|
||||||
if ! [ "$unix_scks_list" ];then
|
if ! [ "$unix_scks_list" ];then
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "D-Bus Service Objects list"
|
print_2title "D-Bus Service Objects list"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
|
||||||
dbuslist=$(busctl list 2>/dev/null)
|
dbuslist=$(busctl list 2>/dev/null)
|
||||||
if [ "$dbuslist" ]; then
|
if [ "$dbuslist" ]; then
|
||||||
busctl list | while read l; do
|
busctl list | while read l; do
|
||||||
|
|||||||
@ -13,7 +13,7 @@
|
|||||||
# Small linpeas: 0
|
# Small linpeas: 0
|
||||||
|
|
||||||
print_2title "D-Bus config files"
|
print_2title "D-Bus config files"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
|
||||||
if [ "$PSTORAGE_DBUS" ]; then
|
if [ "$PSTORAGE_DBUS" ]; then
|
||||||
printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
|
printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
|
||||||
for f in $d/*; do
|
for f in $d/*; do
|
||||||
|
|||||||
@ -19,7 +19,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
if [ "$NOUSEPS" ]; then
|
if [ "$NOUSEPS" ]; then
|
||||||
printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
|
printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
|
||||||
fi
|
fi
|
||||||
print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
|
print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
|
||||||
|
|
||||||
if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
|
if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then
|
||||||
echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
|
echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users"
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Processes with credentials in memory (root req)"
|
print_2title "Processes with credentials in memory (root req)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory"
|
||||||
if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
|
if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
|
||||||
if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
|
if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
|
||||||
if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
|
if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
|
||||||
|
|||||||
@ -16,7 +16,7 @@
|
|||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
if [ "$NOUSEPS" ]; then
|
if [ "$NOUSEPS" ]; then
|
||||||
print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
|
print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
|
||||||
binW="IniTialiZZinnggg"
|
binW="IniTialiZZinnggg"
|
||||||
ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
|
ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
|
||||||
if [ -w "$bpath" ]; then
|
if [ -w "$bpath" ]; then
|
||||||
|
|||||||
@ -16,7 +16,7 @@
|
|||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
|
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
|
||||||
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
|
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs"
|
||||||
temp_file=$(mktemp)
|
temp_file=$(mktemp)
|
||||||
if [ "$(ps -e -o user,command 2>/dev/null)" ]; then
|
if [ "$(ps -e -o user,command 2>/dev/null)" ]; then
|
||||||
for i in $(seq 1 1210); do
|
for i in $(seq 1 1210); do
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Systemd PATH"
|
print_2title "Systemd PATH"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
|
||||||
systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
|
systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
|
||||||
WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
|
WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
|
||||||
echo ""
|
echo ""
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Cron jobs"
|
print_2title "Cron jobs"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
|
||||||
command -v crontab 2>/dev/null || echo_not_found "crontab"
|
command -v crontab 2>/dev/null || echo_not_found "crontab"
|
||||||
crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
|
crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
|
||||||
command -v incrontab 2>/dev/null || echo_not_found "incrontab"
|
command -v incrontab 2>/dev/null || echo_not_found "incrontab"
|
||||||
@ -27,7 +27,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
atq 2>/dev/null
|
atq 2>/dev/null
|
||||||
else
|
else
|
||||||
print_2title "Cron jobs"
|
print_2title "Cron jobs"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
|
||||||
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
|
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
|
||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
@ -16,7 +16,7 @@
|
|||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
if [ "$MACPEAS" ]; then
|
if [ "$MACPEAS" ]; then
|
||||||
print_2title "Third party LaunchAgents & LaunchDemons"
|
print_2title "Third party LaunchAgents & LaunchDemons"
|
||||||
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
|
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
|
||||||
ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
|
ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
@ -34,12 +34,12 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_2title "StartupItems"
|
print_2title "StartupItems"
|
||||||
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items"
|
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
|
||||||
ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
|
ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_2title "Login Items"
|
print_2title "Login Items"
|
||||||
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items"
|
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
|
||||||
osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
|
osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
@ -48,7 +48,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
print_2title "Emond scripts"
|
print_2title "Emond scripts"
|
||||||
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
|
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
|
||||||
ls -l /private/var/db/emondClients
|
ls -l /private/var/db/emondClients
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -14,6 +14,6 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "Active Ports"
|
print_2title "Active Ports"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
|
||||||
( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
|
( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
|
||||||
echo ""
|
echo ""
|
||||||
|
|||||||
@ -16,7 +16,7 @@
|
|||||||
print_2title "Can I sniff with tcpdump?"
|
print_2title "Can I sniff with tcpdump?"
|
||||||
timeout 1 tcpdump >/dev/null 2>&1
|
timeout 1 tcpdump >/dev/null 2>&1
|
||||||
if [ $? -eq 124 ]; then #If 124, then timed out == It worked
|
if [ $? -eq 124 ]; then #If 124, then timed out == It worked
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sniffing"
|
||||||
echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
|
echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
|
||||||
else echo_no
|
else echo_no
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -14,6 +14,6 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "Checking Pkexec policy"
|
print_2title "Checking Pkexec policy"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2"
|
||||||
(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
|
(cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
|
||||||
echo ""
|
echo ""
|
||||||
|
|||||||
@ -14,6 +14,6 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "My user"
|
print_2title "My user"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users"
|
||||||
(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
|
(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
|
||||||
echo ""
|
echo ""
|
||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if [ "$MACPEAS" ];then
|
if [ "$MACPEAS" ];then
|
||||||
print_2title "Keychains"
|
print_2title "Keychains"
|
||||||
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker"
|
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker"
|
||||||
security list-keychains
|
security list-keychains
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
|
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
|
||||||
(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
|
(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
|
||||||
if [ "$PASSWORD" ]; then
|
if [ "$PASSWORD" ]; then
|
||||||
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo"
|
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo"
|
||||||
|
|||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "Checking sudo tokens"
|
print_2title "Checking sudo tokens"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens"
|
||||||
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
|
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
|
||||||
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
|
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then
|
||||||
echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";
|
echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g";
|
||||||
|
|||||||
@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
containerd=$(command -v ctr || echo -n '')
|
containerd=$(command -v ctr || echo -n '')
|
||||||
if [ "$containerd" ] || [ "$DEBUG" ]; then
|
if [ "$containerd" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Checking if containerd(ctr) is available"
|
print_2title "Checking if containerd(ctr) is available"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#containerd-ctr-privilege-escalation"
|
||||||
if [ "$containerd" ]; then
|
if [ "$containerd" ]; then
|
||||||
echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
|
echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
|
||||||
ctr image list 2>&1
|
ctr image list 2>&1
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
|
if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Searching docker files (limit 70)"
|
print_2title "Searching docker files (limit 70)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/index.html#docker-breakout--privilege-escalation"
|
||||||
printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
|
printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
|
||||||
ls -l "$f" 2>/dev/null
|
ls -l "$f" 2>/dev/null
|
||||||
if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then
|
if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
|
if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Analyzing kcpassword files"
|
print_2title "Analyzing kcpassword files"
|
||||||
print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword"
|
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#kcpassword"
|
||||||
printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
|
printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
|
||||||
echo "$f" | sed -${E} "s,.*,${SED_RED},"
|
echo "$f" | sed -${E} "s,.*,${SED_RED},"
|
||||||
base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED},"
|
||||||
|
|||||||
@ -18,7 +18,7 @@ klist_exists="$(command -v klist || echo -n '')"
|
|||||||
kinit_exists="$(command -v kinit || echo -n '')"
|
kinit_exists="$(command -v kinit || echo -n '')"
|
||||||
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
|
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Searching kerberos conf files and tickets"
|
print_2title "Searching kerberos conf files and tickets"
|
||||||
print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-active-directory.html#linux-active-directory"
|
||||||
|
|
||||||
if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
|
if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
|
||||||
if [ "$kinit_exists" ]; then echo "kadmin was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi
|
if [ "$kinit_exists" ]; then echo "kadmin was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi
|
||||||
|
|||||||
@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
|
|||||||
runc=$(command -v runc || echo -n '')
|
runc=$(command -v runc || echo -n '')
|
||||||
if [ "$runc" ] || [ "$DEBUG" ]; then
|
if [ "$runc" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Checking if runc is available"
|
print_2title "Checking if runc is available"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#runc--privilege-escalation"
|
||||||
if [ "$runc" ]; then
|
if [ "$runc" ]; then
|
||||||
echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
|
echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Searching screen sessions"
|
print_2title "Searching screen sessions"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
|
||||||
screensess=$(screen -ls 2>/dev/null)
|
screensess=$(screen -ls 2>/dev/null)
|
||||||
screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
|
screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
|
||||||
|
|
||||||
|
|||||||
@ -18,7 +18,7 @@ tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep)
|
|||||||
tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
|
tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
|
||||||
if ([ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ([ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Searching tmux sessions"$N
|
print_2title "Searching tmux sessions"$N
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions"
|
||||||
tmux -V
|
tmux -V
|
||||||
printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
|
printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
|
||||||
|
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$IAMROOT" ]; then
|
if ! [ "$IAMROOT" ]; then
|
||||||
print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
|
print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
|
||||||
#In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
|
#In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
|
||||||
obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
|
obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
|
||||||
printf "%s\n" "$obmowbe" | while read l; do
|
printf "%s\n" "$obmowbe" | while read l; do
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$IAMROOT" ]; then
|
if ! [ "$IAMROOT" ]; then
|
||||||
print_2title "Interesting GROUP writable files (not in Home) (max 200)"
|
print_2title "Interesting GROUP writable files (not in Home) (max 200)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
|
||||||
for g in $(groups); do
|
for g in $(groups); do
|
||||||
iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
|
iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
|
||||||
if [ "$iwfbg" ] || [ "$DEBUG" ]; then
|
if [ "$iwfbg" ] || [ "$DEBUG" ]; then
|
||||||
|
|||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "SUID - Check easy privesc, exploits and write perms"
|
print_2title "SUID - Check easy privesc, exploits and write perms"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
|
||||||
if ! [ "$STRINGS" ]; then
|
if ! [ "$STRINGS" ]; then
|
||||||
echo_not_found "strings"
|
echo_not_found "strings"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "SGID"
|
print_2title "SGID"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
|
||||||
sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
|
sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
|
||||||
printf "%s\n" "$sgids_files" | while read s; do
|
printf "%s\n" "$sgids_files" | while read s; do
|
||||||
s=$(ls -lahtr "$s")
|
s=$(ls -lahtr "$s")
|
||||||
|
|||||||
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
|
|
||||||
print_2title "Files with ACLs (limited to 50)"
|
print_2title "Files with ACLs (limited to 50)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls"
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||||
else
|
else
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Capabilities"
|
print_2title "Capabilities"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
|
||||||
if [ "$(command -v capsh || echo -n '')" ]; then
|
if [ "$(command -v capsh || echo -n '')" ]; then
|
||||||
|
|
||||||
print_3title "Current shell capabilities"
|
print_3title "Current shell capabilities"
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
|
if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
|
||||||
print_2title "Users with capabilities"
|
print_2title "Users with capabilities"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
|
||||||
if [ -f "/etc/security/capability.conf" ]; then
|
if [ -f "/etc/security/capability.conf" ]; then
|
||||||
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
|
||||||
else echo_not_found "/etc/security/capability.conf"
|
else echo_not_found "/etc/security/capability.conf"
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
|
||||||
print_2title "Checking misconfigurations of ld.so"
|
print_2title "Checking misconfigurations of ld.so"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso"
|
||||||
if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then
|
if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then
|
||||||
echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},";
|
||||||
printf $RED$ITALIC"/etc/ld.so.conf\n"$NC;
|
printf $RED$ITALIC"/etc/ld.so.conf\n"$NC;
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Files (scripts) in /etc/profile.d/"
|
print_2title "Files (scripts) in /etc/profile.d/"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files"
|
||||||
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
|
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
|
||||||
(ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
|
(ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
|
||||||
check_critial_root_path "/etc/profile"
|
check_critial_root_path "/etc/profile"
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title "Permissions in init, init.d, systemd, and rc.d"
|
print_2title "Permissions in init, init.d, systemd, and rc.d"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd"
|
||||||
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
|
if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
|
||||||
check_critial_root_path "/etc/init/"
|
check_critial_root_path "/etc/init/"
|
||||||
check_critial_root_path "/etc/init.d/"
|
check_critial_root_path "/etc/init.d/"
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
if ! [ "$SEARCH_IN_FOLDER" ]; then
|
||||||
print_2title ".sh files in path"
|
print_2title ".sh files in path"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path"
|
||||||
echo $PATH | tr ":" "\n" | while read d; do
|
echo $PATH | tr ":" "\n" | while read d; do
|
||||||
for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do
|
for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do
|
||||||
if ! [ "$IAMROOT" ] && [ -O "$f" ]; then
|
if ! [ "$IAMROOT" ] && [ -O "$f" ]; then
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below
|
if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below
|
||||||
print_2title "Writable log files (logrotten) (limit 50)"
|
print_2title "Writable log files (logrotten) (limit 50)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation"
|
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation"
|
||||||
logrotate --version 2>/dev/null || echo_not_found "logrotate"
|
logrotate --version 2>/dev/null || echo_not_found "logrotate"
|
||||||
lastWlogFolder="ImPOsSiBleeElastWlogFolder"
|
lastWlogFolder="ImPOsSiBleeElastWlogFolder"
|
||||||
logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50)
|
logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50)
|
||||||
|
|||||||
@ -343,7 +343,7 @@ print_support () {
|
|||||||
${GREEN}/---------------------------------------------------------------------------------\\
|
${GREEN}/---------------------------------------------------------------------------------\\
|
||||||
| ${BLUE}Do you like PEASS?${GREEN} |
|
| ${BLUE}Do you like PEASS?${GREEN} |
|
||||||
|---------------------------------------------------------------------------------|
|
|---------------------------------------------------------------------------------|
|
||||||
| ${YELLOW}Learn Cloud Hacking${GREEN} : ${RED}https://training.hacktricks.xyz${GREEN} |
|
| ${YELLOW}Learn Cloud Hacking${GREEN} : ${RED}https://training.hacktricks.wiki${GREEN} |
|
||||||
| ${YELLOW}Follow on Twitter${GREEN} : ${RED}@hacktricks_live${GREEN} |
|
| ${YELLOW}Follow on Twitter${GREEN} : ${RED}@hacktricks_live${GREEN} |
|
||||||
| ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} |
|
| ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} |
|
||||||
|---------------------------------------------------------------------------------|
|
|---------------------------------------------------------------------------------|
|
||||||
@ -362,7 +362,7 @@ printf ${BLUE}" $SCRIPTNAME-$VERSION ${YELLOW}by carlospolop\n"$NC;
|
|||||||
echo ""
|
echo ""
|
||||||
printf ${YELLOW}"ADVISORY: ${BLUE}$ADVISORY\n$NC"
|
printf ${YELLOW}"ADVISORY: ${BLUE}$ADVISORY\n$NC"
|
||||||
echo ""
|
echo ""
|
||||||
printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist\n"$NC
|
printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html\n"$NC
|
||||||
echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m,"
|
echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m,"
|
||||||
echo " RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW},"
|
echo " RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW},"
|
||||||
echo " RED: You should take a look to it" | sed "s,RED,${SED_RED},"
|
echo " RED: You should take a look to it" | sed "s,RED,${SED_RED},"
|
||||||
|
|||||||
@ -38,7 +38,7 @@ There is a **maximun of 3 levels of sections**.
|
|||||||
}
|
}
|
||||||
],
|
],
|
||||||
"infos": [
|
"infos": [
|
||||||
"https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
|
"https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"infos": []
|
"infos": []
|
||||||
@ -65,7 +65,7 @@ There is a **maximun of 3 levels of sections**.
|
|||||||
}
|
}
|
||||||
],
|
],
|
||||||
"infos": [
|
"infos": [
|
||||||
"https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
|
"https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"infos": []
|
"infos": []
|
||||||
|
|||||||
@ -2,9 +2,9 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
|
Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
|
||||||
|
|
||||||
Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
|
Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
|
||||||
|
|
||||||
## Quick Start
|
## Quick Start
|
||||||
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.
|
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**.
|
||||||
|
|||||||
@ -2,9 +2,9 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
|
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
|
||||||
|
|
||||||
Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
|
Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)
|
||||||
|
|
||||||
### WinPEAS.bat is a batch script made for Windows systems which don't support WinPEAS.exe (Net.4 required)
|
### WinPEAS.bat is a batch script made for Windows systems which don't support WinPEAS.exe (Net.4 required)
|
||||||
|
|
||||||
|
|||||||
@ -63,7 +63,7 @@ ECHO.
|
|||||||
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
|
CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
|
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
|
||||||
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
|
ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
|
||||||
systeminfo
|
systeminfo
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
@ -190,7 +190,7 @@ CALL :T_Progress 1
|
|||||||
:UACSettings
|
:UACSettings
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
|
CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
|
||||||
ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
|
ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access
|
||||||
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
|
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -241,7 +241,7 @@ CALL :T_Progress 1
|
|||||||
:InstalledSoftware
|
:InstalledSoftware
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
|
CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
|
||||||
ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
|
ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
|
||||||
ECHO.
|
ECHO.
|
||||||
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
|
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
|
||||||
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
|
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
|
||||||
@ -252,7 +252,7 @@ CALL :T_Progress 2
|
|||||||
|
|
||||||
:RemodeDeskCredMgr
|
:RemodeDeskCredMgr
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
|
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
|
||||||
IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
|
IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -260,7 +260,7 @@ CALL :T_Progress 1
|
|||||||
:WSUS
|
:WSUS
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m WSUS"
|
CALL :ColorLine " %E%33m[+]%E%97m WSUS"
|
||||||
ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
|
ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
|
||||||
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
|
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -268,7 +268,7 @@ CALL :T_Progress 1
|
|||||||
:RunningProcesses
|
:RunningProcesses
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
|
CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
|
||||||
ECHO. [i] Something unexpected is running? Check for vulnerabilities
|
ECHO. [i] Something unexpected is running? Check for vulnerabilities
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
|
||||||
tasklist /SVC
|
tasklist /SVC
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
@ -289,7 +289,7 @@ CALL :T_Progress 3
|
|||||||
:RunAtStartup
|
:RunAtStartup
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
|
CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
|
||||||
ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
|
ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup
|
||||||
::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
|
::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
|
||||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
|
||||||
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
|
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
|
||||||
@ -313,7 +313,7 @@ CALL :T_Progress 2
|
|||||||
:AlwaysInstallElevated
|
:AlwaysInstallElevated
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
|
CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
|
||||||
ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
|
ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated-1
|
||||||
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
||||||
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
|
||||||
ECHO.
|
ECHO.
|
||||||
@ -377,7 +377,7 @@ CALL :T_Progress 1
|
|||||||
:BasicUserInfo
|
:BasicUserInfo
|
||||||
CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
|
CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
|
||||||
ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
|
ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
|
CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
|
||||||
net user %username%
|
net user %username%
|
||||||
@ -451,7 +451,7 @@ ECHO.
|
|||||||
|
|
||||||
:ServiceBinaryPermissions
|
:ServiceBinaryPermissions
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
|
CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
|
||||||
for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
|
for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
|
||||||
for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
|
for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
|
||||||
)
|
)
|
||||||
@ -460,7 +460,7 @@ CALL :T_Progress 1
|
|||||||
|
|
||||||
:CheckRegistryModificationAbilities
|
:CheckRegistryModificationAbilities
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
|
CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
|
||||||
for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
|
for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -469,7 +469,7 @@ CALL :T_Progress 1
|
|||||||
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
|
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
|
||||||
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
|
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
|
||||||
ECHO. [i] The permissions are also checked and filtered using icacls
|
ECHO. [i] The permissions are also checked and filtered using icacls
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
|
||||||
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
|
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
|
||||||
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
|
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
|
||||||
ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
|
ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
|
||||||
@ -484,7 +484,7 @@ ECHO.
|
|||||||
CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
|
CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
|
||||||
ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
|
ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
|
||||||
ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
|
ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
|
||||||
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
|
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
@ -493,7 +493,7 @@ CALL :T_Progress 1
|
|||||||
CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
|
CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
|
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
|
||||||
cmdkey /list
|
cmdkey /list
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
@ -501,14 +501,14 @@ CALL :T_Progress 2
|
|||||||
:DPAPIMasterKeys
|
:DPAPIMasterKeys
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
||||||
ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
|
ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
|
||||||
powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
|
powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
|
||||||
powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
|
powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
|
||||||
ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
|
ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
|
||||||
ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
|
ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
|
||||||
ECHO.
|
ECHO.
|
||||||
ECHO.Looking inside %appdata%\Microsoft\Credentials\
|
ECHO.Looking inside %appdata%\Microsoft\Credentials\
|
||||||
ECHO.
|
ECHO.
|
||||||
@ -581,7 +581,7 @@ CALL :T_Progress 2
|
|||||||
|
|
||||||
:AppCMD
|
:AppCMD
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
|
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
|
||||||
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
|
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
@ -589,7 +589,7 @@ CALL :T_Progress 2
|
|||||||
:RegFilesCredentials
|
:RegFilesCredentials
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
|
CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
|
||||||
ECHO. [i] Searching specific files that may contains credentials.
|
ECHO. [i] Searching specific files that may contains credentials.
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
|
ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
|
||||||
ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
|
ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
|
||||||
reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
|
reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
|
||||||
CALL :T_Progress 2
|
CALL :T_Progress 2
|
||||||
|
|||||||
@ -2,9 +2,9 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
|
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
|
||||||
|
|
||||||
Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
|
Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
|
||||||
|
|
||||||
[](https://youtu.be/66gOwXMnxRI)
|
[](https://youtu.be/66gOwXMnxRI)
|
||||||
|
|
||||||
|
|||||||
@ -56,7 +56,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--");
|
Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software", "Check if you can modify installed software");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications", "Check if you can modify installed software");
|
||||||
SortedDictionary<string, Dictionary<string, string>> installedAppsPerms = InstalledApps.GetInstalledAppsPerms();
|
SortedDictionary<string, Dictionary<string, string>> installedAppsPerms = InstalledApps.GetInstalledAppsPerms();
|
||||||
string format = " ==> {0} ({1})";
|
string format = " ==> {0} ({1})";
|
||||||
|
|
||||||
@ -102,7 +102,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Autorun Applications");
|
Beaprint.MainPrint("Autorun Applications");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
|
||||||
List<Dictionary<string, string>> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
|
List<Dictionary<string, string>> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
|
||||||
|
|
||||||
foreach (Dictionary<string, string> app in apps)
|
foreach (Dictionary<string, string> app in apps)
|
||||||
@ -189,7 +189,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Scheduled Applications --Non Microsoft--");
|
Beaprint.MainPrint("Scheduled Applications --Non Microsoft--");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users scheduled binaries");
|
||||||
List<Dictionary<string, string>> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft();
|
List<Dictionary<string, string>> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft();
|
||||||
|
|
||||||
foreach (Dictionary<string, string> sapp in scheduled_apps)
|
foreach (Dictionary<string, string> sapp in scheduled_apps)
|
||||||
@ -239,7 +239,7 @@ namespace winPEAS.Checks
|
|||||||
{
|
{
|
||||||
Beaprint.MainPrint("Device Drivers --Non Microsoft--");
|
Beaprint.MainPrint("Device Drivers --Non Microsoft--");
|
||||||
// this link is not very specific, but its the best on hacktricks
|
// this link is not very specific, but its the best on hacktricks
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
|
||||||
|
|
||||||
foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
|
foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
|
||||||
{
|
{
|
||||||
|
|||||||
@ -12,10 +12,10 @@ namespace winPEAS.Checks
|
|||||||
|
|
||||||
Dictionary<string, string> colorsTraining = new Dictionary<string, string>()
|
Dictionary<string, string> colorsTraining = new Dictionary<string, string>()
|
||||||
{
|
{
|
||||||
{ "training.hacktricks.xyz", Beaprint.ansi_color_good },
|
{ "training.hacktricks.wiki", Beaprint.ansi_color_good },
|
||||||
{ "Learn & practice cloud hacking in", Beaprint.ansi_color_yellow },
|
{ "Learn & practice cloud hacking in", Beaprint.ansi_color_yellow },
|
||||||
};
|
};
|
||||||
Beaprint.AnsiPrint("Learn and practice cloud hacking in training.hacktricks.xyz", colorsTraining);
|
Beaprint.AnsiPrint("Learn and practice cloud hacking in training.hacktricks.wiki", colorsTraining);
|
||||||
|
|
||||||
var cloudInfoList = new List<CloudInfoBase>
|
var cloudInfoList = new List<CloudInfoBase>
|
||||||
{
|
{
|
||||||
|
|||||||
@ -151,7 +151,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Cloud Credentials");
|
Beaprint.MainPrint("Cloud Credentials");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
|
||||||
List<Dictionary<string, string>> could_creds = KnownFileCredsInfo.ListCloudCreds();
|
List<Dictionary<string, string>> could_creds = KnownFileCredsInfo.ListCloudCreds();
|
||||||
if (could_creds.Count != 0)
|
if (could_creds.Count != 0)
|
||||||
{
|
{
|
||||||
@ -382,7 +382,7 @@ namespace winPEAS.Checks
|
|||||||
string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
|
string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
|
||||||
|
|
||||||
Beaprint.MainPrint("Looking for possible regs with creds");
|
Beaprint.MainPrint("Looking for possible regs with creds");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry");
|
||||||
|
|
||||||
string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
|
string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
|
||||||
if (!string.IsNullOrEmpty(winVnc4.Trim()))
|
if (!string.IsNullOrEmpty(winVnc4.Trim()))
|
||||||
@ -431,7 +431,7 @@ namespace winPEAS.Checks
|
|||||||
};
|
};
|
||||||
|
|
||||||
Beaprint.MainPrint("Looking for possible password files in users homes");
|
Beaprint.MainPrint("Looking for possible password files in users homes");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
|
||||||
var fileInfos = SearchHelper.SearchUserCredsFiles();
|
var fileInfos = SearchHelper.SearchUserCredsFiles();
|
||||||
|
|
||||||
foreach (var fileInfo in fileInfos)
|
foreach (var fileInfo in fileInfos)
|
||||||
@ -470,7 +470,7 @@ namespace winPEAS.Checks
|
|||||||
};
|
};
|
||||||
|
|
||||||
Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
|
Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
|
||||||
List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
|
List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
|
||||||
|
|
||||||
foreach (Dictionary<string, string> rec_file in recy_files)
|
foreach (Dictionary<string, string> rec_file in recy_files)
|
||||||
@ -506,7 +506,7 @@ namespace winPEAS.Checks
|
|||||||
};
|
};
|
||||||
|
|
||||||
Beaprint.MainPrint("Searching known files that can contain creds in home");
|
Beaprint.MainPrint("Searching known files that can contain creds in home");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials");
|
||||||
|
|
||||||
var files = SearchHelper.SearchUsersInterestingFiles();
|
var files = SearchHelper.SearchUsersInterestingFiles();
|
||||||
|
|
||||||
|
|||||||
@ -24,7 +24,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Interesting Processes -non Microsoft-");
|
Beaprint.MainPrint("Interesting Processes -non Microsoft-");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
|
||||||
List<Dictionary<string, string>> processesInfo = ProcessesInfo.GetProcInfo();
|
List<Dictionary<string, string>> processesInfo = ProcessesInfo.GetProcInfo();
|
||||||
|
|
||||||
foreach (Dictionary<string, string> procInfo in processesInfo)
|
foreach (Dictionary<string, string> procInfo in processesInfo)
|
||||||
@ -93,7 +93,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Vulnerable Leaked Handlers");
|
Beaprint.MainPrint("Vulnerable Leaked Handlers");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers");
|
||||||
|
|
||||||
List<Dictionary<string, string>> vulnHandlers = new List<Dictionary<string, string>>();
|
List<Dictionary<string, string>> vulnHandlers = new List<Dictionary<string, string>>();
|
||||||
|
|
||||||
|
|||||||
@ -42,7 +42,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Interesting Services -non Microsoft-");
|
Beaprint.MainPrint("Interesting Services -non Microsoft-");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
|
||||||
|
|
||||||
List<Dictionary<string, string>> services_info = ServicesInfoHelper.GetNonstandardServices();
|
List<Dictionary<string, string>> services_info = ServicesInfoHelper.GetNonstandardServices();
|
||||||
|
|
||||||
@ -121,7 +121,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Modifiable Services");
|
Beaprint.MainPrint("Modifiable Services");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can modify any service");
|
||||||
if (modifiableServices.Count > 0)
|
if (modifiableServices.Count > 0)
|
||||||
{
|
{
|
||||||
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
|
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
|
||||||
@ -158,7 +158,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking if you can modify any service registry");
|
Beaprint.MainPrint("Looking if you can modify any service registry");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions", "Check if you can modify the registry of a service");
|
||||||
List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs);
|
List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs);
|
||||||
|
|
||||||
Dictionary<string, string> colorsWR = new Dictionary<string, string>()
|
Dictionary<string, string> colorsWR = new Dictionary<string, string>()
|
||||||
@ -186,7 +186,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)");
|
Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking", "Check for DLL Hijacking in PATH folders");
|
||||||
Dictionary<string, string> path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking();
|
Dictionary<string, string> path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking();
|
||||||
foreach (KeyValuePair<string, string> entry in path_dllhijacking)
|
foreach (KeyValuePair<string, string> entry in path_dllhijacking)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -98,7 +98,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Basic System Information");
|
Beaprint.MainPrint("Basic System Information");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits", "Check if the Windows versions is vulnerable to some known exploit");
|
||||||
Dictionary<string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();
|
Dictionary<string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();
|
||||||
basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR;
|
basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR;
|
||||||
Dictionary<string, string> colorsSI = new Dictionary<string, string>
|
Dictionary<string, string> colorsSI = new Dictionary<string, string>
|
||||||
@ -337,7 +337,7 @@ namespace winPEAS.Checks
|
|||||||
static void PrintWdigest()
|
static void PrintWdigest()
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Wdigest");
|
Beaprint.MainPrint("Wdigest");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest", "If enabled, plain-text crds could be stored in LSASS");
|
||||||
string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential");
|
string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential");
|
||||||
if (useLogonCredential == "1")
|
if (useLogonCredential == "1")
|
||||||
Beaprint.BadPrint(" Wdigest is active");
|
Beaprint.BadPrint(" Wdigest is active");
|
||||||
@ -348,7 +348,7 @@ namespace winPEAS.Checks
|
|||||||
static void PrintLSAProtection()
|
static void PrintLSAProtection()
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("LSA Protection");
|
Beaprint.MainPrint("LSA Protection");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
|
||||||
string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL");
|
string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL");
|
||||||
if (useLogonCredential == "1")
|
if (useLogonCredential == "1")
|
||||||
Beaprint.GoodPrint(" LSA Protection is active");
|
Beaprint.GoodPrint(" LSA Protection is active");
|
||||||
@ -359,7 +359,7 @@ namespace winPEAS.Checks
|
|||||||
static void PrintCredentialGuard()
|
static void PrintCredentialGuard()
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Credentials Guard");
|
Beaprint.MainPrint("Credentials Guard");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard", "If enabled, a driver is needed to read LSASS memory");
|
||||||
string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
|
string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
|
||||||
|
|
||||||
if (lsaCfgFlags == "1")
|
if (lsaCfgFlags == "1")
|
||||||
@ -384,7 +384,7 @@ namespace winPEAS.Checks
|
|||||||
{
|
{
|
||||||
try{
|
try{
|
||||||
Beaprint.MainPrint("Cached Creds");
|
Beaprint.MainPrint("Cached Creds");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
|
||||||
string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
|
string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
|
||||||
if (!string.IsNullOrEmpty(cachedlogonscount))
|
if (!string.IsNullOrEmpty(cachedlogonscount))
|
||||||
{
|
{
|
||||||
@ -526,7 +526,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("UAC Status");
|
Beaprint.MainPrint("UAC Status");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss", "If you are in the Administrators group check how to bypass the UAC");
|
||||||
Dictionary<string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
|
Dictionary<string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
|
||||||
|
|
||||||
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
|
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
|
||||||
@ -559,7 +559,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking WSUS");
|
Beaprint.MainPrint("Checking WSUS");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus");
|
||||||
string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
|
string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
|
||||||
string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
|
string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
|
||||||
string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
|
string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
|
||||||
@ -594,7 +594,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking KrbRelayUp");
|
Beaprint.MainPrint("Checking KrbRelayUp");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayupp");
|
||||||
|
|
||||||
if (Checks.CurrentAdDomainName.Length > 0)
|
if (Checks.CurrentAdDomainName.Length > 0)
|
||||||
{
|
{
|
||||||
@ -640,7 +640,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking AlwaysInstallElevated");
|
Beaprint.MainPrint("Checking AlwaysInstallElevated");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated");
|
||||||
string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
|
string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
|
||||||
string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
|
string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
|
||||||
string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");
|
string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");
|
||||||
|
|||||||
@ -78,7 +78,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Users");
|
Beaprint.MainPrint("Users");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups", "Check if you have some admin equivalent privileges");
|
||||||
|
|
||||||
List<string> usersGrps = User.GetMachineUsers(false, false, false, false, true);
|
List<string> usersGrps = User.GetMachineUsers(false, false, false, false, true);
|
||||||
|
|
||||||
@ -109,7 +109,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Current Token privileges");
|
Beaprint.MainPrint("Current Token privileges");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation", "Check if you can escalate privilege using some enabled token");
|
||||||
Dictionary<string, string> tokenPrivs = Token.GetTokenGroupPrivs();
|
Dictionary<string, string> tokenPrivs = Token.GetTokenGroupPrivs();
|
||||||
Beaprint.DictPrint(tokenPrivs, ColorsU(), false);
|
Beaprint.DictPrint(tokenPrivs, ColorsU(), false);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -48,7 +48,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking Windows Vault");
|
Beaprint.MainPrint("Checking Windows Vault");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault");
|
||||||
var vaultCreds = VaultCli.DumpVault();
|
var vaultCreds = VaultCli.DumpVault();
|
||||||
|
|
||||||
var colorsC = new Dictionary<string, string>()
|
var colorsC = new Dictionary<string, string>()
|
||||||
@ -68,7 +68,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking Credential manager");
|
Beaprint.MainPrint("Checking Credential manager");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault");
|
||||||
|
|
||||||
var colorsC = new Dictionary<string, string>()
|
var colorsC = new Dictionary<string, string>()
|
||||||
{
|
{
|
||||||
@ -153,7 +153,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking for DPAPI Master Keys");
|
Beaprint.MainPrint("Checking for DPAPI Master Keys");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi");
|
||||||
var masterKeys = KnownFileCredsInfo.ListMasterKeys();
|
var masterKeys = KnownFileCredsInfo.ListMasterKeys();
|
||||||
|
|
||||||
if (masterKeys.Count != 0)
|
if (masterKeys.Count != 0)
|
||||||
@ -181,7 +181,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking for DPAPI Credential Files");
|
Beaprint.MainPrint("Checking for DPAPI Credential Files");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi");
|
||||||
var credFiles = KnownFileCredsInfo.GetCredFiles();
|
var credFiles = KnownFileCredsInfo.GetCredFiles();
|
||||||
Beaprint.DictPrint(credFiles, false);
|
Beaprint.DictPrint(credFiles, false);
|
||||||
|
|
||||||
@ -201,7 +201,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Checking for RDCMan Settings Files");
|
Beaprint.MainPrint("Checking for RDCMan Settings Files");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager",
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager",
|
||||||
"Dump credentials from Remote Desktop Connection Manager");
|
"Dump credentials from Remote Desktop Connection Manager");
|
||||||
var rdcFiles = RemoteDesktop.GetRDCManFiles();
|
var rdcFiles = RemoteDesktop.GetRDCManFiles();
|
||||||
Beaprint.DictPrint(rdcFiles, false);
|
Beaprint.DictPrint(rdcFiles, false);
|
||||||
@ -222,7 +222,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking for Kerberos tickets");
|
Beaprint.MainPrint("Looking for Kerberos tickets");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html");
|
||||||
var kerberosTickets = Kerberos.ListKerberosTickets();
|
var kerberosTickets = Kerberos.ListKerberosTickets();
|
||||||
|
|
||||||
Beaprint.DictPrint(kerberosTickets, false);
|
Beaprint.DictPrint(kerberosTickets, false);
|
||||||
@ -307,7 +307,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking AppCmd.exe");
|
Beaprint.MainPrint("Looking AppCmd.exe");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe");
|
||||||
|
|
||||||
var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
|
var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
|
||||||
|
|
||||||
@ -368,7 +368,7 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking SSClient.exe");
|
Beaprint.MainPrint("Looking SSClient.exe");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm");
|
||||||
|
|
||||||
if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe")))
|
if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe")))
|
||||||
{
|
{
|
||||||
|
|||||||
@ -81,7 +81,7 @@ namespace winPEAS.Helpers
|
|||||||
/---------------------------------------------------------------------------------\
|
/---------------------------------------------------------------------------------\
|
||||||
| {1}Do you like PEASS?{0} |
|
| {1}Do you like PEASS?{0} |
|
||||||
|---------------------------------------------------------------------------------|
|
|---------------------------------------------------------------------------------|
|
||||||
| {3}Learn Cloud Hacking{0} : {2}training.hacktricks.xyz{0} |
|
| {3}Learn Cloud Hacking{0} : {2}training.hacktricks.wiki{0} |
|
||||||
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
|
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
|
||||||
| {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|
| {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|
||||||
|---------------------------------------------------------------------------------|
|
|---------------------------------------------------------------------------------|
|
||||||
@ -104,7 +104,7 @@ namespace winPEAS.Helpers
|
|||||||
|
|
||||||
PrintLegend();
|
PrintLegend();
|
||||||
Console.WriteLine();
|
Console.WriteLine();
|
||||||
Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation");
|
Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html");
|
||||||
}
|
}
|
||||||
|
|
||||||
static void PrintLegend()
|
static void PrintLegend()
|
||||||
|
|||||||
@ -112,7 +112,7 @@ namespace winPEAS.Info.UserInfo
|
|||||||
{ "520", "Group Policy Creator Owners" }, //A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
|
{ "520", "Group Policy Creator Owners" }, //A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
|
||||||
{ "521", "Read-only Domain Controllers" }, //A global group. Members of this group are read-only domain controllers in the domain.
|
{ "521", "Read-only Domain Controllers" }, //A global group. Members of this group are read-only domain controllers in the domain.
|
||||||
{ "522", "Cloneable Domain Controllers" }, //A global group. Members of this group that are domain controllers may be cloned.
|
{ "522", "Cloneable Domain Controllers" }, //A global group. Members of this group that are domain controllers may be cloned.
|
||||||
{ "525", "Protected Users" }, //https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#protected-users
|
{ "525", "Protected Users" }, //https://book.hacktricks.wiki/en/windows-hardening/stealing-credentials/credentials-protections.html#protected-users
|
||||||
{ "526", "Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
|
{ "526", "Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
|
||||||
{ "527", "Enterprise Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
|
{ "527", "Enterprise Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
|
||||||
{ "553", "RAS and IAS Servers" }, //A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
|
{ "553", "RAS and IAS Servers" }, //A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
|
||||||
|
|||||||
@ -27,7 +27,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking for Chrome DBs");
|
Beaprint.MainPrint("Looking for Chrome DBs");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||||
Dictionary<string, string> chromeDBs = GetChromeDbs();
|
Dictionary<string, string> chromeDBs = GetChromeDbs();
|
||||||
|
|
||||||
if (chromeDBs.ContainsKey("userChromeCookiesPath"))
|
if (chromeDBs.ContainsKey("userChromeCookiesPath"))
|
||||||
@ -59,7 +59,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking for GET credentials in Chrome history");
|
Beaprint.MainPrint("Looking for GET credentials in Chrome history");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||||
Dictionary<string, List<string>> chromeHistBook = GetChromeHistBook();
|
Dictionary<string, List<string>> chromeHistBook = GetChromeHistBook();
|
||||||
List<string> history = chromeHistBook["history"];
|
List<string> history = chromeHistBook["history"];
|
||||||
List<string> bookmarks = chromeHistBook["bookmarks"];
|
List<string> bookmarks = chromeHistBook["bookmarks"];
|
||||||
|
|||||||
@ -28,7 +28,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking for Firefox DBs");
|
Beaprint.MainPrint("Looking for Firefox DBs");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||||
List<string> firefoxDBs = GetFirefoxDbs();
|
List<string> firefoxDBs = GetFirefoxDbs();
|
||||||
if (firefoxDBs.Count > 0)
|
if (firefoxDBs.Count > 0)
|
||||||
{
|
{
|
||||||
@ -55,7 +55,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking for GET credentials in Firefox history");
|
Beaprint.MainPrint("Looking for GET credentials in Firefox history");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||||
List<string> history = GetFirefoxHistory();
|
List<string> history = GetFirefoxHistory();
|
||||||
if (history.Count > 0)
|
if (history.Count > 0)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -29,7 +29,7 @@ namespace winPEAS.KnownFileCreds.Browsers
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Current IE tabs");
|
Beaprint.MainPrint("Current IE tabs");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||||
List<string> urls = GetCurrentIETabs();
|
List<string> urls = GetCurrentIETabs();
|
||||||
|
|
||||||
Dictionary<string, string> colorsB = new Dictionary<string, string>()
|
Dictionary<string, string> colorsB = new Dictionary<string, string>()
|
||||||
@ -50,7 +50,7 @@ namespace winPEAS.KnownFileCreds.Browsers
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking for GET credentials in IE history");
|
Beaprint.MainPrint("Looking for GET credentials in IE history");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history");
|
||||||
Dictionary<string, List<string>> ieHistoryBook = GetIEHistFav();
|
Dictionary<string, List<string>> ieHistoryBook = GetIEHistFav();
|
||||||
List<string> history = ieHistoryBook["history"];
|
List<string> history = ieHistoryBook["history"];
|
||||||
List<string> favorites = ieHistoryBook["favorites"];
|
List<string> favorites = ieHistoryBook["favorites"];
|
||||||
|
|||||||
@ -57,7 +57,7 @@ namespace winPEAS.KnownFileCreds
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("SSH keys in registry");
|
Beaprint.MainPrint("SSH keys in registry");
|
||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");
|
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");
|
||||||
|
|
||||||
string[] ssh_reg = RegistryHelper.GetRegSubkeys("HKCU", @"OpenSSH\Agent\Keys");
|
string[] ssh_reg = RegistryHelper.GetRegSubkeys("HKCU", @"OpenSSH\Agent\Keys");
|
||||||
if (ssh_reg.Length == 0)
|
if (ssh_reg.Length == 0)
|
||||||
|
|||||||
@ -2,9 +2,9 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
|
**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)**
|
||||||
|
|
||||||
Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
|
Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)**
|
||||||
|
|
||||||
## Mantainer
|
## Mantainer
|
||||||
|
|
||||||
|
|||||||
@ -556,7 +556,7 @@ Write-Host -ForegroundColor yellow "Indicates links"
|
|||||||
Write-Host -ForegroundColor Blue "Indicates title"
|
Write-Host -ForegroundColor Blue "Indicates title"
|
||||||
|
|
||||||
|
|
||||||
Write-Host "You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation" -ForegroundColor Yellow
|
Write-Host "You can find a Windows local PE Checklist here: https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html" -ForegroundColor Yellow
|
||||||
#write-host "Creating Dynamic lists, this could take a while, please wait..."
|
#write-host "Creating Dynamic lists, this could take a while, please wait..."
|
||||||
#write-host "Loading sensitive_files yaml definitions file..."
|
#write-host "Loading sensitive_files yaml definitions file..."
|
||||||
#write-host "Loading regexes yaml definitions file..."
|
#write-host "Loading regexes yaml definitions file..."
|
||||||
@ -875,7 +875,7 @@ if ($TimeStamp) { TimeElapsed }
|
|||||||
Write-Host -ForegroundColor Blue "=========|| UAC Settings"
|
Write-Host -ForegroundColor Blue "=========|| UAC Settings"
|
||||||
if ((Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA -eq 1) {
|
if ((Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA -eq 1) {
|
||||||
Write-Host "EnableLUA is equal to 1. Part or all of the UAC components are on."
|
Write-Host "EnableLUA is equal to 1. Part or all of the UAC components are on."
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access" -ForegroundColor Yellow
|
||||||
}
|
}
|
||||||
else { Write-Host "EnableLUA value not equal to 1" }
|
else { Write-Host "EnableLUA value not equal to 1" }
|
||||||
|
|
||||||
@ -917,13 +917,13 @@ Write-Host "Checking Windows Installer Registry (will populate if the key exists
|
|||||||
if ((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1) {
|
if ((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1) {
|
||||||
Write-Host "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer).AlwaysInstallElevated = 1" -ForegroundColor red
|
Write-Host "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer).AlwaysInstallElevated = 1" -ForegroundColor red
|
||||||
Write-Host "Try msfvenom msi package to escalate" -ForegroundColor red
|
Write-Host "Try msfvenom msi package to escalate" -ForegroundColor red
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#metasploit-payloads" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#metasploit-payloads" -ForegroundColor Yellow
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((Get-ItemProperty HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1) {
|
if ((Get-ItemProperty HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1) {
|
||||||
Write-Host "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer).AlwaysInstallElevated = 1" -ForegroundColor red
|
Write-Host "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer).AlwaysInstallElevated = 1" -ForegroundColor red
|
||||||
Write-Host "Try msfvenom msi package to escalate" -ForegroundColor red
|
Write-Host "Try msfvenom msi package to escalate" -ForegroundColor red
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#metasploit-payloads" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#metasploit-payloads" -ForegroundColor Yellow
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -995,7 +995,7 @@ if ( Test-Path HKLM:\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\
|
|||||||
Write-Host ""
|
Write-Host ""
|
||||||
if ($TimeStamp) { TimeElapsed }
|
if ($TimeStamp) { TimeElapsed }
|
||||||
Write-Host -ForegroundColor Blue "=========|| WSUS check for http and UseWAServer = 1, if true, might be vulnerable to exploit"
|
Write-Host -ForegroundColor Blue "=========|| WSUS check for http and UseWAServer = 1, if true, might be vulnerable to exploit"
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus" -ForegroundColor Yellow
|
||||||
if (Test-Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) {
|
if (Test-Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) {
|
||||||
Get-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
|
Get-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
|
||||||
}
|
}
|
||||||
@ -1123,7 +1123,7 @@ Write-Host ""
|
|||||||
if ($TimeStamp) { TimeElapsed }
|
if ($TimeStamp) { TimeElapsed }
|
||||||
Write-Host -ForegroundColor Blue "=========|| STARTUP APPLICATIONS Vulnerable Check"
|
Write-Host -ForegroundColor Blue "=========|| STARTUP APPLICATIONS Vulnerable Check"
|
||||||
"Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary"
|
"Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary"
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup" -ForegroundColor Yellow
|
||||||
|
|
||||||
@("C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
|
@("C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
|
||||||
"C:\Documents and Settings\$env:Username\Start Menu\Programs\Startup",
|
"C:\Documents and Settings\$env:Username\Start Menu\Programs\Startup",
|
||||||
@ -1322,9 +1322,9 @@ if ($TimeStamp) { TimeElapsed }
|
|||||||
Write-Host -ForegroundColor Blue "=========|| WHOAMI INFO"
|
Write-Host -ForegroundColor Blue "=========|| WHOAMI INFO"
|
||||||
Write-Host ""
|
Write-Host ""
|
||||||
if ($TimeStamp) { TimeElapsed }
|
if ($TimeStamp) { TimeElapsed }
|
||||||
Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens" -ForegroundColor yellow
|
Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens" -ForegroundColor yellow
|
||||||
Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege"
|
Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege"
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups" -ForegroundColor Yellow
|
||||||
Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow
|
Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow
|
||||||
|
|
||||||
|
|
||||||
@ -1349,7 +1349,7 @@ Write-Host ""
|
|||||||
if ($TimeStamp) { TimeElapsed }
|
if ($TimeStamp) { TimeElapsed }
|
||||||
Write-Host -ForegroundColor Blue "=========|| APPcmd Check"
|
Write-Host -ForegroundColor Blue "=========|| APPcmd Check"
|
||||||
if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
|
if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe" -ForegroundColor Yellow
|
||||||
Write-Host "$Env:SystemRoot\System32\inetsrv\appcmd.exe exists!" -ForegroundColor Red
|
Write-Host "$Env:SystemRoot\System32\inetsrv\appcmd.exe exists!" -ForegroundColor Red
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1400,7 +1400,7 @@ if ($TimeStamp) { TimeElapsed }
|
|||||||
Write-Host -ForegroundColor Blue "=========|| ENVIRONMENT VARIABLES "
|
Write-Host -ForegroundColor Blue "=========|| ENVIRONMENT VARIABLES "
|
||||||
Write-Host "Maybe you can take advantage of modifying/creating a binary in some of the following locations"
|
Write-Host "Maybe you can take advantage of modifying/creating a binary in some of the following locations"
|
||||||
Write-Host "PATH variable entries permissions - place binary or DLL to execute instead of legitimate"
|
Write-Host "PATH variable entries permissions - place binary or DLL to execute instead of legitimate"
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking" -ForegroundColor Yellow
|
||||||
|
|
||||||
Get-ChildItem env: | Format-Table -Wrap
|
Get-ChildItem env: | Format-Table -Wrap
|
||||||
|
|
||||||
@ -1418,7 +1418,7 @@ if (Test-Path "C:\Users\$env:USERNAME\AppData\Local\Packages\Microsoft.Microsoft
|
|||||||
Write-Host ""
|
Write-Host ""
|
||||||
if ($TimeStamp) { TimeElapsed }
|
if ($TimeStamp) { TimeElapsed }
|
||||||
Write-Host -ForegroundColor Blue "=========|| Cached Credentials Check"
|
Write-Host -ForegroundColor Blue "=========|| Cached Credentials Check"
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#windows-vault" -ForegroundColor Yellow
|
||||||
cmdkey.exe /list
|
cmdkey.exe /list
|
||||||
|
|
||||||
|
|
||||||
@ -1426,7 +1426,7 @@ Write-Host ""
|
|||||||
if ($TimeStamp) { TimeElapsed }
|
if ($TimeStamp) { TimeElapsed }
|
||||||
Write-Host -ForegroundColor Blue "=========|| Checking for DPAPI RPC Master Keys"
|
Write-Host -ForegroundColor Blue "=========|| Checking for DPAPI RPC Master Keys"
|
||||||
Write-Host "Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt"
|
Write-Host "Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt"
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi" -ForegroundColor Yellow
|
||||||
|
|
||||||
$appdataRoaming = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\"
|
$appdataRoaming = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\"
|
||||||
$appdataLocal = "C:\Users\$env:USERNAME\AppData\Local\Microsoft\"
|
$appdataLocal = "C:\Users\$env:USERNAME\AppData\Local\Microsoft\"
|
||||||
@ -1449,7 +1449,7 @@ if ($TimeStamp) { TimeElapsed }
|
|||||||
Write-Host -ForegroundColor Blue "=========|| Checking for DPAPI Cred Master Keys"
|
Write-Host -ForegroundColor Blue "=========|| Checking for DPAPI Cred Master Keys"
|
||||||
Write-Host "Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt"
|
Write-Host "Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt"
|
||||||
Write-Host "You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module"
|
Write-Host "You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module"
|
||||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi" -ForegroundColor Yellow
|
Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi" -ForegroundColor Yellow
|
||||||
|
|
||||||
if ( Test-Path "$appdataRoaming\Credentials\") {
|
if ( Test-Path "$appdataRoaming\Credentials\") {
|
||||||
Get-ChildItem -Path "$appdataRoaming\Credentials\" -Force
|
Get-ChildItem -Path "$appdataRoaming\Credentials\" -Force
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user