From 96b7bdaf91814622f62ce2562c9ede5a315faea6 Mon Sep 17 00:00:00 2001 
From: Jimmy
Date: Mon, 6 Jan 2025 13:55:15 +0100
Subject: [PATCH] Brief description of your changes
---
README.md | 4 +--
build_lists/sensitive_files.yaml | 2 +-
linPEAS/README.md | 4 +--
.../1_system_information/11_Dmesg.sh | 2 +-
.../1_Operative_system.sh | 2 +-
.../1_system_information/2_Sudo_version.sh | 2 +-
.../1_system_information/3_USBCreator.sh | 2 +-
.../1_system_information/4_Path.sh | 2 +-
.../2_container/2_List_mounted_tokens.sh | 2 +-
.../2_container/5_Container_breakout.sh | 12 +++----
.../3_cloud/1_Check_if_in_cloud.sh | 2 +-
.../3_cloud/6_Google_cloud_function.sh | 2 +-
.../3_cloud/6_Google_cloud_vm.sh | 2 +-
.../linpeas_parts/3_cloud/7_Azure_VM.sh | 8 ++---
.../10_System_timers.sh | 2 +-
.../11_Timer_files.sh | 2 +-
.../13_Service_files.sh | 2 +-
.../14_Socket_files.sh | 2 +-
.../15_Unix_sockets_listening.sh | 2 +-
.../16_DBus_service_objects_list.sh | 2 +-
.../17_DBus_config_files.sh | 2 +-
.../1_List_processes.sh | 2 +-
.../2_Process_cred_in_memory.sh | 2 +-
.../3_Process_binaries_perms.sh | 2 +-
.../6_Different_procs_1min.sh | 2 +-
.../7_Systemd_path.sh | 2 +-
.../8_Cron_jobs.sh | 4 +--
.../9_Macos_launch_agents_daemons.sh | 8 ++---
.../5_network_information/4_Open_ports.sh | 2 +-
.../5_network_information/7_Tcpdump.sh | 2 +-
.../6_users_information/10_Pkexec.sh | 2 +-
.../6_users_information/1_My_user.sh | 2 +-
.../6_users_information/3_Macos_keychains.sh | 2 +-
.../6_users_information/7_Sudo_l.sh | 2 +-
.../6_users_information/8_Sudo_tokens.sh | 2 +-
.../7_software_information/Containerd.sh | 2 +-
.../7_software_information/Docker.sh | 2 +-
.../7_software_information/Kcpassword.sh | 2 +-
.../7_software_information/Kerberos.sh | 2 +-
.../7_software_information/Runc.sh | 2 +-
.../7_software_information/Screen_sessions.sh | 2 +-
.../7_software_information/Tmux.sh | 2 +-
.../14_Writable_files_owner_all.sh | 2 +-
.../15_Writable_files_group.sh | 2 +-
.../8_interesting_perms_files/1_SUID.sh | 2 +-
.../8_interesting_perms_files/2_SGID.sh | 2 +-
.../8_interesting_perms_files/3_Files_ACLs.sh | 2 +-
.../4_Capabilities.sh | 2 +-
.../5_Users_with_capabilities.sh | 2 +-
.../6_Misconfigured_ldso.sh | 2 +-
.../7_Files_etc_profile_d.sh | 2 +-
.../8_Files_etc_init_d.sh | 2 +-
.../9_interesting_files/1_Sh_files_in_PATH.sh | 2 +-
.../8_Writable_log_files.sh | 2 +-
.../linpeas_base/0_variables_base.sh | 4 +--
parsers/README.md | 4 +--
winPEAS/README.md | 4 +--
winPEAS/winPEASbat/README.md | 4 +--
winPEAS/winPEASbat/winPEAS.bat | 36 +++++++++----------
winPEAS/winPEASexe/README.md | 4 +--
.../winPEAS/Checks/ApplicationsInfo.cs | 8 ++---
.../winPEASexe/winPEAS/Checks/CloudInfo.cs | 4 +--
.../winPEASexe/winPEAS/Checks/FilesInfo.cs | 10 +++---
.../winPEASexe/winPEAS/Checks/ProcessInfo.cs | 4 +--
.../winPEASexe/winPEAS/Checks/ServicesInfo.cs | 8 ++---
.../winPEASexe/winPEAS/Checks/SystemInfo.cs | 18 +++++-----
winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs | 4 +--
.../winPEASexe/winPEAS/Checks/WindowsCreds.cs | 16 ++++-----
.../winPEASexe/winPEAS/Helpers/Beaprint.cs | 4 +--
.../Info/UserInfo/SID2GroupNameHelper.cs | 2 +-
.../KnownFileCreds/Browsers/Chrome/Chrome.cs | 4 +--
.../Browsers/Firefox/Firefox.cs | 4 +--
.../Browsers/InternetExplorer.cs | 4 +--
.../winPEAS/KnownFileCreds/Putty.cs | 2 +-
winPEAS/winPEASps1/README.md | 4 +--
winPEAS/winPEASps1/winPEAS.ps1 | 26 +++++++-------
76 files changed, 157 insertions(+), 157 deletions(-)
diff --git a/README.md b/README.md
index 47ac44cb8..d9550a956 100755
--- a/README.md
+++ b/README.md
@@ -12,10 +12,10 @@ Here you will find **privilege escalation tools for Windows and Linux/Unix\* and These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily. -- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)** +- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)** - **[WinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)** -- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)** +- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)** - **[LinPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)** ## Quick Start diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml index 42fe1f50d..fc86ba277 100644 --- a/build_lists/sensitive_files.yaml +++ b/build_lists/sensitive_files.yaml @@ -1458,7 +1458,7 @@ search: config: auto_check: True exec: - - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.xyz/linux-hardening/freeipa-pentesting"; fi + - ipa_exists="$(command -v ipa)"; if [ "$ipa_exists" ]; then print_info "https://book.hacktricks.wiki/en/linux-hardening/freeipa-pentesting.html"; fi files: - name: "ipa" diff --git a/linPEAS/README.md b/linPEAS/README.md index c189587d0..4daf97e99 100755 --- a/linPEAS/README.md 
+++ b/linPEAS/README.md @@ -2,9 +2,9 @@ ![](https://github.com/peass-ng/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png) -**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)** +**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html)** -Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**. +Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html)**. [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566) diff --git a/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh b/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh index 8cbf956c7..9adc5798d 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh @@ -15,7 +15,7 @@ if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then print_2title "Searching Signature verification failed in dmesg" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed" (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg" echo "" fi \ No newline at end of file 
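Review bot: The reference host and its `/en/…` path prefix are still spelled out in full inside the `print_info` call in 11_Dmesg.sh, and the same literal recurs in the other linPEAS module hunks of this patch (1_Operative_system.sh, 2_Sudo_version.sh, 4_Path.sh, the timer, socket and D-Bus modules among them), which is why one domain move had to touch 76 files. Consider defining the base once alongside the shared values in `linpeas_base/0_variables_base.sh` (listed in the diffstat) and writing `print_info "${HT_BOOK_URL}/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed"` here; `HT_BOOK_URL` is a suggested name, not an existing variable, and the builder's per-module variable declarations would need to accept it. A single definition also makes it straightforward to audit which external host the tool points its users at.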
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh b/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh index 57d938de8..6873b82f9 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh @@ -13,7 +13,7 @@ # Small linpeas: 1 print_2title "Operative system" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits" (cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED}," warn_exec lsb_release -a 2>/dev/null if [ "$MACPEAS" ]; then 
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh b/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh index 4598b9a93..f9a9c6a0a 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh @@ -15,7 +15,7 @@ print_2title "Sudo version" if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version" sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED}," else echo_not_found "sudo" fi diff --git a/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh b/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh index 24db8ce29..750df7876 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh @@ -15,7 +15,7 @@ if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then print_2title "USBCreator" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html" pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+") if [ -z "$pc_version" ]; then diff --git a/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh b/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh index 8514f7df7..7393bcafc 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh 
@@ -14,7 +14,7 @@ print_2title "PATH" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses" if ! [ "$IAMROOT" ]; then echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g" fi diff --git a/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh b/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh index e0096aa5e..441f307c0 100644 --- a/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh +++ b/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh @@ -15,7 +15,7 @@ if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then print_2title "Listing mounted tokens" - print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod" + print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html" ALREADY_TOKENS="IinItialVaaluE" for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do TEMP_TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/')) diff --git a/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh b/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh index 4d14f4357..1c461b9f3 100644 --- a/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh +++ b/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh 
@@ -16,7 +16,7 @@ if [ "$inContainer" ]; then echo "" print_2title "Container & breakout enumeration" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html" print_list "Container ID ...................$NC $(cat /etc/hostname && echo -n '\n')" if [ -f "/proc/1/cpuset" ] && echo "$containerType" | grep -qi "docker"; then print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n" @@ -34,7 +34,7 @@ if [ "$inContainer" ]; then print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_3title "Breakout via mounts" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html" checkProcSysBreakouts print_list "/proc mounted? ................. $proc_mounted\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," @@ -71,7 +71,7 @@ if [ "$inContainer" ]; then echo "" print_3title "Namespaces" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/namespaces" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html" ls -l /proc/self/ns/ if echo "$containerType" | grep -qi "kubernetes"; then @@ -80,7 +80,7 @@ if [ "$inContainer" ]; then echo "" print_2title "Kubernetes Information" - print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod" + print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html" print_3title "Kubernetes service account folder" 
@@ -92,7 +92,7 @@ if [ "$inContainer" ]; then echo "" print_3title "Current sa user k8s permissions" - print_info "https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/hardening-roles-clusterroles" + print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.html" kubectl auth can-i --list 2>/dev/null || curl -s -k -d "$(echo \"eyJraW5kIjoiU2VsZlN1YmplY3RSdWxlc1JldmlldyIsImFwaVZlcnNpb24iOiJhdXRob3JpemF0aW9uLms4cy5pby92MSIsIm1ldGFkYXRhIjp7ImNyZWF0aW9uVGltZXN0YW1wIjpudWxsfSwic3BlYyI6eyJuYW1lc3BhY2UiOiJlZXZlZSJ9LCJzdGF0dXMiOnsicmVzb3VyY2VSdWxlcyI6bnVsbCwibm9uUmVzb3VyY2VSdWxlcyI6bnVsbCwiaW5jb21wbGV0ZSI6ZmFsc2V9fQo=\"|base64 -d)" \ "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \ -X 'POST' -H 'Content-Type: application/json' \ @@ -102,7 +102,7 @@ if [ "$inContainer" ]; then echo "" print_2title "Container Capabilities" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#capabilities-abuse-escape" if [ "$(command -v capsh || echo -n '')" ]; then capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g" else diff --git a/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh index 6562ac9c0..bbf1712b5 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh 
@@ -13,7 +13,7 @@ # Small linpeas: 1 -printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.xyz\n"$NC +printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.wiki\n"$NC echo "" print_list "GCP Virtual Machine? ................. $is_gcp_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN}," diff --git a/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh b/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh index fe3931ebd..63e300d78 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh @@ -26,7 +26,7 @@ if [ "$is_gcp_function" = "Yes" ]; then # GCP Enumeration if [ "$gcp_req" ]; then print_2title "Google Cloud Platform Enumeration" - print_info "https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security" + print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html" ## GC Project Info p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id') diff --git a/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_vm.sh b/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_vm.sh index cbcf2a9e6..53b83f53d 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_vm.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_vm.sh @@ -26,7 +26,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then if [ "$gcp_req" ]; then print_2title "Google Cloud Platform Enumeration" - print_info "https://book.hacktricks.xyz/cloud-security/gcp-security" + print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html" ## GC Project Info p_id=$(eval $gcp_req 'http://metadata.google.internal/computeMetadata/v1/project/project-id') diff --git a/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh b/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh index 847144fae..7fac1b7c3 100644 
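Review bot: In 1_Check_if_in_cloud.sh the banner now advertises `training.hacktricks.wiki`, and this is the only link in the visible hunks where the host was swapped with no accompanying path change, so it reads like the result of a blanket search-and-replace rather than a checked migration. Confirm that the training site is really served from that host before merging. If it still lives on the old domain, keep `printf "${YELLOW}Learn and practice cloud hacking techniques in ${BLUE}training.hacktricks.xyz\n"$NC`, because a security tool that prints a host its project does not control hands a ready audience to whoever registers that name.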
--- a/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/7_Azure_VM.sh 
@@ -47,22 +47,22 @@ if [ "$is_az_vm" = "Yes" ]; then echo "" print_3title "Management token" - print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" + print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/" echo "" print_3title "Graph token" - print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" + print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/" echo "" print_3title "Vault token" - print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" + print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. 
More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/" echo "" print_3title "Storage token" - print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" + print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/" echo "" fi diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh index d385d73d9..628573ebd 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_System_timers.sh @@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "System timers" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers" (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh index b9391bc0e..31ae2df75 100644 
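Review bot: The four `print_info` calls in 7_Azure_VM.sh (management, graph, vault and storage token) carry the same sentence and link verbatim, so this patch had to edit one string four times and the next link change will have to do the same. Hold the text in one variable ahead of the first call, `az_mi_note="It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"`, and use `print_info "$az_mi_note"` in each block. The `if [ "$is_az_vm" = "Yes" ]` block that contains these lines opens above the hunk, so the assignment belongs inside it.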
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Timer_files.sh @@ -14,7 +14,7 @@ print_2title "Analyzing .timer files" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers" printf "%s\n" "$PSTORAGE_TIMER" | while read t; do if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then echo "$t" | sed -${E} "s,.*,${SED_RED},g" diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh index b2103f97f..2ec41a2ab 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Service_files.sh @@ -15,7 +15,7 @@ #TODO: .service files in MACOS are folders print_2title "Analyzing .service files" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services" printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do if [ ! -O "" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh index f003d515e..1c9265f4e 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_Socket_files.sh 
@@ -16,7 +16,7 @@ #TODO: .socket files in MACOS are folders if ! [ "$IAMROOT" ]; then print_2title "Analyzing .socket files" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets" printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g" diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh index 278a48588..275a91445 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Unix_sockets_listening.sh @@ -17,7 +17,7 @@ if ! [ "$IAMROOT" ]; then if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Unix Sockets Listening" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets" # Search sockets using netstat and ss unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1) if ! [ "$unix_scks_list" ];then diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh index 1d530ab0a..6a9e5eb17 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_DBus_service_objects_list.sh 
@@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "D-Bus Service Objects list" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus" dbuslist=$(busctl list 2>/dev/null) if [ "$dbuslist" ]; then busctl list | while read l; do diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh index db3b5c121..31ead9b00 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_DBus_config_files.sh @@ -13,7 +13,7 @@ # Small linpeas: 0 print_2title "D-Bus config files" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus" if [ "$PSTORAGE_DBUS" ]; then printf "%s\n" "$PSTORAGE_DBUS" | while read d; do for f in $d/*; do diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh index f7ab651d6..a4be4757a 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh 
@@ -19,7 +19,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then if [ "$NOUSEPS" ]; then printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC fi - print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" + print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes" if [ -f "/etc/fstab" ] && cat /etc/fstab | grep -q "hidepid=2"; then echo "Looks like /etc/fstab has hidepid=2, so ps will not show processes of other users" diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh index 65b32880b..59b487269 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh 
@@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Processes with credentials in memory (root req)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory" if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh index 4154ce1c3..c3e61a25a 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh @@ -16,7 +16,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then if [ "$NOUSEPS" ]; then print_2title "Binary processes permissions (non 'root root' and not belonging to current user)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes" binW="IniTialiZZinnggg" ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do if [ -w "$bpath" ]; then 
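Review bot: In 3_Process_binaries_perms.sh the writable-binary check sits under `if [ "$NOUSEPS" ]; then`, yet its first step is `ps auxwww`, so it appears to run only when ps has been flagged as unusable. 1_List_processes.sh in this same patch treats a set `NOUSEPS` as "ps is not finding processes", which suggests the guard was meant to be `if ! [ "$NOUSEPS" ]; then`. If that reading is right, the check is skipped on hosts where ps works and writable process binaries go unreported. The block continues past the end of the hunk, so confirm against the full file before changing it.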
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh index 5a0356405..7cf222fbe 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh @@ -16,7 +16,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs" temp_file=$(mktemp) if [ "$(ps -e -o user,command 2>/dev/null)" ]; then for i in $(seq 1 1210); do diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh index b7b8646cd..2447704d7 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Systemd_path.sh @@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Systemd PATH" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths" systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g" WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders") echo "" 
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh index e6a36a069..7d3973c1b 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Cron_jobs.sh @@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Cron jobs" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs" command -v crontab 2>/dev/null || echo_not_found "crontab" crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED}," command -v incrontab 2>/dev/null || echo_not_found "incrontab" @@ -27,7 +27,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then atq 2>/dev/null else print_2title "Cron jobs" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs" find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \; fi echo "" \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh index 6c8fe09a3..cc8f3d9f7 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh 
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_Macos_launch_agents_daemons.sh @@ -16,7 +16,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then if [ "$MACPEAS" ]; then print_2title "Third party LaunchAgents & LaunchDemons" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd" + print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd" ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null echo "" @@ -34,12 +34,12 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then echo "" print_2title "StartupItems" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#startup-items" + print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items" ls -l /Library/StartupItems/ /System/Library/StartupItems/ 2>/dev/null echo "" print_2title "Login Items" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#login-items" + print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items" osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null echo "" @@ -48,7 +48,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then echo "" print_2title "Emond scripts" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond" + print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond" ls -l /private/var/db/emondClients echo "" fi diff --git a/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh b/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh index 404f64f2f..df3fd3643 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh 
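Review bot: The new "Login Items" link in 9_Macos_launch_agents_daemons.sh ends in `#startup-items`, the same fragment as the "StartupItems" section just above it, whereas the old link pointed at `#login-items`. This looks like a copy-paste slip, and it would send readers of the Login Items output to the wrong section. The line should point at the login-items heading of `macos-auto-start-locations.html`; the exact fragment on the new site needs to be confirmed by opening the page.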
@@ -14,6 +14,6 @@ print_2title "Active Ports" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports" ( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g" echo "" diff --git a/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh b/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh index 73ea53f4a..a92743607 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh @@ -16,7 +16,7 @@ print_2title "Can I sniff with tcpdump?" timeout 1 tcpdump >/dev/null 2>&1 if [ $? -eq 124 ]; then #If 124, then timed out == It worked - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sniffing" echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED}," else echo_no fi diff --git a/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh b/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh index e7d93e601..ea3bea65f 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh 
@@ -14,6 +14,6 @@ print_2title "Checking Pkexec policy" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2" (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d" echo "" diff --git a/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh b/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh index daaca5825..2f1b23aa4 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh @@ -14,6 +14,6 @@ print_2title "My user" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users" (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g" echo "" \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh b/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh index 359e962aa..d57cd0091 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh 
+++ b/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh @@ -15,7 +15,7 @@ if [ "$MACPEAS" ];then print_2title "Keychains" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#chainbreaker" + print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker" security list-keychains echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh index b3833aa71..179780e07 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh @@ -14,7 +14,7 @@ print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid" (echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo" if [ "$PASSWORD" ]; then (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null || echo_not_found "sudo" diff --git a/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh b/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh index 74d10fa8c..b840a919f 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh 
@@ -14,7 +14,7 @@ print_2title "Checking sudo tokens" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens" ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)" if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0), so sudo tokens could be abused" | sed "s,is disabled,${SED_RED},g"; diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh b/linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh index dfde81faf..bebb9843e 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh @@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then containerd=$(command -v ctr || echo -n '') if [ "$containerd" ] || [ "$DEBUG" ]; then print_2title "Checking if containerd(ctr) is available" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#containerd-ctr-privilege-escalation" if [ "$containerd" ]; then echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," ctr image list 2>&1 diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Docker.sh b/linPEAS/builder/linpeas_parts/7_software_information/Docker.sh index 60f57d381..faaad8a6d 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Docker.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Docker.sh 
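Review bot: The containerd link in Containerd.sh moves from a dedicated page (`.../privilege-escalation/containerd-ctr-privilege-escalation`) to a fragment on the general index (`.../privilege-escalation/index.html#containerd-ctr-privilege-escalation`). Other standalone pages in this patch, such as `linux-active-directory.html`, keep their own file. A fragment that does not exist fails silently by landing at the top of the index, so this link is worth opening once to confirm it resolves. The Runc.sh hunk (`index.html#runc--privilege-escalation`) follows the same pattern and deserves the same check.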
@@ -15,7 +15,7 @@ if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then print_2title "Searching docker files (limit 70)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/index.html#docker-breakout--privilege-escalation" printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do ls -l "$f" 2>/dev/null if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh b/linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh index f6dd17fe9..5e38749fe 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh @@ -15,7 +15,7 @@ if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then print_2title "Analyzing kcpassword files" - print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#kcpassword" + print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#kcpassword" printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do echo "$f" | sed -${E} "s,.*,${SED_RED}," base64 "$f" 2>/dev/null | sed -${E} "s,.*,${SED_RED}," diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh b/linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh index 4efeb27ec..65aa29110 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh 
@@ -18,7 +18,7 @@ klist_exists="$(command -v klist || echo -n '')" kinit_exists="$(command -v kinit || echo -n '')" if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then print_2title "Searching kerberos conf files and tickets" - print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-active-directory.html#linux-active-directory" if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi if [ "$kinit_exists" ]; then echo "kadmin was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Runc.sh b/linPEAS/builder/linpeas_parts/7_software_information/Runc.sh index 464ab4852..84f135bb9 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Runc.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Runc.sh @@ -17,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then runc=$(command -v runc || echo -n '') if [ "$runc" ] || [ "$DEBUG" ]; then print_2title "Checking if runc is available" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#runc--privilege-escalation" if [ "$runc" ]; then echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh b/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh index f0747edff..3bda4ade0 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh 
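Review bot: The kinit branch in Kerberos.sh prints `kadmin was found on $kinit_exists`, so a host with only kinit installed is reported as having kadmin. The line should read `if [ "$kinit_exists" ]; then echo "kinit was found on $kinit_exists" | sed "s,$kinit_exists,${SED_RED},"; fi`. `klist_exists` is used in the guard, but no matching report line is visible in this hunk. The block continues past the hunk, so klist may be handled further down.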
@@ -15,7 +15,7 @@ if ([ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Searching screen sessions" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions" screensess=$(screen -ls 2>/dev/null) screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null) diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh b/linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh index c3d18acdb..eced3b3d0 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh @@ -18,7 +18,7 @@ tmuxnondefsess=$(ps auxwww | grep "tmux " | grep -v grep) tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null) if ([ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Searching tmux sessions"$N - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions" tmux -V printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m," diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh index b0d9134d2..894d5bfd2 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh 
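Review bot: In Tmux.sh the line `printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2"` uses captured `ps` and `find` output as the printf format string. Any `%` or backslash in another user's command line is therefore interpreted rather than printed, which can garble or truncate the report. Passing the data as arguments keeps it literal: `printf "%s\n%s\n%s" "$tmuxdefsess" "$tmuxnondefsess" "$tmuxsess2"`. The `if` block extends beyond the hunk.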
@@ -15,7 +15,7 @@ if ! [ "$IAMROOT" ]; then print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files" #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200) printf "%s\n" "$obmowbe" | while read l; do diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh index 7e69cdb0e..99efb42d3 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh 
@@ -15,7 +15,7 @@ if ! [ "$IAMROOT" ]; then print_2title "Interesting GROUP writable files (not in Home) (max 200)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files" for g in $(groups); do iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200) if [ "$iwfbg" ] || [ "$DEBUG" ]; then diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh index ea6d730d7..d9942cf73 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh @@ -14,7 +14,7 @@ print_2title "SUID - Check easy privesc, exploits and write perms" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid" if ! [ "$STRINGS" ]; then echo_not_found "strings" fi diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh index e2eed1124..1dfd91c82 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh 
@@ -14,7 +14,7 @@ print_2title "SGID" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid" sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null) printf "%s\n" "$sgids_files" | while read s; do s=$(ls -lahtr "$s") diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh index 4ac247653..503ad9fc5 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh @@ -14,7 +14,7 @@ print_2title "Files with ACLs (limited to 50)" -print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls" +print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls" if ! [ "$SEARCH_IN_FOLDER" ]; then ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," else diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh index 7d4472a27..0261da7bb 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh 
@@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Capabilities" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities" if [ "$(command -v capsh || echo -n '')" ]; then print_3title "Current shell capabilities" diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh index bcfe1bac3..a0d4b97a2 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh @@ -15,7 +15,7 @@ if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then print_2title "Users with capabilities" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities" if [ -f "/etc/security/capability.conf" ]; then grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," else echo_not_found "/etc/security/capability.conf" diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh index c0395f207..9fbd931a7 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh 
@@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then print_2title "Checking misconfigurations of ld.so" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso" if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},"; printf $RED$ITALIC"/etc/ld.so.conf\n"$NC; diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh index 5e1f78c85..8be91ebe1 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh @@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Files (scripts) in /etc/profile.d/" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files" if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/" check_critial_root_path "/etc/profile" diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh index 93ec81891..a15968f8c 100644 --- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh +++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh 
@@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title "Permissions in init, init.d, systemd, and rc.d" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd" if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS check_critial_root_path "/etc/init/" check_critial_root_path "/etc/init.d/" diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh index ad69ec667..71f420966 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh @@ -15,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then print_2title ".sh files in path" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path" echo $PATH | tr ":" "\n" | while read d; do for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do if ! [ "$IAMROOT" ] && [ -O "$f" ]; then diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh index ee76bb935..938aa99d1 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh 
@@ -15,7 +15,7 @@ if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below print_2title "Writable log files (logrotten) (limit 50)" - print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation" + print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation" logrotate --version 2>/dev/null || echo_not_found "logrotate" lastWlogFolder="ImPOsSiBleeElastWlogFolder" logfind=$(find $ROOT_FOLDER -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 50) diff --git a/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh index a115b8968..5b871a34b 100644 --- a/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh @@ -343,7 +343,7 @@ print_support () { ${GREEN}/---------------------------------------------------------------------------------\\ | ${BLUE}Do you like PEASS?${GREEN} | |---------------------------------------------------------------------------------| - | ${YELLOW}Learn Cloud Hacking${GREEN} : ${RED}https://training.hacktricks.xyz${GREEN} | + | ${YELLOW}Learn Cloud Hacking${GREEN} : ${RED}https://training.hacktricks.wiki${GREEN} | | ${YELLOW}Follow on Twitter${GREEN} : ${RED}@hacktricks_live${GREEN} | | ${YELLOW}Respect on HTB${GREEN} : ${RED}SirBroccoli ${GREEN} | |---------------------------------------------------------------------------------| 
@@ -362,7 +362,7 @@ printf ${BLUE}" $SCRIPTNAME-$VERSION ${YELLOW}by carlospolop\n"$NC; echo "" printf ${YELLOW}"ADVISORY: ${BLUE}$ADVISORY\n$NC" echo "" -printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist\n"$NC +printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html\n"$NC echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m," echo " RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW}," echo " RED: You should take a look to it" | sed "s,RED,${SED_RED}," diff --git a/parsers/README.md b/parsers/README.md index 8c03259df..edf92e272 100644 --- a/parsers/README.md +++ b/parsers/README.md @@ -38,7 +38,7 @@ There is a **maximun of 3 levels of sections**. } ], "infos": [ - "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits" + "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits" ] }, "infos": [] @@ -65,7 +65,7 @@ There is a **maximun of 3 levels of sections**. } ], "infos": [ - "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits" + "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits" ] }, "infos": [] diff --git a/winPEAS/README.md b/winPEAS/README.md index 0407e78a0..46657abbd 100755 --- a/winPEAS/README.md +++ b/winPEAS/README.md 
@@ -2,9 +2,9 @@ ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png) -Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)** +Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)** -Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)** +Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)** ## Quick Start Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/peass-ng/PEASS-ng/releases/latest)**. diff --git a/winPEAS/winPEASbat/README.md b/winPEAS/winPEASbat/README.md index 444a33cf3..de70173d7 100755 --- a/winPEAS/winPEASbat/README.md +++ b/winPEAS/winPEASbat/README.md 
@@ -2,9 +2,9 @@ ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png) -**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)** +**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)** -Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation) +Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html) ### WinPEAS.bat is a batch script made for Windows systems which don't support WinPEAS.exe (Net.4 required) diff --git a/winPEAS/winPEASbat/winPEAS.bat b/winPEAS/winPEASbat/winPEAS.bat index 73cc55763..6e802b881 100755 --- a/winPEAS/winPEASbat/winPEAS.bat +++ b/winPEAS/winPEASbat/winPEAS.bat @@ -63,7 +63,7 @@ ECHO. CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO" CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS" ECHO. [i] Check for vulnerabilities for the OS version with the applied patches -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits systeminfo ECHO. CALL :T_Progress 2 
@@ -190,7 +190,7 @@ CALL :T_Progress 1 :UACSettings CALL :ColorLine " %E%33m[+]%E%97m UAC Settings" ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul ECHO. CALL :T_Progress 1 @@ -241,7 +241,7 @@ CALL :T_Progress 1 :InstalledSoftware CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE" ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications ECHO. dir /b "C:\Program Files" "C:\Program Files (x86)" | sort reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\" @@ -252,7 +252,7 @@ CALL :T_Progress 2 :RemodeDeskCredMgr CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager" -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files ECHO. CALL :T_Progress 1 
@@ -260,7 +260,7 @@ CALL :T_Progress 1 :WSUS CALL :ColorLine " %E%33m[+]%E%97m WSUS" ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit) -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://" ECHO. CALL :T_Progress 1 @@ -268,7 +268,7 @@ CALL :T_Progress 1 :RunningProcesses CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES" ECHO. [i] Something unexpected is running? Check for vulnerabilities -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes tasklist /SVC ECHO. CALL :T_Progress 2 @@ -289,7 +289,7 @@ CALL :T_Progress 3 :RunAtStartup CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP" ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^ 
@@ -313,7 +313,7 @@ CALL :T_Progress 2 :AlwaysInstallElevated CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?" ECHO. [i] If '1' then you can install a .msi file with admin privileges ;) -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated-1 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul ECHO. @@ -377,7 +377,7 @@ CALL :T_Progress 1 :BasicUserInfo CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups ECHO. CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER" net user %username% 
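Review bot: The `:AlwaysInstallElevated` hunk in winPEAS.bat now links to `index.html#alwaysinstallelevated-1`, while the same check in SystemInfo.cs (`PrintAlwaysInstallElevated`) links to `index.html#alwaysinstallelevated`, so the two tools send the reader to different headings for one finding. A numeric suffix such as `-1` is usually an auto-generated slug for a repeated heading and presumably shifts when the target page is reordered. Confirm which heading is intended and use the same fragment in both files. The label's block continues outside the hunk.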
@@ -451,7 +451,7 @@ ECHO. :ServiceBinaryPermissions CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS" -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do ( for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO. ) @@ -460,7 +460,7 @@ CALL :T_Progress 1 :CheckRegistryModificationAbilities CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY" -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a ECHO. CALL :T_Progress 1 
@@ -469,7 +469,7 @@ CALL :T_Progress 1 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS" ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe' ECHO. [i] The permissions are also checked and filtered using icacls -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do ( for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do ( ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO. @@ -484,7 +484,7 @@ ECHO. CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable" ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. ) ECHO. CALL :T_Progress 1 
@@ -493,7 +493,7 @@ CALL :T_Progress 1 CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS" ECHO. CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT" -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault cmdkey /list ECHO. CALL :T_Progress 2 @@ -501,14 +501,14 @@ CALL :T_Progress 2 :DPAPIMasterKeys CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS" ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul CALL :T_Progress 2 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS" ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi ECHO. ECHO.Looking inside %appdata%\Microsoft\Credentials\ ECHO. @@ -581,7 +581,7 @@ CALL :T_Progress 2 :AppCMD CALL :ColorLine " %E%33m[+]%E%97m AppCmd" -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. ECHO. CALL :T_Progress 2 
@@ -589,7 +589,7 @@ CALL :T_Progress 2 :RegFilesCredentials CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials" ECHO. [i] Searching specific files that may contains credentials. -ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files +ECHO. [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password reg query HKCU\Software\ORL\WinVNC3\Password 2>nul CALL :T_Progress 2 diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md index 5f545780a..62470d5a5 100755 --- a/winPEAS/winPEASexe/README.md +++ b/winPEAS/winPEASexe/README.md @@ -2,9 +2,9 @@ ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png) -**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)** +**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)** -Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)** +Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)** [![youtube](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/screen.png)](https://youtu.be/66gOwXMnxRI) 
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs index fed1fe377..ac7d18124 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs @@ -56,7 +56,7 @@ void PrintInstalledApps() try { Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software", "Check if you can modify installed software"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications", "Check if you can modify installed software"); SortedDictionary> installedAppsPerms = InstalledApps.GetInstalledAppsPerms(); string format = " ==> {0} ({1})"; @@ -102,7 +102,7 @@ private static void PrintAutoRuns() try { Beaprint.MainPrint("Autorun Applications"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)"); List> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs); foreach (Dictionary app in apps) 
@@ -189,7 +189,7 @@ void PrintScheduled() try { Beaprint.MainPrint("Scheduled Applications --Non Microsoft--"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users scheduled binaries"); List> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft(); foreach (Dictionary sapp in scheduled_apps) @@ -239,7 +239,7 @@ void PrintDeviceDrivers() { Beaprint.MainPrint("Device Drivers --Non Microsoft--"); // this link is not very specific, but its the best on hacktricks - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits."); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers", "Check 3rd party drivers for known vulnerabilities/rootkits."); foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft()) { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs index a1e903701..aed45db0c 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs 
@@ -12,10 +12,10 @@ public void PrintInfo(bool isDebug) Dictionary colorsTraining = new Dictionary() { - { "training.hacktricks.xyz", Beaprint.ansi_color_good }, + { "training.hacktricks.wiki", Beaprint.ansi_color_good }, { "Learn & practice cloud hacking in", Beaprint.ansi_color_yellow }, }; - Beaprint.AnsiPrint("Learn and practice cloud hacking in training.hacktricks.xyz", colorsTraining); + Beaprint.AnsiPrint("Learn and practice cloud hacking in training.hacktricks.wiki", colorsTraining); var cloudInfoList = new List { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index b6974f99c..9fe48f076 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs @@ -151,7 +151,7 @@ void PrintCloudCreds() try { Beaprint.MainPrint("Cloud Credentials"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials"); List> could_creds = KnownFileCredsInfo.ListCloudCreds(); if (could_creds.Count != 0) { @@ -382,7 +382,7 @@ void PrintPossCredsRegs() string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" }; Beaprint.MainPrint("Looking for possible regs with creds"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry"); string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password"); if (!string.IsNullOrEmpty(winVnc4.Trim())) 
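Review bot: In the CloudInfo.cs hunk, the colour-map key `"Learn & practice cloud hacking in"` does not occur in the string passed to `Beaprint.AnsiPrint`, which reads `"Learn and practice cloud hacking in training.hacktricks.wiki"`, so only the domain key can match. This assumes AnsiPrint colours text that matches the dictionary keys, which is not visible here. Since the commit already touches both neighbouring lines, align the key with the printed text: `{ "Learn and practice cloud hacking in", Beaprint.ansi_color_yellow },`. `PrintInfo` continues outside the hunk.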
@@ -431,7 +431,7 @@ void PrintUserCredsFiles() }; Beaprint.MainPrint("Looking for possible password files in users homes"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials"); var fileInfos = SearchHelper.SearchUserCredsFiles(); foreach (var fileInfo in fileInfos) @@ -470,7 +470,7 @@ void PrintRecycleBin() }; Beaprint.MainPrint("Looking inside the Recycle Bin for creds files"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials"); List> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin(); foreach (Dictionary rec_file in recy_files) @@ -506,7 +506,7 @@ void PrintUsersInterestingFiles() }; Beaprint.MainPrint("Searching known files that can contain creds in home"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials"); var files = SearchHelper.SearchUsersInterestingFiles(); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs index a6d4ced2f..be96378f8 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs 
@@ -24,7 +24,7 @@ void PrintInterestingProcesses() try { Beaprint.MainPrint("Interesting Processes -non Microsoft-"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running"); List> processesInfo = ProcessesInfo.GetProcInfo(); foreach (Dictionary procInfo in processesInfo) @@ -93,7 +93,7 @@ void PrintVulnLeakedHandlers() try { Beaprint.MainPrint("Vulnerable Leaked Handlers"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers"); List> vulnHandlers = new List>(); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs index ddfdf4763..739be635c 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs @@ -42,7 +42,7 @@ void PrintInterestingServices() try { Beaprint.MainPrint("Interesting Services -non Microsoft-"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths"); List> services_info = ServicesInfoHelper.GetNonstandardServices(); 
@@ -121,7 +121,7 @@ void PrintModifiableServices() try { Beaprint.MainPrint("Modifiable Services"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can modify any service"); if (modifiableServices.Count > 0) { Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:"); @@ -158,7 +158,7 @@ void PrintWritableRegServices() try { Beaprint.MainPrint("Looking if you can modify any service registry"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions", "Check if you can modify the registry of a service"); List> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs); Dictionary colorsWR = new Dictionary() @@ -186,7 +186,7 @@ void PrintPathDllHijacking() try { Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking", "Check for DLL Hijacking in PATH folders"); Dictionary path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking(); foreach (KeyValuePair entry in path_dllhijacking) { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs index 41260ec45..5d6b00a30 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs 
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs @@ -98,7 +98,7 @@ private static void PrintBasicSystemInfo() try { Beaprint.MainPrint("Basic System Information"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits", "Check if the Windows versions is vulnerable to some known exploit"); Dictionary basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo(); basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR; Dictionary colorsSI = new Dictionary @@ -337,7 +337,7 @@ void PrintLAPSInfo() static void PrintWdigest() { Beaprint.MainPrint("Wdigest"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest", "If enabled, plain-text crds could be stored in LSASS"); string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential"); if (useLogonCredential == "1") Beaprint.BadPrint(" Wdigest is active"); 
@@ -348,7 +348,7 @@ static void PrintWdigest() static void PrintLSAProtection() { Beaprint.MainPrint("LSA Protection"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)"); string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL"); if (useLogonCredential == "1") Beaprint.GoodPrint(" LSA Protection is active"); @@ -359,7 +359,7 @@ static void PrintLSAProtection() static void PrintCredentialGuard() { Beaprint.MainPrint("Credentials Guard"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard", "If enabled, a driver is needed to read LSASS memory"); string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags"); if (lsaCfgFlags == "1") 
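Review bot: The `PrintCredentialGuard` link is the only rewritten URL in this commit without the `/en/` prefix and `.html` suffix: `https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard`. Every other new link has the form `https://book.hacktricks.wiki/en/<page>.html#<fragment>`, so this one presumably does not reach the intended section. Following that pattern it would be `https://book.hacktricks.wiki/en/windows-hardening/stealing-credentials/credentials-protections.html#credentials-guard`, to be verified against the rendered page. The neighbouring Wdigest, LSA Protection and Cached Creds links were also moved to the privilege-escalation index page while this one stayed on credentials-protections, so check which target is meant. The function body continues outside the hunk.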
@@ -384,7 +384,7 @@ static void PrintCachedCreds() { try{ Beaprint.MainPrint("Cached Creds"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user"); string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT"); if (!string.IsNullOrEmpty(cachedlogonscount)) { @@ -526,7 +526,7 @@ static void PrintUACInfo() try { Beaprint.MainPrint("UAC Status"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss", "If you are in the Administrators group check how to bypass the UAC"); Dictionary uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies(); Dictionary colorsSI = new Dictionary() @@ -559,7 +559,7 @@ static void PrintWSUS() try { Beaprint.MainPrint("Checking WSUS"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus"); string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate"; string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU"; string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer"); 
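Review bot: The new fragment in `PrintUACInfo`, `#from-administrator-medium-to-high-integrity-level--uac-bypasss`, ends in a tripled `s`, and the `PrintKrbRelayUp` hunk further down uses `#krbrelayupp` with a doubled `p`; both look like typos. A fragment that matches no heading silently loads the top of the page, so the tool's output loses its pointer to the relevant section with no error. These may mirror slugs the target site really generates, so confirm each against the rendered page and add a short comment if the odd spelling is intentional. Both function bodies continue outside their hunks.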
@@ -594,7 +594,7 @@ static void PrintKrbRelayUp() try { Beaprint.MainPrint("Checking KrbRelayUp"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayupp"); if (Checks.CurrentAdDomainName.Length > 0) { @@ -640,7 +640,7 @@ static void PrintAlwaysInstallElevated() try { Beaprint.MainPrint("Checking AlwaysInstallElevated"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated"); string path = "Software\\Policies\\Microsoft\\Windows\\Installer"; string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated"); string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated"); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs index e8a2fa245..350e525b1 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs @@ -78,7 +78,7 @@ void PrintCU() try { Beaprint.MainPrint("Users"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups", "Check if you have some admin equivalent privileges"); List usersGrps = User.GetMachineUsers(false, false, false, false, true); 
@@ -109,7 +109,7 @@ void PrintTokenP() try { Beaprint.MainPrint("Current Token privileges"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation", "Check if you can escalate privilege using some enabled token"); Dictionary tokenPrivs = Token.GetTokenGroupPrivs(); Beaprint.DictPrint(tokenPrivs, ColorsU(), false); } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs index c6ec4c766..bd259700d 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs @@ -48,7 +48,7 @@ private static void PrintVaultCreds() try { Beaprint.MainPrint("Checking Windows Vault"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault"); var vaultCreds = VaultCli.DumpVault(); var colorsC = new Dictionary() @@ -68,7 +68,7 @@ private static void PrintCredentialManager() try { Beaprint.MainPrint("Checking Credential manager"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault"); var colorsC = new Dictionary() { 
@@ -153,7 +153,7 @@ private static void PrintDPAPIMasterKeys() try { Beaprint.MainPrint("Checking for DPAPI Master Keys"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi"); var masterKeys = KnownFileCredsInfo.ListMasterKeys(); if (masterKeys.Count != 0) @@ -181,7 +181,7 @@ private static void PrintDpapiCredFiles() try { Beaprint.MainPrint("Checking for DPAPI Credential Files"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi"); var credFiles = KnownFileCredsInfo.GetCredFiles(); Beaprint.DictPrint(credFiles, false); @@ -201,7 +201,7 @@ private static void PrintRCManFiles() try { Beaprint.MainPrint("Checking for RDCMan Settings Files"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager", + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager", "Dump credentials from Remote Desktop Connection Manager"); var rdcFiles = RemoteDesktop.GetRDCManFiles(); Beaprint.DictPrint(rdcFiles, false); @@ -222,7 +222,7 @@ private static void PrintKerberosTickets() try { Beaprint.MainPrint("Looking for Kerberos tickets"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html"); var kerberosTickets = Kerberos.ListKerberosTickets(); Beaprint.DictPrint(kerberosTickets, false); 
@@ -307,7 +307,7 @@ private static void PrintAppCmd() try { Beaprint.MainPrint("Looking AppCmd.exe"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe"); var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe"); @@ -368,7 +368,7 @@ private static void PrintSCClient() try { Beaprint.MainPrint("Looking SSClient.exe"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm"); if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe"))) { diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs index fe66bd9f6..8122cbd0b 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs @@ -81,7 +81,7 @@ public static void PrintMarketingBanner() /---------------------------------------------------------------------------------\ | {1}Do you like PEASS?{0} | |---------------------------------------------------------------------------------| - | {3}Learn Cloud Hacking{0} : {2}training.hacktricks.xyz{0} | + | {3}Learn Cloud Hacking{0} : {2}training.hacktricks.wiki{0} | | {3}Follow on Twitter{0} : {2}@hacktricks_live{0} | | {3}Respect on HTB{0} : {2}SirBroccoli {0} | |---------------------------------------------------------------------------------| 
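Review bot: The existence test in PrintSCClient expands `%systemroot%\Windows\CCM\SCClient.exe`, and since `%systemroot%` normally already resolves to the Windows directory, the resulting path contains `Windows` twice. The check would then presumably stay silent even on hosts where the client is installed. If that reading is right, the line should be `if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\CCM\SCClient.exe")))`. The section title also prints `SSClient.exe` while the method is named PrintSCClient; `Beaprint.MainPrint("Looking SCClient.exe");` would match. Both are context lines the commit leaves untouched, and the method body continues past the hunk.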
@@ -104,7 +104,7 @@ public static void PrintInit() PrintLegend(); Console.WriteLine(); - Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation"); + Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html"); } static void PrintLegend() diff --git a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs index f6f0fd265..c04881807 100644 --- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs 
@@ -112,7 +112,7 @@ public static string StaticSID2GroupName(string SID)
 { "520", "Group Policy Creator Owners" }, //A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
 { "521", "Read-only Domain Controllers" }, //A global group. Members of this group are read-only domain controllers in the domain.
 { "522", "Cloneable Domain Controllers" }, //A global group. Members of this group that are domain controllers may be cloned.
- { "525", "Protected Users" }, //https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#protected-users
+ { "525", "Protected Users" }, //https://book.hacktricks.wiki/en/windows-hardening/stealing-credentials/credentials-protections.html#protected-users
 { "526", "Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
 { "527", "Enterprise Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
 { "553", "RAS and IAS Servers" }, //A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs index d79cbdfbb..03697cef9 100644 --- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs +++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs @@ -27,7 +27,7 @@ private static void PrintDBsChrome() try { Beaprint.MainPrint("Looking for Chrome DBs"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history"); Dictionary chromeDBs = GetChromeDbs(); if (chromeDBs.ContainsKey("userChromeCookiesPath")) @@ -59,7 +59,7 @@ private static void PrintHistBookChrome() try { Beaprint.MainPrint("Looking for GET credentials in Chrome history"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history"); Dictionary> chromeHistBook = GetChromeHistBook(); List history = chromeHistBook["history"]; List bookmarks = chromeHistBook["bookmarks"]; diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs index 31d6c61f5..ddb81f414 100644 --- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs +++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs 
@@ -28,7 +28,7 @@ private static void PrintDBsFirefox() try { Beaprint.MainPrint("Looking for Firefox DBs"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history"); List firefoxDBs = GetFirefoxDbs(); if (firefoxDBs.Count > 0) { @@ -55,7 +55,7 @@ private static void PrintHistFirefox() try { Beaprint.MainPrint("Looking for GET credentials in Firefox history"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history"); List history = GetFirefoxHistory(); if (history.Count > 0) { diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs index af229dabc..a887708e8 100644 --- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs +++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs @@ -29,7 +29,7 @@ private static void PrintCurrentIETabs() try { Beaprint.MainPrint("Current IE tabs"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history"); List urls = GetCurrentIETabs(); Dictionary colorsB = new Dictionary() 
@@ -50,7 +50,7 @@ private static void PrintHistFavIE() try { Beaprint.MainPrint("Looking for GET credentials in IE history"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history"); Dictionary> ieHistoryBook = GetIEHistFav(); List history = ieHistoryBook["history"]; List favorites = ieHistoryBook["favorites"]; diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs index 7e4ef57ac..9d9b0d427 100644 --- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs +++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs @@ -57,7 +57,7 @@ private static void PrintSSHKeysReg() try { Beaprint.MainPrint("SSH keys in registry"); - Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys"); + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys"); string[] ssh_reg = RegistryHelper.GetRegSubkeys("HKCU", @"OpenSSH\Agent\Keys"); if (ssh_reg.Length == 0) diff --git a/winPEAS/winPEASps1/README.md b/winPEAS/winPEASps1/README.md index ddf3fc8b4..6475870ce 100755 --- a/winPEAS/winPEASps1/README.md +++ b/winPEAS/winPEASps1/README.md 
@@ -2,9 +2,9 @@ ![](https://github.com/peass-ng/PEASS-ng/raw/master/winPEAS/winPEASexe/images/winpeas.png) -**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)** +**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html)** -Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)** +Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.wiki](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html)** ## Mantainer diff --git a/winPEAS/winPEASps1/winPEAS.ps1 b/winPEAS/winPEASps1/winPEAS.ps1 index bd00e81b7..6ab50c3f0 100644 --- a/winPEAS/winPEASps1/winPEAS.ps1 +++ b/winPEAS/winPEASps1/winPEAS.ps1 @@ -556,7 +556,7 @@ Write-Host -ForegroundColor yellow "Indicates links" Write-Host -ForegroundColor Blue "Indicates title" -Write-Host "You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation" -ForegroundColor Yellow +Write-Host "You can find a Windows local PE Checklist here: https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html" -ForegroundColor Yellow #write-host "Creating Dynamic lists, this could take a while, please wait..." #write-host "Loading sensitive_files yaml definitions file..." #write-host "Loading regexes yaml definitions file..." 
@@ -875,7 +875,7 @@ if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| UAC Settings" if ((Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA -eq 1) { Write-Host "EnableLUA is equal to 1. Part or all of the UAC components are on." - Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access" -ForegroundColor Yellow + Write-Host "https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access" -ForegroundColor Yellow } else { Write-Host "EnableLUA value not equal to 1" } 
@@ -917,13 +917,13 @@ Write-Host "Checking Windows Installer Registry (will populate if the key exists if ((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1) { Write-Host "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer).AlwaysInstallElevated = 1" -ForegroundColor red Write-Host "Try msfvenom msi package to escalate" -ForegroundColor red - Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#metasploit-payloads" -ForegroundColor Yellow + Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#metasploit-payloads" -ForegroundColor Yellow } if ((Get-ItemProperty HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer -ErrorAction SilentlyContinue).AlwaysInstallElevated -eq 1) { Write-Host "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer).AlwaysInstallElevated = 1" -ForegroundColor red Write-Host "Try msfvenom msi package to escalate" -ForegroundColor red - Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#metasploit-payloads" -ForegroundColor Yellow + Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#metasploit-payloads" -ForegroundColor Yellow } 
@@ -995,7 +995,7 @@ if ( Test-Path HKLM:\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ Write-Host "" if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| WSUS check for http and UseWAServer = 1, if true, might be vulnerable to exploit" -Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus" -ForegroundColor Yellow +Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus" -ForegroundColor Yellow if (Test-Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) { Get-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate } @@ -1123,7 +1123,7 @@ Write-Host "" if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| STARTUP APPLICATIONS Vulnerable Check" "Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary" -Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup" -ForegroundColor Yellow +Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup" -ForegroundColor Yellow @("C:\Documents and Settings\All Users\Start Menu\Programs\Startup", "C:\Documents and Settings\$env:Username\Start Menu\Programs\Startup", 
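Review bot: The section heading printed just above the updated WSUS link names `UseWAServer`, but the Windows Update policy value that pairs with an `http://` `WUServer` is `UseWUServer`. Anyone searching the registry or a GPO report for the printed name will find nothing. The heading should read `"=========|| WSUS check for http and UseWUServer = 1, if true, might be vulnerable to exploit"`. The visible lines only dump the WindowsUpdate key with `Get-Item`; whether the two values are evaluated further down cannot be seen from this hunk.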
@@ -1322,9 +1322,9 @@ if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| WHOAMI INFO" Write-Host "" if ($TimeStamp) { TimeElapsed } -Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens" -ForegroundColor yellow +Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#abusing-tokens" -ForegroundColor yellow Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege" -Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups" -ForegroundColor Yellow +Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups" -ForegroundColor Yellow Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow @@ -1349,7 +1349,7 @@ Write-Host "" if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| APPcmd Check" if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) { - Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe" -ForegroundColor Yellow + Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe" -ForegroundColor Yellow Write-Host "$Env:SystemRoot\System32\inetsrv\appcmd.exe exists!" -ForegroundColor Red } 
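Review bot: The rewritten "Check Token access here" line still passes `-ForegroundColor` twice, `Blue` before the string and `yellow` after it. PowerShell rejects that with a parameter-binding error (parameter specified more than once), so the link this commit updates is never printed. Keep a single colour, as the other link lines in this file do: `Write-Host "=========|| Check Token access here: <URL from this hunk>" -ForegroundColor Yellow`. The next context line also spells the privilege `SeDebbugPrivilege`; the Windows name is `SeDebugPrivilege`, which matters to anyone grepping the output.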
@@ -1400,7 +1400,7 @@ if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| ENVIRONMENT VARIABLES " Write-Host "Maybe you can take advantage of modifying/creating a binary in some of the following locations" Write-Host "PATH variable entries permissions - place binary or DLL to execute instead of legitimate" -Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking" -ForegroundColor Yellow +Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking" -ForegroundColor Yellow Get-ChildItem env: | Format-Table -Wrap @@ -1418,7 +1418,7 @@ if (Test-Path "C:\Users\$env:USERNAME\AppData\Local\Packages\Microsoft.Microsoft Write-Host "" if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| Cached Credentials Check" -Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault" -ForegroundColor Yellow +Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#windows-vault" -ForegroundColor Yellow cmdkey.exe /list @@ -1426,7 +1426,7 @@ Write-Host "" if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| Checking for DPAPI RPC Master Keys" Write-Host "Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt" -Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi" -ForegroundColor Yellow +Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi" -ForegroundColor Yellow $appdataRoaming = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\" $appdataLocal = "C:\Users\$env:USERNAME\AppData\Local\Microsoft\" 
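Review bot: The "Cached Credentials Check" link keeps the fragment `#windows-vault`, while the C# checks in WindowsCreds.cs were moved to `#credentials-manager--windows-vault` on the same page for the same topic. The fragment here was carried over unchanged from the old site, so it may no longer match a heading on the new one. Using `.../windows-local-privilege-escalation/index.html#credentials-manager--windows-vault` would at least keep the two tools consistent. This is inferred from the visible strings only and should be confirmed against the rendered page.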
@@ -1449,7 +1449,7 @@ if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| Checking for DPAPI Cred Master Keys" Write-Host "Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt" Write-Host "You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module" -Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi" -ForegroundColor Yellow +Write-Host "https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi" -ForegroundColor Yellow if ( Test-Path "$appdataRoaming\Credentials\") { Get-ChildItem -Path "$appdataRoaming\Credentials\" -Force