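--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,5 @@
 linPEAS/linpeas.sh
 sh2bin
 sh2bin/*
+.dccache
+./*/.dccache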
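Review bot: The added `./*/.dccache` pattern most likely matches nothing: gitignore syntax has no `./` prefix, and a pattern containing a slash is anchored to the directory holding the .gitignore, so its first component would have to be a directory literally named `.`. The `.dccache` line added just above already ignores that file at any depth, so the second line appears redundant and can be dropped. If the intent was to ignore it one level deep only, `/*/.dccache` expresses that.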
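--- a/README.md
+++ b/README.md
@@ -12,10 +12,10 @@
 
 These tools search for possible **local privilege escalation paths** that you could exploit and print them to you **with nice colors** so you can recognize the misconfigurations easily.
 
-- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)**
+- Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
 - **[WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) - Windows local Privilege Escalation Awesome Script (C#.exe and .bat)**
 
-- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**
+- Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**
 - **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
 
 ## Quick Start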
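--- a/linPEAS/README.md
+++ b/linPEAS/README.md
@@ -2,9 +2,9 @@
 
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/images/linpeas.png)
 
-**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/privilege-escalation)**
+**LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix\*/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)**
 
-Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**.
+Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)**.
 
 [![asciicast](https://asciinema.org/a/250532.png)](https://asciinema.org/a/309566)
 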
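--- a/linPEAS/builder/linpeas_parts/1_system_information.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information.sh
@@ -4,7 +4,7 @@
 
 #-- SY) OS
 print_2title "Operative system"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
 (cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
 warn_exec lsb_release -a 2>/dev/null
 if [ "$MACPEAS" ]; then
@@ -15,7 +15,7 @@
 #-- SY) Sudo
 print_2title "Sudo version"
 if [ "$(command -v sudo 2>/dev/null)" ]; then
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version"
 sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"
 else echo_not_found "sudo"
 fi
@@ -51,7 +51,7 @@
 #--SY) USBCreator
 if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
  print_2title "USBCreator"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation"
 
  pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")
  if [ -z "$pc_version" ]; then
@@ -70,7 +70,7 @@
 
 #-- SY) PATH
 print_2title "PATH"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses"
 echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"
 echo "New path exported: $PATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\. ,${SED_RED_YELLOW},g"
 echo ""
@@ -130,7 +130,7 @@
 #-- SY) Dmesg
 if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$DEBUG" ]; then
  print_2title "Searching Signature verification failed in dmesg"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#dmesg-signature-verification-failed"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
  (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
  echo ""
 fi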
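--- a/linPEAS/builder/linpeas_parts/2_container.sh
+++ b/linPEAS/builder/linpeas_parts/2_container.sh
@@ -187,7 +187,7 @@
 if [ "$inContainer" ]; then
  echo ""
  print_2title "Container & breakout enumeration"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout"
  print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')"
  if echo "$containerType" | grep -qi "docker"; then
  print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"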
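--- a/linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh
+++ b/linPEAS/builder/linpeas_parts/3_procs_crons_timers_srvcs_sockets.sh
@@ -8,7 +8,7 @@
 if [ "$NOUSEPS" ]; then
  printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
 fi
-print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
+print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
 
 if [ "$NOUSEPS" ]; then
  print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
@@ -29,7 +29,7 @@
 
  #-- PCS) Binary processes permissions
  print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
  binW="IniTialiZZinnggg"
  ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
  if [ -w "$bpath" ]; then
@@ -50,7 +50,7 @@
 
 #-- PCS) Processes with credentials inside memory
 print_2title "Processes with credentials in memory (root req)"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#credentials-from-process-memory"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
 if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
 if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
 if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
@@ -62,7 +62,7 @@
 #-- PCS) Different processes 1 min
 if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
  print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#frequent-cron-jobs"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
  temp_file=$(mktemp)
  if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
  echo ""
@@ -70,7 +70,7 @@
 
 #-- PCS) Cron
 print_2title "Cron jobs"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
 command -v crontab 2>/dev/null || echo_not_found "crontab"
 crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
 command -v incrontab 2>/dev/null || echo_not_found "incrontab"
@@ -131,7 +131,7 @@
 
 #-- PSC) systemd PATH
 print_2title "Systemd PATH"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#systemd-path-relative-paths"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
 systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
 WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
 echo ""
@@ -139,7 +139,7 @@
 #-- PSC) .service files
 #TODO: .service files in MACOS are folders
 print_2title "Analyzing .service files"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#services"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
 printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
  if [ ! -O "$s" ]; then #Remove services that belongs to the current user
  if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
@@ -167,13 +167,13 @@
 
 #-- PSC) Timers
 print_2title "System timers"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
 (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
 echo ""
 
 #-- PSC) .timer files
 print_2title "Analyzing .timer files"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#timers"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
 printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
  if ! [ "$IAMROOT" ] && [ -w "$t" ]; then
  echo "$t" | sed -${E} "s,.*,${SED_RED},g"
@@ -195,7 +195,7 @@
 #TODO: .socket files in MACOS are folders
 if ! [ "$IAMROOT" ]; then
  print_2title "Analyzing .socket files"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
  printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
  if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
  echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
@@ -214,15 +214,15 @@
  done
  done
  if ! [ "$IAMROOT" ] && [ -w "/var/run/docker.sock" ]; then
- echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
+ echo "Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
  fi
  if ! [ "$IAMROOT" ] && [ -w "/run/docker.sock" ]; then
- echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
+ echo "Docker socket /run/docker.sock is writable (https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-docker-socket)" | sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"
  fi
  echo ""
 
  print_2title "Unix Sockets Listening"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sockets"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
  # Search sockets using netstat and ss
  unix_scks_list=$(ss -xlp -H state listening 2>/dev/null | grep -Eo "/.* " | cut -d " " -f1)
  if ! [ "$unix_scks_list" ];then
@@ -262,7 +262,7 @@
 
 #-- PSC) Writable and weak policies in D-Bus config files
 print_2title "D-Bus config files"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
 if [ "$PSTORAGE_DBUS" ]; then
  printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
  for f in $d/*; do
@@ -289,7 +289,7 @@
 echo ""
 
 print_2title "D-Bus Service Objects list"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#d-bus"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
 dbuslist=$(busctl list 2>/dev/null)
 if [ "$dbuslist" ]; then
  busctl list | while read line; do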
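Review bot: The changed `/run/docker.sock` echo line (new line 220) still pipes through `sed "s,/var/run/docker.sock is writable,${SED_RED_YELLOW},g"`, so the pattern never matches the text it prints and the finding is never highlighted; the commit updates the URL on that line but leaves the copy-pasted pattern from the `/var/run` branch above it. Change the pipe on that line to `sed "s,/run/docker.sock is writable,${SED_RED_YELLOW},g"`. The enclosing `if ! [ "$IAMROOT" ]` block starts outside the hunk.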
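--- a/linPEAS/builder/linpeas_parts/4_network_information.sh
+++ b/linPEAS/builder/linpeas_parts/4_network_information.sh
@@ -53,7 +53,7 @@
 
 #-- NI) Ports
 print_2title "Active Ports"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports"
 ( (netstat -punta || ss -nltpu || netstat -anv) | grep -i listen) 2>/dev/null | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},"
 echo ""
 
@@ -92,7 +92,7 @@
 print_2title "Can I sniff with tcpdump?"
 timeout 1 tcpdump >/dev/null 2>&1
 if [ $? -eq 124 ]; then #If 124, then timed out == It worked
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sniffing"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sniffing"
  echo "You can sniff with tcpdump!" | sed -${E} "s,.*,${SED_RED},"
 else echo_no
 fi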
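--- a/linPEAS/builder/linpeas_parts/5_users_information.sh
+++ b/linPEAS/builder/linpeas_parts/5_users_information.sh
@@ -4,7 +4,7 @@
 
 #-- UI) My user
 print_2title "My user"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#users"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users"
 (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
 echo ""
 
@@ -59,7 +59,7 @@
 
 #-- UI) Sudo -l
 print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
 (echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
 if [ "$PASSWORD" ]; then
  (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "sudo"
@@ -78,7 +78,7 @@
 
 #-- UI) Sudo tokens
 print_2title "Checking sudo tokens"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#reusing-sudo-tokens"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens"
 ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
 if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then echo "ptrace protection is disabled (0)" | sed "s,is disabled,${SED_RED},g";
 else echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";
@@ -117,7 +117,7 @@
 
 #-- UI) Pkexec policy
 print_2title "Checking Pkexec policy"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2"
 (cat /etc/polkit-1/localauthority.conf.d/* 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED}," | sed -${E} "s,$groupsVB,${SED_RED}," | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,$USER,${SED_RED_YELLOW}," | sed -${E} "s,$Groups,${SED_RED_YELLOW},") || echo_not_found "/etc/polkit-1/localauthority.conf.d"
 echo ""
 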
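--- a/linPEAS/builder/linpeas_parts/6_software_information.sh
+++ b/linPEAS/builder/linpeas_parts/6_software_information.sh
@@ -306,7 +306,7 @@
 klist_exists="$(command -v klist)"
 if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
  print_2title "Searching kerberos conf files and tickets"
- print_info "http://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-active-directory"
+ print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
 
  if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
  if [ "$klist_exists" ] && [ -x "$klist_exists" ]; then echo "klist execution"; klist; fi
@@ -398,7 +398,7 @@
 #-- SI) Screen sessions
 if [ "$screensess" ] || [ "$screensess2" ] || [ "$DEBUG" ]; then
  print_2title "Searching screen sessions"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
  screensess=$(screen -ls 2>/dev/null)
  screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null)
 
@@ -417,7 +417,7 @@
 tmuxsess2=$(find /tmp -type d -path "/tmp/tmux-*" 2>/dev/null)
 if [ "$tmuxdefsess" ] || [ "$tmuxnondefsess" ] || [ "$tmuxsess2" ] || [ "$DEBUG" ]; then
  print_2title "Searching tmux sessions"$N
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-shell-sessions"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions"
  tmux -V
  printf "$tmuxdefsess\n$tmuxnondefsess\n$tmuxsess2" | sed -${E} "s,.*,${SED_RED}," | sed -${E} "s,no server running on.*,${C}[32m&${C}[0m,"
 
@@ -544,7 +544,7 @@
 containerd=$(command -v ctr)
 if [ "$containerd" ] || [ "$DEBUG" ]; then
  print_2title "Checking if containerd(ctr) is available"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
  if [ "$containerd" ]; then
  echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
  ctr image list
@@ -556,7 +556,7 @@
 runc=$(command -v runc)
 if [ "$runc" ] || [ "$DEBUG" ]; then
  print_2title "Checking if runc is available"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation"
  if [ "$runc" ]; then
  echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
  fi
@@ -566,7 +566,7 @@
 #-- SI) Docker
 if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
  print_2title "Searching docker files (limit 70)"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation"
  printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
  ls -l "$f" 2>/dev/null
  if ! [ "$IAMROOT" ] && [ -S "$f" ] && [ -w "$f" ]; then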
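Review bot: The kerberos `print_info` line (new line 309) keeps the plain `http://` scheme while every other link touched by this commit uses `https://`; since the URL is printed for the operator to open, the cleartext scheme only works through a redirect and is inconsistent with the rest of the file. Suggest `print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"`. The enclosing `if` block continues outside the hunk.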
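--- a/linPEAS/builder/linpeas_parts/7_interesting_files.sh
+++ b/linPEAS/builder/linpeas_parts/7_interesting_files.sh
@@ -18,7 +18,7 @@
 
 ##-- IF) SUID
 print_2title "SUID - Check easy privesc, exploits and write perms"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
 if ! [ "$STRINGS" ]; then
  echo_not_found "strings"
 fi
@@ -90,7 +90,7 @@
 
 ##-- IF) SGID
 print_2title "SGID"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid"
 sgids_files=$(find / -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
 for s in $sgids_files; do
  s=$(ls -lahtr "$s")
@@ -150,7 +150,7 @@
 
 ##-- IF) Misconfigured ld.so
 print_2title "Checking misconfigurations of ld.so"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#ld-so"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so"
 printf $ITALIC"/etc/ld.so.conf\n"$NC;
 cat /etc/ld.so.conf 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
 cat /etc/ld.so.conf 2>/dev/null | while read l; do
@@ -169,7 +169,7 @@
 
 ##-- IF) Capabilities
 print_2title "Capabilities"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
 echo "Current capabilities:"
 (capsh --print 2>/dev/null | grep "Current:" | sed -${E} "s,$capsB,${SED_RED_YELLOW}," ) || echo_not_found "capsh"
 (cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status"
@@ -205,7 +205,7 @@
 ##-- IF) Users with capabilities
 if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ]; then
  print_2title "Users with capabilities"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities"
  if [ -f "/etc/security/capability.conf" ]; then
  grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
  else echo_not_found "/etc/security/capability.conf"
@@ -215,7 +215,7 @@
 
 ##-- IF) Files with ACLs
 print_2title "Files with ACLs (limited to 50)"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls"
 ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED},"
 
 if [ "$MACPEAS" ] && ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$(command -v getfacl)" ]; then #Find ACL files in macos (veeeery slow)
@@ -233,7 +233,7 @@
 
 ##-- IF) .sh files in PATH
 print_2title ".sh files in path"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path"
 echo $PATH | tr ":" "\n" | while read d; do
  for f in $(find "$d" -name "*.sh" 2>/dev/null); do
  if ! [ "$IAMROOT" ] && [ -O "$f" ]; then
@@ -280,7 +280,7 @@
 
 ##-- IF) Files (scripts) in /etc/profile.d/
 print_2title "Files (scripts) in /etc/profile.d/"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#profiles-files"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files"
 if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
  (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
  check_critial_root_path "/etc/profile"
@@ -290,7 +290,7 @@
 
  ##-- IF) Files (scripts) in /etc/init.d/
 print_2title "Permissions in init, init.d, systemd, and rc.d"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d"
 if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
  check_critial_root_path "/etc/init/"
  check_critial_root_path "/etc/init.d/"
@@ -381,7 +381,7 @@
 
 ##-- IF) Writable log files
 print_2title "Writable log files (logrotten) (limit 100)"
-print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#logrotate-exploitation"
+print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation"
 logrotate --version 2>/dev/null || echo_not_found "logrotate"
 lastWlogFolder="ImPOsSiBleeElastWlogFolder"
 logfind=$(find / -type f -name "*.log" -o -name "*.log.*" 2>/dev/null | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 3){ print line_init; }; if (cont == "3"){print "#)You_can_write_more_log_files_inside_last_directory"}; pre=act}' | head -n 100)
@@ -520,7 +520,7 @@
 ##-- IF) Interesting writable files by ownership or all
 if ! [ "$IAMROOT" ]; then
  print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 500)"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
  #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
  obmowbe=$(find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
  printf "%s\n" "$obmowbe" | while read entry; do
@@ -537,7 +537,7 @@
 ##-- IF) Interesting writable files by group
 if ! [ "$IAMROOT" ]; then
  print_2title "Interesting GROUP writable files (not in Home) (max 500)"
- print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files"
+ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files"
  for g in $(groups); do
  iwfbg=$(find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n500)
  if [ "$iwfbg" ] || [ "$DEBUG" ]; then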
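--- a/linPEAS/builder/linpeas_parts/linpeas_base.sh
+++ b/linPEAS/builder/linpeas_parts/linpeas_base.sh
@@ -237,7 +237,7 @@
 echo ""
 printf ${YELLOW}"ADVISORY: ${BLUE}$ADVISORY\n$NC"
 echo ""
-printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist\n"$NC
+printf ${BLUE}"Linux Privesc Checklist: ${YELLOW}https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist\n"$NC
 echo " LEGEND:" | sed "s,LEGEND,${C}[1;4m&${C}[0m,"
 echo " RED/YELLOW: 95% a PE vector" | sed "s,RED/YELLOW,${SED_RED_YELLOW},"
 echo " RED: You should take a look to it" | sed "s,RED,${SED_RED},"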
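--- a/parsers/README.md
+++ b/parsers/README.md
@@ -38,7 +38,7 @@
  }
  ],
  "infos": [
-"https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits"
+"https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
  ]
  },
  "infos": []
@@ -65,7 +65,7 @@
  }
  ],
  "infos": [
-"https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits"
+"https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits"
  ]
  },
  "infos": []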
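--- a/winPEAS/README.md
+++ b/winPEAS/README.md
@@ -2,9 +2,9 @@
 
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)**
+Check the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
 
-Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
+Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
 
 ## Quick Start
 Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.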
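--- a/winPEAS/winPEASbat/README.md
+++ b/winPEAS/winPEASbat/README.md
@@ -2,9 +2,9 @@
 
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-**WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
+**WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
 
-Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)
+Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
 
 ### WinPEAS.bat is a batch script made for Windows systems which don't support WinPEAS.exe (Net.4 required)
 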
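--- a/winPEAS/winPEASbat/winPEAS.bat
+++ b/winPEAS/winPEASbat/winPEAS.bat
@@ -55,7 +55,7 @@
 CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
 ECHO. [i] Check for vulnerabilities for the OS version with the applied patches
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
 systeminfo
 ECHO.
 CALL :T_Progress 2
@@ -174,7 +174,7 @@
 :UACSettings
 CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
 ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
 ECHO.
 CALL :T_Progress 1
@@ -225,7 +225,7 @@
 :InstalledSoftware
 CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
 ECHO. [i] Some weird software? Check for vulnerabilities in unknow software installed
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
 ECHO.
 dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
@@ -236,7 +236,7 @@
 
 :RemodeDeskCredMgr
 CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
 IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
 ECHO.
 CALL :T_Progress 1
@@ -244,7 +244,7 @@
 :WSUS
 CALL :ColorLine " %E%33m[+]%E%97m WSUS"
 ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
 reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
 ECHO.
 CALL :T_Progress 1
@@ -252,7 +252,7 @@
 :RunningProcesses
 CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
 ECHO. [i] Something unexpected is running? Check for vulnerabilities
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
 tasklist /SVC
 ECHO.
 CALL :T_Progress 2
@@ -273,7 +273,7 @@
 :RunAtStartup
 CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
 ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
 ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
@@ -297,7 +297,7 @@
 :AlwaysInstallElevated
 CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
 ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 ECHO.
@@ -361,7 +361,7 @@
 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
 ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
 net user %username%
@@ -435,7 +435,7 @@
 
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
 for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
  for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 )
@@ -444,7 +444,7 @@
 
 :CheckRegistryModificationAbilities
 CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
 for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
 ECHO.
 CALL :T_Progress 1
@@ -453,7 +453,7 @@
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
 ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO. [i] The permissions are also checked and filtered using icacls
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
  for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
  ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
@@ -468,7 +468,7 @@
 CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
 ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
 ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
 ECHO.
 CALL :T_Progress 1
@@ -477,7 +477,7 @@
 CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
 cmdkey /list
 ECHO.
 CALL :T_Progress 2
@@ -485,14 +485,14 @@
 :DPAPIMasterKeys
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
 powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
 powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
 CALL :T_Progress 2
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
 ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
 ECHO.
 ECHO.Looking inside %appdata%\Microsoft\Credentials\
 ECHO.
@@ -566,6 +566,6 @@
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
 ECHO.
 CALL :T_Progress 2
@@ -573,7 +573,7 @@
 :RegFilesCredentials
 CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
 ECHO. [i] Searching specific files that may contains credentials.
-ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
+ECHO. [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
 ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
 reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
 CALL :T_Progress 2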
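--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -2,9 +2,9 @@
 
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
 
-Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)**
+Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
 
 [![youtube](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/screen.png)](https://youtu.be/66gOwXMnxRI)
 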
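--- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
@@ -56,7 +56,7 @@
  try
  {
  Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software", "Check if you can modify installed software");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software", "Check if you can modify installed software");
  SortedDictionary<string, Dictionary<string, string>> installedAppsPerms = InstalledApps.GetInstalledAppsPerms();
  string format = " ==> {0} ({1})";
 
@@ -102,7 +102,7 @@
  try
  {
  Beaprint.MainPrint("Autorun Applications");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
  List<Dictionary<string, string>> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
 
  foreach (Dictionary<string, string> app in apps)
@@ -183,7 +183,7 @@
  try
  {
  Beaprint.MainPrint("Scheduled Applications --Non Microsoft--");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users scheduled binaries");
  List<Dictionary<string, string>> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft();
 
  foreach (Dictionary<string, string> sapp in scheduled_apps)
@@ -233,7 +233,7 @@
  {
  Beaprint.MainPrint("Device Drivers --Non Microsoft--");
  // this link is not very specific, but its the best on hacktricks
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers", "Check 3rd party drivers for known vulnerabilities/rootkits.");
 
  foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
  {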
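Review bot: The rewritten LinkPrint calls at lines 59, 105, 186 and 236 still embed the full `https://book.hacktricks.xyz/windows-hardening/...` string, and the same pattern is repeated in this commit's hunks for FilesInfo.cs, ProcessInfo.cs, ServicesInfo.cs and SystemInfo.cs. Since the `/windows/` to `/windows-hardening/` move had to be applied to every one of these literals by hand, a single `public const string HackTricksBaseUrl = "https://book.hacktricks.xyz";` (on Beaprint next to LinkPrint, or in a constants class the checks already share) used as `$"{HackTricksBaseUrl}/windows-hardening/windows-local-privilege-escalation#software"` would make the next site reorganisation a one-line change. The enclosing methods start and end outside these hunks.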
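--- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
@@ -151,7 +151,7 @@
  try
  {
  Beaprint.MainPrint("Cloud Credentials");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
  List<Dictionary<string, string>> could_creds = KnownFileCredsInfo.ListCloudCreds();
  if (could_creds.Count != 0)
  {
@@ -382,7 +382,7 @@
  string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" };
 
  Beaprint.MainPrint("Looking for possible regs with creds");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry");
 
  string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password");
  if (!string.IsNullOrEmpty(winVnc4.Trim()))
@@ -431,7 +431,7 @@
  };
 
  Beaprint.MainPrint("Looking for possible password files in users homes");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
  var fileInfos = SearchHelper.SearchUserCredsFiles();
 
  foreach (var fileInfo in fileInfos)
@@ -470,7 +470,7 @@
  };
 
  Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
  List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
 
  foreach (Dictionary<string, string> rec_file in recy_files)
@@ -506,7 +506,7 @@
  };
 
  Beaprint.MainPrint("Searching known files that can contain creds in home");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
 
  var files = SearchHelper.SearchUsersInterestingFiles();
 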
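--- a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
@@ -23,7 +23,7 @@
  try
  {
  Beaprint.MainPrint("Interesting Processes -non Microsoft-");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
  List<Dictionary<string, string>> processesInfo = ProcessesInfo.GetProcInfo();
 
  foreach (Dictionary<string, string> procInfo in processesInfo)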
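--- a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs
@@ -42,7 +42,7 @@
  try
  {
  Beaprint.MainPrint("Interesting Services -non Microsoft-");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
 
  List<Dictionary<string, string>> services_info = ServicesInfoHelper.GetNonstandardServices();
 
@@ -121,7 +121,7 @@
  try
  {
  Beaprint.MainPrint("Modifiable Services");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service");
  if (modifiableServices.Count > 0)
  {
  Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
@@ -158,7 +158,7 @@
  try
  {
  Beaprint.MainPrint("Looking if you can modify any service registry");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
  List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(winPEAS.Checks.Checks.CurrentUserSiDs);
 
  Dictionary<string, string> colorsWR = new Dictionary<string, string>()
@@ -186,7 +186,7 @@
  try
  {
  Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders");
  Dictionary<string, string> path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking();
  foreach (KeyValuePair<string, string> entry in path_dllhijacking)
  {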
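--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -97,7 +97,7 @@
  try
  {
  Beaprint.MainPrint("Basic System Information");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
  Dictionary<string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();
  basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR;
  Dictionary<string, string> colorsSI = new Dictionary<string, string>
@@ -340,7 +340,7 @@
  static void PrintWdigest()
  {
  Beaprint.MainPrint("Wdigest");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS");
  string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential");
  if (useLogonCredential == "1")
  Beaprint.BadPrint(" Wdigest is active");
@@ -351,7 +351,7 @@
  static void PrintLSAProtection()
  {
  Beaprint.MainPrint("LSA Protection");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)");
  string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL");
  if (useLogonCredential == "1")
  Beaprint.GoodPrint(" LSA Protection is active");
@@ -362,7 +362,7 @@
  static void PrintCredentialGuard()
  {
  Beaprint.MainPrint("Credentials Guard");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
  string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
 
  if (lsaCfgFlags == "1")
@@ -386,7 +386,7 @@
  static void PrintCachedCreds()
  {
  Beaprint.MainPrint("Cached Creds");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
  string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
  if (!string.IsNullOrEmpty(cachedlogonscount))
  {
@@ -523,7 +523,7 @@
  try
  {
  Beaprint.MainPrint("UAC Status");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
  Dictionary<string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
 
  Dictionary<string, string> colorsSI = new Dictionary<string, string>()
@@ -556,7 +556,7 @@
  try
  {
  Beaprint.MainPrint("Checking WSUS");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus");
  string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate";
  string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";
  string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer");
@@ -591,7 +591,7 @@
  try
  {
  Beaprint.MainPrint("Checking AlwaysInstallElevated");
- Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated");
+ Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated");
  string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
  string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
  string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");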
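--- a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs
@@ -80,7 +80,7 @@
 try
 {
 Beaprint.MainPrint("Users");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
 
 List<string> usersGrps = User.GetMachineUsers(false, false, false, false, true);
 
@@ -111,7 +111,7 @@
 try
 {
 Beaprint.MainPrint("Current Token privileges");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation", "Check if you can escalate privilege using some enabled token");
 Dictionary<string, string> tokenPrivs = Token.GetTokenGroupPrivs();
 Beaprint.DictPrint(tokenPrivs, ColorsU(), false);
 }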
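Review bot: The documentation base URL `https://book.hacktricks.xyz/windows-hardening/` is repeated as a literal in both `Beaprint.LinkPrint` calls changed here, and the same pattern recurs in WindowsCreds.cs, Beaprint.cs, SID2GroupNameHelper.cs, Chrome.cs, Firefox.cs, InternetExplorer.cs and Putty.cs, so the next path move on the book site again means editing every call site and it is easy to leave one stale. A single constant where `LinkPrint` lives, e.g. `public const string HackTricksBase = "https://book.hacktricks.xyz/windows-hardening/";`, with call sites passing `Beaprint.HackTricksBase + "windows-local-privilege-escalation#users-and-groups"`, would keep the links in one place. The enclosing methods start and end outside the shown hunks.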
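--- a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs
@@ -48,7 +48,7 @@
 try
 {
 Beaprint.MainPrint("Checking Windows Vault");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
 var vaultCreds = VaultCli.DumpVault();
 
 var colorsC = new Dictionary<string, string>()
@@ -68,7 +68,7 @@
 try
 {
 Beaprint.MainPrint("Checking Credential manager");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault");
 
 var colorsC = new Dictionary<string, string>()
 {
@@ -153,7 +153,7 @@
 try
 {
 Beaprint.MainPrint("Checking for DPAPI Master Keys");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
 var masterKeys = KnownFileCredsInfo.ListMasterKeys();
 
 if (masterKeys.Count != 0)
@@ -181,7 +181,7 @@
 try
 {
 Beaprint.MainPrint("Checking for DPAPI Credential Files");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi");
 var credFiles = KnownFileCredsInfo.GetCredFiles();
 Beaprint.DictPrint(credFiles, false);
 
@@ -201,7 +201,7 @@
 try
 {
 Beaprint.MainPrint("Checking for RDCMan Settings Files");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager",
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager",
 "Dump credentials from Remote Desktop Connection Manager");
 var rdcFiles = RemoteDesktop.GetRDCManFiles();
 Beaprint.DictPrint(rdcFiles, false);
@@ -307,7 +307,7 @@
 try
 {
 Beaprint.MainPrint("Looking AppCmd.exe");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe");
 
 var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
 
@@ -368,7 +368,7 @@
 try
 {
 Beaprint.MainPrint("Looking SSClient.exe");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm");
 
 if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe")))
 {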
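--- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
@@ -107,7 +107,7 @@
 
 PrintLegend();
 Console.WriteLine();
-LinkPrint("https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
+LinkPrint("https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
 }
 
 static void PrintLegend()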
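--- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs
@@ -113,7 +113,7 @@
 { "520", "Group Policy Creator Owners" }, //A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
 { "521", "Read-only Domain Controllers" }, //A global group. Members of this group are read-only domain controllers in the domain.
 { "522", "Cloneable Domain Controllers" }, //A global group. Members of this group that are domain controllers may be cloned.
-{ "525", "Protected Users" }, //https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#protected-users
+{ "525", "Protected Users" }, //https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#protected-users
 { "526", "Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
 { "527", "Enterprise Key Admins" }, //A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
 { "553", "RAS and IAS Servers" }, //A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.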
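--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs
@@ -26,7 +26,7 @@
 try
 {
 Beaprint.MainPrint("Looking for Chrome DBs");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 Dictionary<string, string> chromeDBs = Chrome.GetChromeDbs();
 
 if (chromeDBs.ContainsKey("userChromeCookiesPath"))
@@ -58,7 +58,7 @@
 try
 {
 Beaprint.MainPrint("Looking for GET credentials in Chrome history");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 Dictionary<string, List<string>> chromeHistBook = Chrome.GetChromeHistBook();
 List<string> history = chromeHistBook["history"];
 List<string> bookmarks = chromeHistBook["bookmarks"];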
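--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
@@ -28,7 +28,7 @@
 try
 {
 Beaprint.MainPrint("Looking for Firefox DBs");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 List<string> firefoxDBs = Firefox.GetFirefoxDbs();
 if (firefoxDBs.Count > 0)
 {
@@ -55,7 +55,7 @@
 try
 {
 Beaprint.MainPrint("Looking for GET credentials in Firefox history");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 List<string> firefoxHist = Firefox.GetFirefoxHistory();
 if (firefoxHist.Count > 0)
 {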
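--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs
@@ -29,7 +29,7 @@
 try
 {
 Beaprint.MainPrint("Current IE tabs");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 List<string> urls = InternetExplorer.GetCurrentIETabs();
 
 Dictionary<string, string> colorsB = new Dictionary<string, string>()
@@ -50,7 +50,7 @@
 try
 {
 Beaprint.MainPrint("Looking for GET credentials in IE history");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
 Dictionary<string, List<string>> chromeHistBook = InternetExplorer.GetIEHistFav();
 List<string> history = chromeHistBook["history"];
 List<string> favorites = chromeHistBook["favorites"];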
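--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs
@@ -57,7 +57,7 @@
 try
 {
 Beaprint.MainPrint("SSH keys in registry");
-Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");
+Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry", "If you find anything here, follow the link to learn how to decrypt the SSH keys");
 
 string[] ssh_reg = RegistryHelper.GetRegSubkeys("HKCU", @"OpenSSH\Agent\Keys");
 if (ssh_reg.Length == 0)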