Fix PR author detection for failure dispatch

2026-01-20 16:43:23 -08:00 · 2026-01-19 00:05:31 +01:00
14 changed files with 36 additions and 107 deletions
--- a/.github/workflows/pr-failure-codex-dispatch.yml
+++ b/.github/workflows/pr-failure-codex-dispatch.yml
@@ -26,15 +26,26 @@ jobs:
          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
          GH_TOKEN: ${{ github.token }}
        run: |
-          pr_author=$(gh api -H "Accept: application/vnd.github+json" \
-            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
-            --jq '.user.login')
-          pr_head_repo=$(gh api -H "Accept: application/vnd.github+json" \
-            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
-            --jq '.head.repo.full_name')
-          pr_head_branch=$(gh api -H "Accept: application/vnd.github+json" \
-            /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
-            --jq '.head.ref')
+          pr_json=$(gh api -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/pulls/${PR_NUMBER})
+          pr_author=$(printf "%s" "$pr_json" | python3 - <<'PY'
+          import json,sys
+          data=json.load(sys.stdin)
+          print(data.get("user",{}).get("login",""))
+          PY
+          )
+          pr_head_repo=$(printf "%s" "$pr_json" | python3 - <<'PY'
+          import json,sys
+          data=json.load(sys.stdin)
+          print(data.get("head",{}).get("repo",{}).get("full_name",""))
+          PY
+          )
+          pr_head_branch=$(printf "%s" "$pr_json" | python3 - <<'PY'
+          import json,sys
+          data=json.load(sys.stdin)
+          print(data.get("head",{}).get("ref",""))
+          PY
+          )
          {
            echo "number=${PR_NUMBER}"
            echo "author=${pr_author}"
@@ -144,9 +155,7 @@ jobs:
            echo "No changes to commit."
            exit 0
          fi
-          rm -f codex_failure_summary.txt codex_prompt.txt
          git add -A
-          git reset -- codex_failure_summary.txt codex_prompt.txt
          git commit -m "Fix CI failures for PR #${PR_NUMBER}"
          git push origin HEAD:${TARGET_BRANCH}

--- a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh
@@ -127,22 +127,6 @@ else
    if [ "$ptrace_scope" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$ptrace_scope" | sed -${E} "s,.*,${SED_GREEN},g"; fi
 fi

-print_list "protected_symlinks? ............ "$NC
-protected_symlinks=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)
-if [ -z "$protected_symlinks" ]; then
-    echo_not_found "/proc/sys/fs/protected_symlinks"
-else
-    if [ "$protected_symlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_symlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
-
-print_list "protected_hardlinks? ........... "$NC
-protected_hardlinks=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)
-if [ -z "$protected_hardlinks" ]; then
-    echo_not_found "/proc/sys/fs/protected_hardlinks"
-else
-    if [ "$protected_hardlinks" -eq 0 ]; then echo "0" | sed -${E} "s,0,${SED_RED},"; else echo "$protected_hardlinks" | sed -${E} "s,.*,${SED_GREEN},g"; fi
-fi
-
 print_list "perf_event_paranoid? ........... "$NC
 perf_event_paranoid=$(cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null)
 if [ -z "$perf_event_paranoid" ]; then
--- a/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh
+++ b/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh
@@ -4,7 +4,6 @@
 # Last Update: 07-03-2024
 # Description: Check for additional disk information and system resources relevant to privilege escalation:
 #   - Disk utilization
-#   - Inode usage
 #   - System resources
 #   - Storage statistics
 #   - Common vulnerable scenarios:
@@ -45,8 +44,4 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
    (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
    warn_exec free 2>/dev/null
    echo ""
-
-    print_2title "Inode usage"
-    warn_exec df -i 2>/dev/null
-    echo ""
-fi
+fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh
@@ -1,25 +0,0 @@
-# Title: Processes & Cron & Services & Timers - Deleted open files
-# ID: PR_Deleted_open_files
-# Author: Carlos Polop
-# Last Update: 2025-01-07
-# Description: Identify deleted files still held open by running processes
-# License: GNU GPL
-# Version: 1.0
-# Functions Used: print_2title, print_info
-# Global Variables: $DEBUG, $EXTRA_CHECKS, $E, $SED_RED
-# Initial Functions:
-# Generated Global Variables:
-# Fat linpeas: 0
-# Small linpeas: 1
-
-if [ "$(command -v lsof 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
-    print_2title "Deleted files still open"
-    print_info "Open deleted files can hide tools and still consume disk space"
-    lsof +L1 2>/dev/null | sed -${E} "s,\\(deleted\\),${SED_RED},g"
-    echo ""
-elif [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
-    print_2title "Deleted files still open"
-    print_info "lsof not found, scanning /proc for deleted file descriptors"
-    ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)" | sed -${E} "s,\\(deleted\\),${SED_RED},g" | head -n 200
-    echo ""
-fi
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh
@@ -23,7 +23,6 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
  incrontab -l 2>/dev/null
  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
-  grep -Hn '^PATH=' /etc/crontab /etc/cron.d/* 2>/dev/null | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g"
  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
  atq 2>/dev/null
@@ -248,4 +247,4 @@ else
  print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
 fi
-echo ""
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh
@@ -19,16 +19,6 @@ print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation
 if [ "$PASSWORD" ]; then
  (echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g") 2>/dev/null  || echo_not_found "sudo"
 fi
-(sudo -n -l 2>/dev/null | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo "No cached sudo token (sudo -n -l)"
-
-secure_path_line=$(sudo -l 2>/dev/null | grep -o "secure_path=[^,]*" | head -n 1 | cut -d= -f2)
-if [ "$secure_path_line" ]; then
-  for p in $(echo "$secure_path_line" | tr ':' ' '); do
-    if [ -w "$p" ]; then
-      echo "Writable secure_path entry: $p" | sed -${E} "s,.*,${SED_RED},g"
-    fi
-  done
-fi
 ( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" ) 2>/dev/null  || echo_not_found "/etc/sudoers"
 if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
  echo "You can create a file in /etc/sudoers.d/ and escalate privileges" | sed -${E} "s,.*,${SED_RED_YELLOW},"
@@ -39,4 +29,4 @@ for f in /etc/sudoers.d/*; do
    grep -Iv "^$" "$f" | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g"
  fi
 done
-echo ""
+echo ""
--- a/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh
@@ -40,18 +40,4 @@ else
  echo "ptrace protection is enabled ($ptrace_scope)" | sed "s,is enabled,${SED_GREEN},g";

 fi
-
-if [ -d "/var/run/sudo/ts" ]; then
-  echo "Sudo token directory perms:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
-  ls -ld /var/run/sudo/ts 2>/dev/null
-  if [ -w "/var/run/sudo/ts" ]; then
-    echo "/var/run/sudo/ts is writable" | sed -${E} "s,.*,${SED_RED},g"
-  fi
-  if [ -f "/var/run/sudo/ts/$USER" ]; then
-    ls -l "/var/run/sudo/ts/$USER" 2>/dev/null
-    if [ -w "/var/run/sudo/ts/$USER" ]; then
-      echo "User sudo token file is writable" | sed -${E} "s,.*,${SED_RED},g"
-    fi
-  fi
-fi
 echo ""
--- a/linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_external_hostname.sh
@@ -17,10 +17,10 @@ check_external_hostname(){
  INTERNET_SEARCH_TIMEOUT=15
  # wget or curl?
  if command -v curl >/dev/null 2>&1; then
-    curl "https://tools.hacktricks.wiki/api/host-checker" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
+    curl "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" -H "User-Agent: linpeas" -d "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --max-time "$INTERNET_SEARCH_TIMEOUT"
  elif command -v wget >/dev/null 2>&1; then
-    wget -q -O - "https://tools.hacktricks.wiki/api/host-checker" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
+    wget -q -O - "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/" --header "User-Agent: linpeas" --post-data "{\"hostname\":\"$(hostname)\"}" -H "Content-Type: application/json" --timeout "$INTERNET_SEARCH_TIMEOUT"
  else
    echo "wget or curl not found"
  fi
-}
+}
--- a/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh
+++ b/linPEAS/builder/linpeas_parts/functions/check_tcp_443_bin.sh
@@ -15,12 +15,11 @@

 check_tcp_443_bin () {
  local TIMEOUT_INTERNET_SECONDS_443_BIN=$1
-  local url_lambda="https://tools.hacktricks.wiki/api/host-checker"
+  local url_lambda="https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/"

  if command -v curl >/dev/null 2>&1; then
    if curl -s --connect-timeout $TIMEOUT_INTERNET_SECONDS_443_BIN "$url_lambda" \
-         -H "User-Agent: linpeas" -H "Content-Type: application/json" \
-         -d "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
+         -H "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
    then
      echo "Port 443 is accessible with curl"
      return 0                      # ✅ success
@@ -31,8 +30,7 @@ check_tcp_443_bin () {

  elif command -v wget >/dev/null 2>&1; then
    if wget -q --timeout=$TIMEOUT_INTERNET_SECONDS_443_BIN -O - "$url_lambda" \
-         --header "User-Agent: linpeas" -H "Content-Type: application/json" \
-         --post-data "{\"hostname\":\"$(hostname)\"}" >/dev/null 2>&1
+         --header "User-Agent: linpeas" -H "Content-Type: application/json" >/dev/null 2>&1
    then
      echo "Port 443 is accessible with wget"
      return 0
--- a/linPEAS/builder/linpeas_parts/variables/sudoVB1.sh
+++ b/linPEAS/builder/linpeas_parts/variables/sudoVB1.sh
@@ -13,5 +13,5 @@
 # Small linpeas: 1


-sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|env_keep\W*\+=.*PATH|!env_reset|!requiretty|peass{SUDOVB1_HERE}"
+sudoVB1=" \*|env_keep\W*\+=.*LD_PRELOAD|env_keep\W*\+=.*LD_LIBRARY_PATH|env_keep\W*\+=.*BASH_ENV|env_keep\W*\+=.* ENV|peass{SUDOVB1_HERE}"
 sudoVB2="peass{SUDOVB2_HERE}"
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -128,7 +128,7 @@ Once you have installed and activated it you need to:

 - **System Information**
  - [x] Basic System info information
-  - [x] Use WES-NG to search for vulnerabilities
+  - [x] Use Watson to search for vulnerabilities
  - [x] Enumerate Microsoft updates
  - [x] PS, Audit, WEF and LAPS Settings
  - [x] LSA protection
@@ -262,7 +262,7 @@ Once you have installed and activated it you need to:

 ## TODO
 - Add more checks
- Maintain updated WES-NG
+- Mantain updated Watson (last JAN 2021)

 If you want to help with any of this, you can do it using **[github issues](https://github.com/peass-ng/PEASS-ng/issues)** or you can submit a pull request.

--- a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/HostnameResolution.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/HostnameResolution.cs
@@ -46,7 +46,7 @@ namespace winPEAS.Info.NetworkInfo

                // 4. Call external checker
                var resp = httpClient
-                    .PostAsync("https://tools.hacktricks.wiki/api/host-checker", payload)
+                    .PostAsync("https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/", payload)
                    .GetAwaiter().GetResult();

                if (resp.IsSuccessStatusCode)
--- a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetConnectivity.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetConnectivity.cs
@@ -4,8 +4,6 @@ using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Net.NetworkInformation;
 using System.Net.Sockets;
-using System.Text;
-using System.Text.Json;
 using System.Threading;

 namespace winPEAS.Info.NetworkInfo
@@ -50,7 +48,7 @@ namespace winPEAS.Info.NetworkInfo
            { "1.1.1.1", "8.8.8.8" };

        private const string LAMBDA_URL =
-            "https://tools.hacktricks.wiki/api/host-checker";
+            "https://2e6ppt7izvuv66qmx2r3et2ufi0mxwqs.lambda-url.us-east-1.on.aws/";

        // Shared HttpClient (kept for HTTP & Lambda checks)
        private static readonly HttpClient http = new HttpClient
@@ -120,12 +118,7 @@ namespace winPEAS.Info.NetworkInfo
                using var cts =
                    new CancellationTokenSource(TimeSpan.FromMilliseconds(HTTP_TIMEOUT_MS));

-                var payload = new StringContent(
-                    JsonSerializer.Serialize(new { hostname = Environment.MachineName }),
-                    Encoding.UTF8,
-                    "application/json");
-                var req = new HttpRequestMessage(HttpMethod.Post, LAMBDA_URL);
-                req.Content = payload;
+                var req = new HttpRequestMessage(HttpMethod.Get, LAMBDA_URL);
                req.Headers.UserAgent.ParseAdd("winpeas");
                req.Headers.Accept.Add(
                    new MediaTypeWithQualityHeaderValue("application/json"));
--- a/winPEAS/winPEASps1/winPEAS.ps1
+++ b/winPEAS/winPEASps1/winPEAS.ps1
@@ -815,7 +815,7 @@ systeminfo.exe
 Write-Host ""
 if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| WINDOWS HOTFIXES"
-Write-Host "=| Check missing patches with WES-NG https://github.com/bitsadmin/wesng" -ForegroundColor Yellow
+Write-Host "=| Check if windows is vulnerable with Watson https://github.com/rasta-mouse/Watson" -ForegroundColor Yellow
 Write-Host "Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)" -ForegroundColor Yellow
 $Hotfix = Get-HotFix | Sort-Object -Descending -Property InstalledOn -ErrorAction SilentlyContinue | Select-Object HotfixID, Description, InstalledBy, InstalledOn
 $Hotfix | Format-Table -AutoSize