Make sure we continue with other users when one user fails

NeffIsBack · NeffIsBack · commit 2ec56d143292 · 2025-05-15T12:30:19.000-04:00
diff --git a/nxc/modules/recyclebin.py b/nxc/modules/recyclebin.py
@@ -28,70 +28,78 @@ def on_admin_login(self, context, connection):
             remote_ops.enableRegistry()
 
             for sid_directory in connection.conn.listPath("C$",  "$Recycle.Bin\\*"):
-                if sid_directory.get_longname() and sid_directory.get_longname() not in self.false_positive:
+                try:
+                    if sid_directory.get_longname() and sid_directory.get_longname() not in self.false_positive:
 
-                    # Extracts the username from the SID
-                    reg_handle = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)["phKey"]
-                    key_handle = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, f"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\{sid_directory.get_longname()}")["phkResult"]
-                    username = profileimagepath = None
-                    try:
-                        _, profileimagepath = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, "ProfileImagePath\x00")
-                        # Get username and remove embedded null byte
-                        username = profileimagepath.split("\\")[-1].replace("\x00", "")
-                    except rrp.DCERPCSessionError as e:
-                        context.log.debug(f"Couldn't get username from SID {e} on host {connection.host}")
+                        # Extracts the username from the SID
+                        reg_handle = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)["phKey"]
+                        key_handle = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, f"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\{sid_directory.get_longname()}")["phkResult"]
+                        username = profileimagepath = None
+                        try:
+                            _, profileimagepath = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, "ProfileImagePath\x00")
+                            # Get username and remove embedded null byte
+                            username = profileimagepath.split("\\")[-1].replace("\x00", "")
+                        except rrp.DCERPCSessionError as e:
+                            context.log.debug(f"Couldn't get username from SID {e} on host {connection.host}")
 
-                    # Lists for any file or directory in the recycle bin
-                    spider_folder = f"$Recycle.Bin\\{sid_directory.get_longname()}\\"
-                    paths = connection.spider(
-                        "C$",
-                        folder=spider_folder,
-                        regex=[r"(.*)"],
-                        no_print_results=True
-                    )
+                        # Lists for any file or directory in the recycle bin
+                        spider_folder = f"$Recycle.Bin\\{sid_directory.get_longname()}\\"
+                        paths = connection.spider(
+                            "C$",
+                            folder=spider_folder,
+                            regex=[r"(.*)"],
+                            no_print_results=True
+                        )
 
-                    false_positiv = (".", "..", "desktop.ini")
-                    filtered_file_paths = [path for path in paths if not path.endswith(false_positiv)]
-                    if filtered_file_paths:
-                        if username is not None:
-                            context.log.highlight(f"CONTENT FOUND {sid_directory.get_longname()} ({username})")
-                        else:
-                            context.log.highlight(f"CONTENT FOUND {sid_directory.get_longname()}")
+                        false_positiv = (".", "..", "desktop.ini")
+                        filtered_file_paths = [path for path in paths if not path.endswith(false_positiv)]
+                        if filtered_file_paths:
+                            if username is not None:
+                                context.log.highlight(f"CONTENT FOUND {sid_directory.get_longname()} ({username})")
+                            else:
+                                context.log.highlight(f"CONTENT FOUND {sid_directory.get_longname()}")
 
-                        for path in filtered_file_paths:
-                            # Returned path look like:
-                            # $Recycle.Bin\S-1-5-21-4140170355-2927207985-2497279808-500\/$I87021Q.txt
-                            # Or
-                            # $Recycle.Bin\S-1-5-21-4140170355-2927207985-2497279808-500\/$R87021Q.txt
-                            # $I files are metadata while $R are actual files so we split the path from the SID
-                            # And check that the filename contains $R only to prevent downloading useless stuff
+                            for path in filtered_file_paths:
+                                # Returned path look like:
+                                # $Recycle.Bin\S-1-5-21-4140170355-2927207985-2497279808-500\/$I87021Q.txt
+                                # Or
+                                # $Recycle.Bin\S-1-5-21-4140170355-2927207985-2497279808-500\/$R87021Q.txt
+                                # $I files are metadata while $R are actual files so we split the path from the SID
+                                # And check that the filename contains $R only to prevent downloading useless stuff
 
-                            if "$R" in path.split(sid_directory.get_longname())[1] and not path.endswith(false_positiv):
-                                try:
-                                    buf = BytesIO()
-                                    connection.conn.getFile("C$", path, buf.write)
-                                    context.log.highlight(f"\t{path}")
-                                    found += 1
-                                    buf.seek(0)
-                                    file_path = path.split("$")[-1].replace("/", "_")
-                                    if username:  # noqa: SIM108
-                                        filename = f"{connection.host}_{username}_recyclebin_{file_path}"
-                                    else:
-                                        filename = f"{connection.host}_{sid_directory.get_longname()}_recyclebin_{file_path}"
-                                    export_path = join(NXC_PATH, "modules", "recyclebin")
-                                    path = abspath(join(export_path, filename))
-                                    makedirs(export_path, exist_ok=True)
+                                if "$R" in path.split(sid_directory.get_longname())[1] and not path.endswith(false_positiv):
                                     try:
-                                        with open(path, "w+") as file:
-                                            file.write(buf.read().decode("utf-8", errors="ignore"))
+                                        buf = BytesIO()
+                                        connection.conn.getFile("C$", path, buf.write)
+                                        context.log.highlight(f"\t{path}")
+                                        found += 1
+                                        buf.seek(0)
+                                        file_path = path.split("$")[-1].replace("/", "_")
+                                        if username:  # noqa: SIM108
+                                            filename = f"{connection.host}_{username}_recyclebin_{file_path}"
+                                        else:
+                                            filename = f"{connection.host}_{sid_directory.get_longname()}_recyclebin_{file_path}"
+                                        export_path = join(NXC_PATH, "modules", "recyclebin")
+                                        path = abspath(join(export_path, filename))
+                                        makedirs(export_path, exist_ok=True)
+                                        try:
+                                            with open(path, "w+") as file:
+                                                file.write(buf.read().decode("utf-8", errors="ignore"))
+                                        except Exception as e:
+                                            context.log.fail(f"Failed to write recyclebin file to {filename}: {e}")
                                     except Exception as e:
-                                        context.log.fail(f"Failed to write recyclebin file to {filename}: {e}")
-                                except Exception as e:
-                                    # Probably trying to getFile a directory which won't work
-                                    context.log.debug(f"Couldn't open {path} because of {e}")
+                                        # Probably trying to getFile a directory which won't work
+                                        context.log.debug(f"Couldn't open {path} because of {e}")
+                except DCERPCSessionError as e:
+                    if "ERROR_FILE_NOT_FOUND" in str(e):
+                        continue
+                    else:
+                        context.log.fail(f"Error opening {sid_directory.get_longname()} on host {connection.host} because of {e}")
+                        continue
             if found > 0:
                 context.log.highlight(f"Recycle bin's content downloaded to {export_path}")
         except DCERPCSessionError as e:
+            context.log.exception(e)
             context.log.fail(f"Error connecting to RemoteRegistry {e} on host {connection.host}")
         finally:
             remote_ops.finish()
