beroot's Introduction

BeRoot Project

BeRoot Project is a post-exploitation tool that checks for common misconfigurations that could be used to escalate privileges.
It has been added to the pupy project as a post-exploitation module (so it will be executed in memory without touching the disk).

This tool does not perform any exploitation. Its main goal is not to perform a configuration assessment of the host (listing all services, all processes, all network connections, etc.) but to print only the information that has been identified as a potential way to escalate privileges.

This project works on Windows, Linux and Mac OS. You can find the Windows version here and the Linux and Mac OS version here.

I recommend reading the README depending on the targeted OS, to better understand what's happening.

I tried to implement most techniques described in this picture:

BeRoot

Enjoy ;)

beroot's People

Contributors

alessandroz, alxchk, brightio, eranzim, jamesgol, moshekaplan, roninnakomoto, solomonsklash

beroot's Issues

Linux Exploit Suggester

Hey,
Why are you putting the whole code of linux exploit suggester straight into a var in your code?
What happens if the project is updated?
cheers

python files not found at runtime

$ wget https://github.com/AlessandroZ/BeRoot/releases/download/1.0.1/beRoot.zip
$ unzip beRoot.zip

Moved it to the windows server.

beRoot.exe
|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|



################ Service ################

[!] Permission to create a service with openscmanager
True

-------------- Get System Priv with WebClient --------------

[!] Checking WebClient vulnerability

################ Error on: check_webclient ################
Traceback (most recent call last):
  File "beroot\run_checks.py", line 315, in check_all
  File "beroot\run_checks.py", line 277, in check_webclient
  File "beroot\modules\checks\webclient\webclient.py", line 206, in run
  File "beroot\modules\checks\webclient\webclient.py", line 101, in startWebclient
ValueError: Procedure probably called with not enough arguments (4 bytes missing)


[!] Elapsed time = 0.569000005722

When I run this command, python beRoot.py, I have this bug

$python beRoot.py
Traceback (most recent call last):
File "beRoot.py", line 2, in
from beroot.run_checks import check_all, get_sofwares
File "/home/kevin/Documenti/PENTEST/BeRoot/BeRoot/beroot/run_checks.py", line 1, in
from modules.checks.path_manipulation_checks import isRootDirectoryWritable, space_and_no_quotes, exe_with_writable_directory
File "/home/kevin/Documenti/PENTEST/BeRoot/BeRoot/beroot/modules/checks/path_manipulation_checks.py", line 2, in
import win32con
ImportError: No module named win32con

stand-alone

Hey, first of all congrats on this awesome proj!
In order to run the script on target systems I'm packaging it in a zip and renaming beroot.py to main.py (the Linux version), so that I can run python beroot.zip as a standalone.
It can be useful in case you can't run it with pupy, which is my scenario.

Failed to start the service RasMan

[-] Failed to start the service RasMan
[?] The authentication process has not reached the end, try to check the standard output

[!] Elapsed time = 24.728000164

Python 3 compatibility

flake8 testing of https://github.com/AlessandroZ/BeRoot on Python 3.6.3

$ flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics

./Linux/beroot.py:14:13: E999 SyntaxError: invalid syntax
	print banner
            ^
./Linux/beroot/analyse/analyse.py:55:39: E999 SyntaxError: invalid syntax
				print '[+] Writable file: {file}\n'.format(file=fm.file.path)
                                      ^
./Linux/beroot/conf/files.py:185:21: E999 SyntaxError: invalid syntax
				except Exception, e: 
                    ^
./Windows/BeRoot/beRoot.py:49:11: E999 SyntaxError: invalid syntax
		print str(st)
          ^
./Windows/BeRoot/beroot/run_checks.py:273:72: E999 SyntaxError: invalid syntax
		print '-------------- Get System Priv with WebClient --------------\n'
                                                                       ^
./Windows/BeRoot/beroot/modules/checks/filesystem_checks.py:24:2: E999 SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 8-9: truncated \UXXXXXXXX escape
		"\Panther\Unattend.xml",
 ^
./Windows/BeRoot/beroot/modules/checks/system.py:6:49: E999 SyntaxError: invalid syntax
READ_CONTROL                        = 0x00020000L
                                                ^
./Windows/BeRoot/beroot/modules/checks/webclient/attack.py:31:19: E999 SyntaxError: invalid syntax
		except Exception, e:
                  ^
./Windows/BeRoot/beroot/modules/checks/webclient/httpserver.py:80:21: E999 SyntaxError: invalid syntax
				except Exception, e:
                    ^
./Windows/BeRoot/beroot/modules/checks/webclient/secretsdump.py:468:31: E999 SyntaxError: invalid syntax
        except DCERPCException, e:
                              ^
./Windows/BeRoot/beroot/modules/checks/webclient/smbclient.py:98:30: E999 SyntaxError: invalid syntax
			print "SessionSetup Error!"
                             ^
./Windows/BeRoot/beroot/modules/checks/webclient/webclient.py:120:34: E999 SyntaxError: invalid syntax
						print '[+] Service %s found' % s.name
                                 ^
./Windows/BeRoot/beroot/modules/get_info/softwares_list.py:20:37: E999 SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 41-42: truncated \UXXXXXXXX escape
		hkey = OpenKey(HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\", 0, accessRead)
                                    ^
13    E999 SyntaxError: invalid syntax
13

ValueError: in check_webclient when running with different bitness of python

Getting this at the end of the output when running it with 32-bit python on a x64 Windows 10:

################ Check user admin ################

[!] Is user in the administrator group
True

-------------- Get System Priv with WebClient --------------

[!] Checking WebClient vulnerability

################ Error on: check_webclient ################
Traceback (most recent call last):
  File "D:\PTs\Utils\Programs\BeRoot\Windows\BeRoot\beroot\run.py", line 336, in check_all
    results = c(cmd)
  File "D:\PTs\Utils\Programs\BeRoot\Windows\BeRoot\beroot\run.py", line 297, in check_webclient
    b = w.run(self.service, cmd)
  File "D:\PTs\Utils\Programs\BeRoot\Windows\BeRoot\beroot\modules\checks\webclient\webclient.py", line 218, in run
    if self.start_webclient():
  File "D:\PTs\Utils\Programs\BeRoot\Windows\BeRoot\beroot\modules\checks\webclient\webclient.py", line 114, in start_webclient
    if self.EventWrite(hReg, byref(event_desc), 0, None) == 0:
ValueError: Procedure probably called with not enough arguments (4 bytes missing)

It should probably either be fixed, or replaced with a more descriptive error (it's easy to check the bitness of python and of the system...).
Running it with 64-bit python works.
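
Added example, not BeRoot's code: the traceback above is consistent with `EventWrite` receiving its `REGHANDLE` (a `ULONGLONG`, 8 bytes on every Windows build) as a pointer-sized value, which on a 32-bit interpreter leaves the stdcall frame 4 bytes short. The same traceback is reported further down this page from a 32-bit Windows 7 VM, so the preflight below keys on the interpreter's bitness; that BeRoot passes `hReg` as a 4-byte handle is an assumption, and all function names are illustrative.

```python
import ctypes
import os
import struct

# ULONG EventWrite(REGHANDLE, PCEVENT_DESCRIPTOR, ULONG, PEVENT_DATA_DESCRIPTOR)
# REGHANDLE is a ULONGLONG: 8 bytes in 32-bit and 64-bit processes alike.
EVENT_WRITE_ARGTYPES = [ctypes.c_ulonglong, ctypes.c_void_p,
                        ctypes.c_ulong, ctypes.c_void_p]


def stdcall_stack_bytes(arg_sizes, slot=4):
    """Bytes a 32-bit stdcall caller pushes; each argument fills whole 4-byte slots."""
    return sum(-(-size // slot) * slot for size in arg_sizes)


def missing_bytes_on_x86():
    """Callee pops 8+4+4+4 bytes; a caller passing a 4-byte handle pushes 4+4+4+4."""
    expected = stdcall_stack_bytes([8, 4, 4, 4])
    pushed = stdcall_stack_bytes([4, 4, 4, 4])  # assumption: hReg sent as a 4-byte HANDLE
    return expected - pushed


def python_bits():
    """Pointer width of the running interpreter, in bits."""
    return struct.calcsize("P") * 8


def os_bits(environ=None):
    """Native Windows bitness; a WOW64 process finds it in PROCESSOR_ARCHITEW6432."""
    environ = os.environ if environ is None else environ
    arch = (environ.get("PROCESSOR_ARCHITEW6432")
            or environ.get("PROCESSOR_ARCHITECTURE", ""))
    return 64 if arch.upper() in ("AMD64", "ARM64", "IA64") else 32


def preflight(py_bits, native_bits):
    """Descriptive message for the failing configuration, or None when there is none."""
    if py_bits != 32:
        return None
    return ("32-bit Python on %d-bit Windows: EventWrite needs its 8-byte "
            "REGHANDLE declared through argtypes" % native_bits)


def declare_event_write(advapi32):
    """Attach explicit prototypes so ctypes marshals the handle as 8 bytes.

    The handle variable itself should then be a c_ulonglong, because
    EventRegister writes 8 bytes through its PREGHANDLE parameter.
    """
    advapi32.EventWrite.argtypes = EVENT_WRITE_ARGTYPES
    advapi32.EventWrite.restype = ctypes.c_ulong
    return advapi32.EventWrite
```

On Windows, `declare_event_write(ctypes.WinDLL("advapi32"))` applies the prototypes before the first call.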

sudoers file - error

Hello,
The script is running fine, until sudoers file part. There I get this error:

Traceback (most recent call last):
File "./beroot.py", line 28, in
run(arguments.password)
File "/root/BeRoot/Linux/beroot/run.py", line 190, in run
results = c()
File "/root/BeRoot/Linux/beroot/run.py", line 73, in sudo_list
rules = self.sudolist.rules_from_sudo_ll()
File "/root/BeRoot/Linux/beroot/modules/sudo/sudo_list.py", line 53, in rules_from_sudo_ll
sudo_rules = self._parse_sudo_list(sudo_list)
File "/root/BeRoot/Linux/beroot/modules/sudo/sudo_list.py", line 68, in _parse_sudo_list
user = sudo_list[sudo_list.index('User '):].split(' ')[1]
ValueError: substring not found

Not working on Windows 10 - argument of type 'NoneType' is not iterable

Hi,

I got this error

c:\TMP>beRoot.exe
|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

Traceback (most recent call last):
File "beRoot.py", line 95, in
File "beRoot.py", line 60, in run
File "beroot\run_checks.py", line 298, in check_all
File "beroot\run_checks.py", line 30, in init
File "beroot\modules\get_info\from_taskscheduler.py", line 122, in tasksList
File "ntpath.py", line 331, in expandvars
TypeError: argument of type 'NoneType' is not iterable
[13636] Failed to execute script beRoot

c:\TMP>

can it be fixed somehow?

SyntaxError in modules\objects\winstructures.py

Traceback (most recent call last):
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot.py", line 3, in
from beroot.run import check_all, get_sofwares
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\run.py", line 6, in
from .modules.checks.services_checks import check_services_creation_with_openscmanager, check_service_permissions
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\modules\checks\services_checks.py", line 3, in
from ..objects.winstructures import OpenSCManager, SC_MANAGER_CREATE_SERVICE
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\modules\objects\winstructures.py", line 66
STANDARD_RIGHTS_REQUIRED = 0x000F0000L
^
SyntaxError: invalid syntax

How is exe compiled?

Can you please share how the exe is compiled? Trying to perform some modifications to bypass defender.

Find service with writable binary

services_checks.py does not check the permission of the service executable, can you add that?

The exploit path is to replace the binary, then restart the service.

Missing error handling around Access Denied to SCManager

|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


beRoot.exe : [4332] Failed to execute script beRoot
    + CategoryInfo          : NotSpecified: ([4332] Failed to execute script beRoot:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
Traceback (most recent call last):
  File "beRoot.py", line 95, in <module>
  File "beRoot.py", line 60, in run
  File "beroot\run_checks.py", line 298, in check_all
  File "beroot\run_checks.py", line 26, in __init__
  File "beroot\modules\get_info\from_scmanager_services.py", line 10, in get_services
pywintypes.error: (5, 'OpenSCManager', 'Access is denied.')

NameError: name 'unicode' is not defined AND TypeError: a bytes-like object is required, not 'str'

If I run the BeRoot for linux script I get:

python3 ./beroot.py

|====================================================================|
| |
| Linux Privilege Escalation |
| |
| ! BANG BANG ! |
| |
|====================================================================|

Traceback (most recent call last):
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/modules/services.py", line 50, in _get_services_systemd
argv0 = unicode(argv0)
NameError: name 'unicode' is not defined

Getting permissions of sensitive files. Could take some time...
Checking for suid bins. Could take some time...

################ Suid Binaries ################

/usr/bin/chsh
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/mount
[+] gtfobins found:
- sudo mount -o bind /bin/sh /bin/mount
- sudo mount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/umount
/usr/bin/passwd
/usr/bin/su
/usr/sbin/pppd
/usr/sbin/mount.nfs
/usr/share/skypeforlinux/chrome-sandbox
/usr/share/teams/chrome-sandbox
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/cupsPPD/prlinuxcupsppd
/usr/lib/xorg/Xorg.wrap
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/chromium-browser/chrome-sandbox
/usr/lib/openssh/ssh-keysign

Traceback (most recent call last):
File "./beroot.py", line 28, in
run(arguments.password)
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/run.py", line 192, in run
results = c()
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/run.py", line 74, in sudo_list
rules = self.sudolist.rules_from_sudo_ll()
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/modules/sudo/sudo_list.py", line 53, in rules_from_sudo_ll
sudo_rules = self._parse_sudo_list(sudo_list)
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/modules/sudo/sudo_list.py", line 65, in _parse_sudo_list
if 'LD_PRELOAD' in sudo_list:
TypeError: a bytes-like object is required, not 'str'

I'm on Ubuntu 20.04.
uname -a
Linux fusion 5.8.0-36-generic #40~20.04.1-Ubuntu SMP Wed Jan 6 10:15:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

python3 --version
Python 3.8.5

WebClient check failing with ValueError: Procedure probably called with not enough arguments (4 bytes missing

C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot>python beRoot.py
|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|



-------------- Check user admin --------------

[!] Is user in the administrator group
True


-------------- Check well known dlls hijacking --------------

[!] Writeable path on the path environment variable
C:\Python27\
C:\Python27\Scripts

[!] Check if well known vulnerable services are present
Associated dll: wlbsctrl.dll
Service: ikeext


-------------- Get System Priv with WebClient --------------

[!] Checking WebClient vulnerability

-------------- Error on: check_webclient --------------
Traceback (most recent call last):
  File "C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot\beroot\run_checks
.py", line 315, in check_all
    results = c(cmd)
  File "C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot\beroot\run_checks
.py", line 277, in check_webclient
    b = w.run(self.service, cmd)
  File "C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot\beroot\modules\ch
ecks\webclient\webclient.py", line 190, in run
    if self.startWebclient():
  File "C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot\beroot\modules\ch
ecks\webclient\webclient.py", line 96, in startWebclient
    if self.EventWrite(hReg, byref(event_desc), 0, None) == 0:
ValueError: Procedure probably called with not enough arguments (4 bytes missing
)


[!] Elapsed time = 0.125

IE 8 on Windows 7 - 32-bits vm from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

I have installed python 2.7.13, pywin32 and py2exe.

C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot>pip freeze
impacket==0.9.15
py2exe==0.6.9
pyasn1==0.2.3
pycrypto==2.6.1
pywin32==221

False detection of permission to create a service with openscmanager

In case OpenSCManager returns ERROR_ACCESS_DENIED (0x5), it will be successfully cast to an integer and check_services_creation_with_openscmanager() will return True.

def check_services_creation_with_openscmanager():
	isPossible = False
	try:
		# open the SCM with "SC_MANAGER_CREATE_SERVICE" rights 
		createServ = OpenSCManager(None, None, SC_MANAGER_CREATE_SERVICE)
		try:
			if int(createServ) != 0:
				return True
		# if the int cast failed (when it is an HANDLE)
		except:
			return True
	except: 
		pass
	
	return False
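
Added example, not BeRoot's code: the function quoted above is reproduced as `reported_check` with the opener injected, next to a stricter check that keeps the handle and the Win32 error code in separate values. `win32_open_scm`, `can_create_service` and the fake openers are illustrative names, and the return values used in `demo()` are constructed.

```python
import ctypes
import sys

SC_MANAGER_CREATE_SERVICE = 0x0002  # winsvc.h
ERROR_ACCESS_DENIED = 5             # winerror.h


def reported_check(open_scm):
    """The logic quoted in the report, with the opener passed in so it runs anywhere."""
    try:
        handle = open_scm(None, None, SC_MANAGER_CREATE_SERVICE)
        try:
            if int(handle) != 0:
                return True   # any non-zero integer counts, including an error code
        except Exception:
            return True       # int() failed: assumed to be a handle object
    except Exception:
        pass
    return False


def win32_open_scm(access):
    """Windows only: return (handle, 0) on success or (None, last_error) on failure."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    advapi32.OpenSCManagerW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p,
                                        ctypes.c_ulong]
    advapi32.OpenSCManagerW.restype = ctypes.c_void_p  # NULL arrives as None
    advapi32.CloseServiceHandle.argtypes = [ctypes.c_void_p]
    handle = advapi32.OpenSCManagerW(None, None, access)
    if handle is None:
        return None, ctypes.get_last_error()
    advapi32.CloseServiceHandle(handle)  # only the access decision is needed
    return handle, 0


def can_create_service(open_scm=None):
    """True only when the SCM actually granted SC_MANAGER_CREATE_SERVICE."""
    if open_scm is None:
        if sys.platform != "win32":
            raise OSError("the service control manager exists only on Windows")
        open_scm = win32_open_scm
    handle, error = open_scm(SC_MANAGER_CREATE_SERVICE)
    return handle is not None and error == 0


def demo():
    """Constructed openers: access denied surfaced as code 5, then a granted handle."""
    def denied_as_int(machine, database, access):
        return ERROR_ACCESS_DENIED
    return {
        "reported, denied": reported_check(denied_as_int),
        "strict, denied": can_create_service(lambda access: (None, ERROR_ACCESS_DENIED)),
        "strict, granted": can_create_service(lambda access: (0x5A10, 0)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```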

TypeError in "ctypes\__init__.py", line 66, in create_string_buffer"

Traceback (most recent call last):
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot.py", line 50, in
for r in run_check_all(args.list):
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot.py", line 30, in run_check_all
for r in f():
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\run.py", line 255, in check_all
checks = RunChecks()
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\run.py", line 32, in init
self.service = s.get_services(self.service)
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\modules\get_info\from_scmanager_services.py", line 21, in get_services
for i in EnumServicesStatus(scm):
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\modules\objects\winstructures.py", line 294, in EnumServicesStatus
services_buffer = create_string_buffer("", cbBytesNeeded.value)
File "C:\Users\0x00\AppData\Local\Programs\Python\Python39\lib\ctypes\__init__.py", line 66, in create_string_buffer
raise TypeError(init)
TypeError

SyntaxError: invalid syntax

Hey,

I tried to run for the first time with python 3.8.0 with windows and get this output:
Traceback (most recent call last):
File "xr.py", line 45, in
from lib.beroot.run import check_all, get_sofwares
File "C:\Users\james\Desktop\Support-master\dev\lib\beroot\run.py", line 6, in
from .modules.checks.services_checks import check_services_creation_with_openscmanager, check_service_permissions
File "C:\Users\james\Desktop\Support-master\dev\lib\beroot\modules\checks\services_checks.py", line 3, in
from ..objects.winstructures import OpenSCManager, SC_MANAGER_CREATE_SERVICE
File "C:\Users\james\Desktop\Support-master\dev\lib\beroot\modules\objects\winstructures.py", line 66
STANDARD_RIGHTS_REQUIRED = 0x000F0000L

Do you have any idea why?

Issue with check_webclient

While running this on Windows Server 2008 R2 x64 (Metasploitable 3) I get this error:

-------------- Error on: check_webclient --------------
Traceback (most recent call last):
  File "beroot\run_checks.py", line 315, in check_all
  File "beroot\run_checks.py", line 277, in check_webclient
  File "beroot\modules\checks\webclient\webclient.py", line 187, in run
  File "beroot\modules\checks\webclient\webclient.py", line 130, in isServiceRunning
error: (1060, 'OpenService', 'The specified service does not exist as an installed service.')


[!] Elapsed time = 0.18799996376

I'm using version 1 x64 precompiled binary.

False positive - writable directories

Hey,

thank you for the tool. Thank you for your hard work.

Could you explain why the tool reports a writable directory when it is not really writable by a user? I have so many false positives reporting that writing is possible to c:\ or c:\windows\system32.

thanks

Reopening of issue #3 ValueError: Procedure probably called with not enough arguments (4 bytes missing )

-------------- Get System Priv with WebClient --------------

[!] Checking WebClient vulnerability

################ Error on: check_webclient ################
Traceback (most recent call last):
File "beroot\run_checks.py", line 315, in check_all
File "beroot\run_checks.py", line 277, in check_webclient
File "beroot\modules\checks\webclient\webclient.py", line 206, in run
File "beroot\modules\checks\webclient\webclient.py", line 101, in startWebclie
nt
ValueError: Procedure probably called with not enough arguments (4 bytes missing
)

I got the X86 precompiled version v1.01
