carlospolop / peass-ng Goto Github PK

Hello!

I am quite new to pentesting, and I have been using linpeas often to find vectors of privilege escalation.

Here I have a question, I noticed recently that I got a RED/YELLOW on a SUID file I have permission to write

However, the owner of this file in this specific case is not root, it's just me

If I'm not mistaken, SUID allows you to perform actions as the file's owner, so in this case, as myself. I don't see how I can use this as a 99% PE Vector at least with my current skillset/knowledge

Maybe there should be another check in place that the owner of the file is root?
Or ignore it if the user is the file's owner?
Or maybe have it RED and not RED/YELLOW?
Up to you really :)

Thank you for taking a loot at it!

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/a85dacaa44fc5f56e3024b29e84468c99cb3c604/linPEAS/linpeas.sh#L1830

I believe this should say "Legend" instead of "Leyend"

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/bd90c857407d04870e095eb0869a9987abceff2c/winPEAS/winPEASexe/winPEAS/Beaprint.cs#L81

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/bd90c857407d04870e095eb0869a9987abceff2c/winPEAS/winPEASexe/winPEAS/Beaprint.cs#L87

got the following error when running the obfus version of winpeas (winPEASx64.exe). The error occurs when it is enumerating the "processes information".
==================error message================
Unhandled Exception: System.Runtime.InteropServices.COMException: The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at System.Runtime.InteropServices.Marshal.FreeHGlobal(IntPtr hglobal)
at winPEAS.SamServer.c.d(Boolean A_0)
at winPEAS.SamServer.c.Finalize()

if running 64 bit winpeas, the error message is slightly different.
c:\scripts\privesc\config checking\peas>winPEAS.exe notcolor > output4.txt

Unhandled Exception: System.Runtime.InteropServices.COMException: The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at System.Runtime.InteropServices.Marshal.FreeHGlobal(IntPtr hglobal)
at winPEAS.SamServer.UNICODE_STRING.Dispose(Boolean disposing)
at winPEAS.SamServer.UNICODE_STRING.Finalize()

===========
windows 10 64bits version:
Microsoft Windows [Version 10.0.17763.1039]

by the way, I did some change of the system by installing the batch script for practicing privesc
which shouldn't cause the issue.. https://github.com/sagishahar/lpeworkshop/blob/master/lpe_windows_setup.bat

Awesome script!!!

I noticed tmux sessions are not detected with tmux ls but they do show with a ps aux (which the script does not check for):

$ tmux ls 2>/dev/null
$ tmux ls
failed to connect to server: No such file or directory
$ ps aux |grep tmux
root       1019  0.0  0.1  26476  1700 ?        Ss   08:18   0:00 /usr/bin/tmux -S /.devs/dev_sess
user1       2037  0.0  0.0  13576   920 pts/4    S+   08:19   0:00 grep --color=auto tmux
$ /usr/bin/tmux -S /.devs/dev_sess
[exited]
$ 

In this case user1 can connect to /usr/bin/tmux -S /.devs/dev_sess and get root access via that session.

The text at the bottom ("Private SSH keys found!:" and below) should be highlighted RED, not bolded.

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/a8b559e9578b0155f651acca52f8148cd2c95149/linPEAS/linpeas.sh#L934

Why is this filtered to be only user timers?
Ran into this in a CTF where there were timers on the box. I think --user is not needed and the title should be "System Timers" instead.

I fixed all the Readme.md files where the Telegramm group links where displayed wrong.
but I can’t upload them since GitHub wont allow it.

Source:

https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/

Ubuntu Desktop system with policykit-desktop-privileges <= 0.20 will allow any member of the sudo group to write files as root without knowledge of the users password if USBCreator is present.

In the linpeas script, add a check to retrieve all 'look alike' hashes (md5, sha, db hashes, etc)

Thanks for fantastic script!
My note to improve it ... linpeas v2.8.5 (on fedora 31)

1/
this should by fixed (space is misig after -E)

2003c2003
<       cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -E"s,path\W*=>|code\W*=>|ruby\W*\{,${C}[1;31m&${C}[0m,"
---
>       cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -E "s,path\W*=>|code\W*=>|ruby\W*\{,${C}[1;31m&${C}[0m,"

2/
when I start linpeas I see something like this

linpeas.sh: line 257: printf: `C': invalid format character

it is good to see it?

3/

[+] Unmounted file-system?
[i] Check if you can mount umounted devices
sed: -e expression #1, char 40: unknown option to `s'

4/ problem with \n

[+] Searching Wordpress wp-config.php files
wp-config.php files found:\n/....../wordpress/wp-config.php

ran the following:

./linpeas.sh -a > linpeas.txt
root@time:/home/pericles# less linpeas.txt
"linpeas.txt" may be a binary file. See it anyway?

Non usable output where did I go wrong?

This was my mistake I misread the instructions and did not use the -r flag.

I'm testing the LinPEASS on my system and i'm having some .ovpn files. The result of script showed ".ovpn Not Found" so i'm wondering if this is something wrong in this script or it looks for specific cases?
My ovpn files are in $HOME/Downloads and $HOME/Desktop.

Hi, I just did a box on HackTheBox, and I had to use DNSAdmins to Domain Admins - Server Level DLL Injection (http://www.abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/) Apparently a vulnerable box can be detected if the user is part of the DNSAdmin group. Could winPEAS be able to detect this?

Peass is detected by windows defender still chrome, firefox, ms edge all blocked download and if i allowed download defender removed it becouse it "contained a virus"

Version: linpeas v2.4.4 by carlospolop
Tested with Parrot OS 4.8

[+] PATH
[i] Any writable folder in original PATH? (a new completed path will be exported)
./linpeas.sh: 625: sed: Argument list too long
./linpeas.sh: 626: sed: Argument list too long

[i] Check if you can mount umounted devices
./linpeas.sh: 695: sed: Argument list too long

================================( Processes, Cron & Services )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
./linpeas.sh: 736: sed: Argument list too long

[+] Binary processes permissions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
./linpeas.sh: 742: sed: Argument list too long

[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-jobs
./linpeas.sh: 757: sed: Argument list too long
-rw-r--r-- 1 root root 1042 Mar 10  2019 /etc/crontab

I've started using winPEAS and I love it, however I've noticed that for some reason it doesn't seem to ever "finish" running, even with basic checks that don't search the filesystem, for example. In order to complete the scan, you have to press Enter and it will show the command prompt again. This isn't an issue most of the time, but it does cause issues when running winPEAS in a reverse shell, because pressing Enter doesn't do anything, so you are left with a useless shell.

I tested it on the latest Windows 10 using winPEASany.exe.

I noticed this doing a machine on HackTheBox - Before November 2019, the UsoSvc was writable by the Network Service group (CVE-2019-1322). A user commonly has this permission when exploiting a web server.

AccessChk.exe Output:

UsoSvc                                                                                                                                  
  Medium Mandatory Level (Default) [No-Write-Up]                                                                                        
  RW NT AUTHORITY\SYSTEM                                                                                                                
        SERVICE_ALL_ACCESS                                                                                                              
  RW NT AUTHORITY\SERVICE                                                                                                               
        SERVICE_ALL_ACCESS  

Identified by PowerUp:

[*] Checking service permissions...                                                                                                     
                                                                                                                                        
                                                                                                                                        
ServiceName   : UsoSvc                                                                                                                  
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p                                                                           
StartName     : LocalSystem                                                                                                             
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'  

I've checked the entire output of winpeas cmd and winpeas cmd fast and did not see this service listed.

First off: wonderful tool!

The linpeas quick start is very helpful. It shows how to get the script to the target with curl, without curl, if you have to invoke AV bypass, and so forth.

The winpeas quick start only shows how run it. How do you get it there? How do you do AV bypass? What is best practice if you are in powershell versus cmd?

I realize you can google these things, but given how helpful it is to have that info in the linpeas quickstart, could it be added to the winpeas quick start as well? Thanks.

linpeas.sh v2.6.9 from master branch.

Hi noticed options -n and -P can't be used as they are flagged as illegal. I believe line: 65 needs amending to "allow" the options

while getopts "h?asd:p:i:qo:w" opt; do
to something like
while getopts "h?asd:n:P:p:i:qo:w" opt; do

Also when using -P so the PASSWORD variable is set to something so the check for sudo -l can be performed with a supplied password, it errors at line: 1264 the IF statment is not executed.

if [ "$PASSWORD"]; then
needs a space
if [ "$PASSWORD" ]; then

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/a1a144b182fd69b9e88be1a8bdbcc03f99e6a749/linPEAS/linpeas.sh#L1368

Hello,

Recently I noticed that looking for 3rd party drivers on windows is a bit of a kerfuffle. At least I cant see a clean way of doing this/already available scripts.

The closet I could come up with is the following:

Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DriverProviderName -notmatch "Microsoft"} | Select DeviceName, DriverVersion, DeviceID

However, it has the issue of (1) relying on WMI that the user might not have access to, and (2) it reports about signed drivers, so could ignore unsigned drivers.

Instead, I was thinking that it could be possible to use the Win32 API. Microsoft has a simple example in c that should be easy to implement in C# by adding the needed types. Essentially, when the code runs, it outputs a list of file names correlating to the drivers loaded.

However, this would enumerate all drivers on the system. To make this list useful it would be required removed known drivers that are not of interest, i.e. Microsoft drivers that would be covered by the windows patch level. Sadly I cant see an easier way to do this than including a whitelist of Microsoft drivers, and a quick search does not reveal such a list.

I'm not sure if there is an easier way or that the information would be better covered by the SCM instead (but that could require additional permissions to interact with), but thought I'd put this suggestion here in case its of use.

$ ./linpeas.sh
cut: you must specify a list of bytes, characters, or fields
Try cut --help' for more information. ./linpeas.sh: line 60: -d: command not found cut: option requires an argument -- d Try cut --help' for more information.
./linpeas.sh: line 60: : command not found
Usage: grep [OPTION]... PATTERN [FILE]...
Try grep --help' for more information. ./linpeas.sh: line 75: AT: command not found tr: missing operand Try tr --help' for more information.
./linpeas.sh: line 154: \n: command not found
Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...

-n, --quiet, --silent
suppress automatic printing of pattern space
-e script, --expression=script
add the script to the commands to be executed
-f script-file, --file=script-file
add the contents of script-file to the commands to be executed
-i[SUFFIX], --in-place[=SUFFIX]
edit files in place (makes backup if extension supplied)
-c, --copy
use copy instead of rename when shuffling files in -i mode
(avoids change of input file ownership)
-l N, --line-length=N
specify the desired line-wrap length for the `l' command
--posix
disable all GNU extensions.
-r, --regexp-extended
use extended regular expressions in the script.
-s, --separate
consider files as separate rather than as a single continuous
long stream.
-u, --unbuffered
load minimal amounts of data from the input files and flush
the output buffers more often
--help display this help and exit
--version output version information and exit

If no -e, --expression, -f, or --file option is given, then the first
non-option argument is taken as the sed script to interpret. All
remaining arguments are names of input files; if no input files are
specified, then the standard input is read.

E-mail bug reports to: [email protected] .
Be sure to include the word sed'' somewhere in the Subject:'' field.
./linpeas.sh: line 155: s/|daemon|/|daemon[\s:]|^daemon$|/: No such file or directory
./linpeas.sh: line 154: and: command not found
tr: missing operand after \\n' Two strings must be given when translating. Try tr --help' for more information.
./linpeas.sh: line 157: |: command not found
Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...

-n, --quiet, --silent
suppress automatic printing of pattern space
-e script, --expression=script
add the script to the commands to be executed
-f script-file, --file=script-file
add the contents of script-file to the commands to be executed
-i[SUFFIX], --in-place[=SUFFIX]
edit files in place (makes backup if extension supplied)
-c, --copy
use copy instead of rename when shuffling files in -i mode
(avoids change of input file ownership)
-l N, --line-length=N
specify the desired line-wrap length for the `l' command
--posix
disable all GNU extensions.
-r, --regexp-extended
use extended regular expressions in the script.
-s, --separate
consider files as separate rather than as a single continuous
long stream.
-u, --unbuffered
load minimal amounts of data from the input files and flush
the output buffers more often
--help display this help and exit
--version output version information and exit

If no -e, --expression, -f, or --file option is given, then the first
non-option argument is taken as the sed script to interpret. All
remaining arguments are names of input files; if no input files are
specified, then the standard input is read.

E-mail bug reports to: [email protected] .
Be sure to include the word sed'' somewhere in the Subject:'' field.
./linpeas.sh: line 162: s/|/\|/g: No such file or directory

It would be awesome, if WinPEAS checks the content of the file:

$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history

Its like bash_history for powershell and contains often jucy information

Hi everyone !

It could be useful to know if the OS is running on a virtual or physical machine. So I added the following lines to linpeas.sh:

diff --git a/linPEAS/linpeas.sh b/linPEAS/linpeas.sh
index 74d421f..10e7697 100755
--- a/linPEAS/linpeas.sh
+++ b/linPEAS/linpeas.sh
@@ -1011,6 +1011,17 @@ if [ "`echo $CHECKS | grep SysI`" ]; then
   printf $Y"[+] "$GREEN"Printer? ....................... "$NC
   lpstat -a 2>/dev/null || echo_not_found "lpstat"
 
+  #-- SY) Running in a virtual environment
+  printf $Y"[+] "$GREEN"Is this a virtual machine? ..... "$NC
+  hypervisorflag=`cat /proc/cpuinfo | grep flags | grep hypervisor 2>/dev/null`
+  if [ `which systemd-detect-virt 2>/dev/null` ]; then
+    detectedvirt=`systemd-detect-virt`
+    if [ "$hypervisorflag" ]; then printf $RED"Yes ("$detectedvirt")"$NC; else printf $GREEN"No"$NC; fi
+  else
+    if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
+  fi
+  echo ""
+
   #-- SY) Container
   printf $Y"[+] "$GREEN"Is this a container? ........... "$NC
   dockercontainer=`grep -i docker /proc/self/cgroup  2>/dev/null; find / -maxdepth 3 -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`

I have successfully tested it on XEN, virtualbox, Docker (KVM/QEMU should work too) and bare metal machines for various Debian-based Linux distributions. Not tested, but it should work on Redhat too.

Hope this help !

i try version obfuscated and normal version, with two architecture x64 and x86 help

There is a box that has a hidden .bat script that contained the commands

@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user ausername somepassword
net user administrator someotherpassword

ping -n 3 127.0.0.1

cls

GOTO :LOOP

:EXIT

This appeared to have missed it.... think you could add a check for finding .bat files such as this that container credentials?

A good one for Windows privilege escalation, if they have the SeImpersonatePrivilege privilege enabled, the can get to SYSTEM access.

https://www.exploit-db.com/exploits/31667
https://hunter2.gitbook.io/darthsidious/privilege-escalation/juicy-potato
https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

Some very POC code below:

whoami /priv | find "Enabled" | find "SeImpersonatePrivilege" && set expl=yes

It returned false negative results.
Instead it returned the path of the files that without a match with the expr.
Tried to create a file /var/www/htm/configurations.php with "password = '1234'"
it failed to detect.

Buenas!

Me bajé la versión compilada de winPEAS para 65bits y me aparece"no se puede iniciar o ejecutar porque no es compatible con versiones de 64 bits de windows...".

Utilizo un W10, alguién tiene alguna idea?

Muchas gracias!

Un saludo,

I assume there's a reason why it's coded this way, but grep -v "#" prevents commented lines (or more accurately any lines with # in them) from showing even if they have PASSWORD in the line. This has burned me at least once. 😄

The current linpeas.sh script does not find and parse invisible crontab entries. An attacker could install a somewhat invisible crontab entry by adding a carriage return after that malicious entry, then hiding it using the next line that should be longer or the same length as the malicious one. By removing the carriage return, we can make the malicious entry visible so that the script shows it to the user. The following screenshot explains the idea:

On the left hand side is what the script currently does to find out which crontab entries are installed.
On the other side is what the script should do to uncover hidden crontab entries.

In this example, the attacker would have added his malicious entry followed by a space, a hash mark (#) and finally the carriage return after which comes the next line. (notice that we don't put a line feed character here (\n) as this will render the trick useless)
The purpose of adding the hash mark is to comment out the carriage return so that it doesn't get interpreted by the shell and ruins the command.

To fix this, we remove the carriage return byte from the output before parsing it. This could help in a scenario where the system got backdoored using a covert cron job.

This was inspired from a story that happened in DEFCON finals.

An option to exclude network shares from all find commands would be useful as those can be extremely time consuming. Yes, it will miss potentially dangerous files but it'll be a lot faster and a lot less discussion with the storage guys.

This is the list of requested features that I haven't find the time to create yet and aren't top priority.
Help is wanted for the following tasks:

• Profiles-based audit for business models #42
• .Net to cmake #39
• Colours for WinPEAS.bat #41
• Monitoring reports #107
• Check md5sums of known vulnerable binary files (if you have a list with this information for any OS let me know!)
• JSON Output

When i start this script i have this errors, the previous update work correctly.
./linpeas.sh: 968: ./linpeas.sh: Syntax error: "done" unexpected (expecting "fi")

PayPal cannot process this transaction because of a problem with the seller's website. Please contact the seller directly to resolve this problem.

After clicking the button. FYI.

Tried this on TryHackMe DailyBugle box. Script did not detect password in /var/www/html/configuration.php file. Odd because all the old writeups mention about the script detecting this password.

Do you think listing block devices would be useful?
lsblk

The default output when I launch the exe in my powershell console

How can I fix this ?

Hey!
I'm just curious about the Privilege Escalation Course. Can i get more information regarding this?
Thanks

Please add this feature.

Hello,

the linpeas.sh script freezes in case the variable $privatekeyfiles contains filepaths with the character sequence " - " (that is whitespace, dash, whitespace).

$privatekeyfiles is defined here:

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/f10256df16a836480adf32fe3b06fefade194778/linPEAS/linpeas.sh#L1114

And the freeze happens here:

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/f10256df16a836480adf32fe3b06fefade194778/linPEAS/linpeas.sh#L1129

The issues arises because if $privatekeyfiles contains whitespaces than grep interprets the whitespace seperated strings as multiple paths. normally this would only result in errors and not block the script but this can actually be abused to inject commandline flags for grep or also to inject the "-" character which grep interprets as stdin and therefore "freezes", i.e. waits for user input from stdin.

Here is an easy example showing the issue:

mkdir "path - poc"
ssh-keygen -b 2048 -t rsa -f "./path - poc/sshkey" -q -N ""
privatekeyfiles=`readlink -f "./path - poc/sshkey"`
grep "" `echo $privatekeyfiles`

As explained before grep now freezes and waits for user input. Therefore the whole linpeas.sh script freezes at this point. I did not check whether the same issue occurrs in other places of the enumeration script but I would assume so.

A solution would be to put quotation marks around the $privatekeyfiles like so (line 1129):

privatekeyfilesgrep=`grep -L "\"|'\|(" "$privatekeyfiles"` # Check there aren't unexpected symbols in the file

Hi! I recently used the awesome winPEAS on htb.
I think this could be improved by adding this simple feature to monitor interesting Powershell Transcript files located under C:\transcripts\.
What do you think about?

Hello,

It seems like 76aa0ad added a new check which can lead to a file been written to disk, even when -s is provided.

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/b7127e4a67ebb02babf1f498298d4a32adde61f7/linPEAS/linpeas.sh#L1422

Non-standard SUID/SGID binaries on the system are likely to be interesting.

I have an idea that this script can use for audit / hardening server base on profiles that use defined. For example, for file server:

1. User defines which is allowed on file share server. Basic profile can be something like:

• net.allow 445
• service.allow samba
• service.alert vnc

2. When in audit mode, script can have 3 levels:

• alert: something suspicious or is defined as alert in profile
• warning: it isn't defined as allow and it is unknown data / service / port /...
• allow: it is defined as allow
  So, with this custom profile syntax, admins can define rules for their servers and remove / block unsafe stuff easier.
  It should be also works for end-users with something like check firewall rules, ....
  What do you think about this idea?

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Hi,

To make the output colored, you can use this too:
https://github.com/adoxa/ansicon

Just copy ansicon.exe and ANSI32.dll and execute:

ansicon.exe -p

For Windows xp and 7 I used version 1.66:
https://github.com/adoxa/ansicon/releases/tag/v1.66

And for Windows 10, version 1.89:
https://github.com/adoxa/ansicon/releases/tag/v1.89

There is problem with winPEAS.bat to identify unquoted service paths. To fix this, I modified the following line:
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASbat/winPEAS.bat#L362

echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 ...

to:

echo %%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 ...

Thanks for this amazing project.

Might prove useful
Unfortunately 1 way conversion only.
https://github.com/pavelliavonau/cmakeconverter
Linux windows. Net crossdev/compile.