carlospolop / peass-ng
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Home Page: https://book.hacktricks.xyz
License: Other
Hello!
I am quite new to pentesting, and I have been using linpeas often to find vectors of privilege escalation.
Here I have a question: I noticed recently that I got a RED/YELLOW on a SUID file I have permission to write.
However, the owner of this file in this specific case is not root, it's just me
If I'm not mistaken, SUID allows you to perform actions as the file's owner, so in this case, as myself. I don't see how I can use this as a 99% PE Vector at least with my current skillset/knowledge
Maybe there should be another check in place that the owner of the file is root?
Or ignore it if the user is the file's owner?
Or maybe have it RED and not RED/YELLOW?
Up to you really :)
Thank you for taking a look at it!
I believe this should say "Legend" instead of "Leyend"
Got the following error when running the obfuscated version of winPEAS (winPEASx64.exe). The error occurs when it is enumerating the "processes information".
==================error message================
Unhandled Exception: System.Runtime.InteropServices.COMException: The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at System.Runtime.InteropServices.Marshal.FreeHGlobal(IntPtr hglobal)
at winPEAS.SamServer.c.d(Boolean A_0)
at winPEAS.SamServer.c.Finalize()
If running 64-bit winPEAS, the error message is slightly different.
c:\scripts\privesc\config checking\peas>winPEAS.exe notcolor > output4.txt
Unhandled Exception: System.Runtime.InteropServices.COMException: The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at System.Runtime.InteropServices.Marshal.FreeHGlobal(IntPtr hglobal)
at winPEAS.SamServer.UNICODE_STRING.Dispose(Boolean disposing)
at winPEAS.SamServer.UNICODE_STRING.Finalize()
===========
Windows 10 64-bit version:
Microsoft Windows [Version 10.0.17763.1039]
By the way, I made some changes to the system by installing the batch script for practicing privesc, which shouldn't cause the issue: https://github.com/sagishahar/lpeworkshop/blob/master/lpe_windows_setup.bat
Awesome script!!!
I noticed tmux sessions are not detected with tmux ls but they do show with a ps aux (which the script does not check for):
$ tmux ls 2>/dev/null
$ tmux ls
failed to connect to server: No such file or directory
$ ps aux |grep tmux
root 1019 0.0 0.1 26476 1700 ? Ss 08:18 0:00 /usr/bin/tmux -S /.devs/dev_sess
user1 2037 0.0 0.0 13576 920 pts/4 S+ 08:19 0:00 grep --color=auto tmux
$ /usr/bin/tmux -S /.devs/dev_sess
[exited]
$
In this case user1 can connect to /usr/bin/tmux -S /.devs/dev_sess and get root access via that session.
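Detection of tmux servers bound to custom sockets from process-list output, as an added example that is not taken from linpeas.sh or this report; the sample ps output is constructed, and the live check only assumes that ps aux is available:

```shell
# Added example, not part of linpeas.sh: find tmux servers started with an
# explicit socket (-S) from process-list output. "tmux ls" only checks the
# current user's default socket, so a root session on a custom socket stays
# invisible to it while still appearing in "ps aux".

# Constructed sample of "ps aux" output (not captured from a real host).
SAMPLE_PS='root      1019  0.0  0.1  26476  1700 ?        Ss   08:18   0:00 /usr/bin/tmux -S /.devs/dev_sess
user1     2037  0.0  0.0  13576   920 pts/4    S+   08:19   0:00 grep --color=auto tmux
www-data  2100  0.0  0.0  26476  1700 ?        Ss   08:20   0:00 tmux -S /tmp/tmux-33/default new -d
root      2101  0.0  0.0  26476  1700 ?        Ss   08:20   0:00 /usr/bin/tmux new -d -s main'

# Print "owner socket" for every tmux process that names a socket with -S.
# The command column starts at field 11 of "ps aux"; requiring that field to
# be tmux itself excludes the "grep tmux" line and servers on default sockets.
tmux_sockets() {
    printf '%s\n' "$1" | awk '
        $11 ~ /(^|\/)tmux$/ {
            for (i = 12; i < NF; i++) if ($i == "-S") print $1, $(i + 1)
        }'
}

# Report which of those sockets the current user could actually attach to:
# a tmux socket is usable when it is writable. Runs against the live process list.
check_live_sockets() {
    tmux_sockets "$(ps aux)" | while read -r owner sock; do
        if [ -w "$sock" ]; then
            echo "ACCESSIBLE: $owner tmux session on $sock"
        else
            echo "not accessible: $owner tmux session on $sock"
        fi
    done
}
```

A socket owned by root that another user can write to is the condition described in the report above; a hardening check would expect every such socket to be writable by its owner only.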
Why is this filtered to be only user timers?
Ran into this in a CTF where there were timers on the box. I think --user is not needed and the title should be "System Timers" instead.
I fixed all the Readme.md files where the Telegram group links were displayed wrong,
but I can't upload them since GitHub won't allow it.
Source:
https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
Ubuntu Desktop system with policykit-desktop-privileges <= 0.20 will allow any member of the sudo group to write files as root without knowledge of the user's password if USBCreator is present.
In the linpeas script, add a check to retrieve all 'look alike' hashes (md5, sha, db hashes, etc)
Thanks for fantastic script!
My note to improve it ... linpeas v2.8.5 (on fedora 31)
1/
This should be fixed (a space is missing after -E):
2003c2003
< cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -E"s,path\W*=>|code\W*=>|ruby\W*\{,${C}[1;31m&${C}[0m,"
---
> cat "$d/conf.d/filt*" | grep "path\s*=>\|code\s*=>\|ruby\s*{" | sed -E "s,path\W*=>|code\W*=>|ruby\W*\{,${C}[1;31m&${C}[0m,"
2/
When I start linpeas I see something like this:
linpeas.sh: line 257: printf: `C': invalid format character
Is it fine to see this?
3/
[+] Unmounted file-system?
[i] Check if you can mount umounted devices
sed: -e expression #1, char 40: unknown option to `s'
4/ problem with \n
[+] Searching Wordpress wp-config.php files
wp-config.php files found:\n/....../wordpress/wp-config.php
I ran the following:
./linpeas.sh -a > linpeas.txt
root@time:/home/pericles# less linpeas.txt
"linpeas.txt" may be a binary file. See it anyway?
Non-usable output; where did I go wrong?
This was my mistake I misread the instructions and did not use the -r flag.
I'm testing LinPEAS on my system and I have some .ovpn files. The script's result showed ".ovpn Not Found", so I'm wondering whether something is wrong in the script or whether it only looks for specific cases? My ovpn files are in $HOME/Downloads and $HOME/Desktop.
Hi, I just did a box on HackTheBox, and I had to use DNSAdmins to Domain Admins - Server Level DLL Injection (http://www.abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/) Apparently a vulnerable box can be detected if the user is part of the DNSAdmin group. Could winPEAS be able to detect this?
PEASS is still detected by Windows Defender: Chrome, Firefox and MS Edge all blocked the download, and if I allowed the download, Defender removed it because it "contained a virus".
Version: linpeas v2.4.4 by carlospolop
Tested with Parrot OS 4.8
[+] PATH
[i] Any writable folder in original PATH? (a new completed path will be exported)
./linpeas.sh: 625: sed: Argument list too long
./linpeas.sh: 626: sed: Argument list too long
[i] Check if you can mount umounted devices
./linpeas.sh: 695: sed: Argument list too long
================================( Processes, Cron & Services )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
./linpeas.sh: 736: sed: Argument list too long
[+] Binary processes permissions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
./linpeas.sh: 742: sed: Argument list too long
[+] Cron jobs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-jobs
./linpeas.sh: 757: sed: Argument list too long
-rw-r--r-- 1 root root 1042 Mar 10 2019 /etc/crontab
I've started using winPEAS and I love it, however I've noticed that for some reason it doesn't seem to ever "finish" running, even with basic checks that don't search the filesystem, for example. In order to complete the scan, you have to press Enter and it will show the command prompt again. This isn't an issue most of the time, but it does cause issues when running winPEAS in a reverse shell, because pressing Enter doesn't do anything, so you are left with a useless shell.
I tested it on the latest Windows 10 using winPEASany.exe.
I noticed this doing a machine on HackTheBox - Before November 2019, the UsoSvc was writable by the Network Service group (CVE-2019-1322). A user commonly has this permission when exploiting a web server.
AccessChk.exe Output:
UsoSvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW NT AUTHORITY\SERVICE
SERVICE_ALL_ACCESS
Identified by PowerUp:
[*] Checking service permissions...
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'
I've checked the entire output of winpeas cmd and winpeas cmd fast and did not see this service listed.
First off: wonderful tool!
The linpeas quick start is very helpful. It shows how to get the script to the target with curl, without curl, if you have to invoke AV bypass, and so forth.
The winpeas quick start only shows how to run it. How do you get it there? How do you do AV bypass? What is best practice if you are in powershell versus cmd?
I realize you can google these things, but given how helpful it is to have that info in the linpeas quickstart, could it be added to the winpeas quick start as well? Thanks.
linpeas.sh v2.6.9 from master branch.
Hi, I noticed options -n and -P can't be used as they are flagged as illegal. I believe line 65 needs amending to "allow" the options:
while getopts "h?asd:p:i:qo:w" opt; do
to something like
while getopts "h?asd:n:P:p:i:qo:w" opt; do
Also, when using -P so that the PASSWORD variable is set and the sudo -l check can be performed with a supplied password, it errors at line 1264; the IF statement is not executed:
if [ "$PASSWORD"]; then
needs a space:
if [ "$PASSWORD" ]; then
Hello,
Recently I noticed that looking for 3rd party drivers on Windows is a bit of a kerfuffle. At least I can't see a clean way of doing this or already available scripts.
The closest I could come up with is the following:
Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DriverProviderName -notmatch "Microsoft"} | Select DeviceName, DriverVersion, DeviceID
However, it has the issue of (1) relying on WMI that the user might not have access to, and (2) it reports about signed drivers, so could ignore unsigned drivers.
Instead, I was thinking that it could be possible to use the Win32 API. Microsoft has a simple example in C that should be easy to implement in C# by adding the needed types. Essentially, when the code runs, it outputs a list of file names correlating to the drivers loaded.
However, this would enumerate all drivers on the system. To make this list useful it would be necessary to remove known drivers that are not of interest, i.e. Microsoft drivers that would be covered by the Windows patch level. Sadly I can't see an easier way to do this than including a whitelist of Microsoft drivers, and a quick search does not reveal such a list.
I'm not sure if there is an easier way or if the information would be better covered by the SCM instead (but that could require additional permissions to interact with), but I thought I'd put this suggestion here in case it's of use.
$ ./linpeas.sh
cut: you must specify a list of bytes, characters, or fields
Try `cut --help' for more information.
./linpeas.sh: line 60: -d: command not found
cut: option requires an argument -- d
Try `cut --help' for more information.
./linpeas.sh: line 60: : command not found
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
./linpeas.sh: line 75: AT: command not found
tr: missing operand
Try `tr --help' for more information.
./linpeas.sh: line 154: \n: command not found
Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
./linpeas.sh: line 155: s/|daemon|/|daemon[\s:]|^daemon$|/: No such file or directory
./linpeas.sh: line 154: and: command not found
tr: missing operand after `\\n'
Two strings must be given when translating.
Try `tr --help' for more information.
./linpeas.sh: line 157: |: command not found
Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
./linpeas.sh: line 162: s/|/\|/g: No such file or directory
It would be awesome, if WinPEAS checks the content of the file:
$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
It's like bash_history for PowerShell and often contains juicy information.
Hi everyone!
It could be useful to know if the OS is running on a virtual or physical machine. So I added the following lines to linpeas.sh:
diff --git a/linPEAS/linpeas.sh b/linPEAS/linpeas.sh
index 74d421f..10e7697 100755
--- a/linPEAS/linpeas.sh
+++ b/linPEAS/linpeas.sh
@@ -1011,6 +1011,17 @@ if [ "`echo $CHECKS | grep SysI`" ]; then
printf $Y"[+] "$GREEN"Printer? ....................... "$NC
lpstat -a 2>/dev/null || echo_not_found "lpstat"
+ #-- SY) Running in a virtual environment
+ printf $Y"[+] "$GREEN"Is this a virtual machine? ..... "$NC
+ hypervisorflag=`cat /proc/cpuinfo | grep flags | grep hypervisor 2>/dev/null`
+ if [ `which systemd-detect-virt 2>/dev/null` ]; then
+ detectedvirt=`systemd-detect-virt`
+ if [ "$hypervisorflag" ]; then printf $RED"Yes ("$detectedvirt")"$NC; else printf $GREEN"No"$NC; fi
+ else
+ if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
+ fi
+ echo ""
+
#-- SY) Container
printf $Y"[+] "$GREEN"Is this a container? ........... "$NC
dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -maxdepth 3 -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
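Review bot: the result of systemd-detect-virt is only consulted when the cpuinfo hypervisor flag is present, so the branch `if [ "$hypervisorflag" ]; then printf $RED"Yes ("$detectedvirt")"$NC; else printf $GREEN"No"$NC; fi` prints "No" even when systemd-detect-virt has positively identified a container or a paravirtualised guest that does not expose that flag. Consider using the exit status of systemd-detect-virt (zero when virtualization is detected, non-zero with output "none" otherwise) as the primary signal and falling back to the cpuinfo flag only when the tool is absent. Two smaller points in the same hunk: the `2>/dev/null` on `cat /proc/cpuinfo | grep flags | grep hypervisor` only silences the last grep, so `grep -q hypervisor /proc/cpuinfo 2>/dev/null` is both simpler and quieter, and the unquoted backtick substitution inside `if [ \`which systemd-detect-virt 2>/dev/null\` ]` should be quoted or replaced by `command -v systemd-detect-virt >/dev/null 2>&1`.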
I have successfully tested it on XEN, virtualbox, Docker (KVM/QEMU should work too) and bare metal machines for various Debian-based Linux distributions. Not tested, but it should work on Redhat too.
Hope this helps!
There is a box that has a hidden .bat script that contained the following commands:
@echo off
:LOOP
for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete
net user ausername somepassword
net user administrator someotherpassword
ping -n 3 127.0.0.1
cls
GOTO :LOOP
:EXIT
This appeared to have been missed. Do you think you could add a check for finding .bat files such as this that contain credentials?
A good one for Windows privilege escalation: if they have the SeImpersonatePrivilege privilege enabled, they can get to SYSTEM access.
https://www.exploit-db.com/exploits/31667
https://hunter2.gitbook.io/darthsidious/privilege-escalation/juicy-potato
https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
Some very basic POC code below:
whoami /priv | find "Enabled" | find "SeImpersonatePrivilege" && set expl=yes
It returned false negative results.
Instead, it returned the paths of files that did not match the expression.
I tried to create a file /var/www/htm/configurations.php with "password = '1234'";
it failed to detect it.
Hello!
I downloaded the compiled version of winPEAS for 65 bits and I get "cannot start or run because it is not compatible with 64-bit versions of Windows...".
I'm using W10, does anyone have any idea?
Thanks a lot!
Regards,
I assume there's a reason why it's coded this way, but grep -v "#" prevents commented lines (or more accurately any lines with # in them) from showing even if they have PASSWORD in the line. This has burned me at least once. 😄
The current linpeas.sh script does not find and parse invisible crontab entries. An attacker could install a somewhat invisible crontab entry by adding a carriage return after that malicious entry, then hiding it using the next line that should be longer or the same length as the malicious one. By removing the carriage return, we can make the malicious entry visible so that the script shows it to the user. The following screenshot explains the idea:
On the left hand side is what the script currently does to find out which crontab entries are installed.
On the other side is what the script should do to uncover hidden crontab entries.
In this example, the attacker would have added his malicious entry followed by a space, a hash mark (#) and finally the carriage return after which comes the next line. (notice that we don't put a line feed character here (\n) as this will render the trick useless)
The purpose of adding the hash mark is to comment out the carriage return so that it doesn't get interpreted by the shell and ruins the command.
To fix this, we remove the carriage return byte from the output before parsing it. This could help in a scenario where the system got backdoored using a covert cron job.
This was inspired by a story that happened in DEFCON finals.
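A check for such entries, as an added example that is not part of linpeas.sh or this issue; the sample crontab is constructed here with the hidden-entry layout described above:

```shell
# Added example, not part of linpeas.sh: uncover cron entries hidden behind a
# carriage return. In "<job A> #\r<job B>" a terminal draws job B over job A,
# so "cat /etc/crontab" appears to show only the benign job B, while cron runs
# job A (the "#" turns "\r<job B>" into a shell comment, so B never runs).

# Constructed sample crontab written to a temp file; prints the file name.
make_sample_crontab() {
    f=$(mktemp)
    {
        printf 'SHELL=/bin/sh\n'
        printf '0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n'
        # hidden entry: job A, then " #", a bare CR, then the longer job B
        printf '%s #\r%s\n' \
            '* * * * * root /tmp/.x/backdoor.sh' \
            '17 * * * * root cd / && run-parts --report /etc/cron.hourly'
    } > "$f"
    echo "$f"
}

CR=$(printf '\r')

# Number of lines that contain a CR byte; a clean crontab has none.
cr_lines() {
    grep -c "$CR" "$1"
}

# What a terminal renders for each line: only the text after the last CR.
terminal_view() {
    awk -v cr="$CR" '{ n = split($0, p, cr); print p[n] }' "$1"
}

# Hardened view: strip CR bytes first so the whole physical line is visible,
# then drop comments and blank lines as the normal crontab parse would.
reveal_cron() {
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Lines worth flagging to the user: every line that carried a CR byte,
# shown with the CR removed so the real job is readable.
hidden_cron_entries() {
    grep "$CR" "$1" | tr -d '\r'
}
```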
An option to exclude network shares from all find commands would be useful as those can be extremely time consuming. Yes, it will miss potentially dangerous files but it'll be a lot faster and a lot less discussion with the storage guys.
This is the list of requested features that I haven't found the time to create yet and that aren't top priority.
Help is wanted for the following tasks:
When I start this script I get these errors; the previous update worked correctly.
./linpeas.sh: 968: ./linpeas.sh: Syntax error: "done" unexpected (expecting "fi")
PayPal cannot process this transaction because of a problem with the seller's website. Please contact the seller directly to resolve this problem.
After clicking the button. FYI.
Tried this on the TryHackMe DailyBugle box. The script did not detect the password in the /var/www/html/configuration.php file. Odd, because all the old writeups mention the script detecting this password.
Do you think listing block devices would be useful?
lsblk
Hey!
I'm just curious about the Privilege Escalation Course. Can i get more information regarding this?
Thanks
Please add this feature.
Hello,
the linpeas.sh script freezes if the variable $privatekeyfiles contains file paths with the character sequence " - " (that is whitespace, dash, whitespace).
$privatekeyfiles is defined here:
And the freeze happens here:
The issue arises because if $privatekeyfiles contains whitespace, grep interprets the whitespace-separated strings as multiple paths. Normally this would only result in errors and not block the script, but this can actually be abused to inject command-line flags for grep, or to inject the "-" character, which grep interprets as stdin and therefore "freezes", i.e. waits for user input from stdin.
Here is an easy example showing the issue:
mkdir "path - poc"
ssh-keygen -b 2048 -t rsa -f "./path - poc/sshkey" -q -N ""
privatekeyfiles=`readlink -f "./path - poc/sshkey"`
grep "" `echo $privatekeyfiles`
As explained before, grep now freezes and waits for user input. Therefore the whole linpeas.sh script freezes at this point. I did not check whether the same issue occurs in other places of the enumeration script, but I would assume so.
A solution would be to put quotation marks around the $privatekeyfiles like so (line 1129):
privatekeyfilesgrep=`grep -L "\"|'\|(" "$privatekeyfiles"` # Check there aren't unexpected symbols in the file
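The word-splitting behind the freeze and a quoting-safe way to run the same check, as an added example that is not part of linpeas.sh or this report; the directory layout and the placeholder key text are constructed here:

```shell
# Added example, not part of linpeas.sh: why an unquoted $privatekeyfiles hangs
# grep, and a form that hands grep each path as exactly one argument.
# Everything runs in a scratch directory; the "key" is a placeholder string.

# Constructed layout: a key file in a directory whose name contains " - ",
# plus a file containing a quote character (a script, not a key).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/path - poc"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_KEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/path - poc/sshkey"
    printf 'echo "not a key"\n' > "$d/notakey"
    echo "$d"
}

# How many arguments does grep receive when the path is expanded unquoted?
# ".../path - poc/sshkey" becomes three words: ".../path", "-", "poc/sshkey".
unsafe_arg_count() {
    set -- $1          # deliberately unquoted to reproduce the bug
    echo $#
}

# Does the unquoted expansion smuggle in an option-looking word? A bare "-"
# makes grep read stdin (the observed freeze); "-x..." would be parsed as a flag.
unsafe_has_option_words() {
    for w in $1; do    # deliberately unquoted
        case $w in -*) return 0 ;; esac
    done
    return 1
}

# Hardened enumeration: find passes every path as a single argument and "--"
# ends option parsing, so a name starting with "-" can never become a flag.
# Same intent as the original line: list candidate files with no quote or "(".
keyfiles_without_symbols() {
    find "$1" -type f -exec grep -L -e '"' -e "'" -e '(' -- {} +
}
```

The same find/-exec form works for any per-file check in the script that currently relies on a space-separated list held in one variable.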
Hi! I recently used the awesome winPEAS on htb.
I think this could be improved by adding this simple feature to monitor interesting PowerShell Transcript files located under C:\transcripts\.
What do you think about it?
Hello,
It seems like 76aa0ad added a new check which can lead to a file being written to disk, even when -s is provided.
Non-standard SUID/SGID binaries on the system are likely to be interesting.
I have an idea that this script could be used for auditing / hardening servers based on user-defined profiles. For example, for a file server:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Hi,
To make the output colored, you can use this too:
https://github.com/adoxa/ansicon
Just copy ansicon.exe and ANSI32.dll and execute:
ansicon.exe -p
For Windows XP and 7 I used version 1.66:
https://github.com/adoxa/ansicon/releases/tag/v1.66
And for Windows 10, version 1.89:
https://github.com/adoxa/ansicon/releases/tag/v1.89
There is problem with winPEAS.bat to identify unquoted service paths. To fix this, I modified the following line:
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASbat/winPEAS.bat#L362
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 ...
to:
echo %%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 ...
Thanks for this amazing project.
Might prove useful
Unfortunately one-way conversion only.
https://github.com/pavelliavonau/cmakeconverter
Linux windows. Net crossdev/compile.