Add winpeas privilege escalation checks from: HTB: TheFrizz

This commit is contained in:
HackTricks News Bot
2025-08-27 15:06:08 +02:00
parent cc5ab76991
commit ab5596e38f
5 changed files with 76 additions and 3 deletions


@@ -3941,3 +3941,27 @@ search:
type: f type: f
search_in: search_in:
- common - common
- name: WAPT
value:
config:
auto_check: True
files:
- name: "waptserver.ini"
value:
type: f
search_in:
- common
- name: "wapt-get.ini"
value:
type: f
search_in:
- common
- name: "*wapt*.7z"
value:
type: f
search_in:
- common
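Review bot: The new `*wapt*.7z` entry at L31 relies on `name` accepting a glob, which neither the sibling entries (`waptserver.ini`, `wapt-get.ini`) nor the visible context establishes; if names are matched literally, this entry never fires and the backup-archive detection the commit advertises is silently absent. Worth confirming against how the loader treats `name`, or at least recording the intent with a comment such as `# glob: WAPT backup archives (e.g. wapt-backup-*.7z)`. Separately, the commit's README text says these files are looked for in user homes and the Recycle Bin, while all three entries search only `common`; confirm that `common` covers those locations or add them to `search_in`.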


@@ -266,3 +266,8 @@ If you find any issue, please report it using **[github issues](https://github.c
## Advisory ## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
### New in this update
- AD GPO abuse indicators: winPEAS now highlights membership in "Group Policy Creator Owners" and inspects applied GPO folders in SYSVOL for write permissions that can enable SYSTEM via GPO abuse.
- WAPT artifacts: added detection of common WAPT files (waptserver.ini, wapt-get.ini) and backup archives (*wapt*.7z) in user homes and Recycle Bin searches.


@@ -20,7 +20,7 @@ namespace winPEAS.Checks
{ {
internal class FilesInfo : ISystemCheck internal class FilesInfo : ISystemCheck
{ {
static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe"; static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe|waptserver.ini|wapt-get.ini|wapt.*\.7z|wapt";
// static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak"; // static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
private static readonly IList<string> patternsFileCreds = new List<string>() private static readonly IList<string> patternsFileCreds = new List<string>()
@@ -110,6 +110,11 @@ namespace winPEAS.Checks
"winscp.ini", "winscp.ini",
"ws_ftp.ini", "ws_ftp.ini",
"wsl.exe", "wsl.exe",
// WAPT software artifacts (from HTB TheFrizz case):
"waptserver.ini",
"wapt-get.ini",
"wapt*.ini",
"*wapt*.7z",
}; };
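Review bot: The bare `wapt` alternative appended to `_patternsFileCredsColor` at L52 already matches every name that `waptserver.ini`, `wapt-get.ini` and `wapt.*\.7z` match, so those three are dead in the colouring regex, and `wapt` alone will also highlight unrelated entries containing that substring; keep only the specific ones, `…|bash.exe|wsl.exe|waptserver\.ini|wapt-get\.ini|wapt.*\.7z";`. While touching this line, the pre-existing `docker-compose.ymlaccess_tokens.db` is missing a `|`, which silently disables both patterns. In the `patternsFileCreds` list at L59-L63, `"wapt*.ini"` subsumes the two explicit `.ini` names if the search accepts wildcards, and if it does not, both `"wapt*.ini"` and `"*wapt*.7z"` can never match; the legacy pattern string at L53 used `*` globs so wildcards are probably supported, but confirm and drop the redundant pair. The `patternsFileCreds` initializer begins outside the second hunk.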


@@ -0,0 +1,37 @@
using System; using winPEAS.Helpers; namespace winPEAS.Checks { internal partial class UserInfo {
void PrintPotentialGpoAbuseIndicators() {
try {
Beaprint.MainPrint("Potential GPO abuse (Active Directory)");
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gpo-abuse.html", "Check if you can abuse GPO permissions to run code as SYSTEM");
if (!Checks.IsPartOfDomain || Checks.IsCurrentUserLocal) { Beaprint.NotFoundPrint(); return; }
bool isGpcOwner = false;
foreach (var kv in Checks.CurrentUserSiDs) {
if (!string.IsNullOrEmpty(kv.Value) && kv.Value.Equals("Group Policy Creator Owners", StringComparison.OrdinalIgnoreCase)) { isGpcOwner = true; break; }
}
if (isGpcOwner) { Beaprint.BadPrint(" [!] Current user token contains 'Group Policy Creator Owners' you may be able to create/modify GPOs."); }
else { Beaprint.NoColorPrint(" [-] Not a member of 'Group Policy Creator Owners' (based on current token)."); }
try {
var applied = winPEAS.Info.SystemInfo.GroupPolicy.GroupPolicy.GetLocalGroupPolicyInfos();
var anyPrinted = false;
foreach (var info in applied) {
if ($"{info.GPOType}".Equals("machine", StringComparison.OrdinalIgnoreCase)) {
var fileSysPath = $"{info.FileSysPath}";
if (string.IsNullOrEmpty(fileSysPath)) continue;
if (fileSysPath.StartsWith("\\\\")) {
var rights = PermissionsHelper.GetPermissionsFolder(fileSysPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (rights.Count > 0) {
if (!anyPrinted) { Beaprint.BadPrint(" [!] Writable applied GPO folders in SYSVOL (abusable):"); anyPrinted = true; }
Beaprint.BadPrint($" -> {fileSysPath} | Rights: {string.Join(", ", rights)}");
}
}
}
}
if (!isGpcOwner && !anyPrinted) { Beaprint.NotFoundPrint(); }
} catch (Exception ex2) {
Beaprint.GrayPrint(" [i] Error while checking applied GPO folders: " + ex2.Message);
if (!isGpcOwner) { Beaprint.NotFoundPrint(); }
}
Beaprint.GrayPrint(" Tip: If you can edit a GPO linked to this computer, tools like SharpGPOAbuse can add an immediate scheduled task to execute a command as SYSTEM.");
} catch (Exception ex) { Beaprint.PrintException(ex.Message); }
}
} }
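Review bot: The writable-folder test at L89 examines only the GPO's root folder in SYSVOL, so a GPO whose root is read-only but whose `Machine` subtree (where scheduled-task and script definitions actually live) is writable is reported as not found, while the `[!] ... (abusable)` label overstates what a writable root alone proves. Consider probing the subtree as well, e.g. wrapping the existing call in `foreach (var probe in new[] { fileSysPath, fileSysPath + "\\Machine" })`, and softening the message, since getting a modified GPO re-applied normally also requires bumping the version number in the GPO's AD object and `gpt.ini`, which a SYSVOL-only write does not give. The `Equals("Group Policy Creator Owners", …)` test at L77 will miss the group if `CurrentUserSiDs` values carry a `DOMAIN\` prefix (the regex-based `badgroups` colouring elsewhere suggests they may); `EndsWith("Group Policy Creator Owners", StringComparison.OrdinalIgnoreCase)` is safer. The `StartsWith("\\\\")` at L88 should pass `StringComparison.Ordinal`, and the `Tip:` line at L102 is printed even after `NotFoundPrint()`, which adds noise when nothing was found.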


@@ -14,7 +14,7 @@ using winPEAS.Native.Structs;
namespace winPEAS.Checks namespace winPEAS.Checks
{ {
internal class UserInfo : ISystemCheck internal partial class UserInfo : ISystemCheck
{ {
/* Colors Code /* Colors Code
* RED: * RED:
@@ -30,7 +30,8 @@ namespace winPEAS.Checks
*/ */
static string badgroups = "docker|Remote |DNSAdmins|AD Recycle Bin|Azure Admins|Admins|Server Operators";//The space in Remote is important to not mix with SeShutdownRemotePrivilege static string badgroups = "docker|Remote |DNSAdmins|AD Recycle Bin|Azure Admins|Admins|Server Operators|Group Policy Creator Owners";// The space in "Remote " is important to not mix with SeShutdownRemotePrivilege
// Added "Group Policy Creator Owners" as a high-value group since members can create/modify GPOs that can be abused to get SYSTEM on linked computers.
static readonly string _badPasswd = "NotChange|NotExpi"; static readonly string _badPasswd = "NotChange|NotExpi";
static readonly string _badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege"; static readonly string _badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege";
@@ -44,6 +45,7 @@ namespace winPEAS.Checks
PrintCurrentUserIdleTime, PrintCurrentUserIdleTime,
PrintCurrentTenantInfo, PrintCurrentTenantInfo,
PrintTokenP, PrintTokenP,
PrintPotentialGpoAbuseIndicators,
PrintClipboardText, PrintClipboardText,
PrintLoggedUsers, PrintLoggedUsers,
PrintLocalUsers, PrintLocalUsers,
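Review bot: The explanatory comment added at L119 sits on the line after the `badgroups` field it describes and directly above `_badPasswd`, so it reads as documentation for the wrong field; move it above L118 as `// "Group Policy Creator Owners" is high-value: members can create/modify GPOs that can be abused to run as SYSTEM on linked computers.` The new `PrintPotentialGpoAbuseIndicators` entry at L126 reads `Checks.CurrentUserSiDs`; presumably that is populated before this check list runs, as `PrintTokenP` just before it appears to depend on the same data, but confirm the ordering. The initializer containing these entries begins outside the hunk.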