mirror of
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
synced 2025-12-08 10:01:29 +00:00
Compare commits
1 Commits
20220201
...
refs/pull/
| Author | SHA1 | Date | |
|---|---|---|---|
|
d63d1ef32b |
57
.github/workflows/CI-master_tests.yml
vendored
57
.github/workflows/CI-master_tests.yml
vendored
@@ -5,9 +5,6 @@ on:
|
|||||||
branches:
|
branches:
|
||||||
- master
|
- master
|
||||||
|
|
||||||
schedule:
|
|
||||||
- cron: "5 4 * * SUN"
|
|
||||||
|
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
@@ -87,9 +84,9 @@ jobs:
|
|||||||
# copy the files
|
# copy the files
|
||||||
- name: Copy Dotfuscator generated files
|
- name: Copy Dotfuscator generated files
|
||||||
run: |
|
run: |
|
||||||
cp $env:DotFuscatorGeneratedPath\x64\winPEASx64.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe"
|
cp $env:DotFuscatorGeneratedPath\x64\winPEASx64.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64.exe"
|
||||||
cp $env:DotFuscatorGeneratedPath\x86\winPEASx86.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe"
|
cp $env:DotFuscatorGeneratedPath\x86\winPEASx86.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86.exe"
|
||||||
cp $env:DotFuscatorGeneratedPath\any\winPEASany.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe"
|
cp $env:DotFuscatorGeneratedPath\any\winPEASany.exe "winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany.exe"
|
||||||
|
|
||||||
# Upload all the versions for the release
|
# Upload all the versions for the release
|
||||||
- name: Upload winpeasx64
|
- name: Upload winpeasx64
|
||||||
@@ -114,19 +111,19 @@ jobs:
|
|||||||
uses: actions/upload-artifact@v2
|
uses: actions/upload-artifact@v2
|
||||||
with:
|
with:
|
||||||
name: winPEASx64_ofs.exe
|
name: winPEASx64_ofs.exe
|
||||||
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64_ofs.exe
|
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx64.exe
|
||||||
|
|
||||||
- name: Upload winpeasx86ofs
|
- name: Upload winpeasx86ofs
|
||||||
uses: actions/upload-artifact@v2
|
uses: actions/upload-artifact@v2
|
||||||
with:
|
with:
|
||||||
name: winPEASx86_ofs.exe
|
name: winPEASx86_ofs.exe
|
||||||
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86_ofs.exe
|
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASx86.exe
|
||||||
|
|
||||||
- name: Upload winpeasanyofs
|
- name: Upload winpeasanyofs
|
||||||
uses: actions/upload-artifact@v2
|
uses: actions/upload-artifact@v2
|
||||||
with:
|
with:
|
||||||
name: winPEASany_ofs.exe
|
name: winPEASany_ofs.exe
|
||||||
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany_ofs.exe
|
path: winPEAS\winPEASexe\binaries\Obfuscated Releases\winPEASany.exe
|
||||||
|
|
||||||
- name: Upload winpeas.bat
|
- name: Upload winpeas.bat
|
||||||
uses: actions/upload-artifact@v2
|
uses: actions/upload-artifact@v2
|
||||||
@@ -199,7 +196,7 @@ jobs:
|
|||||||
|
|
||||||
# Run linpeas as a test
|
# Run linpeas as a test
|
||||||
- name: Run linpeas
|
- name: Run linpeas
|
||||||
run: linPEAS/linpeas.sh -a -D
|
run: linPEAS/linpeas.sh -t -e
|
||||||
|
|
||||||
# Upload files for release
|
# Upload files for release
|
||||||
- name: Upload linpeas.sh
|
- name: Upload linpeas.sh
|
||||||
@@ -286,7 +283,7 @@ jobs:
|
|||||||
|
|
||||||
# Run macpeas parts to test it
|
# Run macpeas parts to test it
|
||||||
- name: Run macpeas
|
- name: Run macpeas
|
||||||
run: linPEAS/linpeas.sh -D -o system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information
|
run: linPEAS/linpeas.sh -o system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information
|
||||||
|
|
||||||
|
|
||||||
Publish_release:
|
Publish_release:
|
||||||
@@ -295,21 +292,6 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
# Download files to release
|
# Download files to release
|
||||||
- name: Download winpeasx64ofs
|
|
||||||
uses: actions/download-artifact@v2
|
|
||||||
with:
|
|
||||||
name: winPEASx64_ofs.exe
|
|
||||||
|
|
||||||
- name: Download winpeasx86ofs
|
|
||||||
uses: actions/download-artifact@v2
|
|
||||||
with:
|
|
||||||
name: winPEASx86_ofs.exe
|
|
||||||
|
|
||||||
- name: Download winpeasanyofs
|
|
||||||
uses: actions/download-artifact@v2
|
|
||||||
with:
|
|
||||||
name: winPEASany_ofs.exe
|
|
||||||
|
|
||||||
- name: Download winpeasx64
|
- name: Download winpeasx64
|
||||||
uses: actions/download-artifact@v2
|
uses: actions/download-artifact@v2
|
||||||
with:
|
with:
|
||||||
@@ -325,6 +307,21 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: winPEASany.exe
|
name: winPEASany.exe
|
||||||
|
|
||||||
|
- name: Download winpeasx64ofs
|
||||||
|
uses: actions/download-artifact@v2
|
||||||
|
with:
|
||||||
|
name: winPEASx64_ofs.exe
|
||||||
|
|
||||||
|
- name: Download winpeasx86ofs
|
||||||
|
uses: actions/download-artifact@v2
|
||||||
|
with:
|
||||||
|
name: winPEASx86_ofs.exe
|
||||||
|
|
||||||
|
- name: Download winpeasanyofs
|
||||||
|
uses: actions/download-artifact@v2
|
||||||
|
with:
|
||||||
|
name: winPEASany_ofs.exe
|
||||||
|
|
||||||
- name: Download winpeas.bat
|
- name: Download winpeas.bat
|
||||||
uses: actions/download-artifact@v2
|
uses: actions/download-artifact@v2
|
||||||
with:
|
with:
|
||||||
@@ -365,10 +362,6 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: linpeas_darwin_arm64
|
name: linpeas_darwin_arm64
|
||||||
|
|
||||||
- name: Get current date
|
|
||||||
id: date
|
|
||||||
run: echo "::set-output name=date::$(date +'%Y%m%d')"
|
|
||||||
|
|
||||||
# Create the release
|
# Create the release
|
||||||
- name: Create Release
|
- name: Create Release
|
||||||
id: create_release
|
id: create_release
|
||||||
@@ -376,8 +369,8 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
with:
|
with:
|
||||||
tag_name: ${{steps.date.outputs.date}}
|
tag_name: ${{ github.ref }}
|
||||||
release_name: Release ${{ github.ref }} ${{steps.date.outputs.date}}
|
release_name: Release ${{ github.ref }}
|
||||||
draft: false
|
draft: false
|
||||||
prerelease: false
|
prerelease: false
|
||||||
|
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ These tools search for possible **local privilege escalation paths** that you co
|
|||||||
- **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
|
- **[LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux local Privilege Escalation Awesome Script (.sh)**
|
||||||
|
|
||||||
## Quick Start
|
## Quick Start
|
||||||
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
|
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/tag/refs%2Fheads%2Fmaster)**.
|
||||||
|
|
||||||
## Let's improve PEASS together
|
## Let's improve PEASS together
|
||||||
|
|
||||||
@@ -34,5 +34,8 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
|
|||||||
All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
|
All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
|
||||||
|
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
MIT License
|
||||||
|
|
||||||
By Polop<sup>(TM)</sup>
|
By Polop<sup>(TM)</sup>
|
||||||
|
|||||||
@@ -13,11 +13,11 @@ Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks
|
|||||||
Just execute `linpeas.sh` in a MacOS system and the **MacPEAS version will be automatically executed**
|
Just execute `linpeas.sh` in a MacOS system and the **MacPEAS version will be automatically executed**
|
||||||
|
|
||||||
## Quick Start
|
## Quick Start
|
||||||
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
|
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/tag/refs%2Fheads%2Fmaster)**.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# From github
|
# From github
|
||||||
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
|
curl -L https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fheads%2Fmaster/linpeas.sh | sh
|
||||||
```
|
```
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
@@ -42,7 +42,7 @@ less -r /dev/shm/linpeas.txt #Read with colors
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Use a linpeas binary
|
# Use a linpeas binary
|
||||||
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
|
wget https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fheads%2Fmaster/linpeas_linux_amd64
|
||||||
chmod +x linpeas_linux_amd64
|
chmod +x linpeas_linux_amd64
|
||||||
./linpeas_linux_amd64
|
./linpeas_linux_amd64
|
||||||
```
|
```
|
||||||
@@ -203,5 +203,8 @@ If you find any issue, please report it using **[github issues](https://github.c
|
|||||||
|
|
||||||
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
MIT License
|
||||||
|
|
||||||
By Polop<sup>(TM)</sup>
|
By Polop<sup>(TM)</sup>
|
||||||
@@ -21,11 +21,6 @@ else echo_not_found "sudo"
|
|||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
#-- SY) CVE-2021-4021
|
|
||||||
if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && (stat -c '%y' $(which pkexec) | grep -qvE "2[0-9][2-9][3-9]-|2022-[0-1][2-9]-0[0-9]|2022-01-[2-3][0-9]|2022-01-1[2-9]" ) ; then
|
|
||||||
echo "Vulnerable to CVE-2021-4021" | sed -${E} "s,.*,${SED_RED_YELLOW},"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#--SY) USBCreator
|
#--SY) USBCreator
|
||||||
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
|
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
|
||||||
print_2title "USBCreator"
|
print_2title "USBCreator"
|
||||||
@@ -127,10 +122,9 @@ if [ "$(command -v bash 2>/dev/null)" ]; then
|
|||||||
print_2title "Executing Linux Exploit Suggester"
|
print_2title "Executing Linux Exploit Suggester"
|
||||||
print_info "https://github.com/mzet-/linux-exploit-suggester"
|
print_info "https://github.com/mzet-/linux-exploit-suggester"
|
||||||
les_b64="peass{LES}"
|
les_b64="peass{LES}"
|
||||||
|
echo $les_b64 | base64 -d | bash
|
||||||
if [ "$EXTRA_CHECKS" ]; then
|
if [ "$EXTRA_CHECKS" ]; then
|
||||||
echo $les_b64 | base64 -d | bash -s -- --checksec | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | sed -E "s,\[CVE-[0-9]+-[0-9]+\].*,${SED_RED},g"
|
echo $les_b64 | base64 -d | bash -s -- --checksec
|
||||||
else
|
|
||||||
echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,\[CVE-[0-9]+-[0-9]+\],*,${SED_RED},g"
|
|
||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
@@ -139,7 +133,7 @@ if [ "$(command -v perl 2>/dev/null)" ]; then
|
|||||||
print_2title "Executing Linux Exploit Suggester 2"
|
print_2title "Executing Linux Exploit Suggester 2"
|
||||||
print_info "https://github.com/jondonas/linux-exploit-suggester-2"
|
print_info "https://github.com/jondonas/linux-exploit-suggester-2"
|
||||||
les2_b64="peass{LES2}"
|
les2_b64="peass{LES2}"
|
||||||
echo $les2_b64 | base64 -d | perl | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
|
echo $les2_b64 | base64 -d | perl
|
||||||
echo ""
|
echo ""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
@@ -28,7 +28,7 @@ else
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
#-- PCS) Binary processes permissions
|
#-- PCS) Binary processes permissions
|
||||||
print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
|
print_2title "Binary processes permissions (non 'root root' and not beloging to current user)"
|
||||||
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
|
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes"
|
||||||
binW="IniTialiZZinnggg"
|
binW="IniTialiZZinnggg"
|
||||||
ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
|
ps auxwww 2>/dev/null | awk '{print $11}' | while read bpath; do
|
||||||
|
|||||||
@@ -60,9 +60,9 @@ fi
|
|||||||
#-- UI) Sudo -l
|
#-- UI) Sudo -l
|
||||||
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
|
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
|
||||||
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
|
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid"
|
||||||
(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
|
(echo '' | sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
|
||||||
if [ "$PASSWORD" ]; then
|
if [ "$PASSWORD" ]; then
|
||||||
(echo "$PASSWORD" | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "sudo"
|
(echo "$PASSWORD" | sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "sudo"
|
||||||
fi
|
fi
|
||||||
( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "/etc/sudoers"
|
( grep -Iv "^$" cat /etc/sudoers | grep -v "#" | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,pwfeedback,${SED_RED},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW},") 2>/dev/null || echo_not_found "/etc/sudoers"
|
||||||
if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
|
if ! [ "$IAMROOT" ] && [ -w '/etc/sudoers.d/' ]; then
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Post
|
|||||||
))
|
))
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('PEASS_URL', [true, 'Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh', "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"]),
|
OptString.new('PEASS_URL', [true, 'Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh', "https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASexe/binaries/Obfuscated%20Releases/winPEASany.exe"]),
|
||||||
OptString.new('PASSWORD', [false, 'Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used.', rand(36**32).to_s(36)]),
|
OptString.new('PASSWORD', [false, 'Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used.', rand(36**32).to_s(36)]),
|
||||||
OptString.new('TEMP_DIR', [false, 'Path to upload the obfuscated PEASS script inside the compromised machine. By default "C:\Windows\System32\spool\drivers\color" is used in Windows and "/tmp" in Unix.', '']),
|
OptString.new('TEMP_DIR', [false, 'Path to upload the obfuscated PEASS script inside the compromised machine. By default "C:\Windows\System32\spool\drivers\color" is used in Windows and "/tmp" in Unix.', '']),
|
||||||
OptString.new('PARAMETERS', [false, 'Parameters to pass to the script', nil]),
|
OptString.new('PARAMETERS', [false, 'Parameters to pass to the script', nil]),
|
||||||
|
|||||||
@@ -7,7 +7,7 @@ Check the **Local Windows Privilege Escalation checklist** from **[book.hacktric
|
|||||||
Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
|
Check more **information about how to exploit** found misconfigurations in **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
|
||||||
|
|
||||||
## Quick Start
|
## Quick Start
|
||||||
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
|
Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/tag/refs%2Fheads%2Fmaster)**.
|
||||||
|
|
||||||
## WinPEAS .exe and .bat
|
## WinPEAS .exe and .bat
|
||||||
- [Link to WinPEAS .bat project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat)
|
- [Link to WinPEAS .bat project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat)
|
||||||
@@ -26,4 +26,8 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
|
|||||||
|
|
||||||
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
MIT License
|
||||||
|
|
||||||
By Polop<sup>(TM)</sup>
|
By Polop<sup>(TM)</sup>
|
||||||
|
|||||||
@@ -137,5 +137,8 @@ This is the kind of outpuf that you have to look for when usnig the winPEAS.bat
|
|||||||
|
|
||||||
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
MIT License
|
||||||
|
|
||||||
By Polop<sup>(TM)</sup>
|
By Polop<sup>(TM)</sup>
|
||||||
|
|||||||
@@ -237,7 +237,7 @@ CALL :T_Progress 2
|
|||||||
:RemodeDeskCredMgr
|
:RemodeDeskCredMgr
|
||||||
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
|
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
|
||||||
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
|
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
|
||||||
IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
|
IF exist "%AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
|
||||||
ECHO.
|
ECHO.
|
||||||
CALL :T_Progress 1
|
CALL :T_Progress 1
|
||||||
|
|
||||||
|
|||||||
@@ -13,24 +13,22 @@ Check also the **Local Windows Privilege Escalation checklist** from **[book.hac
|
|||||||
**.Net >= 4.5.2 is required**
|
**.Net >= 4.5.2 is required**
|
||||||
|
|
||||||
Precompiled binaries:
|
Precompiled binaries:
|
||||||
- Download the **[latest obfuscated and not obfuscated versions from here](https://github.com/carlospolop/PEASS-ng/releases/latest)** or **compile it yourself** (read instructions for compilation).
|
- Download the **[latest obfuscated and not obfuscated versions from here](https://github.com/carlospolop/PEASS-ng/releases/tag/refs%2Fheads%2Fmaster)** or **compile it yourself** (read instructions for compilation).
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Get latest release
|
#One liner to download and execute winPEASany from memory in a PS shell
|
||||||
$url = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
|
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fheads%2Fmaster/winPEASany_ofs.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
|
||||||
|
|
||||||
# One liner to download and execute winPEASany from memory in a PS shell
|
#Before cmd in 3 lines
|
||||||
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
|
$url = "https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fheads%2Fmaster/winPEASany_ofs.exe"
|
||||||
|
|
||||||
# Before cmd in 3 lines
|
|
||||||
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content));
|
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content));
|
||||||
[winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
|
[winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
|
||||||
|
|
||||||
# Load from disk in memory and execute:
|
#Load from disk in memory and execute:
|
||||||
$wp = [System.Reflection.Assembly]::Load([byte[]]([IO.File]::ReadAllBytes("D:\Users\victim\winPEAS.exe")));
|
$wp = [System.Reflection.Assembly]::Load([byte[]]([IO.File]::ReadAllBytes("D:\Users\victim\winPEAS.exe")));
|
||||||
[winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
|
[winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
|
||||||
|
|
||||||
# Load from disk in base64 and execute
|
#Load from disk in base64 and execute
|
||||||
##Generate winpeas in Base64:
|
##Generate winpeas in Base64:
|
||||||
[Convert]::ToBase64String([IO.File]::ReadAllBytes("D:\Users\user\winPEAS.exe")) | Out-File -Encoding ASCII D:\Users\user\winPEAS.txt
|
[Convert]::ToBase64String([IO.File]::ReadAllBytes("D:\Users\user\winPEAS.exe")) | Out-File -Encoding ASCII D:\Users\user\winPEAS.txt
|
||||||
##Now upload the B64 string to the victim inside a file or copy it to the clipboard
|
##Now upload the B64 string to the victim inside a file or copy it to the clipboard
|
||||||
@@ -43,7 +41,7 @@ $thecontent = "aaaaaaaa..." #Where "aaa..." is the winpeas base64 string
|
|||||||
$wp = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($thecontent))
|
$wp = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($thecontent))
|
||||||
[winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
|
[winPEAS.Program]::Main("") #Put inside the quotes the winpeas parameters you want to use
|
||||||
|
|
||||||
# Loading from file and executing a winpeas obfuscated version
|
#Loading from file and executing a winpeas obfuscated version
|
||||||
##Load obfuscated version
|
##Load obfuscated version
|
||||||
$wp = [System.Reflection.Assembly]::Load([byte[]]([IO.File]::ReadAllBytes("D:\Users\victim\winPEAS-Obfuscated.exe")));
|
$wp = [System.Reflection.Assembly]::Load([byte[]]([IO.File]::ReadAllBytes("D:\Users\victim\winPEAS-Obfuscated.exe")));
|
||||||
$wp.EntryPoint #Get the name of the ReflectedType, in obfuscated versions sometimes this is different from "winPEAS.Program"
|
$wp.EntryPoint #Get the name of the ReflectedType, in obfuscated versions sometimes this is different from "winPEAS.Program"
|
||||||
@@ -105,13 +103,9 @@ REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
|
|||||||
|
|
||||||
Below you have some indications about what does each color means exacty, but keep in mind that **Red** is for something interesting (from a pentester perspective) and **Green** is something well configured (from a defender perspective).
|
Below you have some indications about what does each color means exacty, but keep in mind that **Red** is for something interesting (from a pentester perspective) and **Green** is something well configured (from a defender perspective).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Instructions to compile you own obfuscated version
|
## Instructions to compile you own obfuscated version
|
||||||
|
|
||||||
<details>
|
|
||||||
<summary>Details</summary>
|
|
||||||
|
|
||||||
In order to compile an **ofuscated version** of Winpeas and bypass some AVs you need to ** install dotfuscator ** in *VisualStudio*.
|
In order to compile an **ofuscated version** of Winpeas and bypass some AVs you need to ** install dotfuscator ** in *VisualStudio*.
|
||||||
|
|
||||||
To install it *open VisualStudio --> Go to Search (CTRL+Q) --> Write "dotfuscator"* and just follow the instructions to install it.
|
To install it *open VisualStudio --> Go to Search (CTRL+Q) --> Write "dotfuscator"* and just follow the instructions to install it.
|
||||||
@@ -129,9 +123,10 @@ Once you have installed and activated it you need to:
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
**IMPORTANT**: Note that Defender will higly probable delete the winpeas iintial unobfuscated version, so you need to set as expections the origin folder of Winpeas and the folder were the obfuscated version will be saved:
|
|
||||||
|
## Colors
|
||||||
</details>
|
|
||||||
|
|
||||||
|
|
||||||
## Checks
|
## Checks
|
||||||
|
|
||||||
@@ -284,5 +279,8 @@ If you find any issue, please report it using **[github issues](https://github.c
|
|||||||
|
|
||||||
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
MIT License
|
||||||
|
|
||||||
By Polop<sup>(TM)</sup>, makikvues (makikvues2[at]gmail[dot].com)
|
By Polop<sup>(TM)</sup>, makikvues (makikvues2[at]gmail[dot].com)
|
||||||
|
|||||||
Reference in New Issue
Block a user