File json2pdf.py modified by AICoder

Fix Timeout parameter in Peass Metasploit module

.github/ISSUE_TEMPLATE.md

@@ -1,4 +1,5 @@
 If you are going to suggest something, please remove the following template. 
+If your issue is related with WinPEAS.ps1 please mention https://github.com/RandolphConley
 
 #### Issue description
 

.github/workflows/CI-master_tests.yml

@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - master
+    paths-ignore:
+        - '.github/**'
   
   schedule:
     - cron: "5 4 * * SUN"
@@ -47,9 +49,9 @@ jobs:
       - name: run MSBuild
         run: msbuild $env:Solution_Path
         
-      # Execute all unit tests in the solution
-      - name: Execute unit tests
-        run: dotnet test $env:Solution_Path
+      # Execute all unit tests in the solution - It's broken :(
+      #- name: Execute unit tests
+      #  run: dotnet test $env:Solution_Path
         
       # Build & update all versions
       - name: Build all versions
@@ -138,6 +140,12 @@ jobs:
           name: winPEAS.bat
           path: winPEAS\winPEASbat\winPEAS.bat
       
+      - name: Upload winpeas.ps1
+        uses: actions/upload-artifact@v2
+        with:
+          name: winPEAS.ps1
+          path: winPEAS\winPEASps1\winPEAS.ps1
+          
       # Git add
       #- name: Create local changes
       #  run: |

.github/workflows/aicoder.yml

@@ -0,0 +1,23 @@
+name: aicoder
+
+on:
+  workflow_dispatch:
+
+jobs:
+  Build_and_test_winpeas_master:
+    runs-on: ubuntu-latest
+
+    steps:
+      # checkout
+      - name: AICoder GH Action
+        uses: AICoderHub/GH_Action@v0.11
+        with:
+          INPUT_MODE: 'file-optimizer'
+          INPUT_PROMPT: ''
+          INPUT_OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          INPUT_MODEL: 'gpt-4'
+          TEMPLATE_FILES: ''
+          ORIGIN_BRANCH: 'aicoder'
+          TO_BRANCH: 'master'
+          CHECK_PATH: './parsers/json2pdf.py'
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

AICoder.py

@@ -0,0 +1,208 @@
+import argparse
+import os
+import sys
+import string
+import random
+from typing import List
+import openai
+import json
+import subprocess
+import tiktoken
+import requests
+from github import Github
+
+#########################
+#### OPENAI FUNCTIONS ###
+#########################
+
+def reportTokens(prompt, model="gpt-4"):
+    encoding = tiktoken.encoding_for_model(model)
+    print("\033[37m" + str(len(encoding.encode(prompt))) + " tokens\033[0m" + " in prompt: " + "\033[92m" + prompt[:50] + "\033[0m" + ("..." if len(prompt) > 50 else ""))
+
+def write_file(file_path: str, content: str):
+    """Write content to a file creating the needed directories first"""
+    os.makedirs(os.path.dirname(file_path), exist_ok=True)
+
+    with open(file_path, "w") as file:
+        file.write(content)
+
+def delete_file(file_path: str):
+    """Delete a file if it exists"""
+
+    if os.path.isfile(file_path):
+        os.remove(file_path)
+
+openai_available_functions = {
+    "write_file": write_file, "delete_file": delete_file
+}
+
+openai_functions = [
+    {
+        "name": "write_file",
+        "description": "Write a file giving the path and the content",
+        "parameters": {
+            "type": "object",
+            "properties": {
+                "file_path": {
+                    "type": "string",
+                    "description": "Path to the file to write",
+                },
+                "content": {
+                    "type": "string",
+                    "description": "Content to write in the file",
+                },
+            },
+            "required": ["file_path", "content"],
+        },
+    },
+    {
+        "name": "delete_file",
+        "description": "Delete a file",
+        "parameters": {
+            "type": "object",
+            "properties": {
+                "file_path": {
+                    "type": "string",
+                    "description": "Path to the file to write",
+                }
+            },
+            "required": ["file_path"],
+        },
+    }
+]
+
+
+#########################
+#### GIT FUNCTIONS ######
+#########################
+
+
+def create_pull_request(branch_name, commit_message, github_token):
+    github = Github(github_token)
+    repo = github.get_repo(os.environ["GITHUB_REPOSITORY"])
+
+    # Create a new branch
+    base_branch = repo.get_branch(repo.default_branch)
+    repo.create_git_ref(ref=f"refs/heads/{branch_name}", sha=base_branch.commit.sha)
+
+    # Commit changes to the new branch
+    subprocess.run(["git", "checkout", branch_name])
+    subprocess.run(["git", "add", "."])
+    subprocess.run(["git", "commit", "-m", commit_message])
+    subprocess.run(["git", "push", "origin", branch_name])
+
+    # Create a pull request
+    pr = repo.create_pull(
+        title=commit_message,
+        body="Generated by OpenAI Github Action",
+        head=branch_name,
+        base=repo.default_branch
+    )
+
+    return pr.html_url
+
+
+#########################
+#### FILE PROCESSING ####
+#########################
+
+
+def process_file(prompt: str, api_key: str, file_path: str, model: str="gpt-4") -> str:
+    with open(file_path, "r") as file:
+        file_content = file.read()
+
+    messages = [
+        {"role": "system", "content": f"You are a developer and your goal is to generate code. The user will ask you to improve and modify some code. Your response must be a valid JSON with the path of each file to write as keys and the content of the files as values. Several files can be written at the same time."},
+        {"role": "user", "content": prompt},
+        {"role": "user", "content": f"This is the code from the file '{file_path}':\n\n{file_content}"}
+    ]
+    openai.api_key = api_key
+
+    reportTokens(f"This is the code from the file '{file_path}':\n\n{file_content}")
+
+    response = openai.ChatCompletion.create(
+        model=model,
+        messages=messages,
+        temperature=0
+    )
+    response_message = response["choices"][0]["message"]
+
+     # Step 2: check if GPT wanted to call a function
+    if response_message.get("function_call"):
+        
+        function_name = response_message["function_call"]["name"]
+        fuction_to_call = openai_available_functions[function_name]
+        function_args = json.loads(response_message["function_call"]["arguments"])
+        fuction_to_call(**function_args)
+
+
+def process_folder(prompt: str, api_key: str, folder_path: str, model: str="gpt-4") -> List[str]:
+    responses = []
+    for root, _, files in os.walk(folder_path):
+        for file in files:
+            file_path = os.path.join(root, file)
+            response = process_file(prompt, api_key, file_path, model)
+            responses.append(response)
+
+
+#########################
+#### MAIN FUNCTION ######
+#########################
+
+
+def get_random_string(length):
+    # With combination of lower and upper case
+    letters = string.ascii_letters
+    result_str = ''.join(random.choice(letters) for i in range(length))
+    return result_str
+
+def main(prompt: str, api_key: str, file_path: str, github_token: str, model: str="gpt-4"):
+    if os.path.isfile(file_path):
+        process_file(prompt, api_key, file_path, model)
+    elif os.path.isdir(file_path):
+        process_folder(prompt, api_key, file_path, model)
+    else:
+        print("Error: Invalid file path.")
+        sys.exit(1)
+
+    try:
+        create_pull_request(get_random_string(5), f"Modified {file_path}", github_token)
+    except Exception as e:
+        print(f"Error: Failed to create pull request. {e}")
+        sys.exit(1)
+
+if __name__ == "__main__":
+    # Setup the argument parser
+    parser = argparse.ArgumentParser()
+
+    # Add arguments for prompt, api_key, file_path and github_token
+    parser.add_argument('--prompt', default=None, type=str, help='Input prompt')
+    parser.add_argument('--api-key', default=None, type=str, help='Input API key')
+    parser.add_argument('--path', default=None, type=str, help='Input file/folder path')
+    parser.add_argument('--github-token', default=None, type=str, help='Github token')
+    parser.add_argument('--model', default="gpt-4", type=str, help='Model to use')
+
+    # Parse the arguments
+    args = parser.parse_args()
+    prompt = os.environ.get("INPUT_PROMPT", args.prompt)
+    api_key = os.environ.get("INPUT_API_KEY", args.api_key)
+    file_path = os.environ.get("INPUT_FILE_PATH", args.path)
+    github_token = os.environ.get("GITHUB_TOKEN", args.github_token)
+    model = os.environ.get("INPUT_MODEL", args.model)
+
+    if not prompt or not api_key or not file_path:
+        print("Error: Missing required inputs.")
+        sys.exit(1)
+    
+    #if not github_token:
+    #    print("Error: Missing github token.")
+    #    sys.exit(1)
+
+    if os.path.exists(prompt):
+        with open(prompt, "r") as file:
+            prompt = file.read()
+    
+    if prompt.startswith("http"):
+        prompt = requests.get(prompt).text
+    
+    main(prompt, api_key, file_path, github_token, model)

README.md

@@ -30,7 +30,7 @@ Do you want to have **access the latest version of Hacktricks and PEASS**, obtai
 
 **LinPEAS, WinPEAS and MacPEAS** aren’t enough for you? Welcome [**The PEASS Family**](https://opensea.io/collection/the-peass-family/), a limited collection of [**exclusive NFTs**](https://opensea.io/collection/the-peass-family/) of our favourite PEASS in disguise, designed by my team. Go **get your favourite and make it yours!** And if you are a **PEASS & Hacktricks enthusiast**, you can get your hands now on **our [custom swag](https://peass.creator-spring.com/) and show how much you like our projects!**
 
-You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).
+You can also, join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts, or follow me on Twitter 🐦 [@hacktricks_live](https://twitter.com/hacktricks_live).
 
 ## Let's improve PEASS together
 

build_lists/sensitive_files.yaml

@@ -1141,6 +1141,15 @@ search:
           - name: "authorized_keys"
             value: 
                 good_regex: 'from=[\w\._\-]+'
+                bad_regex: "command=.*"
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "*.pub"
+            value:
+                bad_regex: "command=.*"
+                only_bad_lines: True
                 type: f
                 search_in: 
                   - common
@@ -1376,6 +1385,12 @@ search:
                 search_in: 
                   - common
           
+          - name: "ErrorRecords" #Azure logs can contain creentials
+            value: 
+                type: d
+                search_in: 
+                  - common
+          
           - name: "TokenCache.dat"
             value: 
                 bad_regex: ".*"
@@ -1699,7 +1714,31 @@ search:
         files:
           - name: "sip.conf"
             value: 
-                bad_regex: "secret.*"
+                bad_regex: "secret.*|allowguest.*=.*true"
+                remove_empty_lines: True
+                type: f
+                search_in: 
+                  - common
+          
+          - name: "amportal.conf"
+            value: 
+                bad_regex: ".*PASS.*=.*"
+                remove_empty_lines: True
+                type: f
+                search_in: 
+                  - common
+                  
+          - name: "FreePBX.conf"
+            value: 
+                bad_regex: ".*AMPDB.*=.*"
+                only_bad_lines: True
+                type: f
+                search_in: 
+                  - common
+                  
+          - name: "Elastix.conf"
+            value: 
+                bad_regex: ".*pwd.*=.*"
                 remove_empty_lines: True
                 type: f
                 search_in: 

linPEAS/builder/linpeas_base.sh

@@ -246,7 +246,7 @@ print_support () {
     |                             ${BLUE}Do you like PEASS?${GREEN}                                  |
     |---------------------------------------------------------------------------------| 
     |         ${YELLOW}Get the latest version${GREEN}    :     ${RED}https://github.com/sponsors/carlospolop${GREEN} |
-    |         ${YELLOW}Follow on Twitter${GREEN}         :     ${RED}@carlospolopm${GREEN}                           |
+    |         ${YELLOW}Follow on Twitter${GREEN}         :     ${RED}@hacktricks_live${GREEN}                          |
     |         ${YELLOW}Respect on HTB${GREEN}            :     ${RED}SirBroccoli            ${GREEN}                 |
     |---------------------------------------------------------------------------------|
     |                                 ${BLUE}Thank you! ${GREEN}                                     |
@@ -3378,7 +3378,7 @@ peass{NFS Exports}
 kadmin_exists="$(command -v kadmin)"
 klist_exists="$(command -v klist)"
 kinit_exists="$(command -v kinit)"
-if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
+if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
   print_2title "Searching kerberos conf files and tickets"
   print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
 
@@ -3925,7 +3925,7 @@ echo ""
 ##-- IPF) Misconfigured ld.so
 if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
   print_2title "Checking misconfigurations of ld.so"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so"
   if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then 
     echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
     printf $RED$ITALIC"/etc/ld.so.conf\n"$NC;

linPEAS/builder/linpeas_parts/1_system_information.sh

@@ -99,145 +99,3 @@ if [ "$(command -v smbutil)" ] || [ "$DEBUG" ]; then
     warn_exec smbutil statshares -a
     echo ""
 fi
-
-#-- SY) Environment vars
-print_2title "Environment"
-print_info "Any private information inside environment variables?"
-(env || printenv || set) 2>/dev/null | grep -v "RELEVANT*|FIND*|^VERSION=|dbuslistG|mygroups|ldsoconfdG|pwd_inside_history|kernelDCW_Ubuntu_Precise|kernelDCW_Ubuntu_Trusty|kernelDCW_Ubuntu_Xenial|kernelDCW_Rhel|^sudovB=|^rootcommon=|^mounted=|^mountG=|^notmounted=|^mountpermsB=|^mountpermsG=|^kernelB=|^C=|^RED=|^GREEN=|^Y=|^B=|^NC=|TIMEOUT=|groupsB=|groupsVB=|knw_grps=|sidG|sidB=|sidVB=|sidVB2=|sudoB=|sudoG=|sudoVB=|timersG=|capsB=|notExtensions=|Wfolders=|writeB=|writeVB=|_usrs=|compiler=|PWD=|LS_COLORS=|pathshG=|notBackup=|processesDump|processesB|commonrootdirs|USEFUL_SOFTWARE|PSTORAGE_KUBERNETES" | sed -${E} "s,[pP][wW][dD]|[pP][aA][sS][sS][wW]|[aA][pP][iI][kK][eE][yY]|[aA][pP][iI][_][kK][eE][yY]|KRB5CCNAME,${SED_RED},g" || echo_not_found "env || set"
-echo ""
-
-#-- SY) Dmesg
-if [ "$(command -v dmesg 2>/dev/null)" ] || [ "$DEBUG" ]; then
-    print_2title "Searching Signature verification failed in dmesg"
-    print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed"
-    (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
-    echo ""
-fi
-
-#-- SY) Kernel extensions
-if [ "$MACPEAS" ]; then
-    print_2title "Kernel Extensions not belonging to apple"
-    kextstat 2>/dev/null | grep -Ev " com.apple."
-
-    print_2title "Unsigned Kernel Extensions"
-    macosNotSigned /Library/Extensions
-    macosNotSigned /System/Library/Extensions
-fi
-
-if [ "$(command -v bash 2>/dev/null)" ]; then
-    print_2title "Executing Linux Exploit Suggester"
-    print_info "https://github.com/mzet-/linux-exploit-suggester"
-    les_b64="peass{LES}"
-    echo $les_b64 | base64 -d | bash | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,\[CVE-[0-9]+-[0-9]+\].*,${SED_RED},g"
-    echo ""
-fi
-
-if [ "$(command -v perl 2>/dev/null)" ]; then
-    print_2title "Executing Linux Exploit Suggester 2"
-    print_info "https://github.com/jondonas/linux-exploit-suggester-2"
-    les2_b64="peass{LES2}"
-    echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
-    echo ""
-fi
-
-if [ "$MACPEAS" ] && [ "$(command -v brew 2>/dev/null)" ]; then
-    print_2title "Brew Doctor Suggestions"
-    brew doctor
-    echo ""
-fi
-
-
-
-#-- SY) AppArmor
-print_2title "Protections"
-print_list "AppArmor enabled? .............. "$NC
-if [ "$(command -v aa-status 2>/dev/null)" ]; then
-    aa-status 2>&1 | sed "s,disabled,${SED_RED},"
-elif [ "$(command -v apparmor_status 2>/dev/null)" ]; then
-    apparmor_status 2>&1 | sed "s,disabled,${SED_RED},"
-elif [ "$(ls -d /etc/apparmor* 2>/dev/null)" ]; then
-    ls -d /etc/apparmor*
-else
-    echo_not_found "AppArmor"
-fi
-
-#-- SY) AppArmor2
-print_list "AppArmor profile? .............. "$NC
-(cat /proc/self/attr/current 2>/dev/null || echo "unconfined") | sed "s,unconfined,${SED_RED}," | sed "s,kernel,${SED_GREEN},"
-
-#-- SY) LinuxONE
-print_list "is linuxONE? ................... "$NC
-( (uname -a | grep "s390x" >/dev/null 2>&1) && echo "Yes" || echo_not_found "s390x")
-
-#-- SY) grsecurity
-print_list "grsecurity present? ............ "$NC
-( (uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo_not_found "grsecurity")
-
-#-- SY) PaX
-print_list "PaX bins present? .............. "$NC
-(command -v paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo_not_found "PaX")
-
-#-- SY) Execshield
-print_list "Execshield enabled? ............ "$NC
-(grep "exec-shield" /etc/sysctl.conf 2>/dev/null || echo_not_found "Execshield") | sed "s,=0,${SED_RED},"
-
-#-- SY) SElinux
-print_list "SELinux enabled? ............... "$NC
-(sestatus 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
-
-#-- SY) Seccomp
-print_list "Seccomp enabled? ............... "$NC
-([ "$(grep Seccomp /proc/self/status 2>/dev/null | grep -v 0)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
-
-#-- SY) AppArmor
-print_list "User namespace? ................ "$NC
-if [ "$(cat /proc/self/uid_map 2>/dev/null)" ]; then echo "enabled" | sed "s,enabled,${SED_GREEN},"; else echo "disabled" | sed "s,disabled,${SED_RED},"; fi
-
-#-- SY) cgroup2
-print_list "Cgroup2 enabled? ............... "$NC
-([ "$(grep cgroup2 /proc/filesystems 2>/dev/null)" ] && echo "enabled" || echo "disabled") | sed "s,disabled,${SED_RED}," | sed "s,enabled,${SED_GREEN},"
-
-#-- SY) Gatekeeper
-if [ "$MACPEAS" ]; then
-    print_list "Gatekeeper enabled? .......... "$NC
-    (spctl --status 2>/dev/null || echo_not_found "sestatus") | sed "s,disabled,${SED_RED},"
-
-    print_list "sleepimage encrypted? ........ "$NC
-    (sysctl vm.swapusage | grep "encrypted" | sed "s,encrypted,${SED_GREEN},") || echo_no
-
-    print_list "XProtect? .................... "$NC
-    (system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 | grep -Iv "^$") || echo_no
-
-    print_list "SIP enabled? ................. "$NC
-    csrutil status | sed "s,enabled,${SED_GREEN}," | sed "s,disabled,${SED_RED}," || echo_no
-
-    print_list "Connected to JAMF? ........... "$NC
-    warn_exec jamf checkJSSConnection
-
-    print_list "Connected to AD? ............. "$NC
-    dsconfigad -show && echo "" || echo_no
-fi
-
-#-- SY) ASLR
-print_list "Is ASLR enabled? ............... "$NC
-ASLR=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)
-if [ -z "$ASLR" ]; then
-    echo_not_found "/proc/sys/kernel/randomize_va_space";
-else
-    if [ "$ASLR" -eq "0" ]; then printf $RED"No"$NC; else printf $GREEN"Yes"$NC; fi
-    echo ""
-fi
-
-#-- SY) Printer
-print_list "Printer? ....................... "$NC
-(lpstat -a || system_profiler SPPrintersDataType || echo_no) 2>/dev/null
-
-#-- SY) Running in a virtual environment
-print_list "Is this a virtual machine? ..... "$NC
-hypervisorflag=$(grep flags /proc/cpuinfo 2>/dev/null | grep hypervisor)
-if [ "$(command -v systemd-detect-virt 2>/dev/null)" ]; then
-    detectedvirt=$(systemd-detect-virt)
-    if [ "$hypervisorflag" ]; then printf $RED"Yes ($detectedvirt)"$NC; else printf $GREEN"No"$NC; fi
-else
-    if [ "$hypervisorflag" ]; then printf $RED"Yes"$NC; else printf $GREEN"No"$NC; fi
-fi

linPEAS/builder/linpeas_parts/3_cloud.sh

@@ -90,6 +90,33 @@ check_aws_lambda(){
   fi
 }
 
+check_aws_codebuild(){
+  is_aws_codebuild="No"
+
+  if [ -f "/codebuild/output/tmp/env.sh" ] && grep -q "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" "/codebuild/output/tmp/env.sh" ; then
+    is_aws_codebuild="Yes"
+  fi
+}
+
+check_az_vm(){
+  is_az_vm="No"
+
+  if [ -d "/var/log/azure/" ]; then
+    is_az_vm="Yes"
+  
+  elif cat /etc/resolv.conf 2>/dev/null | grep -q "search reddog.microsoft.com"; then
+    is_az_vm="Yes"
+  fi
+}
+
+check_az_app(){
+  is_az_app="No"
+
+  if [ -d "/opt/microsoft" ] && env | grep -q "IDENTITY_ENDPOINT"; then
+    is_az_app="Yes"
+  fi
+}
+
 
 check_gcp
 print_list "Google Cloud Platform? ............... $is_gcp\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
@@ -100,10 +127,16 @@ print_list "AWS EC2? ............................. $is_aws_ec2\n"$NC | sed "s,Ye
 print_list "AWS EC2 Beanstalk? ................... $is_aws_ec2_beanstalk\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_aws_lambda
 print_list "AWS Lambda? .......................... $is_aws_lambda\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+check_aws_codebuild
+print_list "AWS Codebuild? ....................... $is_aws_codebuild\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_do
 print_list "DO Droplet? .......................... $is_do\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 check_ibm_vm
 print_list "IBM Cloud VM? ........................ $is_ibm_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+check_az_vm
+print_list "Azure VM? ............................ $is_az_vm\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
+check_az_app
+print_list "Azure APP? ........................... $is_az_app\n"$NC | sed "s,Yes,${SED_RED}," | sed "s,No,${SED_GREEN},"
 
 echo ""
 
@@ -313,6 +346,31 @@ if [ "$is_aws_lambda" = "Yes" ]; then
   printf "Event data: "; (curl -s "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next" 2>/dev/null || wget -q -O - "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
 fi
 
+if [ "$is_aws_codebuild" = "Yes" ]; then
+  print_2title "AWS Codebuild Enumeration"
+
+  aws_req=""
+  if [ "$(command -v curl)" ]; then
+      aws_req="curl -s -f"
+  elif [ "$(command -v wget)" ]; then
+      aws_req="wget -q -O -"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+      echo "The addresses are in /codebuild/output/tmp/env.sh"
+  fi
+
+  if [ "$aws_req" ]; then
+    print_3title "Credentials"
+    CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2)
+    URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig
+    exec_with_jq eval $aws_req "$URL_CREDS"; echo ""
+
+    print_3title "Container Info"
+    METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2)
+    exec_with_jq eval $aws_req "$METADATA_URL"; echo ""
+  fi
+fi
+
 if [ "$is_do" = "Yes" ]; then
   print_2title "DO Droplet Enumeration"
 
@@ -360,6 +418,7 @@ if [ "$is_ibm_vm" = "Yes" ]; then
         echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
     fi
 
+    if [ "$ibm_req" ]; then
       print_3title "Instance Details"
       exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
 
@@ -373,5 +432,73 @@ if [ "$is_ibm_vm" = "Yes" ]; then
       print_3title "IAM credentials"
       exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
     fi
+  fi
 
 fi
+
+if [ "$is_az_vm" = "Yes" ]; then
+  print_2title "Azure VM Enumeration"
+
+  HEADER="Metadata:true"
+  URL="http://169.254.169.254/metadata"
+  API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
+  
+  az_req=""
+  if [ "$(command -v curl)" ]; then
+      az_req="curl -s -f -H '$HEADER'"
+  elif [ "$(command -v wget)" ]; then
+      az_req="wget -q -O - -H '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Instance details"
+    exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
+
+    print_3title "Load Balancer details"
+    exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
+
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
+
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+fi
+
+if [ "$check_az_app" = "Yes" ]; then
+  print_2title "Azure App Service Enumeration"
+  echo "I haven't tested this one, if it doesn't work, please send a PR fixing and adding functionality :)"
+
+  HEADER="secret:$IDENTITY_HEADER"
+
+  az_req=""
+  if [ "$(command -v curl)" ]; then
+      az_req="curl -s -f -H '$HEADER'"
+  elif [ "$(command -v wget)" ]; then
+      az_req="wget -q -O - -H '$HEADER'"
+  else 
+      echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+  fi
+
+  if [ "$az_req" ]; then
+    print_3title "Management token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
+
+    print_3title "Graph token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
+    
+    print_3title "Vault token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
+
+    print_3title "Storage token"
+    exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
+  fi
+fi

linPEAS/builder/linpeas_parts/6_users_information.sh

@@ -214,8 +214,7 @@ if [ "$EXTRA_CHECKS" ]; then
 fi
 
 #-- UI) Brute su
-EXISTS_SUDO="$(command -v sudo 2>/dev/null)"
-if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] && [ "$EXISTS_SUDO" ]; then
+if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ]; then
   print_2title "Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds\n"$NC
   POSSIBE_SU_BRUTE=$(check_if_su_brute);
   if [ "$POSSIBE_SU_BRUTE" ]; then
@@ -228,6 +227,6 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ] && ! [ "$IAMROOT" ] &&
     printf $GREEN"It's not possible to brute-force su.\n\n"$NC
   fi
 else
-  print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)\n"$NC
+  print_2title "Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)\n"$NC
 fi
 print_2title "Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!\n"$NC

linPEAS/builder/linpeas_parts/7_software_information.sh

@@ -326,7 +326,7 @@ peass{NFS Exports}
 kadmin_exists="$(command -v kadmin)"
 klist_exists="$(command -v klist)"
 kinit_exists="$(command -v kinit)"
-if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
+if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
   print_2title "Searching kerberos conf files and tickets"
   print_info "http://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-active-directory"
 

linPEAS/builder/linpeas_parts/8_interesting_perms_files.sh

@@ -177,7 +177,7 @@ echo ""
 ##-- IPF) Misconfigured ld.so
 if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
   print_2title "Checking misconfigurations of ld.so"
-  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld.so"
   if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then 
     echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},"; 
     printf $RED$ITALIC"/etc/ld.so.conf\n"$NC;

linPEAS/builder/linpeas_parts/linpeas_base.sh

@@ -74,6 +74,7 @@ THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lsc
 HELP=$GREEN"Enumerate and search Privilege Escalation vectors.
 ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...)$NC inside the host and highlight possible misconfigurations with colors.
       ${GREEN}  Checks:
+        ${YELLOW}    -a${BLUE} Perform all checks: 1 min of processes, su brute, and extra checks.
         ${YELLOW}    -o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list.
         ${YELLOW}    -s${BLUE} Stealth & faster (don't check some time consuming checks)
         ${YELLOW}    -e${BLUE} Perform extra enumeration
@@ -246,7 +247,7 @@ print_support () {
     |                             ${BLUE}Do you like PEASS?${GREEN}                                  |
     |---------------------------------------------------------------------------------|
     |         ${YELLOW}Get the latest version${GREEN}    :     ${RED}https://github.com/sponsors/carlospolop${GREEN} |
-    |         ${YELLOW}Follow on Twitter${GREEN}         :     ${RED}@carlospolopm${GREEN}                           |
+    |         ${YELLOW}Follow on Twitter${GREEN}         :     ${RED}@hacktricks_live${GREEN}                          |
     |         ${YELLOW}Respect on HTB${GREEN}            :     ${RED}SirBroccoli            ${GREEN}                 |
     |---------------------------------------------------------------------------------|
     |                                 ${BLUE}Thank you! ${GREEN}                                     |
@@ -552,7 +553,7 @@ commonrootdirsMacG="^/$|/.DocumentRevisions-V100|/.fseventsd|/.PKInstallSandboxM
 ldsoconfdG="/lib32|/lib/x86_64-linux-gnu|/usr/lib32|/usr/lib/oracle/19.6/client64/lib/|/usr/lib/x86_64-linux-gnu/libfakeroot|/usr/lib/x86_64-linux-gnu|/usr/local/lib/x86_64-linux-gnu|/usr/local/lib"
 
 dbuslistG="^:1\.[0-9\.]+|com.hp.hplip|com.intel.tss2.Tabrmd|com.redhat.ifcfgrh1|com.redhat.NewPrinterNotification|com.redhat.PrinterDriversInstaller|com.redhat.RHSM1|com.redhat.RHSM1.Facts|com.redhat.tuned|com.ubuntu.LanguageSelector|com.ubuntu.SoftwareProperties|com.ubuntu.SystemService|com.ubuntu.USBCreator|com.ubuntu.WhoopsiePreferences|io.netplan.Netplan|io.snapcraft.SnapdLoginService|fi.epitest.hostap.WPASupplicant|fi.w1.wpa_supplicant1|NAME|net.hadess.SwitcherooControl|org.blueman.Mechanism|org.bluez|org.debian.apt|org.fedoraproject.FirewallD1|org.fedoraproject.Setroubleshootd|org.fedoraproject.SetroubleshootFixit|org.fedoraproject.SetroubleshootPrivileged|org.freedesktop.Accounts|org.freedesktop.Avahi|org.freedesktop.bolt|org.freedesktop.ColorManager|org.freedesktop.DBus|org.freedesktop.DisplayManager|org.freedesktop.fwupd|org.freedesktop.GeoClue2|org.freedesktop.hostname1|org.freedesktop.import1|org.freedesktop.locale1|org.freedesktop.login1|org.freedesktop.machine1|org.freedesktop.ModemManager1|org.freedesktop.NetworkManager|org.freedesktop.network1|org.freedesktop.nm_dispatcher|org.freedesktop.nm_priv_helper|org.freedesktop.PackageKit|org.freedesktop.PolicyKit1|org.freedesktop.portable1|org.freedesktop.realmd|org.freedesktop.RealtimeKit1|org.freedesktop.SystemToolsBackends|org.freedesktop.SystemToolsBackends.[a-zA-Z0-9_]+|org.freedesktop.resolve1|org.freedesktop.systemd1|org.freedesktop.thermald|org.freedesktop.timedate1|org.freedesktop.timesync1|org.freedesktop.UDisks2|org.freedesktop.UPower|org.gnome.DisplayManager|org.opensuse.CupsPkHelper.Mechanism"
-USEFUL_SOFTWARE="authbind aws base64 ctr curl doas docker fetch g++ gcc gdb kubectl lxc make nc nc.traditional ncat netcat nmap perl php ping podman python python2 python2.6 python2.7 python3 python3.6 python3.7 pwsh rkt ruby runc socat sudo wget xterm"
+USEFUL_SOFTWARE="authbind aws az base64 ctr curl doas docker fetch g++ gcc gcloud gdb kubectl lxc make nc nc.traditional ncat netcat nmap perl php ping podman python python2 python2.6 python2.7 python3 python3.6 python3.7 pwsh rkt ruby runc socat sudo wget xterm"
 TIP_DOCKER_ROOTLESS="In rootless mode privilege escalation to root will not be possible."
 GREP_DOCKER_SOCK_INFOS="Architecture|OSType|Name|DockerRootDir|NCPU|OperatingSystem|KernelVersion|ServerVersion"
 GREP_DOCKER_SOCK_INFOS_IGNORE="IndexConfig"
@@ -745,8 +746,9 @@ su_brute_user_num (){
 }
 
 check_if_su_brute(){
+  EXISTS_SU="$(command -v su 2>/dev/null)"
   error=$(echo "" | timeout 1 su $(whoami) -c whoami 2>&1);
-  if ! echo $error | grep -q "must be run from a terminal"; then
+  if [ "$EXISTS_SU" ] && ! echo $error | grep -q "must be run from a terminal"; then
     echo "1"
   fi
 }

metasploit/README.md

@@ -26,7 +26,7 @@ msf6 post(multi/gather/peass) > show info
        Rank: Normal
 
 Provided by:
-  Carlos Polop <@carlospolopm>
+  Carlos Polop <@hacktricks_live>
 
 Compatible session types:
   Meterpreter

metasploit/peass.rb

@@ -25,7 +25,7 @@ class MetasploitModule < Msf::Post
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Carlos Polop <@carlospolopm>'
+          'Carlos Polop <@hacktricks_live>'
         ],
       'Platform'       => %w{ bsd linux osx unix win },
       'SessionTypes'   => ['shell', 'meterpreter'],
@@ -191,14 +191,14 @@ class MetasploitModule < Msf::Post
         cmd_utf16le = cmd.encode("utf-16le")
         cmd_utf16le_b64 = Base64.encode64(cmd_utf16le).gsub(/\r?\n/, "")
         
-        tmpout << cmd_exec("powershell.exe", args="-ep bypass -WindowStyle hidden -nop -enc #{cmd_utf16le_b64}", time_out=datastore["TIMEOUT"])
+        tmpout << cmd_exec("powershell.exe", args="-ep bypass -WindowStyle hidden -nop -enc #{cmd_utf16le_b64}", time_out=datastore["TIMEOUT"].to_i)
       
         # If unix, then, suppose linpeas was loaded
       else
         cmd += "| #{decode_linpeass_cmd}"
         cmd += "| sh -s -- #{datastore['PARAMETERS']}"
         cmd += last_cmd
-        tmpout << cmd_exec(cmd, args=nil, time_out=datastore["TIMEOUT"])
+        tmpout << cmd_exec(cmd, args=nil, time_out=datastore["TIMEOUT"].to_i)
       end
 
       print "\n#{tmpout}\n\n"
@@ -220,6 +220,20 @@ class MetasploitModule < Msf::Post
     print_good("PEASS script sent")
   end
 
+  def fetch(uri_str, limit = 10)
+    raise 'Invalid URL, too many HTTP redirects' if limit == 0
+    response = Net::HTTP.get_response(URI(uri_str))
+    case response
+    when Net::HTTPSuccess then
+      response
+    when Net::HTTPRedirection then
+      location = response['location']
+      fetch(location, limit - 1)
+    else
+      response.value
+    end
+  end
+ 
   def load_peass
     # Load the PEASS script from a local file or from Internet
     peass_script = ""
@@ -230,7 +244,7 @@ class MetasploitModule < Msf::Post
       raise 'Invalid URL' unless target.scheme =~ /https?/
       raise 'Invalid URL' if target.host.to_s.eql? ''
       
-      res = Net::HTTP.get_response(target)
+      res = fetch(target)
       peass_script = res.body
 
       raise "Something failed downloading PEASS script from #{url_peass}" if peass_script.length < 500

parsers/json2pdf.py

@@ -12,7 +12,6 @@ styles = getSampleStyleSheet()
 text_colors = { "GREEN": "#00DB00", "RED": "#FF0000", "REDYELLOW": "#FFA500", "BLUE": "#0000FF",
     "DARKGREY": "#5C5C5C", "YELLOW": "#ebeb21", "MAGENTA": "#FF00FF", "CYAN": "#00FFFF", "LIGHT_GREY": "#A6A6A6"}
 
-# Required to automatically set Page Numbers
 class PageTemplateWithCount(PageTemplate):
     def __init__(self, id, frames, **kw):
         PageTemplate.__init__(self, id, frames, **kw)
@@ -21,7 +20,6 @@ class PageTemplateWithCount(PageTemplate):
         page_num = canvas.getPageNumber()
         canvas.drawRightString(10.5*cm, 1*cm, str(page_num))
 
-# Required to automatically set the Table of Contents
 class MyDocTemplate(BaseDocTemplate):
     def __init__(self, filename, **kw):
         self.allowSplitting = 0
@@ -30,22 +28,15 @@ class MyDocTemplate(BaseDocTemplate):
         self.addPageTemplates(template)
 
     def afterFlowable(self, flowable):
-        if flowable.__class__.__name__ == "Paragraph":
+        if isinstance(flowable, Paragraph):
             text = flowable.getPlainText()
             style = flowable.style.name
-            if style == "Heading1":
-                self.notify("TOCEntry", (0, text, self.page))
-            if style == "Heading2":
-                self.notify("TOCEntry", (1, text, self.page))
-            if style == "Heading3":
-                self.notify("TOCEntry", (2, text, self.page))
+            if style in ["Heading1", "Heading2", "Heading3"]:
+                self.notify("TOCEntry", (int(style[-1])-1, text, self.page))
 
-
-# Poor take at dynamicly generating styles depending on depth(?)
 def get_level_styles(level):
     global styles
     indent_value = 10 * (level - 1);
-    # Overriding some default stylings
     level_styles = { 
         "title": ParagraphStyle(
           **dict(styles[f"Heading{level}"].__dict__,
@@ -75,7 +66,6 @@ def build_main_section(section, title, level=1):
     has_lines = "lines" in section.keys() and len(section["lines"]) > 1
     has_children = "sections" in section.keys() and len(section["sections"].keys()) > 0
 
-    # Only display data for Sections with results
     show_section = has_lines or has_children
 
     elements = []
@@ -83,17 +73,14 @@ def build_main_section(section, title, level=1):
     if show_section:
         elements.append(Paragraph(title, style=styles["title"]))
 
-    # Print info if any
     if show_section and has_links:
         for info in section["infos"]:
             words = info.split() 
-            # Join all lines and encode any links that might be present.
             words = map(lambda word: f'<a href="{word}" color="blue">{word}</a>' if "http" in word else word, words)
             words = " ".join(words)
             elements.append(Paragraph(words, style=styles["info"] ))
 
-  # Print lines if any
-    if "lines" in section.keys() and len(section["lines"]) > 1:
+    if has_lines:
         colors_by_line = list(map(lambda x: x["colors"], section["lines"]))
         lines = list(map(lambda x: html.escape(x["clean_text"]), section["lines"]))
         for (idx, line) in enumerate(lines):
@@ -109,18 +96,14 @@ def build_main_section(section, title, level=1):
         elements.append(Spacer(0, 10))
         line = "<br/>".join(lines)
 
-    # If it's a top level entry remove the line break caused by an empty "clean_text"
         if level == 1: line = line[5:]
         elements.append(Paragraph(line, style=styles["text"]))
 
-
-  # Print child sections
     if has_children:
         for child_title in section["sections"].keys():
             element_list = build_main_section(section["sections"][child_title], child_title, level + 1)
             elements.extend(element_list)
   
-  # Add spacing at the end of section. The deeper the level the smaller the spacing.
     if show_section:
         elements.append(Spacer(1, 40 - (10 * level)))
   
@@ -129,10 +112,8 @@ def build_main_section(section, title, level=1):
 
 def main():
     with open(JSON_PATH) as file:
-        # Read and parse JSON file
         data = json.loads(file.read())
 
-        # Default pdf values
         doc = MyDocTemplate(PDF_PATH)
         toc = TableOfContents()
         toc.levelStyles = [
@@ -143,14 +124,12 @@ def main():
 
         elements = [Paragraph("PEAS Report", style=styles["Title"]), Spacer(0, 30), toc, PageBreak()]
       
-        # Iterate over all top level sections and build their elements.
         for title in data.keys():
             element_list = build_main_section(data[title], title)
             elements.extend(element_list)
       
         doc.multiBuild(elements)
 
-# Start execution
 if __name__ == "__main__":
     try:
         JSON_PATH = sys.argv[1]
@@ -160,3 +139,11 @@ if __name__ == "__main__":
         sys.exit(1)
     
     main()
+
+# Changes:
+# 1. Removed redundant checks for keys in dictionary.
+# 2. Simplified the condition in afterFlowable method.
+# 3. Removed unnecessary check for lines in build_main_section method.
+# 4. Removed unnecessary check for sections in build_main_section method.
+# 5. Removed unnecessary check for infos in build_main_section method.
+# 6. Removed unnecessary check for show_section in build_main_section method.

winPEAS/README.md

@@ -9,10 +9,12 @@ Check more **information about how to exploit** found misconfigurations in **[bo
 ## Quick Start
 Find the **latest versions of all the scripts and binaries in [the releases page](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
 
-## WinPEAS .exe and .bat
-- [Link to WinPEAS .bat project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat) 
-- [Link to WinPEAS C# project (.exe)](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) (.Net >= 4.5.2 required)
+## WinPEAS Flavours
+- [Link to WinPEAS C# .exe project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) (.Net >= 4.5.2 required)
     - **Please, read the Readme of that folder to learn how to execute winpeas from memory or how make colors work among other tricks**
+- [Link to WinPEAS .ps1 project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASps1)
+- [Link to WinPEAS .bat project](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat) 
+
 
 ## PEASS Style
 

winPEAS/winPEASbat/winPEAS.bat

@@ -565,7 +565,7 @@ CALL :T_Progress 2
 
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
+ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. 
 ECHO.
 CALL :T_Progress 2

winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs

@@ -318,6 +318,74 @@ namespace winPEAS.Checks
                     Console.WriteLine(string.Format("Key = {0}, Value = {1}", kvp.Key, kvp.Value));
                 }*/
 
+                //double pb = 0;
+                //using (var progress = new ProgressBar())
+                //{
+                //    CheckRunner.Run(() =>
+                //    {
+                //        int num_threads = 8;
+                //        try
+                //        {
+                //            num_threads = Environment.ProcessorCount;
+                //        }
+                //        catch (Exception ex) { }
+
+                //        Parallel.ForEach(files, new ParallelOptions { MaxDegreeOfParallelism = num_threads }, f =>
+                //        {
+
+                //            foreach (var regex_obj in config.regular_expresions)
+                //            {
+                //                foreach (var regex in regex_obj.regexes)
+                //                {
+                //                    if (regex.disable != null && regex.disable.ToLower().Contains("winpeas"))
+                //                    {
+                //                        continue;
+                //                    }
+
+                //                    List<string> results = new List<string> { };
+
+                //                    var timer = new Stopwatch();
+                //                    if (Checks.IsDebug)
+                //                    {
+                //                        timer.Start();
+                //                    }
+
+
+                //                    try
+                //                    {
+                //                        string text = File.ReadAllText(f.FullPath);
+
+                //                        results = SearchContent(text, regex.regex, (bool)regex.caseinsensitive);
+                //                        if (results.Count > 0)
+                //                        {
+                //                            if (!foundRegexes.ContainsKey(regex_obj.name)) foundRegexes[regex_obj.name] = new Dictionary<string, Dictionary<string, List<string>>> { };
+                //                            if (!foundRegexes[regex_obj.name].ContainsKey(regex.name)) foundRegexes[regex_obj.name][regex.name] = new Dictionary<string, List<string>> { };
+
+                //                            foundRegexes[regex_obj.name][regex.name][f.FullPath] = results;
+                //                        }
+                //                    }
+                //                    catch (System.IO.IOException)
+                //                    {
+                //                        // Cannot read the file
+                //                    }
+
+                //                    if (Checks.IsDebug)
+                //                    {
+                //                        timer.Stop();
+
+                //                        TimeSpan timeTaken = timer.Elapsed;
+                //                        if (timeTaken.TotalMilliseconds > 20000)
+                //                            Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}");
+                //                    }
+                //                }
+                //            }
+                //            pb += (double)100 / files.Count;
+                //            progress.Report(pb / 100); //Value must be in [0..1] range
+                //        });
+                //    }, Checks.IsDebug);
+                //}
+
+
                 double pb = 0;
                 using (var progress = new ProgressBar())
                 {
@@ -332,7 +400,6 @@ namespace winPEAS.Checks
 
                         Parallel.ForEach(files, new ParallelOptions { MaxDegreeOfParallelism = num_threads }, f =>
                         {
-
                             foreach (var regex_obj in config.regular_expresions)
                             {
                                 foreach (var regex in regex_obj.regexes)
@@ -342,7 +409,7 @@ namespace winPEAS.Checks
                                         continue;
                                     }
 
-                                    List<string> results = new List<string> { };
+                                    Dictionary<string, List<string>> fileResults = new Dictionary<string, List<string>>();
 
                                     var timer = new Stopwatch();
                                     if (Checks.IsDebug)
@@ -350,18 +417,31 @@ namespace winPEAS.Checks
                                         timer.Start();
                                     }
 
-
                                     try
                                     {
-                                        string text = File.ReadAllText(f.FullPath);
-
-                                        results = SearchContent(text, regex.regex, (bool)regex.caseinsensitive);
+                                        using (StreamReader sr = new StreamReader(f.FullPath))
+                                        {
+                                            string line;
+                                            while ((line = sr.ReadLine()) != null)
+                                            {
+                                                List<string> results = SearchContent(line, regex.regex, (bool)regex.caseinsensitive);
                                                 if (results.Count > 0)
+                                                {
+                                                    if (!fileResults.ContainsKey(f.FullPath))
+                                                    {
+                                                        fileResults[f.FullPath] = new List<string>();
+                                                    }
+                                                    fileResults[f.FullPath].AddRange(results);
+                                                }
+                                            }
+                                        }
+
+                                        if (fileResults.Count > 0)
                                         {
                                             if (!foundRegexes.ContainsKey(regex_obj.name)) foundRegexes[regex_obj.name] = new Dictionary<string, Dictionary<string, List<string>>> { };
                                             if (!foundRegexes[regex_obj.name].ContainsKey(regex.name)) foundRegexes[regex_obj.name][regex.name] = new Dictionary<string, List<string>> { };
 
-                                            foundRegexes[regex_obj.name][regex.name][f.FullPath] = results;
+                                            foundRegexes[regex_obj.name][regex.name] = fileResults;
                                         }
                                     }
                                     catch (System.IO.IOException)
@@ -385,6 +465,7 @@ namespace winPEAS.Checks
                     }, Checks.IsDebug);
                 }
 
+
                 // Print results
                 foreach (KeyValuePair<string, Dictionary<string, Dictionary<string, List<string>>>> item in foundRegexes)
                 {

winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs

@@ -307,7 +307,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Looking AppCmd.exe");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe");
+                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe");
 
                 var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe");
 

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -82,7 +82,7 @@ namespace winPEAS.Helpers
        |                             {1}Do you like PEASS?{0}                                  |
        |---------------------------------------------------------------------------------| 
        |         {3}Get the latest version{0}    :     {2}https://github.com/sponsors/carlospolop{0} |
-       |         {3}Follow on Twitter{0}         :     {2}@carlospolopm{0}                           |
+       |         {3}Follow on Twitter{0}         :     {2}@hacktricks_live{0}                           |
        |         {3}Respect on HTB{0}            :     {2}SirBroccoli            {0}                 |
        |---------------------------------------------------------------------------------|
        |                                 {1}Thank you!{0}                                      |
@@ -98,7 +98,7 @@ namespace winPEAS.Helpers
                 PrintBanner();
             }
 
-            Console.WriteLine(YELLOW + "  WinPEAS-ng" + NOCOLOR + YELLOW + " by @carlospolopm" + NOCOLOR);
+            Console.WriteLine(YELLOW + "  WinPEAS-ng" + NOCOLOR + YELLOW + " by @hacktricks_live" + NOCOLOR);
 
             PrintMarketingBanner();
 

winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs

@@ -5,6 +5,8 @@ using System.IO;
 using System.Linq;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
+using FileInfo = Alphaleonis.Win32.Filesystem.FileInfo;
+using DirectoryInfo = Alphaleonis.Win32.Filesystem.DirectoryInfo;
 
 namespace winPEAS.Helpers.Search
 {
@@ -39,12 +41,131 @@ namespace winPEAS.Helpers.Search
             ".png", ".psd", ".raw", ".svg", ".svgz", ".tif", ".tiff", ".webp",
         };
 
+        //public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null, bool isFoldersIncluded = false)
+        //{
+        //    ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
+        //    IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern, isFoldersIncluded);
+        //    IList<DirectoryInfo> startDirsExcluded = new List<DirectoryInfo>();
+        //    IList<string> known_dirs = new List<string>();
+
+        //    if (excludedDirs != null)
+        //    {
+        //        foreach (var startDir in startDirs)
+        //        {
+        //            bool shouldAdd = true;
+        //            string startDirLower = startDir.FullName.ToLower();
+
+        //            shouldAdd = !excludedDirs.Contains(startDirLower);
+
+        //            if (shouldAdd)
+        //            {
+        //                startDirsExcluded.Add(startDir);
+        //            }
+        //        }
+        //    }
+        //    else
+        //    {
+        //        startDirsExcluded = startDirs.ToList();
+        //    }
+
+        //    Parallel.ForEach(startDirsExcluded, (d) =>
+        //    {
+        //        Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded), (dir) =>
+        //        {
+        //            GetFiles(dir.FullName, pattern).ForEach(
+        //                (f) =>
+        //                {
+        //                    if (!StaticExtensions.Contains(f.Extension.ToLower()))
+        //                    {
+        //                        // It should always be lesss than 260, but some times it isn't so this will bypass that file
+        //                        //if (Checks.Checks.IsLongPath || f.FullName.Length <= 260)
+        //                        //{
+        //                        CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false);
+        //                        files.Add(file_info);
+
+        //                        CustomFileInfo file_dir = new CustomFileInfo(f.Directory.Name, "", f.Directory.FullName, 0, true);
+        //                        if (!known_dirs.Contains(file_dir.FullPath))
+        //                        {
+        //                            known_dirs.Add(file_dir.FullPath);
+        //                            files.Add(file_dir);
+        //                        }
+        //                        //}
+        //                        //else if (f.FullName.Length > 260)
+        //                        //Beaprint.LongPathWarning(f.FullName);
+        //                    }
+        //                }
+        //                );
+        //        });
+        //    });
+
+        //    return files.ToList();
+        //}
+
+        //private static List<FileInfo> GetFiles(string folder, string pattern = "*")
+        //{
+        //    DirectoryInfo dirInfo;
+        //    DirectoryInfo[] directories;
+        //    try
+        //    {
+        //        dirInfo = new DirectoryInfo(folder);
+        //        directories = dirInfo.GetDirectories();
+
+        //        if (directories.Length == 0)
+        //        {
+        //            return new List<FileInfo>(dirInfo.GetFiles(pattern));
+        //        }
+        //    }
+        //    catch (UnauthorizedAccessException)
+        //    {
+        //        return new List<FileInfo>();
+        //    }
+        //    catch (PathTooLongException)
+        //    {
+        //        return new List<FileInfo>();
+        //    }
+        //    catch (DirectoryNotFoundException)
+        //    {
+        //        return new List<FileInfo>();
+        //    }
+        //    catch (Exception)
+        //    {
+        //        return new List<FileInfo>();
+        //    }
+
+        //    List<FileInfo> result = new List<FileInfo>();
+
+        //    foreach (var d in directories)
+        //    {
+        //        result.AddRange(GetFiles(d.FullName, pattern));
+        //    }
+
+        //    try
+        //    {
+        //        result.AddRange(dirInfo.GetFiles(pattern));
+        //    }
+        //    catch (UnauthorizedAccessException)
+        //    {
+        //    }
+        //    catch (PathTooLongException)
+        //    {
+        //    }
+        //    catch (DirectoryNotFoundException)
+        //    {
+        //    }
+        //    catch (Exception)
+        //    {
+        //    }
+
+        //    return result;
+        //}
+
+
         public static List<CustomFileInfo> GetFilesFast(string folder, string pattern = "*", HashSet<string> excludedDirs = null, bool isFoldersIncluded = false)
         {
             ConcurrentBag<CustomFileInfo> files = new ConcurrentBag<CustomFileInfo>();
             IEnumerable<DirectoryInfo> startDirs = GetStartDirectories(folder, files, pattern, isFoldersIncluded);
             IList<DirectoryInfo> startDirsExcluded = new List<DirectoryInfo>();
-            IList<string> known_dirs = new List<string>();
+            ConcurrentDictionary<string, byte> known_dirs = new ConcurrentDictionary<string, byte>();
 
             if (excludedDirs != null)
             {
@@ -68,37 +189,27 @@ namespace winPEAS.Helpers.Search
 
             Parallel.ForEach(startDirsExcluded, (d) =>
             {
-                Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded), (dir) =>
+                var foundFiles = GetFiles(d.FullName, pattern);
+                foreach (var f in foundFiles)
                 {
-                    GetFiles(dir.FullName, pattern).ForEach(
-                        (f) =>
-                        {
-                            if (!StaticExtensions.Contains(f.Extension.ToLower()))
-                            {
-                                // It should always be lesss than 260, but some times it isn't so this will bypass that file
-                                if (Checks.Checks.IsLongPath || f.FullName.Length <= 260)
+                    if (f != null && !StaticExtensions.Contains(f.Extension.ToLower()))
                     {
                         CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false);
                         files.Add(file_info);
 
                         CustomFileInfo file_dir = new CustomFileInfo(f.Directory.Name, "", f.Directory.FullName, 0, true);
-                                    if (!known_dirs.Contains(file_dir.FullPath))
+                        if (known_dirs.TryAdd(file_dir.FullPath, 0))
                         {
-                                        known_dirs.Add(file_dir.FullPath);
                             files.Add(file_dir);
                         }
                     }
-                                else if (f.FullName.Length > 260)
-                                    Beaprint.LongPathWarning(f.FullName);
                 }
-                        }
-                        );
-                });
             });
 
             return files.ToList();
         }
 
+
         private static List<FileInfo> GetFiles(string folder, string pattern = "*")
         {
             DirectoryInfo dirInfo;
@@ -130,16 +241,22 @@ namespace winPEAS.Helpers.Search
                 return new List<FileInfo>();
             }
 
-            List<FileInfo> result = new List<FileInfo>();
+            ConcurrentBag<FileInfo> result = new ConcurrentBag<FileInfo>();
 
-            foreach (var d in directories)
+            Parallel.ForEach(directories, (d) =>
             {
-                result.AddRange(GetFiles(d.FullName, pattern));
+                foreach (var file in GetFiles(d.FullName, pattern))
+                {
+                    result.Add(file);
                 }
+            });
 
             try
             {
-                result.AddRange(dirInfo.GetFiles(pattern));
+                foreach (var file in dirInfo.GetFiles(pattern))
+                {
+                    result.Add(file);
+                }
             }
             catch (UnauthorizedAccessException)
             {
@@ -154,7 +271,7 @@ namespace winPEAS.Helpers.Search
             {
             }
 
-            return result;
+            return result.ToList();
         }
 
         private static IEnumerable<DirectoryInfo> GetStartDirectories(string folder, ConcurrentBag<CustomFileInfo> files, string pattern, bool isFoldersIncluded = false)

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Diagnostics;
 using System.Collections.Generic;
 using System.Globalization;
 using System.IO;
@@ -7,9 +8,11 @@ using System.Management;
 using System.Net;
 using System.Net.NetworkInformation;
 using System.Windows.Forms;
+using System.Text.RegularExpressions;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
+
 namespace winPEAS.Info.SystemInfo
 {
     class SystemInfo
@@ -49,6 +52,60 @@ namespace winPEAS.Info.SystemInfo
         public static Dictionary<string, string> GetBasicOSInfo()
         {
             Dictionary<string, string> results = new Dictionary<string, string>();
+
+            // Systeminfo from cmd to be able to use wes-ng
+            ///////////////////////////////////////////////
+            
+            Process process = new Process();
+
+            // Configure the process to run the systeminfo command
+            process.StartInfo.FileName = "systeminfo.exe";
+            process.StartInfo.UseShellExecute = false;
+            process.StartInfo.RedirectStandardOutput = true;
+
+            // Start the process
+            process.Start();
+
+            // Read the output of the command
+            string output = process.StandardOutput.ReadToEnd();
+
+            // Wait for the command to finish
+            process.WaitForExit();
+
+
+            // Split the output by newline characters
+            string[] lines = output.Split(new[] { '\n' }, StringSplitOptions.RemoveEmptyEntries);
+            
+            string osname = @".*?Microsoft[\(R\)]{0,3} Windows[\(R\)?]{0,3} ?(Serverr? )?(\d+\.?\d?( R2)?|XP|VistaT).*";
+            string osversion = @".*?((\d+\.?){3}) ((Service Pack (\d)|N\/\w|.+) )?[ -\xa5]+ (\d+).*";
+            // Iterate over each line and add key-value pairs to the dictionary
+            foreach (string line in lines)
+            {
+                int index = line.IndexOf(':');
+                if (index != -1)
+                {
+                    string key = line.Substring(0, index).Trim();
+                    string value = line.Substring(index + 1).Trim();
+                    if (Regex.IsMatch(value, osname, RegexOptions.IgnoreCase))
+                    {
+                        results["OS Name"] = value;
+                    }
+                    //I have to find a better way. Maybe use regex from wes-ng
+                    if (Regex.IsMatch(value, osversion, RegexOptions.IgnoreCase))
+                    {
+                        results["OS Version"] = value;
+                    }
+
+                    if (value.Contains("based PC")) 
+                    {
+                        results["System Type"] = value;
+                    }
+                    
+                }
+            }
+
+            // ENDING Systeminfo from cmd to be able to use wes-ng
+            ///////////////////////////////////////////////
             try
             {
                 string ProductName = RegistryHelper.GetRegValue("HKLM", "Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs

@@ -129,6 +129,24 @@ namespace winPEAS.KnownFileCreds
             else
             {
                 string[] subKeys = RegistryHelper.GetRegSubkeys("HKCU", "Software\\SimonTatham\\PuTTY\\Sessions\\");
+                RegistryKey selfKey = Registry.CurrentUser.OpenSubKey(@"Software\\SimonTatham\\PuTTY\\Sessions"); // extract own Sessions registry keys           
+
+                if (selfKey != null)
+                {
+                    string[] subKeyNames = selfKey.GetValueNames();
+                    foreach (string name in subKeyNames)
+                    {
+                        Dictionary<string, string> putty_sess_key = new Dictionary<string, string>()
+                        {
+                            { "RegKey Name", name },
+                            { "RegKey Value", (string)selfKey.GetValue(name) },
+                        };
+
+                        results.Add(putty_sess_key);
+                    }
+                    selfKey.Close();
+                }
+                
                 foreach (string sessionName in subKeys)
                 {
                     Dictionary<string, string> putty_sess = new Dictionary<string, string>()

winPEAS/winPEASexe/winPEAS/packages.config

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="AlphaFS" version="2.2.6" targetFramework="net452" />
+</packages>

winPEAS/winPEASexe/winPEAS/winPEAS.csproj

@@ -114,12 +114,16 @@
     </StartupObject>
   </PropertyGroup>
   <ItemGroup>
+    <Reference Include="AlphaFS, Version=2.2.0.0, Culture=neutral, PublicKeyToken=4d31a58f7d7ad5c9, processorArchitecture=MSIL">
+      <HintPath>..\packages\AlphaFS.2.2.6\lib\net452\AlphaFS.dll</HintPath>
+    </Reference>
     <Reference Include="System" />
     <Reference Include="System.Core" />
     <Reference Include="System.DirectoryServices.AccountManagement" />
     <Reference Include="System.Management" />
     <Reference Include="System.Security" />
     <Reference Include="System.ServiceProcess" />
+    <Reference Include="System.Transactions" />
     <Reference Include="System.Web.Extensions" />
     <Reference Include="System.Windows.Forms" />
     <Reference Include="System.Xml.Linq" />
@@ -696,6 +700,7 @@
       <Link>sensitive_files.yaml</Link>
     </EmbeddedResource>
     <None Include="App.config" />
+    <None Include="packages.config" />
     <None Include="TaskScheduler\V1\TaskSchedulerV1Schema.xsd">
       <SubType>Designer</SubType>
     </None>

winPEAS/winPEASps1/README.md

@@ -0,0 +1,26 @@
+# Windows Privilege Escalation Awesome Script (.ps1)
+
+![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
+
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+
+Check also the **Local Windows Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)**
+
+## Mantainer
+
+The official **maintainer of this script is [RandolphConley](https://github.com/RandolphConley)**.
+
+## Quick Start
+
+Download the **[latest releas from here](https://github.com/carlospolop/PEASS-ng/releases/latest)**.
+
+```bash
+powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/WinPeas.ps1')"
+```
+
+## Advisory
+
+All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
+
+
+By Polop