Merge pull request #506 from tropkal/tropkal-patch-1

Update the regex for the sudo version

.github/workflows/PR-tests.yml

@@ -0,0 +1,201 @@
+name: PR-tests
+
+on:
+  pull_request:
+    branches:
+      - master
+      - main
+    paths-ignore:
+      - '.github/**'
+
+jobs:
+  Build_and_test_winpeas_pr:
+    runs-on: windows-latest
+    
+    # environment variables
+    env:
+      Solution_Path: 'winPEAS\winPEASexe\winPEAS.sln'
+      Configuration: 'Release'
+
+    steps:
+      # checkout
+      - name: Checkout
+        uses: actions/checkout@master
+        with:
+          ref: ${{ github.head_ref }}
+      
+      - name: Download regexes
+        run: |
+          powershell.exe -ExecutionPolicy Bypass -File build_lists/download_regexes.ps1
+            
+      # Add MSBuild to the PATH
+      - name: Setup MSBuild.exe
+        uses: microsoft/setup-msbuild@v1.0.2
+       
+      # Setup NuGet
+      - name: Setup NuGet.exe
+        uses: nuget/setup-nuget@v1  
+        
+      # Restore the packages for testing
+      - name: Restore the application       
+        run: nuget restore $env:Solution_Path
+        
+      # build
+      - name: run MSBuild
+        run: msbuild $env:Solution_Path
+        
+      # Build all versions
+      - name: Build all versions
+        run: |
+            echo "build x64"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
+            
+            echo "build x86"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
+            
+            echo "build Any CPU"
+            msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
+      
+      - name: Execute winPEAS -h
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath -h
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+
+      - name: Execute winPEAS cloudinfo
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath cloudinfo
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+
+      - name: Execute winPEAS systeminfo
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath systeminfo
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+      
+      - name: Execute winPEAS networkinfo
+        shell: pwsh
+        run: |
+          $Configuration = "Release"
+          $exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
+          if (Test-Path $exePath) {
+            & $exePath networkinfo
+          } else {
+            Write-Error "winPEAS.exe not found at $exePath"
+          }
+
+  Build_and_test_linpeas_pr:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Download repo
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.head_ref }}
+      
+      # Setup go
+      - uses: actions/setup-go@v2
+        with:
+          go-version: 1.17.0-rc1
+          stable: false
+      - run: go version
+      
+      # Build linpeas
+      - name: Build linpeas
+        run: |
+          python3 -m pip install PyYAML
+          cd linPEAS
+          python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
+          python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
+          python3 -m builder.linpeas_builder --small --output linpeas_small.sh
+      
+      # Run linpeas help as quick test
+      - name: Run linpeas help
+        run: linPEAS/linpeas_fat.sh -h && linPEAS/linpeas.sh -h && linPEAS/linpeas_small.sh -h
+      
+      # Run linpeas as a test
+      - name: Run linpeas system_information
+        run: linPEAS/linpeas_fat.sh -o system_information -a
+      
+      - name: Run linpeas container
+        run: linPEAS/linpeas_fat.sh -o container -a
+      
+      - name: Run linpeas cloud
+        run: linPEAS/linpeas_fat.sh -o cloud -a
+      
+      - name: Run linpeas procs_crons_timers_srvcs_sockets
+        run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
+      
+      - name: Run linpeas network_information
+        run: linPEAS/linpeas_fat.sh -o network_information -t -a
+      
+      - name: Run linpeas users_information
+        run: linPEAS/linpeas_fat.sh -o users_information -a
+      
+      - name: Run linpeas software_information
+        run: linPEAS/linpeas_fat.sh -o software_information -a
+      
+      - name: Run linpeas interesting_perms_files
+        run: linPEAS/linpeas_fat.sh -o interesting_perms_files -a
+      
+      - name: Run linpeas interesting_files
+        run: linPEAS/linpeas_fat.sh -o interesting_files -a
+
+  Build_and_test_macpeas_pr:
+    runs-on: macos-latest
+
+    steps:
+      # Download repo
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.head_ref }}
+      
+      # Build linpeas (macpeas)
+      - name: Build macpeas
+        run: |
+          python3 -m pip install PyYAML --break-system-packages
+          python3 -m pip install requests --break-system-packages
+          cd linPEAS
+          python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
+      
+      # Run linpeas help as quick test
+      - name: Run macpeas help
+        run: linPEAS/linpeas_fat.sh -h
+      
+      # Run macpeas parts to test it
+      - name: Run macpeas system_information
+        run: linPEAS/linpeas_fat.sh -o system_information -a
+      
+      - name: Run macpeas container
+        run: linPEAS/linpeas_fat.sh -o container -a
+      
+      - name: Run macpeas cloud
+        run: linPEAS/linpeas_fat.sh -o cloud -a
+      
+      - name: Run macpeas procs_crons_timers_srvcs_sockets
+        run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
+      
+      - name: Run macpeas network_information
+        run: linPEAS/linpeas_fat.sh -o network_information -t -a
+      
+      - name: Run macpeas users_information
+        run: linPEAS/linpeas_fat.sh -o users_information -a
+      
+      - name: Run macpeas software_information
+        run: linPEAS/linpeas_fat.sh -o software_information -a

build_lists/sensitive_files.yaml

@@ -896,6 +896,14 @@ search:
                 search_in: 
                   - common
           
+          - name: "credentials.tfrc.json"
+            value: 
+                type: f
+                bad_regex: ".*"
+                search_in:
+                  - common
+                  
+
   - name: Racoon
     value:
         config:

linPEAS/README.md

@@ -170,7 +170,7 @@ LinPEAS uses colors to indicate where does each section begin. But **it also use
 
 - The ![](https://placehold.it/15/b32400/000000?text=+) **Red** color is used for identifing suspicious configurations that could lead to privilege escalation.
 
-- The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for known good configurations (based on the name not on the conten!)
+- The ![](https://placehold.it/15/66ff33/000000?text=+) **Green** color is used for known good configurations (based on the name not on the content!)
 
 - The ![](https://placehold.it/15/0066ff/000000?text=+) **Blue** color is used for: Users without shell & Mounted devices
 

linPEAS/builder/linpeas_builder.py

@@ -33,7 +33,7 @@ if __name__ == "__main__":
     parser.add_argument('--small', action='store_true', help='Build small version of linpeas.')
     parser.add_argument('--include', type=str, help='Build linpeas only with the modules indicated you can indicate section names or module IDs).')
     parser.add_argument('--exclude', type=str, help='Exclude the given modules (you can indicate section names or module IDs).')
-    parser.add_argument('--output', required=True, type=str, help='Parth to write the final linpeas file to.')
+    parser.add_argument('--output', required=True, type=str, help='Path to write the final linpeas file to.')
     args = parser.parse_args()
 
     all_modules = args.all

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh

@@ -0,0 +1,139 @@
+# Title: Processes & Cron & Services & Timers - Legacy r-commands and host-based trust
+# ID: PR_Rcommands_trust
+# Author: HT Bot
+# Last Update: 27-08-2025
+# Description: Detect legacy r-services (rsh/rlogin/rexec) exposure and dangerous host-based trust (.rhosts/hosts.equiv),
+#              which can allow passwordless root via hostname/DNS manipulation.
+# License: GNU GPL
+# Version: 1.0
+# Functions Used: print_2title, print_3title, echo_not_found
+# Global Variables:
+# Initial Functions:
+# Generated Global Variables: $rfile, $perms, $owner, $g, $o, $any_rhosts, $shown, $f, $p
+# Fat linpeas: 0
+# Small linpeas: 1
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "Legacy r-commands (rsh/rlogin/rexec) and host-based trust"
+
+  echo ""
+  print_3title "Listening r-services (TCP 512-514)"
+  if command -v ss >/dev/null 2>&1; then
+    ss -ltnp 2>/dev/null | awk '$1 ~ /^LISTEN$/ && $4 ~ /:(512|513|514)$/ {print}' || echo_not_found "ss"
+  elif command -v netstat >/dev/null 2>&1; then
+    netstat -ltnp 2>/dev/null | awk '$6 ~ /LISTEN/ && $4 ~ /:(512|513|514)$/ {print}' || echo_not_found "netstat"
+  else
+    echo_not_found "ss|netstat"
+  fi
+
+  echo ""
+  print_3title "systemd units exposing r-services"
+  if command -v systemctl >/dev/null 2>&1; then
+    systemctl list-unit-files 2>/dev/null | grep -E '^(rlogin|rsh|rexec)\.(socket|service)\b' || echo_not_found "rlogin|rsh|rexec units"
+    systemctl list-sockets 2>/dev/null | grep -E '\b(rlogin|rsh|rexec)\.socket\b' || true
+  else
+    echo_not_found "systemctl"
+  fi
+
+  echo ""
+  print_3title "inetd/xinetd configuration for r-services"
+  if [ -f /etc/inetd.conf ]; then
+    grep -vE '^\s*#|^\s*$' /etc/inetd.conf 2>/dev/null | grep -Ei '\b(shell|login|exec|rsh|rlogin|rexec)\b' 2>/dev/null || echo "  No r-services found in /etc/inetd.conf"
+  else
+    echo_not_found "/etc/inetd.conf"
+  fi
+  if [ -d /etc/xinetd.d ]; then
+    # Print enabled r-services in xinetd
+    for f in /etc/xinetd.d/*; do
+      [ -f "$f" ] || continue
+      if grep -qiE '\b(service|disable)\b' "$f" 2>/dev/null; then
+        if grep -qiE 'service\s+(rsh|rlogin|rexec|shell|login|exec)\b' "$f" 2>/dev/null; then
+          # Only warn if not disabled
+          if ! grep -qiE '^\s*disable\s*=\s*yes\b' "$f" 2>/dev/null; then
+            echo "  $(basename "$f") may enable r-services:"; grep -iE '^(\s*service|\s*disable)' "$f" 2>/dev/null | sed 's/^/    /'
+          fi
+        fi
+      fi
+    done
+  else
+    echo_not_found "/etc/xinetd.d"
+  fi
+
+  echo ""
+  print_3title "Installed r-service server packages"
+  if command -v dpkg >/dev/null 2>&1; then
+    dpkg -l 2>/dev/null | grep -E '\b(rsh-server|rsh-redone-server|krb5-rsh-server|inetutils-inetd|openbsd-inetd|xinetd|netkit-rsh)\b' || echo "  No related packages found via dpkg"
+  elif command -v rpm >/dev/null 2>&1; then
+    rpm -qa 2>/dev/null | grep -Ei '\b(rsh|rlogin|rexec|xinetd)\b' || echo "  No related packages found via rpm"
+  else
+    echo_not_found "dpkg|rpm"
+  fi
+
+  echo ""
+  print_3title "/etc/hosts.equiv and /etc/shosts.equiv"
+  for f in /etc/hosts.equiv /etc/shosts.equiv; do
+    if [ -f "$f" ]; then
+      perms=$(stat -c %a "$f" 2>/dev/null)
+      owner=$(stat -c %U "$f" 2>/dev/null)
+      echo "  $f (perm $perms, owner $owner)"
+      # Print non-comment lines
+      awk 'NF && $0 !~ /^\s*#/ {print "    " $0}' "$f" 2>/dev/null
+      if grep -qEv '^\s*#|^\s*$' "$f" 2>/dev/null; then
+        if grep -qE '(^|\s)\+' "$f" 2>/dev/null; then
+          echo "    [!] Wildcard '+' trust found"
+        fi
+      fi
+    fi
+  done
+
+  echo ""
+  print_3title "Per-user .rhosts files"
+  any_rhosts=false
+  for rfile in /root/.rhosts /home/*/.rhosts; do
+    if [ -f "$rfile" ]; then
+      any_rhosts=true
+      perms=$(stat -c %a "$rfile" 2>/dev/null)
+      owner=$(stat -c %U "$rfile" 2>/dev/null)
+      echo "  $rfile (perm $perms, owner $owner)"
+      awk 'NF && $0 !~ /^\s*#/ {print "    " $0}' "$rfile" 2>/dev/null
+      # Warn on insecure perms (group/other write)
+      g=$(printf "%s" "$perms" | cut -c2)
+      o=$(printf "%s" "$perms" | cut -c3)
+      if [ "${g:-0}" -ge 2 ] || [ "${o:-0}" -ge 2 ]; then
+        echo "    [!] Insecure permissions (group/other write)"
+      fi
+    fi
+  done
+  if ! $any_rhosts; then echo_not_found ".rhosts"; fi
+
+  echo ""
+  print_3title "PAM rhosts authentication"
+  shown=false
+  for p in /etc/pam.d/rlogin /etc/pam.d/rsh; do
+    if [ -f "$p" ]; then
+      shown=true
+      echo "  $p:"
+      (grep -nEi 'pam_rhosts|pam_rhosts_auth' "$p" 2>/dev/null || echo "    no pam_rhosts* lines") | sed 's/^/    /'
+    fi
+  done
+  if ! $shown; then echo_not_found "/etc/pam.d/rlogin|rsh"; fi
+
+  echo ""
+  print_3title "SSH HostbasedAuthentication"
+  if [ -f /etc/ssh/sshd_config ]; then
+    if grep -qiE '^[^#]*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config 2>/dev/null; then
+      echo "  HostbasedAuthentication yes (check /etc/shosts.equiv or ~/.shosts)"
+    else
+      echo "  HostbasedAuthentication no or not set"
+    fi
+  else
+    echo_not_found "/etc/ssh/sshd_config"
+  fi
+
+  echo ""
+  print_3title "Potential DNS control indicators (local)"
+  (ps -eo comm,args 2>/dev/null | grep -Ei '(^|/)(pdns|pdns_server|pdns_recursor|powerdns-admin)( |$)' | grep -Ev 'grep|bash' || echo "  Not detected")
+
+  echo ""
+fi
+

linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh

@@ -8,7 +8,7 @@
 # Functions Used: print_2title
 # Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $DEBUG, $USER, $STRINGS
 # Initial Functions:
-# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass
+# Generated Global Variables: $mysqluser, $mysqlexec, $mysqlconnect, $mysqlconnectnopass, $mysqluser, $version_output, $major_version, $version, $process_info
 # Fat linpeas: 0
 # Small linpeas: 1
 
@@ -103,3 +103,41 @@ if [ "$(command -v mysql || echo -n '')" ] || [ "$(command -v mysqladmin || echo
   fi
   echo ""
 fi
+
+### This section checks if MySQL (mysqld) is running as root and if its version is 4.x or 5.x to refer a known local privilege escalation exploit! ###
+
+# Find the mysqld process
+process_info=$(ps aux | grep '[m]ysqld' | head -n1)
+
+if [ -z "$process_info" ]; then
+  echo "MySQL process not found." | sed -${E} "s,.*,${SED_GREEN},"
+else
+
+  # Extract the process user
+  mysqluser=$(echo "$process_info" | awk '{print $1}')
+
+  # Get the MySQL version string
+  version_output=$(mysqld --version 2>&1)
+
+  # Extract the version number (expects format like X.Y.Z)
+  version=$(echo "$version_output" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
+
+  if [ -z "$version" ]; then
+    echo "Unable to determine MySQL version." | sed -${E} "s,.*,${SED_GREEN},"
+  else
+
+    # Extract the major version number (X from X.Y.Z)
+    major_version=$(echo "$version" | cut -d. -f1)
+
+    # Check if MySQL is running as root and if the version is either 4.x or 5.x
+    if [ "$mysqluser" = "root" ] && { [ "$major_version" -eq 4 ] || [ "$major_version" -eq 5 ]; }; then
+      echo "MySQL is running as root with version $version. This is a potential local privilege escalation vulnerability!" | sed -${E} "s,.*,${SED_RED},"
+      echo "\tRefer to: https://www.exploit-db.com/exploits/1518" | sed -${E} "s,.*,${SED_YELLOW},"
+      echo "\tRefer to: https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf" | sed -${E} "s,.*,${SED_YELLOW},"
+    else
+      echo "MySQL is running as user '$mysqluser' with version $version." | sed -${E} "s,.*,${SED_GREEN},"
+    fi
+    ### ------------------------------------------------------------------------------------------------------------------------------------------------ ###
+  
+  fi
+fi

linPEAS/builder/linpeas_parts/variables/sudovB.sh

@@ -1,7 +1,7 @@
 # Title: Variables - sudovB
 # ID: sudovB
 # Author: Carlos Polop
-# Last Update: 22-08-2023
+# Last Update: 04-10-2025
 # Description: Sudo version bad regex
 # License: GNU GPL
 # Version: 1.0
@@ -13,4 +13,4 @@
 # Small linpeas: 1
 
 
-sudovB="[01].[012345678].[0-9]+|1.9.[01234][^0-9]|1.9.[01234]$|1.9.5p1"
+sudovB="[01].[012345678].[0-9]+|1.9.[01234][^0-9]|1.9.[01234]$|1.9.5p1|1\.9\.[6-9]|1\.9\.1[0-7]"

linPEAS/builder/src/linpeasBaseBuilder.py

@@ -292,9 +292,12 @@ class LinpeasBaseBuilder:
         all_module_paths += self.enumerate_directory(LINPEAS_PARTS["variables"])
         
         for module in LINPEAS_PARTS["modules"]:
+            exclude = False
             for ex_module in exclude_modules:
                 if ex_module in module["folder_path"] or ex_module in [module["name"], module["name_check"]]:
-                    continue
+                    exclude = True
+                    break
+            if exclude: continue
             all_module_paths += self.enumerate_directory(module["folder_path"])
         
         for module in all_module_paths:

linPEAS/builder/src/linpeasBuilder.py

@@ -402,9 +402,9 @@ class LinpeasBuilder:
 
 
     def __replace_mark(self, mark: str, find_calls: list, join_char: str):
-        """Substitude the markup with the actual code"""
+        """Substitute the markup with the actual code"""
 
-        self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char is't needed
+        self.linpeas_sh = self.linpeas_sh.replace(mark, join_char.join(find_calls)) #New line char isn't needed
     
     def write_linpeas(self, path):
         """Write on disk the final linpeas"""

parsers/peas2json.py

@@ -106,8 +106,6 @@ def parse_line(line: str):
 
     global FINAL_JSON, C_SECTION, C_MAIN_SECTION, C_2_SECTION, C_3_SECTION
 
-    if "Cron jobs" in line:
-        a=1
 
     if is_section(line, TITLE1_PATTERN):
         title = parse_title(line)
@@ -145,14 +143,23 @@ def parse_line(line: str):
 
 
 def parse_peass(outputpath: str, jsonpath: str = ""):
-    global OUTPUT_PATH, JSON_PATH
+    global OUTPUT_PATH, JSON_PATH, FINAL_JSON, C_SECTION, C_MAIN_SECTION, C_2_SECTION, C_3_SECTION
 
     OUTPUT_PATH = outputpath
     JSON_PATH = jsonpath
 
-    for line in open(OUTPUT_PATH, 'r', encoding="utf8").readlines():
+    # Reset globals to avoid data leaking between executions
+    FINAL_JSON = {}
+    C_SECTION = FINAL_JSON
+    C_MAIN_SECTION = FINAL_JSON
+    C_2_SECTION = FINAL_JSON
+    C_3_SECTION = FINAL_JSON
+
+    with open(OUTPUT_PATH, 'r', encoding="utf8") as f:
+        for line in f.readlines():
             line = line.strip()
-        if not line or not clean_colors(line): #Remove empty lines or lines just with colors hex
+            # Remove empty lines or lines containing only color codes
+            if not line or not clean_colors(line):
                 continue
 
             parse_line(line)

winPEAS/winPEASexe/README.md

@@ -74,10 +74,23 @@ winpeas.exe -lolbas  #Execute also additional LOLBAS search check
 
 The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
 
+New in this version:
+- Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
+
+
 It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
 
 The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
 
+### New (AD-aware) checks
+
+- Active Directory quick checks now include:
+  - gMSA readable managed passwords: enumerate msDS-GroupManagedServiceAccount objects and report those where the current user/group is allowed to retrieve the managed password (PrincipalsAllowedToRetrieveManagedPassword).
+  - AD CS (ESC4) hygiene: enumerate published certificate templates and highlight templates where the current user/group has dangerous control rights (GenericAll/WriteDacl/WriteOwner/WriteProperty/ExtendedRight) that could allow template abuse (e.g., ESC4 -> ESC1).
+
+These checks are lightweight, read-only, and only run when the host is domain-joined.
+
+
 ## Where are my COLORS?!?!?!
 
 The **ouput will be colored** using **ansi** colors. If you are executing `winpeas.exe` **from a Windows console**, you need to set a registry value to see the colors (and open a new CMD):

winPEAS/winPEASexe/Tests/App.config

@@ -39,7 +39,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-4.1.1.0" newVersion="4.1.1.0" />
+        <bindingRedirect oldVersion="0.0.0.0-4.1.0.0" newVersion="4.1.0.0" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Linq" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />

winPEAS/winPEASexe/Tests/packages.config

@@ -39,7 +39,7 @@
   <package id="System.Runtime.Numerics" version="4.3.0" targetFramework="net452" />
   <package id="System.Text.Encoding" version="4.3.0" targetFramework="net452" />
   <package id="System.Text.Encoding.Extensions" version="4.3.0" targetFramework="net452" />
-  <package id="System.Text.RegularExpressions" version="4.3.0" targetFramework="net452" requireReinstallation="true" />
+  <package id="System.Text.RegularExpressions" version="4.3.1" targetFramework="net48" />
   <package id="System.Threading" version="4.3.0" targetFramework="net452" />
   <package id="System.Threading.Tasks" version="4.3.0" targetFramework="net452" />
   <package id="System.Threading.Timer" version="4.3.0" targetFramework="net452" />

winPEAS/winPEASexe/Tests/winPEAS.Tests.csproj

@@ -83,6 +83,10 @@
     <Reference Include="System.Runtime.InteropServices.RuntimeInformation, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\System.Runtime.InteropServices.RuntimeInformation.4.3.0\lib\net45\System.Runtime.InteropServices.RuntimeInformation.dll</HintPath>
     </Reference>
+    <Reference Include="System.Text.RegularExpressions, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
+      <HintPath>..\packages\System.Text.RegularExpressions.4.3.1\lib\net463\System.Text.RegularExpressions.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="System.Xml.Linq" />
     <Reference Include="System.Data.DataSetExtensions" />
     <Reference Include="Microsoft.CSharp" />

winPEAS/winPEASexe/winPEAS/App.config

@@ -32,7 +32,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Bcl.AsyncInterfaces" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.1" newVersion="9.0.0.1" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Microsoft.Win32.Primitives" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
@@ -156,7 +156,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-9.0.0.1" newVersion="9.0.0.1" />
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="System.Text.RegularExpressions" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />

winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs

@@ -0,0 +1,275 @@
+using System;
+using System.Collections.Generic;
+using System.DirectoryServices;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using winPEAS.Helpers;
+
+namespace winPEAS.Checks
+{
+    // Lightweight AD-oriented checks for common escalation paths (gMSA readable password, AD CS template control)
+    internal class ActiveDirectoryInfo : ISystemCheck
+    {
+        public void PrintInfo(bool isDebug)
+        {
+            Beaprint.GreatPrint("Active Directory Quick Checks");
+
+            new List<Action>
+            {
+                PrintGmsaReadableByCurrentPrincipal,
+                PrintAdcsEsc4LikeTemplates
+            }.ForEach(action => CheckRunner.Run(action, isDebug));
+        }
+
+        private static HashSet<string> GetCurrentSidSet()
+        {
+            var sids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+            try
+            {
+                var id = WindowsIdentity.GetCurrent();
+                sids.Add(id.User.Value);
+                foreach (var g in id.Groups)
+                {
+                    sids.Add(g.Value);
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("    [!] Error obtaining current SIDs: " + ex.Message);
+            }
+            return sids;
+        }
+
+        private static string GetRootDseProp(string prop)
+        {
+            try
+            {
+                using (var root = new DirectoryEntry("LDAP://RootDSE"))
+                {
+                    return root.Properties[prop]?.Value as string;
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint($"    [!] Error accessing RootDSE ({prop}): {ex.Message}");
+                return null;
+            }
+        }
+
+        private static string GetProp(SearchResult r, string name)
+        {
+            return (r.Properties.Contains(name) && r.Properties[name].Count > 0)
+                ? r.Properties[name][0]?.ToString()
+                : null;
+        }
+
+        // Detect gMSA objects where the current principal (or one of its groups) can retrieve the managed password
+        private void PrintGmsaReadableByCurrentPrincipal()
+        {
+            try
+            {
+                Beaprint.MainPrint("gMSA readable managed passwords");
+                Beaprint.LinkPrint(
+                    "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html",
+                    "Look for Group Managed Service Accounts you can read (msDS-ManagedPassword)");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var defaultNC = GetRootDseProp("defaultNamingContext");
+                if (string.IsNullOrEmpty(defaultNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve defaultNamingContext.");
+                    return;
+                }
+
+                var currentSidSet = GetCurrentSidSet();
+                int total = 0, readable = 0;
+
+                using (var baseDe = new DirectoryEntry("LDAP://" + defaultNC))
+                using (var ds = new DirectorySearcher(baseDe))
+                {
+                    ds.PageSize = 300;
+                    ds.Filter = "(&(objectClass=msDS-GroupManagedServiceAccount))";
+                    ds.PropertiesToLoad.Add("sAMAccountName");
+                    ds.PropertiesToLoad.Add("distinguishedName");
+                    // Who can read the managed password
+                    ds.PropertiesToLoad.Add("PrincipalsAllowedToRetrieveManagedPassword");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        total++;
+                        var name = GetProp(r, "sAMAccountName") ?? GetProp(r, "distinguishedName") ?? "<unknown>";
+                        var dn = GetProp(r, "distinguishedName") ?? "";
+
+                        bool canRead = false;
+                        // Attribute may be absent or empty
+                        var allowedDns = r.Properties["principalsallowedtoretrievemanagedpassword"];
+                        if (allowedDns != null)
+                        {
+                            foreach (var val in allowedDns)
+                            {
+                                try
+                                {
+                                    using (var de = new DirectoryEntry("LDAP://" + val.ToString()))
+                                    {
+                                        var sidObj = de.Properties["objectSid"]?.Value as byte[];
+                                        if (sidObj == null) continue;
+                                        var sid = new SecurityIdentifier(sidObj, 0).Value;
+                                        if (currentSidSet.Contains(sid))
+                                        {
+                                            canRead = true;
+                                        }
+                                    }
+                                }
+                                catch { /* ignore DN resolution issues */ }
+                            }
+                        }
+
+                        if (canRead)
+                        {
+                            readable++;
+                            Beaprint.BadPrint($"  You can retrieve managed password for gMSA: {name}  (DN: {dn})");
+                        }
+                    }
+                }
+
+                if (readable == 0)
+                {
+                    Beaprint.GrayPrint($"  [-] No gMSA with readable managed password found (checked {total}).");
+                }
+                else
+                {
+                    Beaprint.GrayPrint($"  [*] Hint: If such gMSA is member of Builtin\\Remote Management Users on a target, WinRM may be allowed.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
+        // Detect AD CS certificate templates where current principal has dangerous control rights (ESC4-style)
+        private void PrintAdcsEsc4LikeTemplates()
+        {
+            try
+            {
+                Beaprint.MainPrint("AD CS templates with dangerous ACEs (ESC4)");
+                Beaprint.LinkPrint(
+                    "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html#esc4",
+                    "If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.GrayPrint("  [-] Host is not domain-joined. Skipping.");
+                    return;
+                }
+
+                var configNC = GetRootDseProp("configurationNamingContext");
+                if (string.IsNullOrEmpty(configNC))
+                {
+                    Beaprint.GrayPrint("  [-] Could not resolve configurationNamingContext.");
+                    return;
+                }
+
+                var currentSidSet = GetCurrentSidSet();
+                int checkedTemplates = 0;
+                int vulnerable = 0;
+
+                var templatesDn = $"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,{configNC}";
+
+                using (var deBase = new DirectoryEntry(templatesDn))
+                using (var ds = new DirectorySearcher(deBase))
+                {
+                    ds.PageSize = 300;
+                    ds.Filter = "(objectClass=pKICertificateTemplate)";
+                    ds.PropertiesToLoad.Add("cn");
+
+                    foreach (SearchResult r in ds.FindAll())
+                    {
+                        checkedTemplates++;
+                        string templateCn = GetProp(r, "cn") ?? "<unknown>";
+
+                        // Fetch security descriptor (DACL)
+                        DirectoryEntry de = null;
+                        try
+                        {
+                            de = r.GetDirectoryEntry();
+                            de.Options.SecurityMasks = SecurityMasks.Dacl;
+                            de.RefreshCache(new[] { "ntSecurityDescriptor" });
+                        }
+                        catch (Exception)
+                        {
+                            de?.Dispose();
+                            continue;
+                        }
+
+                        try
+                        {
+                            var sd = de.ObjectSecurity; // ActiveDirectorySecurity
+                            var rules = sd.GetAccessRules(true, true, typeof(SecurityIdentifier));
+                            bool hit = false;
+                            var hitRights = new HashSet<string>();
+
+                            foreach (ActiveDirectoryAccessRule rule in rules)
+                            {
+                                if (rule.AccessControlType != AccessControlType.Allow) continue;
+                                var sid = (rule.IdentityReference as SecurityIdentifier)?.Value;
+                                if (string.IsNullOrEmpty(sid)) continue;
+                                if (!currentSidSet.Contains(sid)) continue;
+
+                                var rights = rule.ActiveDirectoryRights;
+                                bool dangerous =
+                                    rights.HasFlag(ActiveDirectoryRights.GenericAll) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteDacl) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteOwner) ||
+                                    rights.HasFlag(ActiveDirectoryRights.WriteProperty) ||
+                                    rights.HasFlag(ActiveDirectoryRights.ExtendedRight);
+
+                                if (dangerous)
+                                {
+                                    hit = true;
+                                    if (rights.HasFlag(ActiveDirectoryRights.GenericAll)) hitRights.Add("GenericAll");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteDacl)) hitRights.Add("WriteDacl");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteOwner)) hitRights.Add("WriteOwner");
+                                    if (rights.HasFlag(ActiveDirectoryRights.WriteProperty)) hitRights.Add("WriteProperty");
+                                    if (rights.HasFlag(ActiveDirectoryRights.ExtendedRight)) hitRights.Add("ExtendedRight");
+                                }
+                            }
+
+                            if (hit)
+                            {
+                                vulnerable++;
+                                Beaprint.BadPrint($"  Dangerous rights over template: {templateCn}  (Rights: {string.Join(",", hitRights)})");
+                            }
+                        }
+                        catch (Exception)
+                        {
+                            // ignore templates we couldn't read
+                        }
+                        finally
+                        {
+                            de?.Dispose();
+                        }
+                    }
+                }
+
+                if (vulnerable == 0)
+                {
+                    Beaprint.GrayPrint($"  [-] No templates with dangerous rights found (checked {checkedTemplates}).");
+                }
+                else
+                {
+                    Beaprint.GrayPrint("  [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -90,6 +90,7 @@ namespace winPEAS.Checks
                 new SystemCheck("servicesinfo", new ServicesInfo()),
                 new SystemCheck("applicationsinfo", new ApplicationsInfo()),
                 new SystemCheck("networkinfo", new NetworkInfo()),
+                new SystemCheck("activedirectoryinfo", new ActiveDirectoryInfo()),
                 new SystemCheck("cloudinfo", new CloudInfo()),
                 new SystemCheck("windowscreds", new WindowsCreds()),
                 new SystemCheck("browserinfo", new BrowserInfo()),

winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs

@@ -102,17 +102,15 @@ namespace winPEAS.Checks
                 {
                     vulnHandlers = ProcessesInfo.GetVulnHandlers(progress);
                 }
+                Dictionary<string, string> colors = new Dictionary<string, string>();
+                colors[Checks.CurrentUserName] = Beaprint.ansi_color_bad;
+                colors[HandlesHelper.elevatedProcess] = Beaprint.ansi_color_bad;
 
                 foreach (Dictionary<string, string> handler in vulnHandlers)
                 {
-                    Dictionary<string, string> colors = new Dictionary<string, string>()
-                    {
-                        { Checks.CurrentUserName, Beaprint.ansi_color_bad },
-                        { handler["Reason"], Beaprint.ansi_color_bad },
-                    };
-
-                    Beaprint.DictPrint(vulnHandlers, colors, true);
+                    colors[handler["Reason"]] = Beaprint.ansi_color_bad;
                 }
+                Beaprint.DictPrint(vulnHandlers, colors, true);
             }
             catch (Exception ex)
             {

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -84,6 +84,7 @@ namespace winPEAS.Checks
                 PrintLSAInfo,
                 PrintNtlmSettings,
                 PrintLocalGroupPolicy,
+                PrintPotentialGPOAbuse,
                 AppLockerHelper.PrintAppLockerPolicy,
                 PrintPrintersWMIInfo,
                 PrintNamedPipes,
@@ -1131,6 +1132,94 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void PrintPotentialGPOAbuse()
+        {
+            try
+            {
+                Beaprint.MainPrint("Potential GPO abuse vectors (applied domain GPOs writable by current user)");
+
+                if (!Checks.IsPartOfDomain)
+                {
+                    Beaprint.NoColorPrint("    Host is not joined to a domain or domain info is unavailable.");
+                    return;
+                }
+
+                // Build a friendly group list for the current user to quickly spot interesting memberships
+                var currentGroups = winPEAS.Info.UserInfo.User.GetUserGroups(Checks.CurrentUserName, Checks.CurrentUserDomainName) ?? new System.Collections.Generic.List<string>();
+                var hasGPCO = currentGroups.Any(g => string.Equals(g, "Group Policy Creator Owners", System.StringComparison.InvariantCultureIgnoreCase));
+
+                if (hasGPCO)
+                {
+                    Beaprint.BadPrint("    [!] Current user is member of 'Group Policy Creator Owners' — can create/own new GPOs. If you can link a GPO to an OU that applies here, you can execute code as SYSTEM via scheduled task/startup script.");
+                }
+
+                var infos = GroupPolicy.GetLocalGroupPolicyInfos();
+
+                bool anyFinding = false;
+                foreach (var info in infos)
+                {
+                    var fileSysPath = info.FileSysPath?.ToString();
+                    if (string.IsNullOrEmpty(fileSysPath))
+                    {
+                        continue;
+                    }
+
+                    // Only look at domain GPOs stored in SYSVOL
+                    var isSysvolPath = fileSysPath.StartsWith(@"\", System.StringComparison.InvariantCultureIgnoreCase) &&
+                                       fileSysPath.IndexOf(@"\SysVol\", System.StringComparison.InvariantCultureIgnoreCase) >= 0 &&
+                                       fileSysPath.IndexOf(@"\Policies\", System.StringComparison.InvariantCultureIgnoreCase) >= 0;
+
+                    if (!isSysvolPath)
+                    {
+                        continue;
+                    }
+
+                    // Check write/equivalent permissions on common abuse locations inside the GPO
+                    var pathsToCheck = new System.Collections.Generic.List<string>
+                    {
+                        fileSysPath,
+                        System.IO.Path.Combine(fileSysPath, @"Machine\Scripts\Startup"),
+                        System.IO.Path.Combine(fileSysPath, @"User\Scripts\Logon"),
+                        System.IO.Path.Combine(fileSysPath, @"Machine\Preferences\ScheduledTasks")
+                    };
+
+                    foreach (var p in pathsToCheck)
+                    {
+                        var perms = PermissionsHelper.GetPermissionsFolder(p, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
+                        if (perms != null && perms.Count > 0)
+                        {
+                            if (!anyFinding)
+                            {
+                                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gpo-abuse.html", "Why it matters");
+                            }
+                            anyFinding = true;
+                            Beaprint.BadPrint($"    [!] Writable applied GPO detected");
+                            Beaprint.NoColorPrint($"        GPO Display Name : {info.DisplayName}");
+                            Beaprint.NoColorPrint($"        GPO Name         : {info.GPOName}");
+                            Beaprint.NoColorPrint($"        GPO Link         : {info.Link}");
+                            Beaprint.NoColorPrint($"        Path             : {p}");
+                            foreach (var entry in perms)
+                            {
+                                Beaprint.NoColorPrint($"          -> {entry}");
+                            }
+                            Beaprint.GrayPrint("        Hint: Abuse by adding an immediate Scheduled Task or Startup script to execute as SYSTEM on gpupdate.");
+                        }
+                    }
+                }
+
+                if (!anyFinding && !hasGPCO)
+                {
+                    Beaprint.NoColorPrint("    No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.");
+                }
+            }
+            catch (Exception ex)
+            {
+                // Avoid noisy stack traces in normal runs
+                Beaprint.GrayPrint($"    [!] Error while checking potential GPO abuse: {ex.Message}");
+            }
+        }
+
+
         private static void PrintPowerShellSessionSettings()
         {
             try

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -129,6 +129,7 @@ namespace winPEAS.Helpers
             Console.WriteLine(LCYAN + "        servicesinfo" + GRAY + "         Search services information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        applicationsinfo" + GRAY + "     Search installed applications information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        networkinfo" + GRAY + "          Search network information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        activedirectoryinfo" + GRAY + "   Quick AD checks (gMSA readable passwords, AD CS template rights)" + NOCOLOR);
             Console.WriteLine(LCYAN + "        cloudinfo" + GRAY + "            Enumerate cloud information" + NOCOLOR);
             Console.WriteLine(LCYAN + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
             Console.WriteLine(LCYAN + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);

winPEAS/winPEASexe/winPEAS/Helpers/HandlesHelper.cs

@@ -12,6 +12,7 @@ namespace winPEAS.Helpers
         private const int CNST_SYSTEM_EXTENDED_HANDLE_INFORMATION = 64;
         public const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
         public const int DUPLICATE_SAME_ACCESS = 0x2;
+        public const string elevatedProcess = "Access denied, process is probably elevated";
 
         [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
         public struct FILE_NAME_INFO
@@ -171,7 +172,7 @@ namespace winPEAS.Helpers
                 // Hex perms from https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights and https://github.com/buffer/maltracer/blob/master/defines.py
 
                 //PROCESS_ALL_ACCESS
-                if ((h.GrantedAccess & 0x001F0FFF) == h.GrantedAccess)
+                if ((h.GrantedAccess & 0x001F0FFF) == h.GrantedAccess || (h.GrantedAccess & 0x1FFFFF) == h.GrantedAccess)
                 {
                     vulnHandler.isVuln = true;
                     vulnHandler.reason = "PROCESS_ALL_ACCESS";
@@ -454,6 +455,8 @@ namespace winPEAS.Helpers
             }
             catch
             {
+                data["name"] = elevatedProcess;
+                data["sid"] = elevatedProcess;
                 return data;
             }
             finally
@@ -469,12 +472,32 @@ namespace winPEAS.Helpers
         public static PT_RELEVANT_INFO getProcInfoById(int pid)
         {
             PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO();
+            Process proc;
 
-            Process proc = Process.GetProcessById(pid);
+            try
+            {
+                proc = Process.GetProcessById(pid);
+            }
+            catch
+            {
+                pri.pid = pid;
+                pri.name = "Error, process may not exist";
+                pri.userName = "Error, process may not exist";
+                pri.userSid = "Error, process may not exist";
+                pri.imagePath = "Error, process may not exist";
+                return pri;
+            }
             Dictionary<string, string> user = GetProcU(proc);
-
             StringBuilder fileName = new StringBuilder(2000);
+
+            try
+            {
                 Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000);
+            }
+            catch
+            {
+                fileName = new StringBuilder(elevatedProcess);
+            }
 
             pri.pid = pid;
             pri.name = proc.ProcessName;

winPEAS/winPEASexe/winPEAS/winPEAS.csproj

@@ -172,6 +172,7 @@
       <Private>True</Private>
     </Reference>
     <Reference Include="System.DirectoryServices.AccountManagement" />
+    <Reference Include="System.DirectoryServices" />
     <Reference Include="System.Globalization.Calendars, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
       <HintPath>..\packages\System.Globalization.Calendars.4.3.0\lib\net46\System.Globalization.Calendars.dll</HintPath>
       <Private>True</Private>
@@ -1186,6 +1187,7 @@
     <Compile Include="3rdParty\YamlSerializer\YamlTagValidator.cs" />
     <Compile Include="Checks\ApplicationsInfo.cs" />
     <Compile Include="Checks\BrowserInfo.cs" />
+    <Compile Include="Checks\ActiveDirectoryInfo.cs" />
     <Compile Include="Checks\CloudInfo.cs" />
     <Compile Include="Checks\FileAnalysis.cs" />
     <Compile Include="Checks\FilesInfo.cs" />