Merge pull request #462 from jahway603/jahway603-patch-1

Minor URL fix

linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh

@@ -15,6 +15,6 @@
 
 if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching passwords inside logs (limit 70)"
-  (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
+  (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -H -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
   echo ""
-fi
+fi

metasploit/README.md

@@ -37,9 +37,10 @@ Basic options:
   ----        ---------------                                                           --------  -----------
   PARAMETERS                                                                            no        Parameters to pass to the script
   PASSWORD    um1xipfws17nkw1bi1ma3bh7tzt4mo3e                                          no        Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used
-                                                                                                  .
-  PEASS_URL   https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/wi  yes       Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://raw.githubusercontent.com/peass-ng/PEASS-ng
-              nPEASexe/binaries/Obfuscated%20Releases/winPEASany.exe                              /master/linPEAS/linpeas.sh
+
+  WINPEASS    true                                                                      yes       Use PEASS for Windows or PEASS for linux. Default is windows change to false for linux.
+  CUSTOM_URL                                                                            no        Path to the PEASS script. Accepted: http(s):// URL or absolute local path.
+                                            
   SESSION                                                                               yes       The session to run this module on.
   SRVHOST                                                                               no        Set your metasploit instance IP if you want to download the PEASS script from here via http(s) instead of uploading it.
   SRVPORT     443                                                                       no        Port to download the PEASS script from using http(s) (only used if SRVHOST)

metasploit/peass.rb

@@ -37,7 +37,8 @@ class MetasploitModule < Msf::Post
     ))
     register_options(
       [
-        OptString.new('PEASS_URL', [true, 'Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh', "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"]),
+        OptString.new('WINPEASS', [true, 'Which PEASS script to use. Use True for WinPeass and false for LinPEASS', true]),
+        OptString.new('CUSTOM_URL', [false, 'URL to download the PEASS script from (if not using the default one). Accepts http(s) or absolute path. Overrides the WINPEASS variable', '']),
         OptString.new('PASSWORD', [false, 'Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used.', rand(36**32).to_s(36)]),
         OptString.new('TEMP_DIR', [false, 'Path to upload the obfuscated PEASS script inside the compromised machine. By default "C:\Windows\System32\spool\drivers\color" is used in Windows and "/tmp" in Unix.', '']),
         OptString.new('PARAMETERS', [false, 'Parameters to pass to the script', nil]),
@@ -237,8 +238,14 @@ class MetasploitModule < Msf::Post
   def load_peass
     # Load the PEASS script from a local file or from Internet
     peass_script = ""
-    url_peass = datastore['PEASS_URL']
-    
+    url_peass = ""
+    # If no URL is set, use the default one
+    if datastore['CUSTOM_URL'] != ""
+      url_peass = datastore['CUSTOM_URL']
+    else
+      url_peass = datastore['WINPEASS'] ? "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" : "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"
+    end
+    # If URL is set, check if it is a valid URL or local file
     if url_peass.include?("http://") || url_peass.include?("https://")
       target = URI.parse url_peass
       raise 'Invalid URL' unless target.scheme =~ /https?/

parsers/peas2json.py

@@ -144,7 +144,12 @@ def parse_line(line: str):
         })
 
 
-def main():
+def parse_peass(outputpath: str, jsonpath: str = ""):
+    global OUTPUT_PATH, JSON_PATH
+
+    OUTPUT_PATH = outputpath
+    JSON_PATH = jsonpath
+
     for line in open(OUTPUT_PATH, 'r', encoding="utf8").readlines():
         line = line.strip()
         if not line or not clean_colors(line): #Remove empty lines or lines just with colors hex
@@ -152,17 +157,21 @@ def main():
 
         parse_line(line)
 
-    with open(JSON_PATH, "w") as f:
-        json.dump(FINAL_JSON, f)
+    if JSON_PATH:
+        with open(JSON_PATH, "w") as f:
+            json.dump(FINAL_JSON, f)
+    
+    else:
+        return FINAL_JSON
 
 
 # Start execution
 if __name__ == "__main__":
     try:
-        OUTPUT_PATH = sys.argv[1]
-        JSON_PATH = sys.argv[2]
+        outputpath = sys.argv[1]
+        jsonpath = sys.argv[2]
+        parse_peass(outputpath, jsonpath)
     except IndexError as err:
         print("Error: Please pass the peas.out file and the path to save the json\npeas2json.py <output_file> <json_file.json>")
         sys.exit(1)
     
-    main()

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -594,7 +594,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking KrbRelayUp");
-                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayupp");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup");
 
                 if (Checks.CurrentAdDomainName.Length > 0)
                 {

winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs

@@ -184,9 +184,17 @@ namespace winPEAS.Helpers
         //////////////////////
         public static List<string> ListFolder(String path)
         {
-            string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
-            var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
-            return dirs.ToList();
+            try
+            {
+                string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
+                var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
+                return dirs.ToList();
+            }
+            catch(Exception ex)
+            {
+                //Path can't be accessed
+                return new List<string>();
+            }
         }
 
         internal static byte[] CombineArrays(byte[] first, byte[] second)

winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Net;
+using System.Diagnostics;
 
 namespace winPEAS.Info.CloudInfo
 {
@@ -28,7 +29,20 @@ namespace winPEAS.Info.CloudInfo
         const string API_VERSION = "2021-12-13";
         const string CONTAINER_API_VERSION = "2019-08-01";
 
-        // **New helper method to detect if running inside an Azure container**
+        public static bool DoesProcessExist(string processName)
+        {
+            // Return false if the process name is null or empty
+            if (string.IsNullOrEmpty(processName))
+            {
+                return false;
+            }
+
+            // Retrieve all processes matching the specified name
+            Process[] processes = Process.GetProcessesByName(processName);
+            return processes.Length > 0;
+        }
+
+        // New helper method to detect if running inside an Azure container
         private bool IsContainer()
         {
             return !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")) ||
@@ -123,6 +137,22 @@ namespace winPEAS.Info.CloudInfo
                         }
                     }
 
+                    string hwsRun = DoesProcessExist("HybridWorkerService") ? "Yes" : "No";
+                    _endpointDataList.Add(new EndpointData()
+                    {
+                        EndpointName = "HybridWorkerService.exe Running",
+                        Data = hwsRun,
+                        IsAttackVector = true
+                    });
+
+                    string OSRun = DoesProcessExist("Orchestrator.Sandbox") ? "Yes" : "No";
+                    _endpointDataList.Add(new EndpointData()
+                    {
+                        EndpointName = "Orchestrator.Sandbox.exe Running",
+                        Data = OSRun,
+                        IsAttackVector = true
+                    });
+
                     _endpointData.Add("General", _endpointDataList);
                 }
                 catch (Exception ex)