mirror of
https://github.com/peass-ng/PEASS-ng.git
synced 2026-01-06 01:58:07 -08:00
Compare commits
5 Commits
20250701-b
...
update_PEA
| Author | SHA1 | Date | |
|---|---|---|---|
|
c314cfd23d | ||
|
|
cc5ab76991 | ||
|
|
36001d644e | ||
|
|
fdd414f4aa | ||
|
|
c3e50dbdbf |
201
.github/workflows/PR-tests.yml
vendored
Normal file
201
.github/workflows/PR-tests.yml
vendored
Normal file
@@ -0,0 +1,201 @@
|
||||
name: PR-tests
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- master
|
||||
- main
|
||||
paths-ignore:
|
||||
- '.github/**'
|
||||
|
||||
jobs:
|
||||
Build_and_test_winpeas_pr:
|
||||
runs-on: windows-latest
|
||||
|
||||
# environment variables
|
||||
env:
|
||||
Solution_Path: 'winPEAS\winPEASexe\winPEAS.sln'
|
||||
Configuration: 'Release'
|
||||
|
||||
steps:
|
||||
# checkout
|
||||
- name: Checkout
|
||||
uses: actions/checkout@master
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- name: Download regexes
|
||||
run: |
|
||||
powershell.exe -ExecutionPolicy Bypass -File build_lists/download_regexes.ps1
|
||||
|
||||
# Add MSBuild to the PATH
|
||||
- name: Setup MSBuild.exe
|
||||
uses: microsoft/setup-msbuild@v1.0.2
|
||||
|
||||
# Setup NuGet
|
||||
- name: Setup NuGet.exe
|
||||
uses: nuget/setup-nuget@v1
|
||||
|
||||
# Restore the packages for testing
|
||||
- name: Restore the application
|
||||
run: nuget restore $env:Solution_Path
|
||||
|
||||
# build
|
||||
- name: run MSBuild
|
||||
run: msbuild $env:Solution_Path
|
||||
|
||||
# Build all versions
|
||||
- name: Build all versions
|
||||
run: |
|
||||
echo "build x64"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x64"
|
||||
|
||||
echo "build x86"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="x86"
|
||||
|
||||
echo "build Any CPU"
|
||||
msbuild -m $env:Solution_Path /t:Rebuild /p:Configuration=$env:Configuration /p:Platform="Any CPU"
|
||||
|
||||
- name: Execute winPEAS -h
|
||||
shell: pwsh
|
||||
run: |
|
||||
$Configuration = "Release"
|
||||
$exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
|
||||
if (Test-Path $exePath) {
|
||||
& $exePath -h
|
||||
} else {
|
||||
Write-Error "winPEAS.exe not found at $exePath"
|
||||
}
|
||||
|
||||
- name: Execute winPEAS cloudinfo
|
||||
shell: pwsh
|
||||
run: |
|
||||
$Configuration = "Release"
|
||||
$exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
|
||||
if (Test-Path $exePath) {
|
||||
& $exePath cloudinfo
|
||||
} else {
|
||||
Write-Error "winPEAS.exe not found at $exePath"
|
||||
}
|
||||
|
||||
- name: Execute winPEAS systeminfo
|
||||
shell: pwsh
|
||||
run: |
|
||||
$Configuration = "Release"
|
||||
$exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
|
||||
if (Test-Path $exePath) {
|
||||
& $exePath systeminfo
|
||||
} else {
|
||||
Write-Error "winPEAS.exe not found at $exePath"
|
||||
}
|
||||
|
||||
- name: Execute winPEAS networkinfo
|
||||
shell: pwsh
|
||||
run: |
|
||||
$Configuration = "Release"
|
||||
$exePath = "winPEAS/winPEASexe/winPEAS/bin/$Configuration/winPEAS.exe"
|
||||
if (Test-Path $exePath) {
|
||||
& $exePath networkinfo
|
||||
} else {
|
||||
Write-Error "winPEAS.exe not found at $exePath"
|
||||
}
|
||||
|
||||
Build_and_test_linpeas_pr:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
# Download repo
|
||||
- uses: actions/checkout@v2
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
# Setup go
|
||||
- uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.17.0-rc1
|
||||
stable: false
|
||||
- run: go version
|
||||
|
||||
# Build linpeas
|
||||
- name: Build linpeas
|
||||
run: |
|
||||
python3 -m pip install PyYAML
|
||||
cd linPEAS
|
||||
python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
|
||||
python3 -m builder.linpeas_builder --all-no-fat --output linpeas.sh
|
||||
python3 -m builder.linpeas_builder --small --output linpeas_small.sh
|
||||
|
||||
# Run linpeas help as quick test
|
||||
- name: Run linpeas help
|
||||
run: linPEAS/linpeas_fat.sh -h && linPEAS/linpeas.sh -h && linPEAS/linpeas_small.sh -h
|
||||
|
||||
# Run linpeas as a test
|
||||
- name: Run linpeas system_information
|
||||
run: linPEAS/linpeas_fat.sh -o system_information -a
|
||||
|
||||
- name: Run linpeas container
|
||||
run: linPEAS/linpeas_fat.sh -o container -a
|
||||
|
||||
- name: Run linpeas cloud
|
||||
run: linPEAS/linpeas_fat.sh -o cloud -a
|
||||
|
||||
- name: Run linpeas procs_crons_timers_srvcs_sockets
|
||||
run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
|
||||
|
||||
- name: Run linpeas network_information
|
||||
run: linPEAS/linpeas_fat.sh -o network_information -t -a
|
||||
|
||||
- name: Run linpeas users_information
|
||||
run: linPEAS/linpeas_fat.sh -o users_information -a
|
||||
|
||||
- name: Run linpeas software_information
|
||||
run: linPEAS/linpeas_fat.sh -o software_information -a
|
||||
|
||||
- name: Run linpeas interesting_perms_files
|
||||
run: linPEAS/linpeas_fat.sh -o interesting_perms_files -a
|
||||
|
||||
- name: Run linpeas interesting_files
|
||||
run: linPEAS/linpeas_fat.sh -o interesting_files -a
|
||||
|
||||
Build_and_test_macpeas_pr:
|
||||
runs-on: macos-latest
|
||||
|
||||
steps:
|
||||
# Download repo
|
||||
- uses: actions/checkout@v2
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
# Build linpeas (macpeas)
|
||||
- name: Build macpeas
|
||||
run: |
|
||||
python3 -m pip install PyYAML --break-system-packages
|
||||
python3 -m pip install requests --break-system-packages
|
||||
cd linPEAS
|
||||
python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
|
||||
|
||||
# Run linpeas help as quick test
|
||||
- name: Run macpeas help
|
||||
run: linPEAS/linpeas_fat.sh -h
|
||||
|
||||
# Run macpeas parts to test it
|
||||
- name: Run macpeas system_information
|
||||
run: linPEAS/linpeas_fat.sh -o system_information -a
|
||||
|
||||
- name: Run macpeas container
|
||||
run: linPEAS/linpeas_fat.sh -o container -a
|
||||
|
||||
- name: Run macpeas cloud
|
||||
run: linPEAS/linpeas_fat.sh -o cloud -a
|
||||
|
||||
- name: Run macpeas procs_crons_timers_srvcs_sockets
|
||||
run: linPEAS/linpeas_fat.sh -o procs_crons_timers_srvcs_sockets -a
|
||||
|
||||
- name: Run macpeas network_information
|
||||
run: linPEAS/linpeas_fat.sh -o network_information -t -a
|
||||
|
||||
- name: Run macpeas users_information
|
||||
run: linPEAS/linpeas_fat.sh -o users_information -a
|
||||
|
||||
- name: Run macpeas software_information
|
||||
run: linPEAS/linpeas_fat.sh -o software_information -a
|
||||
@@ -170,7 +170,7 @@ LinPEAS uses colors to indicate where does each section begin. But **it also use
|
||||
|
||||
- The  **Red** color is used for identifing suspicious configurations that could lead to privilege escalation.
|
||||
|
||||
- The  **Green** color is used for known good configurations (based on the name not on the conten!)
|
||||
- The  **Green** color is used for known good configurations (based on the name not on the content!)
|
||||
|
||||
- The  **Blue** color is used for: Users without shell & Mounted devices
|
||||
|
||||
|
||||
@@ -74,6 +74,10 @@ winpeas.exe -lolbas #Execute also additional LOLBAS search check
|
||||
|
||||
The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
|
||||
|
||||
New in this version:
|
||||
- Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.
|
||||
|
||||
|
||||
It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).
|
||||
|
||||
The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
|
||||
|
||||
@@ -84,6 +84,7 @@ namespace winPEAS.Checks
|
||||
PrintLSAInfo,
|
||||
PrintNtlmSettings,
|
||||
PrintLocalGroupPolicy,
|
||||
PrintPotentialGPOAbuse,
|
||||
AppLockerHelper.PrintAppLockerPolicy,
|
||||
PrintPrintersWMIInfo,
|
||||
PrintNamedPipes,
|
||||
@@ -1131,6 +1132,94 @@ namespace winPEAS.Checks
|
||||
}
|
||||
}
|
||||
|
||||
private static void PrintPotentialGPOAbuse()
|
||||
{
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Potential GPO abuse vectors (applied domain GPOs writable by current user)");
|
||||
|
||||
if (!Checks.IsPartOfDomain)
|
||||
{
|
||||
Beaprint.NoColorPrint(" Host is not joined to a domain or domain info is unavailable.");
|
||||
return;
|
||||
}
|
||||
|
||||
// Build a friendly group list for the current user to quickly spot interesting memberships
|
||||
var currentGroups = winPEAS.Info.UserInfo.User.GetUserGroups(Checks.CurrentUserName, Checks.CurrentUserDomainName) ?? new System.Collections.Generic.List<string>();
|
||||
var hasGPCO = currentGroups.Any(g => string.Equals(g, "Group Policy Creator Owners", System.StringComparison.InvariantCultureIgnoreCase));
|
||||
|
||||
if (hasGPCO)
|
||||
{
|
||||
Beaprint.BadPrint(" [!] Current user is member of 'Group Policy Creator Owners' — can create/own new GPOs. If you can link a GPO to an OU that applies here, you can execute code as SYSTEM via scheduled task/startup script.");
|
||||
}
|
||||
|
||||
var infos = GroupPolicy.GetLocalGroupPolicyInfos();
|
||||
|
||||
bool anyFinding = false;
|
||||
foreach (var info in infos)
|
||||
{
|
||||
var fileSysPath = info.FileSysPath?.ToString();
|
||||
if (string.IsNullOrEmpty(fileSysPath))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
// Only look at domain GPOs stored in SYSVOL
|
||||
var isSysvolPath = fileSysPath.StartsWith(@"\", System.StringComparison.InvariantCultureIgnoreCase) &&
|
||||
fileSysPath.IndexOf(@"\SysVol\", System.StringComparison.InvariantCultureIgnoreCase) >= 0 &&
|
||||
fileSysPath.IndexOf(@"\Policies\", System.StringComparison.InvariantCultureIgnoreCase) >= 0;
|
||||
|
||||
if (!isSysvolPath)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
// Check write/equivalent permissions on common abuse locations inside the GPO
|
||||
var pathsToCheck = new System.Collections.Generic.List<string>
|
||||
{
|
||||
fileSysPath,
|
||||
System.IO.Path.Combine(fileSysPath, @"Machine\Scripts\Startup"),
|
||||
System.IO.Path.Combine(fileSysPath, @"User\Scripts\Logon"),
|
||||
System.IO.Path.Combine(fileSysPath, @"Machine\Preferences\ScheduledTasks")
|
||||
};
|
||||
|
||||
foreach (var p in pathsToCheck)
|
||||
{
|
||||
var perms = PermissionsHelper.GetPermissionsFolder(p, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
|
||||
if (perms != null && perms.Count > 0)
|
||||
{
|
||||
if (!anyFinding)
|
||||
{
|
||||
Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gpo-abuse.html", "Why it matters");
|
||||
}
|
||||
anyFinding = true;
|
||||
Beaprint.BadPrint($" [!] Writable applied GPO detected");
|
||||
Beaprint.NoColorPrint($" GPO Display Name : {info.DisplayName}");
|
||||
Beaprint.NoColorPrint($" GPO Name : {info.GPOName}");
|
||||
Beaprint.NoColorPrint($" GPO Link : {info.Link}");
|
||||
Beaprint.NoColorPrint($" Path : {p}");
|
||||
foreach (var entry in perms)
|
||||
{
|
||||
Beaprint.NoColorPrint($" -> {entry}");
|
||||
}
|
||||
Beaprint.GrayPrint(" Hint: Abuse by adding an immediate Scheduled Task or Startup script to execute as SYSTEM on gpupdate.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!anyFinding && !hasGPCO)
|
||||
{
|
||||
Beaprint.NoColorPrint(" No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.");
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
// Avoid noisy stack traces in normal runs
|
||||
Beaprint.GrayPrint($" [!] Error while checking potential GPO abuse: {ex.Message}");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
private static void PrintPowerShellSessionSettings()
|
||||
{
|
||||
try
|
||||
|
||||
Reference in New Issue
Block a user