
winPEAS check permissions SIDs

carlospolop 2020-01-28 15:11:35 -05:00
parent 02aeb9f347
commit 4cc980ee58
30 changed files with 765 additions and 615 deletions

@ -1569,13 +1569,13 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head
echo ""
##-- 19IF) Interesting hidden files
printf $Y"[+] "$GREEN"Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .git, .svn, .gitconfig, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml\n"$NC
##-- 19IF) Interesting files
printf $Y"[+] "$GREEN"Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml\n"$NC
printf $B"[i] "$Y"https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data\n"$NC
fils=`find /etc /home /root /tmp /usr /opt /mnt /var/backups /var/www /var/opt /var/cache \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "*httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".gitconfig" -o -name ".git-credentials" -o -name ".git" -o -name ".svn" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null`
for f in $fils; do
if [ -r $f ]; then
ls -ld $f 2>/dev/null | sed "s,bash_history\|\.sudo_as_admin_successful\|\.plan\|\.htpasswd\|\.git-credentials\|.git\|.svn\|\.rhosts\|httpd.conf,${C}[1;31m&${C}[0m," | sed "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m,g";
ls -ld $f 2>/dev/null | sed "s,_history\|\.sudo_as_admin_successful\|.profile\|bashrc\|httpd.conf\|\.plan\|\.htpasswd\|.gitconfig\|\.git-credentials\|.git\|.svn\|\.rhosts\|hosts.equiv\|Dockerfile\|docker-compose.yml,${C}[1;31m&${C}[0m," | sed "s,$sh_usrs,${C}[1;96m&${C}[0m,g" | sed "s,$USER,${C}[1;95m&${C}[0m,g" | sed "s,root,${C}[1;31m&${C}[0m,g";
if [ `echo $f | grep "_history"` ]; then
printf $GREEN"Looking for possible passwords inside $f\n"$NC
cat $f | grep $pwd_inside_history | sed "s,$pwd_inside_history,${C}[1;31m&${C}[0m,"
@ -1595,7 +1595,7 @@ if [ "`echo $CHECKS | grep IntFiles`" ]; then
##-- 20IF) All hidden files
printf $Y"[+] "$GREEN"All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)\n"$NC
find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/\|\.gitignore\|.npmignore\|_history$\|\.profile\|\.bashrc\|\.listing\|\.ignore\|\.uuid\|\.plan\|\.htpasswd\|\.git-credentials\|.rhosts\|.depend\|.placeholder\|.gitkeep\|.git$\|.svn$" | head -n 70
find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/\|_history$\|.sudo_as_admin_successful\|\.profile\|\.bashrc\|\.plan\|\.htpasswd\|.gitconfig\|\.git-credentials\|\.rhosts\|\.gitignore\|.npmignore\|\.listing\|\.ignore\|\.uuid\|.depend\|.placeholder\|.gitkeep" | head -n 70
echo ""
##-- 21IF) Readable files in /tmp, /var/tmp, /var/backups
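Review bot: The `grep -v` exclusion list in check 20IF anchors only `_history$`, so every other entry matches anywhere in the `find -ls` line, and the unescaped dots (`.gitconfig`, `.sudo_as_admin_successful`, `.depend`) match any character. A file such as `.htpasswd.bak` is therefore dropped from the "All hidden files" output, while check 19IF searches for the exact name `.htpasswd` and does not list it either, so the copy goes unreported by both checks. Escaping the dots and anchoring the names that 19IF matches exactly, e.g. `\.htpasswd$\|\.gitconfig$\|\.git-credentials$`, would keep the two checks complementary. The enclosing `if` block starts and ends outside the hunks shown.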

@ -57,7 +57,7 @@ namespace winPEAS
foreach (string f in Directory.GetFiles(fpath))
{
results[f] = new Dictionary<string, string>(){
{ f, String.Join(", ", MyUtils.GetPermissionsFile(f, Program.interestingUsersGroups)) }
{ f, String.Join(", ", MyUtils.GetPermissionsFile(f, Program.currentUserSIDs)) }
};
}
foreach (string d in Directory.GetDirectories(fpath))
@ -97,8 +97,8 @@ namespace winPEAS
{ "Folder", folder },
{ "File", filepath },
{ "isWritableReg", ""},
{ "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups))},
{ "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups))},
{ "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs))},
{ "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs))},
{ "isUnquotedSpaced", "" }
});
}
@ -106,7 +106,7 @@ namespace winPEAS
return results;
}
public static List<Dictionary<string, string>> GetAutoRuns(List<string> NtAccountNames)
public static List<Dictionary<string, string>> GetAutoRuns(Dictionary<string,string> NtAccountNames)
{
List<Dictionary<string, string>> reg_autorus = ServicesInfo.GetRegistryAutoRuns(NtAccountNames);
List<Dictionary<string, string>> file_autorus = GetAutoRunsFolder();
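Review bot: `GetAutoRuns` now takes a `Dictionary<string,string>` but the parameter is still named `NtAccountNames`, which no longer describes what callers are expected to pass. Judging by the other changes in this section the map is presumably `Program.currentUserSIDs` (SID as key, display name as value). Renaming it, e.g. `GetAutoRuns(Dictionary<string,string> currentUserSIDs)`, and adding a `/// <param>` line stating what the keys and values hold would make the contract explicit. The argument also only reaches `GetRegistryAutoRuns`, while `GetAutoRunsFolder()` takes no parameter and the permission lookups in the earlier hunks read `Program.currentUserSIDs` directly, so a caller passing a different map would get results computed against two identity sets. The function body continues outside the hunk.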

@ -9,7 +9,8 @@ namespace winPEAS
{
class Beaprint
{
public static string GRAY = "\x1b[1;90m";
public static string GRAY = "\x1b[1;37m";
public static string DGRAY = "\x1b[1;90m";
static string RED = "\x1b[1;31m";
public static string LRED = "\x1b[1;31m";
static string GREEN = "\x1b[1;32m";
@ -33,6 +34,9 @@ namespace winPEAS
public static string ansi_current_user = MAGENTA;
/////////////////////////////////
///////// PRINT THINGS /////////
/////////////////////////////////
public static void PrintBanner()
{
try
@ -132,32 +136,6 @@ namespace winPEAS
System.Console.WriteLine(YELLOW + " [+] " + LYELLOW + "By default all checks (except CMD checks) are executed" + NOCOLOR);
}
public static void deleteColors()
{
GRAY = "";
RED = "";
LRED = "";
GREEN = "";
LGREEN = "";
YELLOW = "";
LYELLOW = "";
BLUE = "";
LBLUE = "";
MAGENTA = "";
LMAGENTA = "";
CYAN = "";
LCYAN = "";
REDYELLOW = "";
NOCOLOR = "";
ansi_color_bad = "";
ansi_color_good = "";
ansi_color_gray = "";
ansi_color_yellow = "";
ansi_users_active = "";
ansi_users_disabled = "";
ansi_current_user = "";
}
/////////////////////////////////
/// DIFFERENT PRINT FUNCTIONS ///
@ -182,7 +160,7 @@ namespace winPEAS
try
{
System.Console.WriteLine();
System.Console.WriteLine(YELLOW + " [+] " + GREEN + toPrint + YELLOW + "(" + GRAY + attackid + YELLOW + ")" + NOCOLOR);
System.Console.WriteLine(YELLOW + " [+] " + GREEN + toPrint + YELLOW + "(" + DGRAY + attackid + YELLOW + ")" + NOCOLOR);
}
catch (Exception ex)
{
@ -231,7 +209,7 @@ namespace winPEAS
public static void GrayPrint(string to_print)
{
System.Console.WriteLine(GRAY + to_print + NOCOLOR);
System.Console.WriteLine(DGRAY + to_print + NOCOLOR);
}
public static void PrintLineSeparator()
@ -357,7 +335,6 @@ namespace winPEAS
}
}
public static void DictPrint(List<Dictionary<string, string>> listdicprint, Dictionary<string, string> colors, bool delete_nulls, bool no_gray = false)
{
try
@ -407,5 +384,35 @@ namespace winPEAS
else
NotFoundPrint();
}
//////////////////////////////////
/// Delete Colors (nocolor) :( ///
/// //////////////////////////////
public static void deleteColors()
{
GRAY = "";
RED = "";
LRED = "";
GREEN = "";
LGREEN = "";
YELLOW = "";
LYELLOW = "";
BLUE = "";
LBLUE = "";
MAGENTA = "";
LMAGENTA = "";
CYAN = "";
LCYAN = "";
REDYELLOW = "";
NOCOLOR = "";
ansi_color_bad = "";
ansi_color_good = "";
ansi_color_gray = "";
ansi_color_yellow = "";
ansi_users_active = "";
ansi_users_disabled = "";
ansi_current_user = "";
}
}
}
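Review bot: The relocated `deleteColors()` does not reset the newly added `DGRAY` field, so with colours disabled `GrayPrint` and the attack-id part of the `[+]` header line (both switched to `DGRAY` in this commit) still emit the `\x1b[1;90m` escape sequence. Add `DGRAY = "";` next to `GRAY = "";` in `deleteColors()`. Raw escape codes in supposedly plain output make redirected logs harder to parse and review.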

@ -660,88 +660,91 @@ namespace winPEAS
public static List<Dictionary<string, string>> DumpVault()
{
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
// pulled directly from @djhohnstein's SharpWeb project: https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs
var OSVersion = Environment.OSVersion.Version;
var OSMajor = OSVersion.Major;
var OSMinor = OSVersion.Minor;
Type VAULT_ITEM;
if (OSMajor >= 6 && OSMinor >= 2)
try
{
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN8);
}
else
{
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN7);
}
// pulled directly from @djhohnstein's SharpWeb project: https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs
var OSVersion = Environment.OSVersion.Version;
var OSMajor = OSVersion.Major;
var OSMinor = OSVersion.Minor;
Int32 vaultCount = 0;
IntPtr vaultGuidPtr = IntPtr.Zero;
var result = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);
Type VAULT_ITEM;
//var result = CallVaultEnumerateVaults(VaultEnum, 0, ref vaultCount, ref vaultGuidPtr);
if ((int)result != 0)
{
Console.WriteLine(" [ERROR] Unable to enumerate vaults. Error (0x" + result.ToString() + ")");
return results;
}
// Create dictionary to translate Guids to human readable elements
IntPtr guidAddress = vaultGuidPtr;
Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>();
vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note");
vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential");
vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector");
vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials");
vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials");
vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential");
vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential");
vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential");
vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null);
for (int i = 0; i < vaultCount; i++)
{
// Open vault block
object vaultGuidString = System.Runtime.InteropServices.Marshal.PtrToStructure(guidAddress, typeof(Guid));
Guid vaultGuid = new Guid(vaultGuidString.ToString());
guidAddress = (IntPtr)(guidAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(typeof(Guid)));
IntPtr vaultHandle = IntPtr.Zero;
string vaultType;
if (vaultSchema.ContainsKey(vaultGuid))
if (OSMajor >= 6 && OSMinor >= 2)
{
vaultType = vaultSchema[vaultGuid];
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN8);
}
else
{
vaultType = vaultGuid.ToString();
VAULT_ITEM = typeof(VaultCli.VAULT_ITEM_WIN7);
}
result = VaultCli.VaultOpenVault(ref vaultGuid, (UInt32)0, ref vaultHandle);
if (result != 0)
{
Console.WriteLine("Unable to open the following vault: " + vaultType + ". Error: 0x" + result.ToString());
continue;
}
// Vault opened successfully! Continue.
// Fetch all items within Vault
int vaultItemCount = 0;
IntPtr vaultItemPtr = IntPtr.Zero;
result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
if (result != 0)
Int32 vaultCount = 0;
IntPtr vaultGuidPtr = IntPtr.Zero;
var result = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);
//var result = CallVaultEnumerateVaults(VaultEnum, 0, ref vaultCount, ref vaultGuidPtr);
if ((int)result != 0)
{
Console.WriteLine("Unable to enumerate vault items from the following vault: " + vaultType + ". Error 0x" + result.ToString());
continue;
Console.WriteLine(" [ERROR] Unable to enumerate vaults. Error (0x" + result.ToString() + ")");
return results;
}
var structAddress = vaultItemPtr;
if (vaultItemCount > 0)
// Create dictionary to translate Guids to human readable elements
IntPtr guidAddress = vaultGuidPtr;
Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>();
vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note");
vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential");
vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector");
vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials");
vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials");
vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential");
vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential");
vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential");
vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null);
for (int i = 0; i < vaultCount; i++)
{
// For each vault item...
for (int j = 1; j <= vaultItemCount; j++)
// Open vault block
object vaultGuidString = System.Runtime.InteropServices.Marshal.PtrToStructure(guidAddress, typeof(Guid));
Guid vaultGuid = new Guid(vaultGuidString.ToString());
guidAddress = (IntPtr)(guidAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(typeof(Guid)));
IntPtr vaultHandle = IntPtr.Zero;
string vaultType;
if (vaultSchema.ContainsKey(vaultGuid))
{
Dictionary<string, string> vault_cred = new Dictionary<string, string>() {
vaultType = vaultSchema[vaultGuid];
}
else
{
vaultType = vaultGuid.ToString();
}
result = VaultCli.VaultOpenVault(ref vaultGuid, (UInt32)0, ref vaultHandle);
if (result != 0)
{
Console.WriteLine("Unable to open the following vault: " + vaultType + ". Error: 0x" + result.ToString());
continue;
}
// Vault opened successfully! Continue.
// Fetch all items within Vault
int vaultItemCount = 0;
IntPtr vaultItemPtr = IntPtr.Zero;
result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
if (result != 0)
{
Console.WriteLine("Unable to enumerate vault items from the following vault: " + vaultType + ". Error 0x" + result.ToString());
continue;
}
var structAddress = vaultItemPtr;
if (vaultItemCount > 0)
{
// For each vault item...
for (int j = 1; j <= vaultItemCount; j++)
{
Dictionary<string, string> vault_cred = new Dictionary<string, string>() {
{ "GUID", String.Format("{0}", vaultGuid) },
{ "Type", vaultType },
{ "Resource", "" },
@ -752,72 +755,77 @@ namespace winPEAS
{ "Error", "" }
};
// Begin fetching vault item...
var currentItem = System.Runtime.InteropServices.Marshal.PtrToStructure(structAddress, VAULT_ITEM);
structAddress = (IntPtr)(structAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(VAULT_ITEM));
// Begin fetching vault item...
var currentItem = System.Runtime.InteropServices.Marshal.PtrToStructure(structAddress, VAULT_ITEM);
structAddress = (IntPtr)(structAddress.ToInt64() + System.Runtime.InteropServices.Marshal.SizeOf(VAULT_ITEM));
IntPtr passwordVaultItem = IntPtr.Zero;
// Field Info retrieval
FieldInfo schemaIdInfo = currentItem.GetType().GetField("SchemaId");
Guid schemaId = new Guid(schemaIdInfo.GetValue(currentItem).ToString());
FieldInfo pResourceElementInfo = currentItem.GetType().GetField("pResourceElement");
IntPtr pResourceElement = (IntPtr)pResourceElementInfo.GetValue(currentItem);
FieldInfo pIdentityElementInfo = currentItem.GetType().GetField("pIdentityElement");
IntPtr pIdentityElement = (IntPtr)pIdentityElementInfo.GetValue(currentItem);
FieldInfo dateTimeInfo = currentItem.GetType().GetField("LastModified");
UInt64 lastModified = (UInt64)dateTimeInfo.GetValue(currentItem);
IntPtr passwordVaultItem = IntPtr.Zero;
// Field Info retrieval
FieldInfo schemaIdInfo = currentItem.GetType().GetField("SchemaId");
Guid schemaId = new Guid(schemaIdInfo.GetValue(currentItem).ToString());
FieldInfo pResourceElementInfo = currentItem.GetType().GetField("pResourceElement");
IntPtr pResourceElement = (IntPtr)pResourceElementInfo.GetValue(currentItem);
FieldInfo pIdentityElementInfo = currentItem.GetType().GetField("pIdentityElement");
IntPtr pIdentityElement = (IntPtr)pIdentityElementInfo.GetValue(currentItem);
FieldInfo dateTimeInfo = currentItem.GetType().GetField("LastModified");
UInt64 lastModified = (UInt64)dateTimeInfo.GetValue(currentItem);
IntPtr pPackageSid = IntPtr.Zero;
if (OSMajor >= 6 && OSMinor >= 2)
{
// Newer versions have package sid
FieldInfo pPackageSidInfo = currentItem.GetType().GetField("pPackageSid");
pPackageSid = (IntPtr)pPackageSidInfo.GetValue(currentItem);
result = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
}
else
{
result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
}
IntPtr pPackageSid = IntPtr.Zero;
if (OSMajor >= 6 && OSMinor >= 2)
{
// Newer versions have package sid
FieldInfo pPackageSidInfo = currentItem.GetType().GetField("pPackageSid");
pPackageSid = (IntPtr)pPackageSidInfo.GetValue(currentItem);
result = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
}
else
{
result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
}
if (result != 0)
{
vault_cred["Error"] = "Occured while retrieving vault item. Error: 0x" + result.ToString();
continue;
}
object passwordItem = System.Runtime.InteropServices.Marshal.PtrToStructure(passwordVaultItem, VAULT_ITEM);
FieldInfo pAuthenticatorElementInfo = passwordItem.GetType().GetField("pAuthenticatorElement");
IntPtr pAuthenticatorElement = (IntPtr)pAuthenticatorElementInfo.GetValue(passwordItem);
// Fetch the credential from the authenticator element
object cred = GetVaultElementValue(pAuthenticatorElement);
object packageSid = null;
if (pPackageSid != IntPtr.Zero && pPackageSid != null)
{
packageSid = GetVaultElementValue(pPackageSid);
}
if (cred != null) // Indicates successful fetch
{
object resource = GetVaultElementValue(pResourceElement);
if (resource != null)
if (result != 0)
{
vault_cred["Resource"] = String.Format("{0}", resource);
vault_cred["Error"] = "Occured while retrieving vault item. Error: 0x" + result.ToString();
continue;
}
object identity = GetVaultElementValue(pIdentityElement);
if (identity != null)
object passwordItem = System.Runtime.InteropServices.Marshal.PtrToStructure(passwordVaultItem, VAULT_ITEM);
FieldInfo pAuthenticatorElementInfo = passwordItem.GetType().GetField("pAuthenticatorElement");
IntPtr pAuthenticatorElement = (IntPtr)pAuthenticatorElementInfo.GetValue(passwordItem);
// Fetch the credential from the authenticator element
object cred = GetVaultElementValue(pAuthenticatorElement);
object packageSid = null;
if (pPackageSid != IntPtr.Zero && pPackageSid != null)
{
vault_cred["Identity"] = String.Format("{0}", identity);
packageSid = GetVaultElementValue(pPackageSid);
}
if (packageSid != null)
if (cred != null) // Indicates successful fetch
{
vault_cred["PacakgeSid"] = String.Format("{0}", packageSid);
object resource = GetVaultElementValue(pResourceElement);
if (resource != null)
{
vault_cred["Resource"] = String.Format("{0}", resource);
}
object identity = GetVaultElementValue(pIdentityElement);
if (identity != null)
{
vault_cred["Identity"] = String.Format("{0}", identity);
}
if (packageSid != null)
{
vault_cred["PacakgeSid"] = String.Format("{0}", packageSid);
}
vault_cred["Credential"] = String.Format("{0}", cred);
vault_cred["Last Modified"] = String.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified));
results.Add(vault_cred);
}
vault_cred["Credential"] = String.Format("{0}", cred);
vault_cred["Last Modified"] = String.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified));
results.Add(vault_cred);
}
}
}
}
catch(Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
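Review bot: The new `try`/`catch` wraps the whole of `DumpVault`, so one exception while marshalling a single item ends enumeration of every remaining item and vault, and only `ex.Message` is printed. Such an exception could come from a `GetField(...)` call returning null or from `Marshal.PtrToStructure` on an unexpected pointer. Scoping a `try` to the body of the `for (int j = 1; ...)` loop, and logging the vault type with the message, would keep the partial results and show which vault failed. Separately, in the `if (result != 0)` branch after `VaultGetItem_*`, `vault_cred["Error"]` is assigned and then `continue` runs, so that entry never reaches `results` and the error text is lost. Add `results.Add(vault_cred);` before the `continue` if the error is meant to be reported.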

@ -16,7 +16,63 @@ namespace winPEAS
{
class MyUtils
{
//////////////////////
/// IsDomainJoined ///
//////////////////////
/// The clases and functions here are dedicated to discover if the current host is joined in a domain or not, and get the domain name if so
/// It can be done using .Net (default) and WMI (used if .Net fails)
internal class Win32
{
public const int ErrorSuccess = 0;
[DllImport("Netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int NetGetJoinInformation(string server, out IntPtr domain, out NetJoinStatus status);
[DllImport("Netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr Buffer);
public enum NetJoinStatus
{
NetSetupUnknownStatus = 0,
NetSetupUnjoined,
NetSetupWorkgroupName,
NetSetupDomainName
}
}
public static string IsDomainJoined()
{
// returns Compuer Domain if the system is inside an AD (an nothing if it is not)
try
{
Win32.NetJoinStatus status = Win32.NetJoinStatus.NetSetupUnknownStatus;
IntPtr pDomain = IntPtr.Zero;
int result = Win32.NetGetJoinInformation(null, out pDomain, out status);
if (pDomain != IntPtr.Zero)
{
Win32.NetApiBufferFree(pDomain);
}
if (result == Win32.ErrorSuccess)
{
// If in domain, return domain name, if not, return empty
if (status == Win32.NetJoinStatus.NetSetupDomainName)
return Environment.UserDomainName;
return "";
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}\n Trying to check if domain is joined using WMI", ex.Message));
IsDomainJoinedWmi();
}
return "";
}
public static string IsDomainJoinedWmi()
{
// returns Compuer Domain if the system is inside an AD (an nothing if it is not)
try
@ -36,84 +92,16 @@ namespace winPEAS
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
//By default true, because this way will check domain and local, but never should get here the code
//By default local
return "";
}
public static Dictionary<string, string> RemoveEmptyKeys(Dictionary<string, string> dic_in)
{
Dictionary<string, string> results = new Dictionary<string, string>();
try
{
foreach (KeyValuePair<string, string> entry in dic_in)
if (!String.IsNullOrEmpty(entry.Value.Trim()))
results[entry.Key] = entry.Value;
return results;
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static List<string> ListFolder(String path)
{
string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
return dirs.ToList();
}
//From https://stackoverflow.com/questions/929276/how-to-recursively-list-all-the-files-in-a-directory-in-c
public static Dictionary<string, string> GecRecursivePrivs(string path)
{
/*string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
return dirs.ToList();*/
Dictionary<string, string> results = new Dictionary<string, string>();
results[path] = ""; //If you cant open, then there are no privileges for you (and the try will explode)
try
{
results[path] = String.Join(", ", GetPermissionsFolder(path, Program.interestingUsersGroups));
if (String.IsNullOrEmpty(results[path]))
{
foreach (string d in Directory.GetDirectories(path))
{
foreach (string f in Directory.GetFiles(d))
{
results[f] = String.Join(", ", GetPermissionsFile(f, Program.interestingUsersGroups));
}
results.Concat(GecRecursivePrivs(d)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
}
}
}
catch
{
//Access denied to a path
}
return results;
}
//From Seatbelt
public static bool IsHighIntegrity()
{
// returns true if the current process is running with adminstrative privs in a high integrity context
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
return principal.IsInRole(WindowsBuiltInRole.Administrator);
}
//From https://stackoverflow.com/questions/3519539/how-to-check-if-a-string-contains-any-of-some-strings
public static bool ContainsAnyRegex(string haystack, List<string> regexps)
{
foreach (string regex in regexps)
{
if (Regex.Match(haystack, regex, RegexOptions.IgnoreCase).Success)
return true;
}
return false;
}
// From Seatbelt
///////////////////////////////////////////
/// Interf. for Keys and Values in Reg. ///
///////////////////////////////////////////
/// Functions related to obtain keys and values from the registry
/// Some parts adapted from Seatbelt
public static string GetRegValue(string hive, string path, string value)
{
// returns a single registry value under the specified path in the specified hive (HKLM/HKCU)
@ -254,6 +242,241 @@ namespace winPEAS
}
}
///////////////////////////////////
//////// Check Permissions ////////
///////////////////////////////////
/// Get interesting permissions from Files, Folders and Registry
public static List<string> GetPermissionsFile(string path, Dictionary<string,string> SIDs)
{
/*Permisos especiales para carpetas
*https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format?redirectedfrom=MSDN
*https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights?redirectedfrom=MSDN
*/
List<string> results = new List<string>();
path = path.Trim();
if (path == null || path == "")
return results;
Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\.+?(\.[a-zA-Z0-9_-]+))\W*", RegexOptions.IgnoreCase);
string binaryPath = reg_path.Groups[1].ToString();
path = binaryPath;
if (path == null || path == "")
return results;
try
{
FileSecurity fSecurity = File.GetAccessControl(path);
results = GetMyPermissionsF(fSecurity, SIDs);
}
catch
{
//By some reason some times it cannot find a file or cannot get permissions (normally with some binaries inside system32)
}
return results;
}
public static List<string> GetPermissionsFolder(string path, Dictionary<string, string> SIDs)
{
List<string> results = new List<string>();
try
{
path = path.Trim();
if (String.IsNullOrEmpty(path))
return results;
path = GetFolderFromString(path);
if (String.IsNullOrEmpty(path))
return results;
FileSecurity fSecurity = File.GetAccessControl(path);
results = GetMyPermissionsF(fSecurity, SIDs);
}
catch
{
//Te exceptions here use to be "Not access to a file", nothing interesting
}
return results;
}
public static List<string> GetMyPermissionsF(FileSecurity fSecurity, Dictionary<string, string> SIDs)
{
// Get interesting permissions in fSecurity (Only files and folders)
List<string> results = new List<string>();
Dictionary<string, string> container = new Dictionary<string, string>();
foreach (FileSystemAccessRule rule in fSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
//First, check if the rule to check is interesting
int current_perm = (int)rule.FileSystemRights;
string current_perm_str = PermInt2Str(current_perm, false);
if (current_perm_str == "")
continue;
foreach (KeyValuePair<string, string> mySID in SIDs)
{
// If the rule is interesting, check if any of my SIDs is in the rule
if (rule.IdentityReference.Value.ToLower() == mySID.Key.ToLower())
{
string SID_name = String.IsNullOrEmpty(mySID.Value) ? mySID.Key : mySID.Value;
if (container.ContainsKey(SID_name))
{
if (!container[SID_name].Contains(current_perm_str))
container[SID_name] += " " + current_perm_str;
}
else
container[SID_name] = current_perm_str;
string to_add = String.Format("{0} [{1}]", SID_name, current_perm_str);
}
}
}
foreach (KeyValuePair<string, string> SID_input in container)
{
string to_add = String.Format("{0} [{1}]", SID_input.Key, SID_input.Value);
results.Add(to_add);
}
return results;
}
public static List<string> GetMyPermissionsR(RegistryKey key, Dictionary<string, string> SIDs)
{
// Get interesting permissions in rSecurity (Only Registry)
List<string> results = new List<string>();
Dictionary<string, string> container = new Dictionary<string, string>();
try
{
var rSecurity = key.GetAccessControl();
//Go through the rules returned from the DirectorySecurity
foreach (RegistryAccessRule rule in rSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
int current_perm = (int)rule.RegistryRights;
string current_perm_str = PermInt2Str(current_perm, true);
if (current_perm_str == "")
continue;
foreach (KeyValuePair<string, string> mySID in SIDs)
{
// If the rule is interesting, check if any of my SIDs is in the rule
if (rule.IdentityReference.Value.ToLower() == mySID.Key.ToLower())
{
string SID_name = String.IsNullOrEmpty(mySID.Value) ? mySID.Key : mySID.Value;
if (container.ContainsKey(SID_name))
{
if (!container[SID_name].Contains(current_perm_str))
container[SID_name] += " " + current_perm_str;
}
else
container[SID_name] = current_perm_str;
string to_add = String.Format("{0} [{1}]", SID_name, current_perm_str);
}
}
}
foreach (KeyValuePair<string, string> SID_input in container)
{
string to_add = String.Format("{0} [{1}]", SID_input.Key, SID_input.Value);
results.Add(to_add);
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static string PermInt2Str(int current_perm, bool only_write_or_equivalent = false)
{
Dictionary<string, int> interesting_perms = new Dictionary<string, int>()
{
{ "AllAccess", 0xf01ff},
{ "GenericAll", 0x10000000},
{ "FullControl", (int)FileSystemRights.FullControl },
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
{ "GenericWrite", 0x40000000 },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
{ "Modify", (int)FileSystemRights.Modify },
{ "Write", (int)FileSystemRights.Write },
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
{ "Delete", (int)FileSystemRights.Delete },
{ "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles },
{ "AppendData/CreateDirectories", (int)FileSystemRights.AppendData },
{ "WriteAttributes", (int)FileSystemRights.WriteAttributes },
{ "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes },
};
if (only_write_or_equivalent)
{
interesting_perms = new Dictionary<string, int>()
{
{ "AllAccess", 0xf01ff},
{ "GenericAll", 0x10000000},
{ "FullControl", (int)FileSystemRights.FullControl },
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
{ "GenericWrite", 0x40000000 },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
{ "Modify", (int)FileSystemRights.Modify },
{ "Write", (int)FileSystemRights.Write },
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
};
}
try
{
foreach (KeyValuePair<string, int> entry in interesting_perms)
{
if ((entry.Value & current_perm) == entry.Value)
return entry.Key;
}
}
catch (Exception ex)
{
Beaprint.GrayPrint("Error in PermInt2Str: " + ex);
}
return "";
}
//From https://stackoverflow.com/questions/929276/how-to-recursively-list-all-the-files-in-a-directory-in-c
public static Dictionary<string, string> GecRecursivePrivs(string path)
{
/*string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
return dirs.ToList();*/
Dictionary<string, string> results = new Dictionary<string, string>();
results[path] = ""; //If you cant open, then there are no privileges for you (and the try will explode)
try
{
results[path] = String.Join(", ", GetPermissionsFolder(path, Program.currentUserSIDs));
if (String.IsNullOrEmpty(results[path]))
{
foreach (string d in Directory.GetDirectories(path))
{
foreach (string f in Directory.GetFiles(d))
{
results[f] = String.Join(", ", GetPermissionsFile(f, Program.currentUserSIDs));
}
results.Concat(GecRecursivePrivs(d)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
}
}
}
catch
{
//Access denied to a path
}
return results;
}
////////////////////////////////////
/////// MISC - Files & Paths ///////
////////////////////////////////////
public static bool CheckIfDotNet(string path)
{
bool isDotNet = false;
@ -306,7 +529,7 @@ namespace winPEAS
string binaryPath = GetExecutableFromPath(path);
if (binaryPath == "")
{
binaryPath = GetExecutableFromPath(system32dir +"\\" + path);
binaryPath = GetExecutableFromPath(system32dir + "\\" + path);
if (!File.Exists(binaryPath))
{
binaryPath = GetExecutableFromPath(windowsdir + "\\" + path);
@ -323,55 +546,6 @@ namespace winPEAS
return binaryPath;
}
public static List<string> GetPermissionsFile(string path, List<string> lowgroups)
{
/*Permisos especiales para carpetas
*https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format?redirectedfrom=MSDN
*https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights?redirectedfrom=MSDN
*/
List<string> results = new List<string>();
path = path.Trim();
if (path == null || path == "")
return results;
Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\.+?(\.[a-zA-Z0-9_-]+))\W*", RegexOptions.IgnoreCase);
string binaryPath = reg_path.Groups[1].ToString();
path = binaryPath;
if (path == null || path == "")
return results;
try
{
FileSecurity fSecurity = File.GetAccessControl(path);
foreach (FileSystemAccessRule rule in fSecurity.GetAccessRules(true, true, typeof(NTAccount)))
{
int current_perm = (int)rule.FileSystemRights;
string current_perm_str = permInt2Str(current_perm);
if (current_perm_str == "")
continue;
foreach (string group in lowgroups)
{
if (rule.IdentityReference.Value.ToLower().Contains(group.ToLower()))
{
string to_add = String.Format("{0} [{1}]", rule.IdentityReference.Value, current_perm_str);
if (!results.Contains(to_add))
{
results.Add(to_add);
break;
}
}
}
}
}
catch
{
//By some reason some times it cannot find a file or cannot get permissions (normally with some binaries inside system32)
}
return results;
}
public static string GetFolderFromString(string path)
{
string fpath = path;
@ -387,102 +561,6 @@ namespace winPEAS
return fpath;
}
public static List<string> GetPermissionsFolder(string path, List<string> NtAccountNames)
{
List<string> results = new List<string>();
try
{
path = path.Trim();
if (String.IsNullOrEmpty(path))
return results;
path = GetFolderFromString(path);
if (String.IsNullOrEmpty(path))
return results;
FileSecurity fSecurity = File.GetAccessControl(path);
//Go through the rules returned from the DirectorySecurity
foreach (FileSystemAccessRule rule in fSecurity.GetAccessRules(true, true, typeof(NTAccount)))
{
int current_perm = (int)rule.FileSystemRights;
string current_perm_str = permInt2Str(current_perm);
if (current_perm_str == "")
continue;
//If we find one that matches the identity we are looking for
foreach (string name in NtAccountNames)
{
if (rule.IdentityReference.Value.ToLower().Contains(name.ToLower()))
{
string to_add = String.Format("{0} [{1}]", rule.IdentityReference.Value, current_perm_str);
if (!results.Contains(to_add))
{
results.Add(to_add);
break;
}
}
}
}
}
catch
{
//Te exceptions here use to be "Not access to a file", nothing interesting
}
return results;
}
public static string permInt2Str(int current_perm, bool only_write_or_equivalent=false)
{
Dictionary<string, int> interesting_perms = new Dictionary<string, int>()
{
{ "AllAccess", 0xf01ff},
{ "GenericAll", 0x10000000},
{ "FullControl", (int)FileSystemRights.FullControl },
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
{ "GenericWrite", 0x40000000 },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
{ "Modify", (int)FileSystemRights.Modify },
{ "Write", (int)FileSystemRights.Write },
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
{ "Delete", (int)FileSystemRights.Delete },
{ "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles },
{ "AppendData/CreateDirectories", (int)FileSystemRights.AppendData },
{ "WriteAttributes", (int)FileSystemRights.WriteAttributes },
{ "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes },
};
if (only_write_or_equivalent)
{
interesting_perms = new Dictionary<string, int>()
{
{ "AllAccess", 0xf01ff},
{ "GenericAll", 0x10000000},
{ "FullControl", (int)FileSystemRights.FullControl },
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
{ "GenericWrite", 0x40000000 },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
{ "Modify", (int)FileSystemRights.Modify },
{ "Write", (int)FileSystemRights.Write },
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
};
}
try
{
foreach (KeyValuePair<string, int> entry in interesting_perms)
{
if ((entry.Value & current_perm) == entry.Value)
return entry.Key;
}
}
catch (Exception ex)
{
Beaprint.GrayPrint("Error in permInt2Str: " + ex);
}
return "";
}
public static bool CheckQuoteAndSpace(string path)
{
@ -494,94 +572,6 @@ namespace winPEAS
return false;
}
//Adapted from https://social.msdn.microsoft.com/Forums/vstudio/en-US/378491d6-23a3-4ae7-a702-c52c5abb0e8d/access-to-both-32-and-64-bit-registry-using-c-and-regmultisz?forum=csharpgeneral
[DllImport("Advapi32.dll", EntryPoint = "RegOpenKeyExW", CharSet = CharSet.Unicode)]
static extern int RegOpenKeyEx(IntPtr hKey, [In] string lpSubKey, int ulOptions, int samDesired, out IntPtr phkResult);
[DllImport("Advapi32.dll", EntryPoint = "RegQueryValueExW", CharSet = CharSet.Unicode)]
static extern int RegQueryValueEx(IntPtr hKey, [In] string lpValueName, IntPtr lpReserved, out int lpType, [Out] byte[] lpData, ref int lpcbData);
[DllImport("advapi32.dll")]
static extern int RegCloseKey(IntPtr hKey);
static public readonly IntPtr HKEY_CLASSES_ROOT = new IntPtr(-2147483648);
static public readonly IntPtr HKEY_CURRENT_USER = new IntPtr(-2147483647);
static public readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(-2147483646);
static public readonly IntPtr HKEY_USERS = new IntPtr(-2147483645);
static public readonly IntPtr HKEY_PERFORMANCE_DATA = new IntPtr(-2147483644);
static public readonly IntPtr HKEY_CURRENT_CONFIG = new IntPtr(-2147483643);
static public readonly IntPtr HKEY_DYN_DATA = new IntPtr(-2147483642);
public const int KEY_READ = 0x20019;
public const int KEY_WRITE = 0x20006;
public const int KEY_QUERY_VALUE = 0x0001;
public const int KEY_SET_VALUE = 0x0002;
public const int KEY_WOW64_64KEY = 0x0100;
public const int KEY_WOW64_32KEY = 0x0200;
public const int KEY_ALL_ACCESS = 0xF003F;
public const int REG_NONE = 0;
public const int REG_SZ = 1;
public const int REG_EXPAND_SZ = 2;
public const int REG_BINARY = 3;
public const int REG_DWORD = 4;
public const int REG_DWORD_BIG_ENDIAN = 5;
public const int REG_LINK = 6;
public const int REG_MULTI_SZ = 7;
public const int REG_RESOURCE_LIST = 8;
public const int REG_FULL_RESOURCE_DESCRIPTOR = 9;
public const int REG_RESOURCE_REQUIREMENTS_LIST = 10;
public const int REG_QWORD = 11;
[StructLayoutAttribute(LayoutKind.Sequential)]
public struct SECURITY_DESCRIPTOR
{
public byte revision;
public byte size;
public short control;
public IntPtr owner;
public IntPtr group;
public IntPtr sacl;
public IntPtr dacl;
}
public static List<string> CheckAccessReg(RegistryKey key, List<string> NtAccountNames)
{
List<string> results = new List<string>();
try
{
var security = key.GetAccessControl();
//Go through the rules returned from the DirectorySecurity
foreach (RegistryAccessRule rule in security.GetAccessRules(true, true, typeof(NTAccount)))
{
int current_perm = (int)rule.RegistryRights;
string current_perm_str = permInt2Str(current_perm, true);
if (current_perm_str == "" || current_perm_str == "WriteExtendedAttributes")
continue;
//If we find one that matches the identity we are looking for
foreach (string name in NtAccountNames)
{
if (rule.IdentityReference.Value.ToLower().Contains(name.ToLower()))
{
string to_add = String.Format("{0} [{1}]", rule.IdentityReference.Value, current_perm_str);
if (!results.Contains(to_add))
{
results.Add(to_add);
break;
}
}
}
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static List<string> FindFiles(string path, string patterns)
{
// finds files matching one or more patterns under a given path, recursive
@ -629,6 +619,55 @@ namespace winPEAS
catch (PathTooLongException) { }
}
//////////////////////
//////// MISC ////////
//////////////////////
public static Dictionary<string, string> RemoveEmptyKeys(Dictionary<string, string> dic_in)
{
Dictionary<string, string> results = new Dictionary<string, string>();
try
{
foreach (KeyValuePair<string, string> entry in dic_in)
if (!String.IsNullOrEmpty(entry.Value.Trim()))
results[entry.Key] = entry.Value;
return results;
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static List<string> ListFolder(String path)
{
string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
return dirs.ToList();
}
//From Seatbelt
public static bool IsHighIntegrity()
{
// returns true if the current process is running with adminstrative privs in a high integrity context
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
return principal.IsInRole(WindowsBuiltInRole.Administrator);
}
//From https://stackoverflow.com/questions/3519539/how-to-check-if-a-string-contains-any-of-some-strings
public static bool ContainsAnyRegex(string haystack, List<string> regexps)
{
foreach (string regex in regexps)
{
if (Regex.Match(haystack, regex, RegexOptions.IgnoreCase).Success)
return true;
}
return false;
}
// From https://stackoverflow.com/questions/206323/how-to-execute-command-line-in-c-get-std-out-results
public static string ExecCMD(string args, string alternative_binary="")
{

@ -367,7 +367,7 @@ namespace winPEAS
//value meanings: http://msdn.microsoft.com/en-us/library/aa390438(v=vs.85).aspx
current_perm = Convert.ToInt32(result.Properties["ReturnValue"].Value);
perm_str = MyUtils.permInt2Str(current_perm);
perm_str = MyUtils.PermInt2Str(current_perm);
}
catch (ManagementException me)
{

@ -39,7 +39,6 @@ namespace winPEAS
// Create Dynamic blacklists
static string currentUserName = Environment.UserName;
public static List<string> interestingUsersGroups = new List<string> { "Everyone", @"Builtin\Users", "Todos", currentUserName }; //Authenticated Users (Authenticated left behin to avoid repetitions)
public static string currentUserDomainName = Environment.UserDomainName;
public static string currentADDomainName = "";
public static bool partofdomain = false;
@ -47,7 +46,7 @@ namespace winPEAS
static SelectQuery query = null;
static ManagementObjectSearcher searcher = null;
public static ManagementObjectCollection win32_users = null;
static List<string> currentUserGroups = new List<string>();
public static Dictionary<string,string> currentUserSIDs = new Dictionary<string, string>();
static string paint_activeUsers = "";
static string paint_activeUsers_no_Administrator = "";
static string paint_disabledUsers = "";
@ -60,7 +59,7 @@ namespace winPEAS
try
{
Beaprint.GrayPrint(" Creating Dynamic lists, this could take a while, please wait...");
Beaprint.GrayPrint(" - Getting AD info...");
Beaprint.GrayPrint(" - Checking if domain...");
currentADDomainName = MyUtils.IsDomainJoined();
partofdomain = currentADDomainName == "" ? false : true;
currentUserIsLocal = currentADDomainName != currentUserDomainName;
@ -84,8 +83,19 @@ namespace winPEAS
try {
Beaprint.GrayPrint(" - Creating current user groups list...");
currentUserGroups = UserInfo.GetUserGroups(currentUserName, currentUserDomainName);
interestingUsersGroups.AddRange(currentUserGroups);
WindowsIdentity identity = WindowsIdentity.GetCurrent();
IdentityReferenceCollection currentSIDs= identity.Groups;
foreach (IdentityReference group in identity.Groups)
{
string gName = "";
try
{
gName = UserInfo.SID2GroupName(group.ToString());
}
catch { }
currentUserSIDs[group.ToString()] = gName;
}
}
catch (Exception ex)
{
@ -301,27 +311,28 @@ namespace winPEAS
{
Beaprint.MainPrint("Drives Information", "T1120");
Beaprint.LinkPrint("", "Remember that you should search more info inside the other drives");
foreach (Dictionary<string, string> drive in SystemInfo.GetDrivesInfo())
{
string drive_permissions = String.Join(", ", MyUtils.GetPermissionsFolder(drive["Name"], interestingUsersGroups));
string dToPrint = " {0} (Type: {1})";
if (drive["Volume label"] != "")
dToPrint += "(Volume label: {2})";
if (drive["Filesystem"] != "")
dToPrint += "(Filesystem: {3})";
if (drive["Available space"] != "")
dToPrint += "(Available space: {4} GB)";
if (drive_permissions.Length > 0)
dToPrint += "(Permissions: {5})";
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
Dictionary<string, string> colorsSI = new Dictionary<string, string>()
{
{ "Permissions.*", Beaprint.ansi_color_bad}
};
Beaprint.AnsiPrint(String.Format(dToPrint, drive["Name"], drive["Type"], drive["Volume label"], drive["Filesystem"], (((Int64.Parse(drive["Available space"]) / 1024) / 1024) / 1024).ToString(), drive_permissions), colorsSI);
foreach (Dictionary<string, string> drive in SystemInfo.GetDrivesInfo())
{
string drive_permissions = String.Join(", ", MyUtils.GetPermissionsFolder(drive["Name"], currentUserSIDs));
string dToPrint = String.Format(" {0} (Type: {1})", drive["Name"], drive["Type"]);
if (!String.IsNullOrEmpty(drive["Volume label"]))
dToPrint += "(Volume label: "+ drive["Volume label"] + ")";
if (!String.IsNullOrEmpty(drive["Filesystem"]))
dToPrint += "(Filesystem: "+ drive["Filesystem"] + ")";
if (!String.IsNullOrEmpty(drive["Available space"]))
dToPrint += "(Available space: "+ (((Int64.Parse(drive["Available space"]) / 1024) / 1024) / 1024).ToString() + " GB)";
if (drive_permissions.Length > 0)
dToPrint += "(Permissions: "+ drive_permissions + ")";
Beaprint.AnsiPrint(dToPrint, colorsSI);
}
}
catch (Exception ex)
@ -435,11 +446,19 @@ namespace winPEAS
{
try
{
Beaprint.MainPrint("Current users", "T1087&T1069&T1033");
Beaprint.MainPrint("Users", "T1087&T1069&T1033");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups", "Check if you have some admin equivalent privileges");
List<string> users_grps = UserInfo.GetMachineUsers(false, false, false, false, true);
Beaprint.AnsiPrint(" Current user: " + currentUserName, colorsU());
List<string> currentGroupsNames = new List<string>();
foreach (KeyValuePair<string,string> g in currentUserSIDs)
currentGroupsNames.Add(String.IsNullOrEmpty(g.Value) ? g.Key : g.Value);
Beaprint.AnsiPrint(" Current groups: " + String.Join(", ", currentGroupsNames), colorsU());
Beaprint.PrintLineSeparator();
Beaprint.ListPrint(users_grps, colorsU());
}
catch (Exception ex)
@ -582,7 +601,7 @@ namespace winPEAS
List<string> user_folders = UserInfo.GetUsersFolders();
foreach (string ufold in user_folders)
{
string perms = String.Join(", ", MyUtils.GetPermissionsFolder(ufold, interestingUsersGroups));
string perms = String.Join(", ", MyUtils.GetPermissionsFolder(ufold, currentUserSIDs));
if (perms.Length > 0)
Beaprint.BadPrint(" " + ufold + " : " + perms);
else
@ -661,10 +680,10 @@ namespace winPEAS
proc_info["Product"] = ProcessesInfo.browserProcesses[proc_info["Name"]].ToString();
}
List<string> file_rights = MyUtils.GetPermissionsFile(proc_info["ExecutablePath"], interestingUsersGroups);
List<string> file_rights = MyUtils.GetPermissionsFile(proc_info["ExecutablePath"], currentUserSIDs);
List<string> dir_rights = new List<string>();
if (proc_info["ExecutablePath"] != null && proc_info["ExecutablePath"] != "")
dir_rights = MyUtils.GetPermissionsFolder(Path.GetDirectoryName(proc_info["ExecutablePath"]), interestingUsersGroups);
dir_rights = MyUtils.GetPermissionsFolder(Path.GetDirectoryName(proc_info["ExecutablePath"]), currentUserSIDs);
string formString = " {0}({1})[{2}]";
if (proc_info["Product"] != null && proc_info["Product"].Length > 1)
@ -708,26 +727,20 @@ namespace winPEAS
/////////////////////////////////////////////////
private static void PrintInfoServices()
{
/// Start finding Modifiable services so any function could use them
Dictionary<string, string> mod_services = new Dictionary<string, string>();
try
{
mod_services = ServicesInfo.GetModifiableServices();
mod_services = ServicesInfo.GetModifiableServices(currentUserSIDs);
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format("{0}", ex));
}
void PrintInterestingServices()
{
/* Colors Code
* RED:
* ---- Write privilege in path or path without quotes and some space
* ---- Startmode = Auto
* GREEN:
* ---- No write privileges
* ---- Startmode = Manual
*/
try
{
Beaprint.MainPrint("Interesting Services -non Microsoft-", "T1007");
@ -740,11 +753,11 @@ namespace winPEAS
foreach (Dictionary<string, string> service_info in services_info)
{
List<string> file_rights = MyUtils.GetPermissionsFile(service_info["FilteredPath"], interestingUsersGroups);
List<string> file_rights = MyUtils.GetPermissionsFile(service_info["FilteredPath"], currentUserSIDs);
List<string> dir_rights = new List<string>();
if (service_info["FilteredPath"] != null && service_info["FilteredPath"] != "")
dir_rights = MyUtils.GetPermissionsFolder(Path.GetDirectoryName(service_info["FilteredPath"]), interestingUsersGroups);
dir_rights = MyUtils.GetPermissionsFolder(Path.GetDirectoryName(service_info["FilteredPath"]), currentUserSIDs);
bool no_quotes_and_space = MyUtils.CheckQuoteAndSpace(service_info["PathName"]);
@ -826,7 +839,7 @@ namespace winPEAS
{
Beaprint.MainPrint("Looking if you can modify any service registry", "");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
List<Dictionary<string, string>> regPerms = ServicesInfo.GetWriteServiceRegs(interestingUsersGroups);
List<Dictionary<string, string>> regPerms = ServicesInfo.GetWriteServiceRegs(currentUserSIDs);
Dictionary<string, string> colorsWR = new Dictionary<string, string>()
{
@ -891,8 +904,8 @@ namespace winPEAS
{
Beaprint.MainPrint("Current Active Window Application", "T1010&T1518");
string title = ApplicationInfo.GetActiveWindowTitle();
List<string> permsFile = MyUtils.GetPermissionsFile(title, interestingUsersGroups);
List<string> permsFolder = MyUtils.GetPermissionsFolder(title, interestingUsersGroups);
List<string> permsFile = MyUtils.GetPermissionsFile(title, currentUserSIDs);
List<string> permsFolder = MyUtils.GetPermissionsFolder(title, currentUserSIDs);
if (permsFile.Count > 0)
{
Beaprint.BadPrint(" " + title);
@ -968,7 +981,7 @@ namespace winPEAS
{
Beaprint.MainPrint("Autorun Applications", "T1010");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup", "Check if you can modify other users AutoRuns binaries");
List<Dictionary<string, string>> apps = ApplicationInfo.GetAutoRuns(interestingUsersGroups);
List<Dictionary<string, string>> apps = ApplicationInfo.GetAutoRuns(currentUserSIDs);
foreach (Dictionary<string, string> app in apps)
{
@ -1028,8 +1041,8 @@ namespace winPEAS
foreach (Dictionary<string, string> sapp in scheduled_apps)
{
List<string> file_rights = MyUtils.GetPermissionsFile(sapp["Action"], interestingUsersGroups);
List<string> dir_rights = MyUtils.GetPermissionsFolder(sapp["Action"], interestingUsersGroups);
List<string> file_rights = MyUtils.GetPermissionsFile(sapp["Action"], currentUserSIDs);
List<string> dir_rights = MyUtils.GetPermissionsFolder(sapp["Action"], currentUserSIDs);
string formString = " ({0}) {1}: {2}";
if (file_rights.Count > 0)
formString += "\n Permissions file: {3}";
@ -1183,8 +1196,8 @@ namespace winPEAS
Beaprint.GrayPrint(" DENY rules:");
foreach (Dictionary<string, string> rule in NetworkInfo.GetFirewallRules())
{
string file_perms = String.Join(", ", MyUtils.GetPermissionsFile(rule["AppName"], interestingUsersGroups));
string folder_perms = String.Join(", ", MyUtils.GetPermissionsFolder(rule["AppName"], interestingUsersGroups));
string file_perms = String.Join(", ", MyUtils.GetPermissionsFile(rule["AppName"], currentUserSIDs));
string folder_perms = String.Join(", ", MyUtils.GetPermissionsFolder(rule["AppName"], currentUserSIDs));
string formString = " ({0}){1}[{2}]: {3} {4} {5} from {6} --> {7}";
if (file_perms.Length > 0)
formString += "\n File Permissions: {8}";
@ -1995,6 +2008,10 @@ namespace winPEAS
[STAThread]
static void Main(string[] args)
{
//WindowsIdentity identity = WindowsIdentity.GetCurrent();
//foreach(IdentityReference group in identity.Groups)
// System.Console.WriteLine(identity.Groups);
//Check parameters
bool check_all = true;
bool check_si = false;
@ -2138,7 +2155,7 @@ namespace winPEAS
* List Drivers ==> but how do I know if a driver is malicious?
*/
//System.Console.ReadLine(); //For debugging
System.Console.ReadLine(); //For debugging
}
}
}
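Review bot: `currentUserSIDs` is filled only from `identity.Groups` in the "Creating current user groups list" hunk, and that collection holds the token's group SIDs, not the account's own SID (`identity.User`). Every permission check that now receives `currentUserSIDs` would therefore miss an ACE granted directly to the current user, which the removed `interestingUsersGroups` list covered through `currentUserName`. Unless the user SID is added outside these hunks, add `currentUserSIDs[identity.User.ToString()] = currentUserName;` after the loop. The local `currentSIDs` is assigned and never read, so it can be dropped. Separately, the last hunk appears to re-enable `System.Console.ReadLine(); //For debugging`, which would leave the program waiting for input at the end of a run.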

@ -15,9 +15,13 @@ namespace winPEAS
{
class ServicesInfo
{
///////////////////////////////////////////////
//// Non Standard Services (Non Microsoft) ////
///////////////////////////////////////////////
public static List<Dictionary<string, string>> GetNonstandardServices()
{
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
try
{
ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT * FROM win32_service");
@ -74,6 +78,7 @@ namespace winPEAS
foreach (string key in MyUtils.GetRegSubkeys("HKLM", @"SYSTEM\CurrentControlSet\Services"))
{
Dictionary<string, object> key_values = MyUtils.GetRegValues("HKLM", @"SYSTEM\CurrentControlSet\Services\" + key);
if (key_values.ContainsKey("DisplayName") && key_values.ContainsKey("ImagePath"))
{
string companyName = "";
@ -146,99 +151,11 @@ namespace winPEAS
return results;
}
public static List<Dictionary<string, string>> GetWriteServiceRegs(List<string> NtAccountNames)
{
List<Dictionary<string,string>> results = new List<Dictionary<string, string>>();
try
{
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services");
foreach (string serviceRegName in regKey.GetSubKeyNames())
{
RegistryKey key = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services\" + serviceRegName);
List<string> perms = MyUtils.CheckAccessReg(key, NtAccountNames);
if (perms.Count > 0)
{
results.Add(new Dictionary<string, string> {
{ "Path", @"HKLM\system\currentcontrolset\services\" + serviceRegName },
{ "Permissions", string.Join(", ", perms) }
});
}
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static List<Dictionary<string, string>> GetRegistryAutoRuns(List<string> NtAccountNames)
{
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
try
{
string[] autorunLocations = new string[] {
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
};
foreach (string autorunLocation in autorunLocations)
{
Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
if ((settings != null) && (settings.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in settings)
{
RegistryKey key = Registry.LocalMachine.OpenSubKey(autorunLocation);
string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));
results.Add(new Dictionary<string, string>() {
{ "Reg", "HKLM\\"+autorunLocation },
{ "Folder", folder },
{ "File", filepath },
{ "RegPermissions", string.Join(", ", MyUtils.CheckAccessReg(key, NtAccountNames)) },
{ "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups))},
{ "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
});
}
}
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
public static Dictionary<string, string> GetPathDLLHijacking()
{
Dictionary<string, string> results = new Dictionary<string, string>();
try
{
var path_env = Environment.GetEnvironmentVariable("PATH");
List<string> folders = path_env.Split(';').ToList();
foreach (string folder in folders)
{
results[folder] = String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups));
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
//////////////////////////////////////////
/////// Find Modifiable Services ////////
//////////////////////////////////////////
/// Find services that you can modify using PS os sc for example
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool QueryServiceObjectSecurity(
IntPtr serviceHandle,
@ -246,7 +163,7 @@ namespace winPEAS
byte[] lpSecDesrBuf,
uint bufSize,
out uint bufSizeNeeded);
public static Dictionary<string,string> GetModifiableServices()
public static Dictionary<string, string> GetModifiableServices(Dictionary<string, string> SIDs)
{
Dictionary<string, string> results = new Dictionary<string, string>();
@ -291,17 +208,15 @@ namespace winPEAS
RawAcl racl = rsd.DiscretionaryAcl;
DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);
WindowsIdentity identity = WindowsIdentity.GetCurrent();
string permissions = "";
foreach (System.Security.AccessControl.CommonAce ace in dacl)
{
if (identity.Groups.Contains(ace.SecurityIdentifier))
if (SIDs.ContainsKey(ace.SecurityIdentifier.ToString()))
{
int serviceRights = ace.AccessMask;
string current_perm_str = MyUtils.permInt2Str(serviceRights, true);
string current_perm_str = MyUtils.PermInt2Str(serviceRights, true);
if (!String.IsNullOrEmpty(current_perm_str))
permissions += current_perm_str;
}
@ -309,7 +224,7 @@ namespace winPEAS
if (!String.IsNullOrEmpty(permissions))
results.Add(sc.ServiceName, permissions);
}
catch (Exception ex)
{
@ -318,5 +233,113 @@ namespace winPEAS
}
return results;
}
//////////////////////////////////////////
/////// Find Write reg. Services ////////
//////////////////////////////////////////
/// Find Services which Reg you have write or equivalent access
public static List<Dictionary<string, string>> GetWriteServiceRegs(Dictionary<string,string> NtAccountNames)
{
List<Dictionary<string,string>> results = new List<Dictionary<string, string>>();
try
{
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services");
foreach (string serviceRegName in regKey.GetSubKeyNames())
{
RegistryKey key = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services\" + serviceRegName);
List<string> perms = MyUtils.GetMyPermissionsR(key, NtAccountNames);
if (perms.Count > 0)
{
results.Add(new Dictionary<string, string> {
{ "Path", @"HKLM\system\currentcontrolset\services\" + serviceRegName },
{ "Permissions", string.Join(", ", perms) }
});
}
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
//////////////////////////////////////
/////// Get Autorun Registry ////////
//////////////////////////////////////
/// Find Autoru registry where you have write or equivalent access
public static List<Dictionary<string, string>> GetRegistryAutoRuns(Dictionary<string,string> NtAccountNames)
{
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
try
{
string[] autorunLocations = new string[] {
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
"SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
};
foreach (string autorunLocation in autorunLocations)
{
Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
if ((settings != null) && (settings.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in settings)
{
RegistryKey key = Registry.LocalMachine.OpenSubKey(autorunLocation);
string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));
results.Add(new Dictionary<string, string>() {
{ "Reg", "HKLM\\"+autorunLocation },
{ "Folder", folder },
{ "File", filepath },
{ "RegPermissions", string.Join(", ", MyUtils.GetMyPermissionsR(key, NtAccountNames)) },
{ "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs))},
{ "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.currentUserSIDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
});
}
}
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
//////////////////////////////////////
//////// PATH DLL Hijacking /////////
//////////////////////////////////////
/// Look for write or equivalent permissions on ay folder in PATH
public static Dictionary<string, string> GetPathDLLHijacking()
{
Dictionary<string, string> results = new Dictionary<string, string>();
try
{
// grabbed from the registry instead of System.Environment.GetEnvironmentVariable to prevent false positives
string path = MyUtils.GetRegValue("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "Path");
if (String.IsNullOrEmpty(path))
path = Environment.GetEnvironmentVariable("PATH");
List<string> folders = path.Split(';').ToList();
foreach (string folder in folders)
results[folder] = String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs));
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return results;
}
}
}
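Review bot: In `GetWriteServiceRegs` a single `try`/`catch` wraps the whole `foreach`, so the first service key that cannot be opened or read ends the enumeration and every later service goes unchecked, with only a gray exception line hinting that the result is partial. Move the handler inside the loop, skip a key for which `OpenSubKey` returns null, and dispose each handle with `using`. `GetRegistryAutoRuns` has the same shape and also reopens `autorunLocation` once per value without closing it. The parameter is still named `NtAccountNames` although it now carries a SID-to-name dictionary; `SIDs`, as in `GetModifiableServices`, would read better.

```csharp
foreach (string serviceRegName in regKey.GetSubKeyNames())
{
    try
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services\" + serviceRegName))
        {
            if (key == null)
                continue;
            List<string> perms = MyUtils.GetMyPermissionsR(key, NtAccountNames);
            // … unchanged: add the Path/Permissions entry when perms.Count > 0 …
        }
    }
    catch (Exception ex)
    {
        // One unreadable key must not hide the remaining services
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
}
```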

@ -349,6 +349,53 @@ namespace winPEAS
return myItems;
}
public static string SID2GroupName(string SID)
{
string groupName = "";
ContextType ct = ContextType.Domain;
if (Program.currentUserIsLocal)
ct = ContextType.Machine;
try
{
groupName = GetSIDGroupName(SID, ct);
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}\n Checking using the other Principal Context", ex.Message));
try
{
if (ct == ContextType.Machine)
groupName = GetSIDGroupName(SID, ContextType.Domain);
else
groupName = GetSIDGroupName(SID, ContextType.Machine);
}
catch
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}\n Checking using the other Principal Context"));
}
}
return groupName;
}
public static string GetSIDGroupName(string SID, ContextType ct)
{
string groupName = "";
try
{
var ctx = new PrincipalContext(ct);
var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.Sid, SID);
return group.SamAccountName.ToString();
}
catch (Exception ex)
{
Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
}
return groupName;
}
public static UserPrincipal GetUser(string sUserName, string domain)
{
UserPrincipal user = null;
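Review bot: The inner `catch` in `SID2GroupName` calls `String.Format(" [X] Exception: {0}\n Checking using the other Principal Context")` with a `{0}` placeholder and no argument, so it throws a `FormatException` from inside the handler instead of logging. Replace it with a plain message such as `Beaprint.GrayPrint(" [X] SID not resolved in either Principal Context");`. The fallback to the other context is also unlikely to run, because `GetSIDGroupName` catches every exception itself and returns an empty string; testing `if (String.IsNullOrEmpty(groupName))` after the first call would make the second lookup reachable. `GetSIDGroupName` dereferences `group` without a null check and never disposes the `PrincipalContext`, so a `using` block and `if (group == null) return groupName;` are worth adding.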

@ -7,3 +7,12 @@ D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\o
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.csproj.CopyComplete
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.exe
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.pdb
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Debug\winPEAS.exe.config
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Debug\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Debug\winPEAS.pdb
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\bin\x64\Debug\Microsoft.Win32.TaskScheduler.xml
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.csprojAssemblyReference.cache
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.csproj.Fody.CopyLocal.cache
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.csproj.CopyComplete
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.exe
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\winPEAS\obj\x64\Debug\winPEAS.pdb

@ -1 +1 @@
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\packages\TaskScheduler.2.8.16\lib\net40\Microsoft.Win32.TaskScheduler.xml
D:\shared\privilege-escalation-awesome-scripts-suite-master\winPEAS\winPEASexe\packages\TaskScheduler.2.8.16\lib\net40\Microsoft.Win32.TaskScheduler.xml

@ -11,7 +11,7 @@
<StartArguments>cmd fast</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x64'">
<StartArguments>help</StartArguments>
<StartArguments>fast</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x86'">
<StartArguments>