Add Powershell history file

2024-11-20 12:39:21 +01:00 · 2020-06-22 18:35:13 +02:00 · 2020-06-22 18:35:13 +02:00 · 7618fc38f0
commit 7618fc38f0
parent c951fddf8e
2 changed files with 43 additions and 0 deletions
--- a/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
+++ b/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
@ -437,6 +437,23 @@ namespace winPEAS
            return results;
        }

+        public static string GetConsoleHostHistory()
+        {
+            string result = "";
+            try
+            {
+                
+                string searchLocation = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
+                if (System.IO.File.Exists(searchLocation))
+                    result = searchLocation;
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error: " + ex);
+            }
+            return result;
+        }
+
        public static List<Dictionary<string, string>> GetRecycleBin()
        {
            List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
--- a/winPEAS/winPEASexe/winPEAS/Program.cs
+++ b/winPEAS/winPEASexe/winPEAS/Program.cs
@ -1959,6 +1959,31 @@ namespace winPEAS
                }
            }

+            void PrintConsoleHostHistory()
+            {
+                try
+                {
+                    Beaprint.MainPrint("Powershell History", "");
+                    string console_host_history = InterestingFiles.GetConsoleHostHistory();
+                    if (console_host_history != "")
+                    {
+                        
+                        string text = File.ReadAllText(console_host_history);
+                        List<string> credStringsRegexPowershell = new List<string>(credStringsRegex);
+                        credStringsRegexPowershell.Add("CONVERTTO-SECURESTRING");
+
+                        if (MyUtils.ContainsAnyRegex(text.ToUpper(), credStringsRegexPowershell))
+                            Beaprint.BadPrint("    " + console_host_history + " (Potential credentials found)");
+                        else
+                            System.Console.WriteLine("    " + console_host_history);
+                    }
+                }
+                catch (Exception ex)
+                {
+                    Beaprint.GrayPrint(String.Format("{0}", ex));
+                }
+            }
+
            void PrintSAMBackups()
            {
                try
@ -2182,6 +2207,7 @@ namespace winPEAS
            PrintSSHKeysReg();
            PrintCloudCreds();
            PrintUnattendFiles();
+            PrintConsoleHostHistory();
            PrintSAMBackups();
            PrintMcAffeSitelistFiles();
            PrintCachedGPPPassword();