Closed Tib3rius closed 4 years ago
Hi @Tib3rius, Thank you for using winPEAS, I'm glad that you like it. The last check made by winPEAS is to go through the entire hard drive looking for interesting files. In my tests this took 5-10 mins (already a lot) but I have seen that on other hosts (with more files) this can take forever. This is no longer going to be a problem with the next version (I will upload the new version this weekend/next week) but at the moment, please take a look at the available arguments. There is one called "fast" that will avoid this last check, so you will no longer have this problem (although winPEAS won't check for interesting files).
Please, feel free to reopen the issue if this doesn't fix your problem.
Hi @carlospolop unfortunately this doesn't fix the issue. As I initially stated, this happens even with basic checks that don't search the filesystem. For example:
.\winPEASany.exe quiet fast userinfo
This runs through the user checks very quickly, and then hangs. If I press "Enter" the program seems to exit and I get a command prompt back. This is fine when running the program in a native command prompt, however when running via a reverse shell, pressing Enter does nothing, the program still hangs and it effectively makes the shell useless.
Oh, that is quite weird as I have used it in some reverse shells and didn't have any problem. Could I know which reverse shell you are using, to try to recreate the environment?
Sure thing. This was done on Windows 10. I used msfvenom's windows/x64/shell_reverse_tcp payload (saved to .exe format). Simple netcat listener to catch the shell.
You can totally see this happen in a regular Windows command prompt though. After running the winPEAS command, you'll get output, and then winPEAS will hang, and you won't see a regular command prompt (i.e. C:\Windows>) until you press Enter, at which point it will appear. That seems like the underlying issue, that for whatever reason after finishing it doesn't "properly" exit the program back to the command prompt. I'm not really that familiar with the Windows command prompt though, so I can't really comment on why it could be happening.
I just looked over the code. Is it possible this is the culprit?
ReadLine() could be blocking until it receives input from the command line (in my case, pressing Enter).
You are right, I forgot to comment that line. I'm so sorry for that man, I was so excited when I discovered dotfuscator for minimising the size and evading Defender that I forgot about commenting that line. This will be solved in the next version and I will try to release it asap. Thank you for letting me know.
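The blocking pattern identified in the comments above, beside a form that cannot hang a non-interactive shell. This is an added example and not winPEAS code: the `PauseAlways`/`PauseIfInteractive` helpers and the opt-in `pause` argument are hypothetical.

```csharp
using System;

class DebugPause
{
    // Reconstruction of the problem: an unconditional pause left in for debugging.
    // When stdin is a pipe or socket (as in a reverse shell) nothing ever sends a
    // line terminator, so ReadLine() blocks forever and the caller's shell is stuck.
    static void PauseAlways()
    {
        Console.ReadLine();
    }

    // Hardened form: pause only when explicitly requested AND a real console is
    // attached. Console.IsInputRedirected is true whenever stdin is not a console
    // handle (pipe, file or socket), which is exactly the reverse-shell case.
    static bool PauseIfInteractive(string[] args)
    {
        // "pause" is a hypothetical opt-in flag, not a real winPEAS argument.
        bool wantPause = Array.Exists(args,
            a => a.Equals("pause", StringComparison.OrdinalIgnoreCase));
        if (!wantPause || Console.IsInputRedirected || !Environment.UserInteractive)
            return false;                 // skipped: never blocks a non-interactive shell

        Console.WriteLine("Press Enter to exit...");
        Console.ReadLine();
        return true;
    }

    static void Main(string[] args)
    {
        Console.WriteLine("checks finished");
        PauseIfInteractive(args);         // returns immediately under a reverse shell
    }
}
```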
Awesome, I may try to compile it myself either way. :)
Yeah, let me know if you have any problems compiling with dotfuscator!
Hi @Tib3rius, this problem was fixed in the new version. Thank you for notifying me of it. I would like to invite you to the telegram PEASS group for commenting on future bugs/improvements faster.
I've started using winPEAS and I love it, however I've noticed that for some reason it doesn't seem to ever "finish" running, even with basic checks that don't search the filesystem, for example. In order to complete the scan, you have to press Enter and it will show the command prompt again. This isn't an issue most of the time, but it does cause issues when running winPEAS in a reverse shell, because pressing Enter doesn't do anything, so you are left with a useless shell.
I tested it on the latest Windows 10 using winPEASany.exe.