peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz

WinPEAS.ps1 uses `%username%` in STARTUP APPLICATIONS #376

Closed zjkmxy closed 1 year ago

zjkmxy commented 1 year ago

If you are going to suggest something, please remove the following template. If your issue is related with WinPEAS.ps1 please mention https://github.com/RandolphConley: @RandolphConley

Issue description

In the STARTUP APPLICATIONS Vulnerable Check section, the script uses %username% in one path:

https://github.com/carlospolop/PEASS-ng/blob/667bb5220d0d2fc5341e088c446e63622deea42e/winPEAS/winPEASps1/winPEAS.ps1#L730-L730

This path does not work in PowerShell. I think it should be $env:USERNAME.

Steps to reproduce the issue

  1. Run gci "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup" and check that the folder is non-empty.
  2. Run .\winPEAS.ps1
  3. The path C:\Documents and Settings\<current user name>\Start Menu is missing from the output.

Which parameters did you use for executing the script and how did you execute it?

None.

If winpeas, did you use a clean or obfuscated winpeas, and for which architecture?

N/A

Is there any AV / Threat protection in the system?

Yes but irrelevant.

Please, indicate the OS, the OS version, and the kernel version (build number in case of Windows)

Please, indicate the check that is failing and add a screenshot showing the problem

The output of winPEAS.ps1 is

Identity BUILTIN\Administrators has 'FullControl' perms for C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Identity BUILTIN\Administrators BUILTIN\Administrators has 'FullControl' perms for C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Identity BUILTIN\Administrators has 'FullControl' perms for C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

But if we check the desired folder manually, it is non-empty:

gci "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup"

    Directory: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---            7/2/2023    01:37           1316 Send to OneNote.lnk

And the current user has access to it:

(get-acl "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup\Send to OneNote.lnk").Owner -like "*\$env:USERNAME"

True

How did you expect it to work?

MACHINENAME\Administrator has ownership of C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Identity MACHINENAME\Administrator has 'FullControl' perms for C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

Additional details / screenshot
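
The following is an added example (not PEASS-ng code and not written by anyone in this thread) that demonstrates the root cause of the report, that a cmd.exe-style %username% token is never expanded by PowerShell, and then performs the kind of check the failing section is meant to do: resolve the per-user and all-users Startup folders from the shell's special-folder table instead of a hardcoded profile path, and report any folder that a broad, non-administrative group can write to. It assumes a Windows host with English-language well-known group names (the entries in $broadIdentities are localized on non-English systems) and PowerShell 5.1 or later; all function and variable names are this example's own.

```powershell
# Added example, not part of PEASS-ng. Assumption: Windows, PowerShell 5.1+.

# 1. %username% is a cmd.exe token. PowerShell leaves it as literal text, so the
#    path simply does not exist; $env:USERNAME inside double quotes does expand.
$cmdStyle = 'C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$psStyle  = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

"cmd-style token exists:   $(Test-Path -LiteralPath $cmdStyle)"   # False on any normal host
"PowerShell variable exists: $(Test-Path -LiteralPath $psStyle)"  # True for a standard profile

# If a string genuinely carries %VAR% tokens (for example a value read from the
# registry), expand them explicitly rather than relying on the shell.
$expanded = [Environment]::ExpandEnvironmentVariables($cmdStyle)
"Expanded via .NET:        $expanded"

# 2. Resolve both Startup folders from the shell's special-folder table. This also
#    avoids hardcoding "Documents and Settings", which is only a junction to C:\Users.
$startupFolders = @(
    [Environment]::GetFolderPath([Environment+SpecialFolder]::Startup),        # current user
    [Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup)   # all users
)

# Identities that any interactive, non-admin user belongs to. Write access for one of
# these means such a user can place an item that runs at every logon.
$broadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating or replacing files in the folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-StartupFolderRisk {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $acl = Get-Acl -LiteralPath $path
        $itemCount = (Get-ChildItem -LiteralPath $path -Force -File | Measure-Object).Count

        foreach ($ace in $acl.Access) {
            # Note: inherit-only ACEs carrying generic rights show up as raw integers
            # (e.g. 268435456 for GENERIC_ALL) and are not matched by this mask.
            $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                           (($ace.FileSystemRights -band $writeMask) -ne 0)

            if ($grantsWrite -and ($broadIdentities -contains $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Path     = $path
                    Owner    = $acl.Owner
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                    Items    = $itemCount
                }
            }
        }
    }
}

# Report folders a broad group can write to; an empty result is the expected, healthy case.
Get-StartupFolderRisk -Paths $startupFolders | Format-Table -AutoSize
```

The first two Test-Path lines reproduce the bug in isolation: the literal "%username%" path is never found, which is why the per-user folder silently drops out of a check that builds its path that way. Get-StartupFolderRisk then does what the STARTUP APPLICATIONS section intends, but keyed on the folders Windows itself reports rather than on a profile path that differs between Windows versions; the Owner field is the same value the reporter expected to see in the output.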

RandolphConley commented 1 year ago

Thank you for pointing this out! This will be fixed with the next pull request.

carlospolop commented 1 year ago

I think this was fixed. Feel free to reopen if it wasn't