If you are going to suggest something, please remove the following template.
If your issue is related with WinPEAS.ps1 please mention https://github.com/RandolphConley: @RandolphConley
Issue description
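In the STARTUP APPLICATIONS Vulnerable Check section, the script uses %username% in one path: https://github.com/carlospolop/PEASS-ng/blob/667bb5220d0d2fc5341e088c446e63622deea42e/winPEAS/winPEASps1/winPEAS.ps1#L730-L730
This path does not work in PowerShell. I think it should be $env:USERNAME.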
Steps to reproduce the issue
Run gci "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup" and check the folder is non-empty.
Run .\winPEAS.ps1
The path C:\Documents and Settings\<current user name>\Start Menu is missing in the output
Which parameters did you use for executing the script and how did you execute it?
None.
If winpeas, did you use a clean or obfuscated winpeas, and for which architecture?
N/A
Is there any AV / Threat protection in the system?
Yes but irrelevant.
Please, indicate the OS, the OS version, and the kernel version (build number in case of Windows)
Windows 11 10.0.23466
PowerShell 7.3.6
Windows PowerShell 5.1.23466.1001
Please, indicate the check that is failing and add a screenshot showing the problem
The output of winPEAS.ps1 is
Identity BUILTIN\Administrators has 'FullControl' perms for C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Identity BUILTIN\Administrators BUILTIN\Administrators has 'FullControl' perms for C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Identity BUILTIN\Administrators has 'FullControl' perms for C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
But if we check the desired folder manually, it is non-empty
gci "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup"
    Directory: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---            7/2/2023    01:37           1316 Send to OneNote.lnk
And the current user has access to it:
(get-acl "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup\Send to OneNote.lnk").Owner -like "*\$env:USERNAME"
True
How did you expect it to work?
MACHINENAME\Administrator has ownership of C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Identity MACHINENAME\Administrator has 'FullControl' perms for C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
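The behaviour reported above, as an added example that is not part of the original issue or of winPEAS.ps1: PowerShell leaves cmd.exe-style `%username%` tokens literal, so the path never resolves and the check silently skips the per-user Startup folder. The function name `Resolve-StartupPath` and the `.\winPEAS.ps1` location are assumptions; the folder paths are the ones quoted in the issue.

```powershell
# Added example; Resolve-StartupPath is a hypothetical helper, not winPEAS code.
function Resolve-StartupPath {
    param([Parameter(Mandatory)][string]$Path)
    # PowerShell interpolates only $-variables in double-quoted strings.
    # %NAME% tokens stay literal unless expanded through the .NET API.
    [System.Environment]::ExpandEnvironmentVariables($Path)
}

$candidates = @(
    # cmd.exe syntax: stays literal in PowerShell, so the folder is never found
    'C:\Documents and Settings\%username%\Start Menu\Programs\Startup',
    # native PowerShell syntax, as proposed in the issue
    "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup"
)

foreach ($raw in $candidates) {
    $resolved = Resolve-StartupPath -Path $raw
    [pscustomobject]@{
        Raw            = $raw
        RawExists      = Test-Path -LiteralPath $raw        # False for the %username% form
        Resolved       = $resolved
        ResolvedExists = Test-Path -LiteralPath $resolved
    }

    # Once the path resolves, the owner and ACL entries become visible again.
    if (Test-Path -LiteralPath $resolved) {
        $acl = Get-Acl -LiteralPath $resolved
        "Owner of ${resolved}: $($acl.Owner)"
        $acl.Access |
            Where-Object { $_.FileSystemRights -match 'FullControl|Modify|Write' } |
            Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}

# Find any other cmd.exe-style tokens left in the script (path is an assumption).
$script = '.\winPEAS.ps1'
if (Test-Path -LiteralPath $script) {
    Select-String -LiteralPath $script -Pattern '%[A-Za-z_][A-Za-z0-9_]*%' |
        Select-Object LineNumber, Line
}
```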