WinPEAS.ps1 uses `%username%` in STARTUP APPLICATIONS
zjkmxy opened this issue · comments
If your issue is related with WinPEAS.ps1 please mention https://github.com/RandolphConley: @RandolphConley
Issue description
In the STARTUP APPLICATIONS Vulnerable Check section, the script uses `%username%` in one path:

This path does not work in PowerShell. I think it should be `$env:USERNAME`.
Steps to reproduce the issue
- Run `gci "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup"` and check the folder is non-empty.
- Run `.\winPEAS.ps1`
- The path `C:\Documents and Settings\<current user name>\Start Menu` is missing in the output
Which parameters did you use for executing the script and how did you execute it?
None.
If winpeas, did you use a clean or obfuscated winpeas, and for which architecture?
N/A
Is there any AV / Threat protection in the system?
Yes but irrelevant.
Please, indicate the OS, the OS version, and the kernel version (build number in case of Windows)
- Windows 11 10.0.23466
- PowerShell 7.3.6
- Windows PowerShell 5.1.23466.1001
Please, indicate the check that is failing and add a screenshot showing the problem
The output of `winPEAS.ps1` is

```
Identity BUILTIN\Administrators has 'FullControl' perms for C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Identity BUILTIN\Administrators BUILTIN\Administrators has 'FullControl' perms for C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Identity BUILTIN\Administrators has 'FullControl' perms for C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
```

But if we check the desired folder manually, it is non-empty:

```
PS> gci "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup"

    Directory: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---            7/2/2023 01:37           1316 Send to OneNote.lnk
```

And the current user has access to it:

```
PS> (get-acl "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup\Send to OneNote.lnk").Owner -like "*\$env:USERNAME"
True
```
How did you expect it to work?
```
MACHINENAME\Administrator has ownership of C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Identity MACHINENAME\Administrator has 'FullControl' perms for C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
```
Additional details / screenshot
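As an added illustration (not winPEAS code, and not part of the original issue), the snippet below shows why a literal `%username%` never resolves in PowerShell and how the per-user startup folder check behaves once the path is built from `$env:USERNAME`. The function names, the legacy `C:\Documents and Settings` path and the modern `%APPDATA%` startup path are assumptions for the example.

```powershell
# Added example: demonstrate the %username% vs $env:USERNAME difference and
# audit the resulting startup folders. Not taken from winPEAS.ps1.
function Get-UserStartupPaths {
    $literal = 'C:\Documents and Settings\%username%\Start Menu\Programs\Startup'
    # PowerShell does not expand cmd-style %VAR% tokens; the string stays verbatim.
    $unexpanded = $literal
    # .NET can expand them explicitly if the cmd-style form must be kept.
    $expanded = [Environment]::ExpandEnvironmentVariables($literal)
    # Idiomatic PowerShell: read the variable from the env: provider.
    $legacy = "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup"
    # Assumed modern per-user startup location (AppData roaming profile).
    $modern = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    [PSCustomObject]@{
        Unexpanded = $unexpanded
        Expanded   = $expanded
        Legacy     = $legacy
        Modern     = $modern
    }
}

function Get-StartupItemOwners {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # The unexpanded %username% path always ends up here, which is
            # why the check silently skips the current user's folder.
            Write-Warning "Not present: $p"
            continue
        }
        Get-ChildItem -LiteralPath $p -Force -File | ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            [PSCustomObject]@{
                Path               = $_.FullName
                Owner              = $acl.Owner
                OwnedByCurrentUser = ($acl.Owner -like "*\$env:USERNAME")
            }
        }
    }
}

$paths = Get-UserStartupPaths
Get-StartupItemOwners -Paths @($paths.Unexpanded, $paths.Legacy, $paths.Modern) |
    Format-Table -AutoSize
```

Running it as the user from the report should warn for the `%username%` path and list `Send to OneNote.lnk` under the `$env:USERNAME` path with `OwnedByCurrentUser` set to `True`.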
Thank you for pointing this out! This will be fixed with the next pull request.
I think this was fixed. Feel free to reopen if it wasn't