peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

Home Page:https://book.hacktricks.xyz

WinPEAS.ps1 uses `%username%` in STARTUP APPLICATIONS

zjkmxy opened this issue · comments

If you are going to suggest something, please remove the following template.
If your issue is related with WinPEAS.ps1 please mention https://github.com/RandolphConley: @RandolphConley

Issue description

In the STARTUP APPLICATIONS Vulnerable Check section, the script uses %username% in one path:

https://github.com/carlospolop/PEASS-ng/blob/667bb5220d0d2fc5341e088c446e63622deea42e/winPEAS/winPEASps1/winPEAS.ps1#L730-L730

This path does not work in PowerShell. I think it should be $env:USERNAME.

Steps to reproduce the issue

  1. Run gci "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup" and check the folder is non-empty.
  2. Run .\winPEAS.ps1
  3. The path C:\Documents and Settings\<current user name>\Start Menu is missing in the output

Which parameters did you use for executing the script and how did you execute it?

None.

If winpeas, did you use a clean or obfuscated winpeas, and for which architecture?

N/A

Is there any AV / Threat protection in the system?

Yes but irrelevant.

Please, indicate the OS, the OS version, and the kernel version (build number in case of Windows)

  • Windows 11 10.0.23466
  • PowerShell 7.3.6
  • Windows PowerShell 5.1.23466.1001

Please, indicate the check that is failing and add a screenshot showing the problem

The output of winPEAS.ps1 is

Identity BUILTIN\Administrators has 'FullControl' perms for C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Identity BUILTIN\Administrators BUILTIN\Administrators has 'FullControl' perms for C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Identity BUILTIN\Administrators has 'FullControl' perms for C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

But if we check the desired folder manually, it is non-empty

gci "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup"

    Directory: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---            7/2/2023    01:37           1316 Send to OneNote.lnk

And the current user has access to it:

(get-acl "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup\Send to OneNote.lnk").Owner -like "*\$env:USERNAME"

True

How did you expect it to work?

MACHINENAME\Administrator has ownership of C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Identity MACHINENAME\Administrator has 'FullControl' perms for C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

Additional details / screenshot
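As an added illustration of the bug described above (this is example code written for this page, not winPEAS or the project's own code): PowerShell never expands a cmd.exe-style `%username%` token inside a string, so the path is a literal that `Test-Path` rejects, while `$env:USERNAME` (or an explicit `ExpandEnvironmentVariables` call) resolves. The second function audits the same startup folders the issue output lists; the legacy "Documents and Settings" path layout is assumed from the issue and may need adjusting on other hosts.

```powershell
# Added example (not winPEAS code): shows why a literal %username% in a
# PowerShell string never resolves, and the $env:USERNAME form that does.
# Paths are assumed to follow the legacy "Documents and Settings" junction
# layout described in the issue; adjust for your host.

function Get-StartupFolderPaths {
    param([string]$UserName = $env:USERNAME)
    # Buggy form: PowerShell does not expand cmd.exe-style %VAR% tokens, so
    # this stays a literal string and Test-Path on it returns $false.
    $broken = "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
    # Corrected forms: interpolate the variable directly, or let .NET expand
    # %VAR% tokens explicitly if the string must keep that syntax.
    $fixed    = "C:\Documents and Settings\$UserName\Start Menu\Programs\Startup"
    $expanded = [Environment]::ExpandEnvironmentVariables($broken)
    [pscustomobject]@{
        Broken       = $broken
        BrokenExists = (Test-Path -LiteralPath $broken)
        Fixed        = $fixed
        FixedExists  = (Test-Path -LiteralPath $fixed)
        Expanded     = $expanded
    }
}

function Test-StartupFolderOwnership {
    # Report each startup folder (all users + current user) that exists,
    # its owner, and which identities hold write-capable rights on it.
    param([string]$UserName = $env:USERNAME)
    $paths = @(
        "C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
        "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "C:\Documents and Settings\$UserName\Start Menu\Programs\Startup",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        $writers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.FileSystemRights -match 'FullControl|Modify|Write' } |
            ForEach-Object { "$($_.IdentityReference) ($($_.FileSystemRights))" }
        [pscustomobject]@{ Path = $p; Owner = $acl.Owner; WriteAccess = ($writers -join '; ') }
    }
}

Get-StartupFolderPaths | Format-List
Test-StartupFolderOwnership | Format-Table -AutoSize
```

On the reporter's host the first call should show `BrokenExists` as `False` and `FixedExists` as `True`, and the second should list the current user's startup folder that the original check skipped.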

Thank you for pointing this out! This will be fixed with the next pull request.

I think this was fixed. Feel free to reopen if it wasn't