From 8ea67f3cc2d394bebd459902bea90f8cc4616978 Mon Sep 17 00:00:00 2001
From: Gildasio Junior
Date: Fri, 28 Feb 2025 19:54:44 -0300
Subject: [PATCH 1/4] Set grep to show filename that contains passwords

This way one can identify which file contains the relevant information, eg:

/var/log/responder/Poisoners-Session.log:2025-02-09 21:12:12,701 - [*] Skipping previously captured cleartext password for donald
/var/log/responder/Responder-Session.log:11/02/2025 12:33:11 PM - [HTTP] Basic Password : bambam
/var/log/responder/Responder-Session.log:11/02/2025 12:36:12 PM - [HTTP] Basic Password : estrella
---
 .../linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh
index 9cce13c..fe3cfc9 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh
@@ -15,6 +15,6 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Searching passwords inside logs (limit 70)"
-  (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
+  (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -H -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED},"
   echo ""
-fi
\ No newline at end of file
+fi
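Review bot: The added `-H` prefixes every match with its path, but the `sed '/^.\{150\}./d'` filter that follows still measures the whole line, so a hit that fit before now gets dropped once a prefix like `/var/log/responder/Responder-Session.log:` pushes it past 150 characters; the length check should skip the filename field, e.g. `sed -${E} '/^[^:]*:.{150}./d'` (paths under /var/log rarely contain a colon, so the first colon is a safe delimiter). `-R` is redundant now that find hands grep one regular file at a time, and `-exec grep -H -i "pwd\|passw" {} +` would batch the calls instead of forking one grep per log file. Note also that with the path in front, `sort | uniq` no longer collapses identical lines found in several files, so the 70-line cap fills sooner; a one-line comment above the pipeline (`# -H: prefix path so the hit can be traced back to its log; dedupe is now per file`) would save the next reader from wondering.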
From 0b041ad69481eedd671b862cf348ffc3b063087b Mon Sep 17 00:00:00 2001
From: Signum21
Date: Sun, 16 Mar 2025 05:43:48 +0100
Subject: [PATCH 2/4] Handle path access denied

The program crashes when trying to access a path that is not allowed. An exampe of this can be found on the latest HackTheBox machine (TheFrizz) where the starting user can't access the path C:\Users
---
 winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
index c183446..5fb7e50 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
@@ -184,9 +184,17 @@ namespace winPEAS.Helpers
         //////////////////////
         public static List ListFolder(String path)
         {
-            string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
-            var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
-            return dirs.ToList();
+            try
+            {
+                string root = @Path.GetPathRoot(Environment.SystemDirectory) + path;
+                var dirs = from dir in Directory.EnumerateDirectories(root) select dir;
+                return dirs.ToList();
+            }
+            catch(Exception ex)
+            {
+                //Path can't be accessed
+                return new List();
+            }
         }
 
         internal static byte[] CombineArrays(byte[] first, byte[] second)
From d63e737b631741e71867d5c58d92c54a7b24b0a5 Mon Sep 17 00:00:00 2001
From: jahway603
Date: Tue, 18 Mar 2025 12:33:50 -0400
Subject: [PATCH 3/4] Minor URL fix

---
 winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
index 5d6b00a..a5c5935 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
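Review bot: `catch(Exception ex)` in the new ListFolder body swallows every exception, not just the access-denied case the commit message describes, and `ex` is never used (the compiler warns about that); narrow it to the conditions you actually expect and drop the variable: `catch (UnauthorizedAccessException) { return new List(); }` with a second `catch (IOException)` for a root that does not exist or cannot be enumerated, so a genuine bug elsewhere still surfaces. It is worth a comment that `Directory.EnumerateDirectories` is lazy, so the exception is raised inside `dirs.ToList()` — that call being inside the `try` is what makes the guard effective, and a later refactor that moves the `ToList()` out would silently undo the fix. The element type of `List` appears stripped in this rendering; presumably it is `List<string>` in the file.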
@@ -594,7 +594,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Checking KrbRelayUp");
-                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayupp");
+                Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup");
 
                 if (Checks.CurrentAdDomainName.Length > 0)
                 {
From 99e8eb7813a3a07301e2367bdc8cf8deca6d1e0d Mon Sep 17 00:00:00 2001
From: spkal01
Date: Sat, 29 Mar 2025 21:45:58 +0200
Subject: [PATCH 4/4] Rework PEASS url logic for the metasploit module

---
 metasploit/README.md | 7 ++++---
 metasploit/peass.rb | 13 ++++++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/metasploit/README.md b/metasploit/README.md
index 4a4cd71..dcc1968 100644
--- a/metasploit/README.md
+++ b/metasploit/README.md
@@ -37,9 +37,10 @@ Basic options:
 ---- --------------- -------- -----------
 PARAMETERS no Parameters to pass to the script
 PASSWORD um1xipfws17nkw1bi1ma3bh7tzt4mo3e no Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used
- .
- PEASS_URL https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/wi yes Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://raw.githubusercontent.com/peass-ng/PEASS-ng
- nPEASexe/binaries/Obfuscated%20Releases/winPEASany.exe /master/linPEAS/linpeas.sh
+
+ WINPEASS true yes Use PEASS for Windows or PEASS for linux. Default is windows change to false for linux.
+ CUSTOM_URL no Path to the PEASS script. Accepted: http(s):// URL or absolute local path.
+
 SESSION yes The session to run this module on.
 SRVHOST no Set your metasploit instance IP if you want to download the PEASS script from here via http(s) instead of uploading it.
 SRVPORT 443 no Port to download the PEASS script from using http(s) (only used if SRVHOST)
diff --git a/metasploit/peass.rb b/metasploit/peass.rb
index c9057f1..0a78e35 100644
--- a/metasploit/peass.rb
+++ b/metasploit/peass.rb
@@ -37,7 +37,8 @@ class MetasploitModule < Msf::Post
       ))
       register_options(
         [
-          OptString.new('PEASS_URL', [true, 'Path to the PEASS script. Accepted: http(s):// URL or absolute local path. Linpeas: https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh', "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"]),
+          OptString.new('WINPEASS', [true, 'Which PEASS script to use. Use True for WinPeass and false for LinPEASS', true]),
+          OptString.new('CUSTOM_URL', [false, 'URL to download the PEASS script from (if not using the default one). Accepts http(s) or absolute path. Overrides the WINPEASS variable', '']),
           OptString.new('PASSWORD', [false, 'Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used.', rand(36**32).to_s(36)]),
           OptString.new('TEMP_DIR', [false, 'Path to upload the obfuscated PEASS script inside the compromised machine. By default "C:\Windows\System32\spool\drivers\color" is used in Windows and "/tmp" in Unix.', '']),
           OptString.new('PARAMETERS', [false, 'Parameters to pass to the script', nil]),
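Review bot: `WINPEASS` is registered as an `OptString` but is consumed as a boolean (`datastore['WINPEASS'] ? … : …` in load_peass); as far as I can tell the datastore hands back the string the operator typed, and every Ruby String — `"false"` and `""` included — is truthy, so `set WINPEASS false` would still pick winPEAS and the linPEAS default would be unreachable. Register it as a boolean so the framework normalizes it: `OptBool.new('WINPEASS', [true, 'Use winPEAS (true) or linPEAS (false); ignored when CUSTOM_URL is set', true])`. The `CUSTOM_URL` description should also spell out that whatever it points at is uploaded and executed on the session as-is — nothing in this commit verifies a digest of the fetched script — so operators know to pin a vetted copy. The enclosing `initialize` starts before and ends after this hunk.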
@@ -237,8 +238,14 @@ class MetasploitModule < Msf::Post
   def load_peass
     # Load the PEASS script from a local file or from Internet
     peass_script = ""
-    url_peass = datastore['PEASS_URL']
-
+    url_peass = ""
+    # If no URL is set, use the default one
+    if datastore['CUSTOM_URL'] != ""
+      url_peass = datastore['CUSTOM_URL']
+    else
+      url_peass = datastore['WINPEASS'] ? "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" : "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh"
+    end
+
     # If URL is set, check if it is a valid URL or local file
     if url_peass.include?("http://") || url_peass.include?("https://")
       target = URI.parse url_peass
       raise 'Invalid URL' unless target.scheme =~ /https?/
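Review bot: The ternary `datastore['WINPEASS'] ? "…winPEASany_ofs.exe" : "…linpeas.sh"` only reaches the linPEAS branch when the value is `false` or `nil`; with `WINPEASS` declared as an `OptString` in `register_options` the value is a String, and `"false"` is truthy in Ruby, so the else branch looks unreachable unless the option type is changed. A form that works whichever option type ends up registered is `use_winpeas = datastore['WINPEASS'].to_s.casecmp?('true')` followed by `url_peass = use_winpeas ? "…winPEASany_ofs.exe" : "…linpeas.sh"`. `datastore['CUSTOM_URL'] != ""` also mis-handles a `nil` value (it would fall through to `nil.include?` and raise NoMethodError); `unless datastore['CUSTOM_URL'].to_s.empty?` covers both cases. Since the hard-coded `releases/latest/download` URLs fetch whatever upstream published most recently and the visible code checks only the scheme, a comment above the `else` branch should say that no integrity check is applied to the downloaded script; load_peass continues past the end of this hunk.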