From f5155d5eb42b92e0f5f719ae78cd579887369c0e Mon Sep 17 00:00:00 2001 From: makikvues Date: Sun, 24 Jan 2021 13:19:52 +0100 Subject: [PATCH] - added PrintOtherUsersInterestingFiles check - cleanup --- .../winPEAS/Checks/ApplicationsInfo.cs | 4 +- winPEAS/winPEASexe/winPEAS/Checks/Checks.cs | 2 +- .../winPEASexe/winPEAS/Checks/FilesInfo.cs | 59 ++++++++++++++++++- winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs | 8 ++- .../winPEAS/Helpers/Search/SearchHelper.cs | 14 ++++- .../winPEASexe/winPEAS/Info/UserInfo/User.cs | 30 ++++++++++ 6 files changed, 107 insertions(+), 10 deletions(-) diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs index 4fe3fec..0cc2e08 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs @@ -32,7 +32,7 @@ namespace winPEAS.Checks if (permsFile.Count > 0) { Beaprint.BadPrint(" " + title); - Beaprint.BadPrint(" FilePermissions: " + string.Join(",", permsFile)); + Beaprint.BadPrint(" File Permissions: " + string.Join(",", permsFile)); } else { @@ -42,7 +42,7 @@ namespace winPEAS.Checks if (permsFolder.Count > 0) { Beaprint.BadPrint(" Possible DLL Hijacking, folder is writable: " + PermissionsHelper.GetFolderFromString(title)); - Beaprint.BadPrint(" FolderPermissions: " + string.Join(",", permsFile)); + Beaprint.BadPrint(" Folder Permissions: " + string.Join(",", permsFile)); } } catch (Exception ex) diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs index 0b67aef..667600e 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs @@ -301,7 +301,7 @@ namespace winPEAS.Checks catch (Exception ex) { Beaprint.GrayPrint("Error while creating directory list: " + ex); - } + } } private static void CheckRegANSI() 
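Review bot: In the second ApplicationsInfo.cs hunk (`@@ -42,7 +42,7 @@`), the relabelled line still joins `permsFile` even though it sits inside the `permsFolder.Count > 0` branch, so the "Folder Permissions" line reports the file's rights instead of the folder's. Since the line is being edited anyway, change the argument to `string.Join(",", permsFolder)`. As written, a writable folder whose executable is not itself writable would print an empty list next to the DLL-hijacking warning, which makes the finding harder to triage. The enclosing method starts and ends outside the hunk.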
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index c10cc21..b43cffc 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs @@ -5,6 +5,7 @@ using System.Linq; using System.Text.RegularExpressions; using winPEAS.Helpers; using winPEAS.Helpers.Search; +using winPEAS.Info.UserInfo; using winPEAS.InterestingFiles; using winPEAS.KnownFileCreds; @@ -123,7 +124,8 @@ namespace winPEAS.Checks PrintUsersInterestingFiles, PrintUsersDocsKeys, PrintRecentFiles, - PrintRecycleBin + PrintRecycleBin, + PrintOtherUsersInterestingFiles }.ForEach(action => CheckRunner.Run(action, isDebug)); } 
@@ -484,5 +486,60 @@ namespace winPEAS.Checks
 Beaprint.PrintException(ex.Message);
 }
 }
+
+ void PrintOtherUsersInterestingFiles()
+ {
+ try
+ {
+ Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n");
+
+ // check if admin already, if yes, print a message, if not, try to enumerate all files
+ if (MyUtils.IsHighIntegrity())
+ {
+ Beaprint.BadPrint(" You are already Administrator, check users home folders manually.");
+ }
+ else
+ // get all files and check them
+ {
+ var users = User.GetOtherUsersFolders();
+
+ foreach (var user in users)
+ {
+ Beaprint.GoodPrint($" Checking folder: {user}\n");
+
+ var files = SearchHelper.GetFilesFast(user, isFoldersIncluded: true);
+
+ foreach (var file in files)
+ {
+ FileAttributes attr = File.GetAttributes(file.FullPath);
+ if ((attr & FileAttributes.Directory) == FileAttributes.Directory)
+ {
+ List dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true);
+
+ if (dirRights.Count > 0)
+ {
+ Beaprint.BadPrint($" Folder Permissions \"{file.FullPath}\": " + string.Join(",", dirRights));
+ }
+ }
+ else
+ {
+ List fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true);
+
+ if (fileRights.Count > 0)
+ {
+ Beaprint.BadPrint($" File Permissions \"{file.FullPath}\": " + string.Join(",", fileRights));
+ }
+ }
+ }
+
+ Beaprint.PrintLineSeparator();
+ }
+ }
+ }
+ catch (Exception ex)
+ {
+ Beaprint.PrintException(ex.Message);
+ }
+ }
 }
 }
diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
index 1a99d2e..ea40c78 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
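Review bot: A single `try`/`catch` wraps the whole scan in `PrintOtherUsersInterestingFiles`, so the first exception from `File.GetAttributes` (entry deleted mid-scan, access denied, path too long) or, if they throw, from the permission helpers ends the check for every remaining entry and every remaining user folder. The report then looks complete when it is not. Handle failures per entry inside the inner `foreach` and keep the outer `catch` for unexpected errors only. The loop variable `user` actually holds a folder path, so a name such as `userFolder` would read more clearly, and the method would benefit from a short doc comment stating that it reports write-equivalent rights held by the current user's SIDs.

```csharp
foreach (var file in files)
{
    try
    {
        FileAttributes attr = File.GetAttributes(file.FullPath);
        // … unchanged: directory / file permission checks and BadPrint calls …
    }
    catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)
    {
        // Entry vanished or cannot be read: skip it and keep scanning the rest.
        continue;
    }
}
```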
@@ -140,9 +140,11 @@ namespace winPEAS.Helpers public static bool IsHighIntegrity() { // returns true if the current process is running with adminstrative privs in a high integrity context - WindowsIdentity identity = WindowsIdentity.GetCurrent(); - WindowsPrincipal principal = new WindowsPrincipal(identity); - return principal.IsInRole(WindowsBuiltInRole.Administrator); + using (WindowsIdentity identity = WindowsIdentity.GetCurrent()) + { + WindowsPrincipal principal = new WindowsPrincipal(identity); + return principal.IsInRole(WindowsBuiltInRole.Administrator); + } } //From https://stackoverflow.com/questions/3519539/how-to-check-if-a-string-contains-any-of-some-strings diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs index ece04d6..ace7329 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs @@ -19,7 +19,7 @@ namespace winPEAS.Helpers.Search // private static List GroupPolicyHistoryLegacy; - public static List GetFilesFast(string folder, string pattern = "*", HashSet excludedDirs = null) + public static List GetFilesFast(string folder, string pattern = "*", HashSet excludedDirs = null, bool isFoldersIncluded = false) { ConcurrentBag files = new ConcurrentBag(); IEnumerable startDirs = GetStartDirectories(folder, files, pattern); @@ -54,7 +54,7 @@ namespace winPEAS.Helpers.Search Parallel.ForEach(startDirsExcluded, (d) => { - Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern), (dir) => + Parallel.ForEach(GetStartDirectories(d.FullName, files, pattern, isFoldersIncluded), (dir) => { GetFiles(dir.FullName, pattern).ForEach( (f) => 
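Review bot: `isFoldersIncluded` is forwarded only to the nested `GetStartDirectories(d.FullName, …)` call in the `@@ -54,7 +54,7 @@` hunk of SearchHelper.cs. The first call in `GetFilesFast`, `GetStartDirectories(folder, files, pattern)` (a context line of the `@@ -19,7 +19,7 @@` hunk), still runs with the default `false`. The immediate subdirectories of `folder` are therefore never added as folder entries, and deeper levels look skipped as well unless `GetFiles` (not visible here) adds them. For the new caller this means writable top-level folders inside another user's profile are silently left out of the report. Pass the flag on the first call too, `GetStartDirectories(folder, files, pattern, isFoldersIncluded)`, and document on the new parameter at which depths folders are returned.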
@@ -119,7 +119,7 @@ namespace winPEAS.Helpers.Search - private static List GetStartDirectories(string folder, ConcurrentBag files, string pattern) + private static List GetStartDirectories(string folder, ConcurrentBag files, string pattern, bool isFoldersIncluded = false) { DirectoryInfo dirInfo = null; DirectoryInfo[] directories = null; @@ -128,6 +128,14 @@ namespace winPEAS.Helpers.Search dirInfo = new DirectoryInfo(folder); directories = dirInfo.GetDirectories(); + if (isFoldersIncluded) + { + foreach (var directory in directories) + { + files.Add(new CustomFileInfo(null, null, directory.FullName)); + } + } + foreach (var f in dirInfo.GetFiles(pattern)) { files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName)); diff --git a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs index 056e3a2..8651342 100644 --- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs +++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs @@ -1,6 +1,7 @@ using System; using System.Collections.Generic; using System.DirectoryServices.AccountManagement; +using System.IO; using System.Management; using System.Security.Principal; using winPEAS.Helpers; 
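Review bot: In the `@@ -128,6 +128,14 @@` hunk, directory entries are added as `new CustomFileInfo(null, null, directory.FullName)`, so any consumer of `GetFilesFast` results that reads the name or extension will hit a null once `isFoldersIncluded` is true. Prefer `new CustomFileInfo(directory.Name, string.Empty, directory.FullName)`, assuming the constructor order is name, extension, full path as the file call just below suggests. The entry also carries no marker that it is a directory, which is why the new caller has to call `File.GetAttributes` again for every result; a boolean on `CustomFileInfo` would avoid that second lookup and the race it introduces. The body of `GetStartDirectories` continues outside the hunk.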
@@ -184,5 +185,34 @@ namespace winPEAS.Info.UserInfo
 {
 return MyUtils.ListFolder("Users");
 }
+
+ public static HashSet GetOtherUsersFolders()
+ {
+ HashSet result = new HashSet();
+ string currentUsername = Environment.UserName?.ToLower();
+ var usersBaseDirectory = Path.Combine(Path.GetPathRoot(Environment.SystemDirectory), "Users");
+
+ SelectQuery query = new SelectQuery("Win32_UserAccount");
+ using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
+ {
+ foreach (ManagementObject envVar in searcher.Get())
+ {
+ string username = (string)envVar["Name"];
+ username = username?.ToLower();
+
+ if (currentUsername != username)
+ {
+ string userDirectory = Path.Combine(usersBaseDirectory, username);
+
+ if (Directory.Exists(userDirectory))
+ {
+ result.Add(userDirectory.ToLower());
+ }
+ }
+ }
+ }
+
+ return result;
+ }
 }
 }
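Review bot: In `GetOtherUsersFolders`, `username` is treated as nullable (`username?.ToLower()`), yet a null value passes `currentUsername != username` and reaches `Path.Combine(usersBaseDirectory, username)`, which throws `ArgumentNullException` and aborts the whole enumeration. Guard first and compare without culture-sensitive lowering: `if (string.IsNullOrEmpty(username) || string.Equals(currentUsername, username, StringComparison.OrdinalIgnoreCase)) continue;`. The lookup also assumes every profile lives at `Users\<account name>` on the system drive, which does not hold for renamed accounts or suffixed profile folders. Listing the subdirectories of the Users folder directly, or reading profile paths from `Win32_UserProfile`, would probably miss fewer folders. The loop variable `envVar` looks like a copy-paste leftover; `account` would match what it holds.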