linpeas update

2025-04-27 12:00:12 +02:00 · 2025-04-27 12:00:12 +02:00 · 90ccb07e94
commit 90ccb07e94
parent 78f91195f2
5 changed files with 3149 additions and 3176 deletions
--- a/linpeas.sh
+++ b/linpeas.sh
--- a/update.sh
+++ b/update.sh
@ -52,13 +52,13 @@ download https://raw.githubusercontent.com/topotam/PetitPotam/main/PetitPotam.py
 echo ""
 echo "Updating LinPEAS + WinPEAS…"
-peas_version=$(get_latest_version carlospolop/PEASS-ng)
+peas_version=$(get_latest_version peass-ng/PEASS-ng)
 if [ ! -z "$peas_version" ]; then
  echo "Got PEAS version: $peas_version"
-  download https://github.com/carlospolop/PEASS-ng/releases/download/$peas_version/linpeas.sh linpeas.sh
+  download https://github.com/peass-ng/PEASS-ng/releases/download/$peas_version/linpeas.sh linpeas.sh
-  download https://github.com/carlospolop/PEASS-ng/releases/download/$peas_version/winPEASx86.exe win/winPEAS.exe
+  download https://github.com/peass-ng/PEASS-ng/releases/download/$peas_version/winPEASx86.exe win/winPEAS.exe
-  download https://github.com/carlospolop/PEASS-ng/releases/download/$peas_version/winPEASx64.exe win/winPEASx64.exe
+  download https://github.com/peass-ng/PEASS-ng/releases/download/$peas_version/winPEASx64.exe win/winPEASx64.exe
-  download https://github.com/carlospolop/PEASS-ng/releases/download/$peas_version/winPEAS.bat win/winPEAS.bat
+  download https://github.com/peass-ng/PEASS-ng/releases/download/$peas_version/winPEAS.bat win/winPEAS.bat
 else
  echo "Unable to determine latest PEAS version"
 fi
--- a/win/winPEAS.bat
+++ b/win/winPEAS.bat
@ -63,7 +63,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO"
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
 ECHO.   [i] Check for vulnerabilities for the OS version with the applied patches
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
 systeminfo
 ECHO.
 CALL :T_Progress 2
@ -147,12 +147,20 @@ ECHO.
 CALL :T_Progress 1
 :LAPSInstallCheck
-CALL :ColorLine " %E%33m[+]%E%97m LAPS installed?"
+CALL :ColorLine " %E%33m[+]%E%97m Legacy Microsoft LAPS installed?"
 ECHO.   [i] Check what is being logged
 REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul
 ECHO.
 CALL :T_Progress 1
 :WindowsLAPSInstallCheck
 CALL :ColorLine " %E%33m[+]%E%97m Windows LAPS installed?"
 ECHO.   [i] Check what is being logged: 0x00 Disabled, 0x01 Backup to Entra, 0x02 Backup to Active Directory
 REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Policies\LAPS" /v BackupDirectory 2>nul
 REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS" /v BackupDirectory 2>nul
 ECHO.
 CALL :T_Progress 1
 :LSAProtectionCheck
 CALL :ColorLine " %E%33m[+]%E%97m LSA protection?"
 ECHO.   [i] Active if "1"
@ -182,7 +190,7 @@ CALL :T_Progress 1
 :UACSettings
 CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
 ECHO.   [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#very-basic-uac-bypass-full-file-system-access
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
 ECHO.
 CALL :T_Progress 1
@ -233,7 +241,7 @@ CALL :T_Progress 1
 :InstalledSoftware
 CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
 ECHO.   [i] Some weird software? Check for vulnerabilities in unknow software installed
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
 ECHO.
 dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
@ -244,7 +252,7 @@ CALL :T_Progress 2
 :RemodeDeskCredMgr
 CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
 IF exist "%LOCALAPPDATA%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
 ECHO.
 CALL :T_Progress 1
@ -252,7 +260,7 @@ CALL :T_Progress 1
 :WSUS
 CALL :ColorLine " %E%33m[+]%E%97m WSUS"
 ECHO.   [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
 reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
 ECHO.
 CALL :T_Progress 1
@ -260,7 +268,7 @@ CALL :T_Progress 1
 :RunningProcesses
 CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
 ECHO.   [i] Something unexpected is running? Check for vulnerabilities
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
 tasklist /SVC
 ECHO.
 CALL :T_Progress 2
@ -281,7 +289,7 @@ CALL :T_Progress 3
 :RunAtStartup
 CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
 ECHO.   [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#run-at-startup
 ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
@ -305,7 +313,7 @@ CALL :T_Progress 2
 :AlwaysInstallElevated
 CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
 ECHO.   [i] If '1' then you can install a .msi file with admin privileges ;)
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated-1
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 ECHO.
@ -363,13 +371,13 @@ CALL :T_Progress 1
 :WifiCreds
 CALL :ColorLine " %E%33m[+]%E%97m WIFI"
-for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
+for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
 CALL :T_Progress 1
 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
 ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
 net user %username%
@ -443,7 +451,7 @@ ECHO.
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
    for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 )
@ -452,7 +460,7 @@ CALL :T_Progress 1
 :CheckRegistryModificationAbilities
 CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
 ECHO.
 CALL :T_Progress 1
@ -461,7 +469,7 @@ CALL :T_Progress 1
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
 ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO.   [i] The permissions are also checked and filtered using icacls
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
 	for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
 		ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
@ -476,7 +484,7 @@ ECHO.
 CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
 ECHO.   [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
 ECHO.   [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
 ECHO.
 CALL :T_Progress 1
@ -485,7 +493,7 @@ CALL :T_Progress 1
 CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
 cmdkey /list
 ECHO.
 CALL :T_Progress 2
@ -493,14 +501,14 @@ CALL :T_Progress 2
 :DPAPIMasterKeys
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
 powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
 powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
 CALL :T_Progress 2
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
 ECHO.   [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
 ECHO.
 ECHO.Looking inside %appdata%\Microsoft\Credentials\
 ECHO.
@ -573,7 +581,7 @@ CALL :T_Progress 2
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. 
 ECHO.
 CALL :T_Progress 2
@ -581,7 +589,7 @@ CALL :T_Progress 2
 :RegFilesCredentials
 CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
 ECHO.   [i] Searching specific files that may contains credentials.
-ECHO.   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
+ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
 ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
 reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
 CALL :T_Progress 2
--- a/win/winPEAS.exe
+++ b/win/winPEAS.exe
--- a/win/winPEASx64.exe
+++ b/win/winPEASx64.exe