#peass-ng
@lyric sable yes?
It's deleted now. Some (adult?) discord spam was on every channel.
Hi all
@trim belfry Hi 👋 I have already bought the $18 subscription and received the book in PDF, BUT what about the linpeas private version, where can I download it? Thx 🙏
Trying to run the one-liner for PEASS Windows and I'm getting an error message. Here is the one-liner that I chose to run:
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
Here is the error message:
Exception calling "Load" with "1" argument(s): "Could not load file or assembly '1833984 bytes loaded from Anonymously
Hosted DynamicMethods Assembly, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. An
attempt was made to load a program with an incorrect format."
Hey lolly, sorry for the late reply. That's a different subscription, you have the details in github.com/sponsors/carlospolop
have you tried compiling it on the same PC and trying to load that one?
🙏🏼
Hello Brothers!
Anyone facing issues with the linpeas build? When I am trying to build linpeas I am getting multiple exception errors. Any help would be much appreciated.
someone please help
trying to get the winpeas binaries, but when I git clone, the binaries folders appear empty?
Do you make the binaries?
https://github.com/carlospolop/PEASS-ng/releases/tag/20230115 maybe you are looking for these precompiled binaries
are you behind a web proxy
No I am not... It seems like a dns issue for that suggestor site
...maybe? But if it was dns it seems like you would get a timeout, but your error suggests an SSL issue, which would lead me to think there is something doing SSL decryption/inspection that breaks the connection.
how are you uploading winpeas on host with CS on it?
I'm having an issue with linpeas.sh just trying to make sure it's not me doing something wrong...it gives a syntax error: unterminated quoted string
@trim belfry I have subscribed to the $18 tier, I have access to the HackTricks PDF but was wondering if this tier gives me access to the latest PEASS-ng releases?
Hey! thanks for the sponsoring, unfortunately the PDF and the last version of PEAS are 2 different sponsorships
Hey @trim belfry how are you? I hope you are doing great. I got one question that I just can't seem to find the answer to. In Windows, when you have a reverse shell, there are some machines where executing .exe files or other binaries doesn't work, which is very odd
For example, you get a rev shell in a Windows machine and try to execute winpeas.exe but Windows instead of executing the binary, just prints the name of it:
C:\Program Files\apache-tomcat-7.0.81>.\winpeas.exe
.\winpeas.exe
Do you have any ideas on what could be the problem here? It happens to me very often :C
(I also speak Spanish, just in case)
That's a very good question and unfortunately I don't know the answer.
In the past it helped me to compile winpeas on the machine. But I don't know if it could be related to differences between the Windows version and the one the exe was created on, or the .NET version, or what
thanks for the answer carlos 😄 it remains a mystery I see hehe. Well, someone also told me that it has to do with the .NET version of the machine and that maybe compiling these executables with that .NET version would probably work, but I guess it is not that straightforward nor a reliable solution. Thanks again!
could it be an antivirus thing? or will that also usually delete the .exe as well?
hey guys, I'm new to winpeas, can someone help me figure out where the logs go after you run it? I can't seem to find them. Searching through my entire PC for "peas" or "peass" shows nothing
the output should be in the console where you executed it
the console closes out on its own after maybe 20 seconds
how are you executing it?
I just run "winpeasx64.exe"
tried as normal and as admin
I don't have any AV, Defender is permanently disabled/removed
Hey there! I am facing the same issue when trying to execute winpeas using the one-liner and three-liner Carlos mentioned on the github page
Can anyone please provide any help with this?
Everyone here is a bot, or forever idle
Yes sir, I am a bot
Beep boop
Boop beep
Can I know where to find MacPEASS? I can't seem to find the link or any relevant file anywhere. Can anyone point me in the right direction?
MacPEASS is inside linpeas, just execute it in a mac
Oh thank you so much 🙂
Hi !
How can I build linpeas locally? 🙂
I saw the sln for winpeas but the python linpeas_builder.py errors out
up
🥲
Hey man! So it should be fixed already.
Let me know if you have any troubles
Thanks Carlos 🫶
Found this little typo @trim belfry
URL -> https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters
could you send a PR fixing it if you don't mind?
What do you mean by PR?
I will do that. Thanks
question - was the auto exploitation that was added previously moved to a flag enabled by ... autopwn or was that functionality just removed entirely?
See conflicting information and I'm not sure which it is
hi - how's everyone?
Freaking amazing work on the .bat logic. Old school batter here
thanks, but never again hahaha
Just wanted to say I love peass-ng. When doing CTFs I use it constantly and when the machine is solved and I have root access I run it one last time. I keep all the outputs for every machine I do in git. When bored I'll look through the root peass runs for additional ways to root a box.
Would anyone mind sharing some cheap but good hands-on complete pen testing courses or intensive training resources?
HTB Academy has a deal for students
So that’s good
You don’t have any other channels to post.
I don’t own the server, but this channel is specific to discussions about the tool, peass-ng
That’s fine. Removed
I have created a new channel for generic cybersecurity questions!
THM has student discount, too 🙂
Can someone explain what a 2FAbypass is
when you bypass two-factor auth
lol
like what else needs to be said about this XD
2-Factor Authentication is where you have to submit a code in order to log into an application, secondary to your password. Hence it's the "second factor" related to your authentication.
You can bypass it by phishing someone's two-factor codes (google authenticator, SMS, etc...), by finding logic bugs in the application which allow you to skip the second factor authentication, or raw vulnerabilities which allow you to brute force the 2FA codes or some manipulation of the login flow which allows you to skip that step altogether.
thx G for showing me this exceptional gif. I'll send it to my discord kittens when they refuse to send me a picture of their toes dipped in peanut butter
I have a query: how would I know if my mail server is hacked or not? With facts.
Can anyone guide me with this?
Also, suggest good tools to analyse this.
One more thing, are there any tools available to track mail delivery from sender to receiver? If yes, then tell me the names of those tools.
How would I know if someone is intercepting my mail?
Hey there, why does WinPeas get stuck here?
It shouldn't happen, but it might if the PC has very little resources and Winpeas doesn't manage to cache file paths. Where have you seen this? How much RAM and how many processors does the machine where you are running winpeas have?
It was a HTB box, on another Discord they told me it might be that my console wasn't interactive
yep, that could also be, if not I guess more people would have complained about winpeas not working on that machine. Did you try to launch it again?
try also executing it in other formats (binary, web request to shell..)
Hello everyone! I would really appreciate it if someone could provide me with some guidance and understanding about how SUID/SGID binaries could potentially lead to privesc and how they work in different scenarios.
Here are the questions I hope someone can help clear my mind up.
Firstly, looking at the 1_SUID.sh file in LinPEAS, line 30-52ish:
#REDACTED
sname="$(echo $s | awk '{print $9}')"
if [ "$sname" = "." ] || [ "$sname" = ".." ]; then
true #Don't do nothing
elif ! [ "$IAMROOT" ] && [ -O "$sname" ]; then
echo "You own the SUID file: $sname" | sed -${E} "s,.*,${SED_RED},"
elif ! [ "$IAMROOT" ] && [ -w "$sname" ]; then #If write permision, win found (no check exploits)
echo "You can write SUID file: $sname" | sed -${E} "s,.*,${SED_RED_YELLOW},"
else
c="a"
for b in $sidB; do
if echo $s | grep -q $(echo $b | cut -d % -f 1); then
echo "$s" | sed -${E} "s,$(echo $b | cut -d % -f 1),${C}[1;31m& ---> $(echo $b | cut -d % -f 2)${C}[0m,"
c=""
break;
fi
done;
if [ "$c" ]; then
if echo "$s" | grep -qE "$sidG1" || echo "$s" | grep -qE "$sidG2" || echo "$s" | grep -qE "$sidG3" || echo "$s" | grep -qE "$sidG4" || echo "$s" | grep -qE "$sidVB" || echo "$s" | grep -qE "$sidVB2"; then
echo "$s" | sed -${E} "s,$sidG1,${SED_GREEN}," | sed -${E} "s,$sidG2,${SED_GREEN}," | sed -${E} "s,$sidG3,${SED_GREEN}," | sed -${E} "s,$sidG4,${SED_GREEN}," | sed -${E} "s,$sidVB,${SED_RED_YELLOW}," | sed -${E} "s,$sidVB2,${SED_RED_YELLOW},"
else
echo "$s (Unknown SUID binary!)" | sed -${E} "s,/.*,${SED_RED},"
printf $ITALIC
if ! [ "$FAST" ]; then
#REDACTED
- Near the top, why does linPEAS need to check if the user is root? What's the use of the tool when the user running it is already root?
With this,
1.1 Why is it when running as root, it does not have to check if they own the file and if they can write to the file?
My guess would be because root usually owns the file and can write to them? If this is the case, does that mean all SUID binaries are usually owned by root? Won't there be cases where binaries might not necessarily be owned by root and still can lead to privesc, such as escalating to other non-root users if I can write to it?
The reason I'm asking these is because I want to work on a script where part of it will be able to scan the system to make sure it is safe from all potential SUID/SGID risks that could lead to privesc.
I would assume such a script is best to require it be run as the root user only? So that it can scan more stuff on the system. Please correct me if I'm wrong though.
2.1 So, with such a script running as root and from the perspective of root, what should be all the cases that I should check for to prevent privesc through SUID/SGID?
What I have in mind right now is:
Known vulnerable binaries
Binaries vulnerable to shared object injection and hijacking
2.2 Should I check for corner cases as well such as when it's writable by other users?
2.2.1
I don't know how I should check for these cases, such as binaries that are writable by non-authorized/non-privileged users. Should I just check to see if all the SUID binaries have the write permission in the 'group' and/or 'others'? I feel like there might be some cases I'm missing that might require such permissions legitimately but I'm not sure.
2.2.2
Other cases would be like: should I check if the binaries have permissions for other users that are not root? For example, a vulnerable SUID binary might not be exploited if it does not have any permission for other users other than the root user. This should not be flagged as a risk, right?
This part is really getting to me as I can't figure out all the cases for securing the binaries.
TLDR Long story short, I'm trying to work out a script that could scan the system and make sure it is safe from all the privesc paths through SUID/SGID, but I'm not certain about all the checks that should be performed from the perspective of the root user
Sorry for the amount of questions 😅 but I really hope that someone could help me out 🙏 Thank you!
Hi @polar briar !
-
LinPEAS is meant to find privesc paths based on the user that executes it. If linpeas is already root, several checks are skipped because otherwise everything in the output would be red. However, it might be interesting to run linpeas as root to find other vulnerabilities (like docker escapes) or leaks
-
Yes, you can privesc to other users via SUID/SGID files, so you can check this if you want. But note that the fact that a binary is SUID doesn't make it vulnerable. Only vulnerable binaries with that permission are exploitable.
-
You have some questions about "what you should check" with your new tool. My recommendation for you is to first understand how all the privilege escalations abusing SUID/SGID binaries work and then create the tool with that knowledge (not the other way around). Moreover, if you have questions about what you should check, just read writeups of people abusing SUID/SGID binaries in the past, do HTB machines with these types of vulnerabilities and do your own research on the edge cases you don't understand. Not trying to be rude here, but you are usually the only one that really understands your own questions, and doing your own tests to answer those questions is more valuable than any response anyone can give you (usually)
thanks a lot 🙏🏻❤️
you can also check this site if you need more info about exploiting SUID on a specific binary: https://gtfobins.github.io/
has anyone else often experienced hangs with linpeas_fat.sh when it performs the "am I containered" checks?
I've noticed on three separate systems that linpeas_fat.sh will hang at the point where it says looking for docker.sock (with and without the -e flag I experience the issue) and was wondering if others had seen it too?
Hello, what is the point of the current released winpeas.bat when windows antivirus deletes it and does not let me run it. What are the options to bypass this without administrative rights on the machine?
Current AVs have been detecting all the PEASS for years now.
If you need to run it, find the signatures and remove them. Or, in the case of the .exe version, bypass AMSI and run it from memory
Hey folks, has anyone come up against any false positives when using GCPPEAS.py ? I had a number of hits for paths to potential exploit but after manual review the account I was using didn't end up having the required permissions GCPPEAS.py had listed when it ran
wow, that shouldn't happen. Is this in some lab of GRTE where I could check myself? Or did it happen in some private environment?
I can DM you if it helps Carlos?
ofc!
does anyone know an easy way to get the current permission set in gcp?
the JSON file here is quite old
https://github.com/peass-ng/CloudPEASS/blob/main/GCPPEAS.py#L66C33-L66C86
the repo that provides it has some code to pull it but seems google updated the documentation
https://github.com/iann0036/iam-dataset/blob/main/util/gcp_get_permissions.py
it seems to be currently stored here from what i can see https://docs.cloud.google.com/iam/docs/roles-permissions/accessapproval
which is more effort to parse I guess, but should be doable
made some slop that should update once a day ...
https://raw.githubusercontent.com/sm1l3z-code/cloud_perms/refs/heads/main/gcp_permissions.txt
before
after
the list is not JSON anymore since it's taking only the keys anyway ... uuuh PR appreciated?
Noticed AzurePEAS doesn't seem to enumerate MI or SP permissions in Entra, but it looks like it's possible to assign an SP / MI Entra permissions if you use the CLI? https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/assign-app-role-managed-identity-powershell is this avoided on purpose or is it a gap? https://www.rndtechgroup.com/post/assign-permissions-to-entra-managed-identity
Step-by-step instructions for assigning a managed identity access to another application's role using PowerShell.
Entra currently doesn't allow to add any permissions to Managed Identity via Entra Portal like you would normally do for app registration or service principal. However, you may have a need to assign permissions to Managed Identities, for example to one used in Azure Automation to automate various Entra tasks. As always, PowerShell to the rescue....
for example in this lab: https://pwnedlabs.io/labs/passwordless-credentials-for-access-and-escalation from Pwned Labs, azurepeas misses the next step.
Initially it was intended. SPs need to have specific Entra ID permissions to be able to enumerate even their own Entra ID permissions. But it's true it wouldn't do any harm to add it.
Would you like to add it/vibecode it, test it and send a PR?
i'll give it a shot 🫡
@winged kelp
@trim belfry I put in a PR request for thread usage on linpeas
https://github.com/peass-ng/PEASS-ng/pull/611
@trim belfry I got MITRE mapping done, just not tested yet. https://github.com/giveen/PEASS-ng/tree/mitre
Hello @trim belfry,
I did my first PR on your repo, I hope you will accept it !
https://github.com/peass-ng/PEASS-ng/pull/634
Summary
Adds detection for Pack2TheRoot (CVE-2026-41651, CVSS 8.8), a cross-distro local privilege escalation in the PackageKit daemon, publicly disclosed on 2026-04-22 by Deutsche Telekom'...
@everyone 7 years ago, I promised a Linux Privilege Escalation course focused on mastering LinPEAS.
It took longer than expected… but it’s finally here!
This weekend we’re launching LHE — Linux Hardening Expert, the new expert-level certification at HackTricks Training.
Inside the course, you’ll learn how to understand, exploit, and harden Linux systems using real-world techniques and tooling, including LinPEAS.
And for the pre-release, we're making it available at an apprentice-level price plus an extra 20% off for a limited time.
Get early access here:
https://lnkd.in/e-EQecKE
The token is waiting for 2nd May 😎 let's do a first blood 😈
Btw, we will not be able to access it early, even if we have a voucher now?
nope, access is open for everybody on Saturday
Noted.
Add privilege escalation check: Dirty Frag (CVE-2026-43284 / CVE-2026-43500)
Dirty Frag is a Linux kernel LPE chain disclosed on 2026-05-07 affecting the xfrm-ESP (esp4/esp6) and rxrpc subsystems. ...
Tested on Ubuntu
Hi guys! You can now transform the PEASS output to HTML and PDF with https://github.com/carlospolop/PEASS-ng/tree/master/parsers
Oh that's super awesome, this really is a next generation tool compared to the earlier PEASS version.
Awesome🥳
Hi guys, for anyone interested in knowing more about linpeas and its surroundings: https://www.youtube.com/watch?v=a9FK3YR-K0I
watched LinPEAS being used in last night's hacking esports competition on twitch
Might be a silly question - but I just did a git pull on the directory that I had cloned and it seems to have deleted all the executables (linpeas.sh, both the x64 and x86 winpeas.exe). Any idea on how they can be redownloaded/recompiled?
they have been moved to the releases page (https://github.com/carlospolop/PEASS-ng/releases/latest/) you can see that in the readmes
Hi guys! Remember to update Winpeas, some bugs have been fixed and the output of the searched files is cleaner now!
hi all, I have a specific question regarding the autologon password search in winpeas. If I understand the source code correctly, then winpeas queries the registry key "hklm\software\microsoft\windows nt\currentversion\winlogon" for DefaultUsername and DefaultPassword. I have a situation where winpeas shows me actual autologon credentials. But when I do the same registry query, the entries are empty. So my question is, what am I missing? Is there an additional condition that needs to be satisfied which winpeas takes care of? See screenshots below... the manual query was done in the same shell right after winpeas finished and found the creds. The first screenshot is the winpeas result, the second the manual request and the third is the source code I am referring to. What am I missing here?
this is driving me nuts. Why can winpeas read these credentials but the manual check doesn't show any values in the same registry key(s)???
I don't know what to tell you because as you said winpeas is just checking those registry values
have you tried querying the values of DefaultUserName and DefaultPassword specifically instead of the parent registry as you showed in the picture?
Hi, yes I tried the same as in the winpeas source code, calling the reg keys directly. This is so weird
so I just checked the winpeas.bat vs. the winpeas.exe ... funny thing is the winpeas.bat does not find the autologon creds either, but the winpeas.exe does.
ok, so when using the .NET framework in PowerShell it also works manually, like $reg = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64); $regVal=$reg.OpenSubKey("Software\Microsoft\Windows NT\CurrentVersion\WinLogon").GetValue("DefaultUsername") . That works, a friend just confirmed this.
haha that's pretty weird
hey, I think we figured it out. It has to do with the fact that there are 32-bit registry entries and 64-bit registry entries (for the same keys). If you do the manual query like reg query hklm\software\microsoft\windows nt\currentversion\winlogon /v DefaultUserName you query the 32-bit entries of the registry. To query the 64-bit entries you need to do reg query hklm\software\microsoft\windows nt\currentversion\winlogon /v DefaultUserName /reg:64 and the same for the other keys. That is the reason why the winPEAS.bat won't show the entries but the winPEAS.exe (compiled ANY or x64) will. See also https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/view-system-registry-with-64-bit-windows for reference. So I guess you could handle both cases in the winPEAS.bat. Other scripts, for example Get-RegistryAutoLogon from PowerUp.ps1, have the same issue
nice one, do you want to send a PR to winpeas.bat to query both types of registries?
Yes, I think that would be a great addition to the script
can someone help me?
I've got a www-data shell on meta machine, but I don't know what to do with privilege escalation
Hey you still need help ?
yeah man, I am working on it
Not sure if this is the right place for typos feedback but in https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation there's the following note:
If you find this error Error: No storage pool found. Please create a new storage pool
Run lxc init and repeat the previous chunk of commands
It should be lxd init
fixed, thanks, the correct channel would have been the one dedicated to HackTricks but it's ok!
Hey everyone! 🥷
I realized while working on a security tool that I mainly hack Linux boxes, and that a good part of the reason is the Defender app in Windows. I was wondering if there is a 'defender-on' utility like winpeas-ng? Currently the script gets shut off & removed if I try to run it. Perhaps an option to run winpeas.bat with a Defender-friendly option?
There are ways to execute winpeas even if defender is enabled, I would recommend you to search for AV bypass on the Internet or how to execute things from memory
Hi guys! I would like to present you The PEASS Family! https://opensea.io/collection/the-peass-family/
It is a collection of exclusive and limited edition NFTs, designed by my team and based on our beloved PEASS.
The first batch of The PEASS Family is out now! Get them while they last!
Hi guys!
The latest versions of PEASS-ng & HackTricks are now available through https://github.com/sponsors/carlospolop?frequency=one-time
You can find more checks in win/linpeas, more stable versions and several new tricks in HackTricks (new being added everyday!)
The idea is to be able to develop more content for people highly interested in it (subscribers) while updating every X time the community versions to also improve the free content!
hello, two questions if i may:
Looks like the binaries for winpeas are no longer pushed with a clone of the repo? Not sure when this change occurred (or maybe my memory is mistaken) ...
Can someone say what the difference is between winpeasany and winpeasany_ofs ?
The latest versions of the PEASS community version are in https://github.com/carlospolop/PEASS-ng/releases
winpeasany_ofs is an obfuscated version of winpeasany
The PEASS-ng scripts (https://github.com/carlospolop/PEASS-ng) are so close to reaching 10K stars on GitHub (9.1K currently).
Help me to reach 10K this summer and I will add several checks from the exclusive version to the public one!
Moreover, if you need to access the exclusive version to find as many vulns as possible check: https://github.com/sponsors/carlospolop
Hi all - Is this group still looking for help regarding the winpeas.ps1 project? I have about 2 years of PowerShell scripting experience and would love to get involved in this effort!
Yes! Definitely