private static void PrintSCClient()
{
try
{
Beaprint.MainPrint("Looking SSClient.exe");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm");
if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe")))
{
Beaprint.BadPrint(" SCClient.exe was found in " + Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe DLL Side loading?"));
}
else
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
static void PrintUACInfo()
{
try
{
Beaprint.MainPrint("UAC Status");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
Dictionary <string, string> uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies();
Dictionary <string, string> colorsSI = new Dictionary <string, string>()
{
{ badUAC, Beaprint.ansi_color_bad },
{ goodUAC, Beaprint.ansi_color_good }
};
Beaprint.DictPrint(uacDict, colorsSI, false);
if ((uacDict["EnableLUA"] == "") || (uacDict["EnableLUA"] == "0"))
{
Beaprint.BadPrint(" [*] EnableLUA != 1, UAC policies disabled.\r\n [+] Any local account can be used for lateral movement.");
}
if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] == "1"))
{
Beaprint.BadPrint(" [*] LocalAccountTokenFilterPolicy set to 1.\r\n [+] Any local account can be used for lateral movement.");
}
if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] != "1") && (uacDict["FilterAdministratorToken"] != "1"))
{
Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.\r\n [-] Only the RID-500 local admin account can be used for lateral movement.");
}
if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] != "1") && (uacDict["FilterAdministratorToken"] == "1"))
{
Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken == 1.\r\n [-] No local accounts can be used for lateral movement.");
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintHistBookChrome()
{
try
{
Beaprint.MainPrint("Looking for GET credentials in Chrome history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
Dictionary <string, List <string> > chromeHistBook = Chrome.GetChromeHistBook();
List <string> history = chromeHistBook["history"];
List <string> bookmarks = chromeHistBook["bookmarks"];
if (history.Count > 0)
{
Dictionary <string, string> colorsB = new Dictionary <string, string>()
{
{ Globals.PrintCredStrings, Beaprint.ansi_color_bad },
};
foreach (string url in history)
{
if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
{
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
Console.WriteLine();
}
else
{
Beaprint.NotFoundPrint();
}
Beaprint.MainPrint("Chrome bookmarks");
Beaprint.ListPrint(bookmarks);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintRecycleBin()
{
try
{
//string pattern_bin = _patternsFileCreds + ";*password*;*credential*";
string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*";
Dictionary <string, string> colorF = new Dictionary <string, string>()
{
{ _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
};
Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files");
List <Dictionary <string, string> > recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
foreach (Dictionary <string, string> rec_file in recy_files)
{
foreach (string pattern in pattern_bin.Split(';'))
{
if (Regex.Match(rec_file["Name"], pattern.Replace("*", ".*"), RegexOptions.IgnoreCase).Success)
{
Beaprint.DictPrint(rec_file, colorF, true);
System.Console.WriteLine();
}
}
}
if (recy_files.Count <= 0)
{
Beaprint.NotFoundPrint();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
static void PrintCredentialGuard()
{
Beaprint.MainPrint("Credentials Guard");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
if (lsaCfgFlags == "1")
{
System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
Beaprint.GoodPrint(" CredentialGuard is active with UEFI lock");
}
else if (lsaCfgFlags == "2")
{
System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
Beaprint.GoodPrint(" CredentialGuard is active without UEFI lock");
}
else
{
Beaprint.BadPrint(" CredentialGuard is not enabled");
}
CredentialGuard.PrintInfo();
}
void PrintModifiableServices()
{
try
{
Beaprint.MainPrint("Modifiable Services");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can modify any service");
if (modifiableServices.Count > 0)
{
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
Dictionary <string, string> colorsMS = new Dictionary <string, string>()
{
// modify
{ "AllAccess", Beaprint.ansi_color_bad },
{ "ChangeConfig", Beaprint.ansi_color_bad },
{ "WriteDac", Beaprint.ansi_color_bad },
{ "WriteOwner", Beaprint.ansi_color_bad },
{ "AccessSystemSecurity", Beaprint.ansi_color_bad },
{ "GenericAll", Beaprint.ansi_color_bad },
{ "GenericWrite (ChangeConfig)", Beaprint.ansi_color_bad },
// start/stop
{ "GenericExecute (Start/Stop)", Beaprint.ansi_color_yellow },
{ "Start", Beaprint.ansi_color_yellow },
{ "Stop", Beaprint.ansi_color_yellow },
};
Beaprint.DictPrint(modifiableServices, colorsMS, false, true);
}
else
{
Beaprint.GoodPrint(" You cannot modify any service");
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintBasicSystemInfo()
{
try
{
Beaprint.MainPrint("Basic System Information");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit");
Dictionary <string, string> basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo();
basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR;
Dictionary <string, string> colorsSI = new Dictionary <string, string>
{
{ Globals.StrTrue, Beaprint.ansi_color_bad },
};
Beaprint.DictPrint(basicDictSystem, colorsSI, false);
System.Console.WriteLine();
Watson.FindVulns();
//To update Watson, update the CVEs and add the new ones and update the main function so it uses new CVEs (becausfull with the Beaprints inside the FindVulns function)
//Usually you won't need to do anything with the classes Wmi, Vulnerability and VulnerabilityCollection
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintPathDllHijacking()
{
try
{
Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking", "Check for DLL Hijacking in PATH folders");
Dictionary <string, string> path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking();
foreach (KeyValuePair <string, string> entry in path_dllhijacking)
{
if (string.IsNullOrEmpty(entry.Value))
{
Beaprint.GoodPrint(" " + entry.Key);
}
else
{
Beaprint.BadPrint(" (DLL Hijacking) " + entry.Key + ": " + entry.Value);
}
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintHistFavIE()
{
try
{
Beaprint.MainPrint("Looking for GET credentials in IE history");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history");
Dictionary <string, List <string> > chromeHistBook = InternetExplorer.GetIEHistFav();
List <string> history = chromeHistBook["history"];
List <string> favorites = chromeHistBook["favorites"];
if (history.Count > 0)
{
Dictionary <string, string> colorsB = new Dictionary <string, string>()
{
{ Globals.PrintCredStrings, Beaprint.ansi_color_bad },
};
foreach (string url in history)
{
if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
{
Beaprint.AnsiPrint(" " + url, colorsB);
}
}
Console.WriteLine();
}
Beaprint.MainPrint("IE favorites");
Beaprint.ListPrint(favorites);
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
private static void PrintAutoRuns()
{
try
{
Beaprint.MainPrint("Autorun Applications");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)");
List <Dictionary <string, string> > apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs);
foreach (Dictionary <string, string> app in apps)
{
var colorsA = new Dictionary <string, string>
{
{ "FolderPerms:.*", Beaprint.ansi_color_bad },
{ "FilePerms:.*", Beaprint.ansi_color_bad },
{ "(Unquoted and Space detected)", Beaprint.ansi_color_bad },
{ "(PATH Injection)", Beaprint.ansi_color_bad },
{ "RegPerms: .*", Beaprint.ansi_color_bad },
{ (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
};
string line = "";
if (!string.IsNullOrEmpty(app["Reg"]))
{
line += "\n RegPath: " + app["Reg"];
}
if (app["RegPermissions"].Length > 0)
{
line += "\n RegPerms: " + app["RegPermissions"];
}
if (!string.IsNullOrEmpty(app["RegKey"]))
{
line += "\n Key: " + app["RegKey"];
}
if (!string.IsNullOrEmpty(app["Folder"]))
{
line += "\n Folder: " + app["Folder"];
}
else
{
if (!string.IsNullOrEmpty(app["Reg"]))
{
line += "\n Folder: None (PATH Injection)";
}
}
if (!string.IsNullOrEmpty(app["interestingFolderRights"]))
{
line += "\n FolderPerms: " + app["interestingFolderRights"];
}
string filepath_mod = app["File"].Replace("\"", "").Replace("'", "");
if (!string.IsNullOrEmpty(app["File"]))
{
line += "\n File: " + filepath_mod;
}
if (app["isUnquotedSpaced"].ToLower() == "true")
{
line += " (Unquoted and Space detected)";
}
if (!string.IsNullOrEmpty(app["interestingFileRights"]))
{
line += "\n FilePerms: " + app["interestingFileRights"];
}
Beaprint.AnsiPrint(line, colorsA);
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
void PrintInterestingProcesses()
{
try
{
Beaprint.MainPrint("Interesting Processes -non Microsoft-");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running");
List <Dictionary <string, string> > processesInfo = ProcessesInfo.GetProcInfo();
foreach (Dictionary <string, string> procInfo in processesInfo)
{
Dictionary <string, string> colorsP = new Dictionary <string, string>()
{
{ " " + Checks.CurrentUserName, Beaprint.ansi_current_user },
{ "Permissions:.*", Beaprint.ansi_color_bad },
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
};
if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"]))
{
if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]]))
{
procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]];
}
colorsP[procInfo["Product"]] = Beaprint.ansi_color_good;
}
else if (InterestingProcesses.Definitions.ContainsKey(procInfo["Name"]))
{
if (!string.IsNullOrEmpty(InterestingProcesses.Definitions[procInfo["Name"]]))
{
procInfo["Product"] = InterestingProcesses.Definitions[procInfo["Name"]];
}
colorsP[procInfo["Product"]] = Beaprint.ansi_color_bad;
}
List <string> fileRights = PermissionsHelper.GetPermissionsFile(procInfo["ExecutablePath"], Checks.CurrentUserSiDs);
List <string> dirRights = new List <string>();
if (procInfo["ExecutablePath"] != null && procInfo["ExecutablePath"] != "")
{
dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(procInfo["ExecutablePath"]), Checks.CurrentUserSiDs);
}
colorsP[procInfo["ExecutablePath"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+") + "[^\"^']"] = (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good;
string formString = " {0}({1})[{2}]";
if (procInfo["Product"] != null && procInfo["Product"].Length > 1)
{
formString += ": {3}";
}
if (procInfo["Owner"].Length > 1)
{
formString += " -- POwn: {4}";
}
if (procInfo["isDotNet"].Length > 1)
{
formString += " -- {5}";
}
if (fileRights.Count > 0)
{
formString += "\n Permissions: {6}";
}
if (dirRights.Count > 0)
{
formString += "\n Possible DLL Hijacking folder: {7} ({8})";
}
if (procInfo["CommandLine"].Length > 1)
{
formString += "\n " + Beaprint.ansi_color_gray + "Command Line: {9}";
}
Beaprint.AnsiPrint(string.Format(formString, procInfo["Name"], procInfo["ProcessID"], procInfo["ExecutablePath"], procInfo["Product"], procInfo["Owner"], procInfo["isDotNet"], string.Join(", ", fileRights), dirRights.Count > 0 ? Path.GetDirectoryName(procInfo["ExecutablePath"]) : "", string.Join(", ", dirRights), procInfo["CommandLine"]), colorsP);
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.GrayPrint(ex.Message);
}
}
void PrintInterestingServices()
{
try
{
Beaprint.MainPrint("Interesting Services -non Microsoft-");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths");
List <Dictionary <string, string> > services_info = ServicesInfoHelper.GetNonstandardServices();
if (services_info.Count < 1)
{
services_info = ServicesInfoHelper.GetNonstandardServicesFromReg();
}
foreach (Dictionary <string, string> serviceInfo in services_info)
{
List <string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], winPEAS.Checks.Checks.CurrentUserSiDs);
List <string> dirRights = new List <string>();
if (serviceInfo["FilteredPath"] != null && serviceInfo["FilteredPath"] != "")
{
dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), winPEAS.Checks.Checks.CurrentUserSiDs);
}
bool noQuotesAndSpace = MyUtils.CheckQuoteAndSpace(serviceInfo["PathName"]);
string formString = " {0}(";
if (serviceInfo["CompanyName"] != null && serviceInfo["CompanyName"].Length > 1)
{
formString += "{1} - ";
}
if (serviceInfo["DisplayName"].Length > 1)
{
formString += "{2}";
}
formString += ")";
if (serviceInfo["PathName"].Length > 1)
{
formString += "[{3}]";
}
if (serviceInfo["StartMode"].Length > 1)
{
formString += " - {4}";
}
if (serviceInfo["State"].Length > 1)
{
formString += " - {5}";
}
if (serviceInfo["isDotNet"].Length > 1)
{
formString += " - {6}";
}
if (noQuotesAndSpace)
{
formString += " - {7}";
}
if (modifiableServices.ContainsKey(serviceInfo["Name"]))
{
if (modifiableServices[serviceInfo["Name"]] == "Start")
{
formString += "\n You can START this service";
}
else
{
formString += "\n YOU CAN MODIFY THIS SERVICE: " + modifiableServices[serviceInfo["Name"]];
}
}
if (fileRights.Count > 0)
{
formString += "\n File Permissions: {8}";
}
if (dirRights.Count > 0)
{
formString += "\n Possible DLL Hijacking in binary folder: {9} ({10})";
}
if (serviceInfo["Description"].Length > 1)
{
formString += "\n " + Beaprint.ansi_color_gray + "{11}";
}
{
Dictionary <string, string> colorsS = new Dictionary <string, string>()
{
{ "File Permissions:.*", Beaprint.ansi_color_bad },
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
{ "No quotes and Space detected", Beaprint.ansi_color_bad },
{ "YOU CAN MODIFY THIS SERVICE:.*", Beaprint.ansi_color_bad },
{ " START ", Beaprint.ansi_color_bad },
{ serviceInfo["PathName"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+", "\\+"), (fileRights.Count > 0 || dirRights.Count > 0 || noQuotesAndSpace) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
};
Beaprint.AnsiPrint(string.Format(formString, serviceInfo["Name"], serviceInfo["CompanyName"], serviceInfo["DisplayName"], serviceInfo["PathName"], serviceInfo["StartMode"], serviceInfo["State"], serviceInfo["isDotNet"], "No quotes and Space detected", string.Join(", ", fileRights), dirRights.Count > 0 ? Path.GetDirectoryName(serviceInfo["FilteredPath"]) : "", string.Join(", ", dirRights), serviceInfo["Description"]), colorsS);
}
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
