4 changes: 4 additions & 0 deletions winPEAS/winPEASexe/README.md
Expand Up @@ -74,6 +74,10 @@ winpeas.exe -lolbas #Execute also additional LOLBAS search check

The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.

New in this version:
- Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.


It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).

The tool is based on **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
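--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -84,6 +84,7 @@ public void PrintInfo(bool isDebug)
 PrintLSAInfo,
 PrintNtlmSettings,
 PrintLocalGroupPolicy,
+PrintPotentialGPOAbuse,
 AppLockerHelper.PrintAppLockerPolicy,
 PrintPrintersWMIInfo,
 PrintNamedPipes,
@@ -1131,6 +1132,94 @@ private static void PrintLocalGroupPolicy()
 }
 }
 
+private static void PrintPotentialGPOAbuse()
+{
+try
+{
+Beaprint.MainPrint("Potential GPO abuse vectors (applied domain GPOs writable by current user)");
+
+if (!Checks.IsPartOfDomain)
+{
+Beaprint.NoColorPrint(" Host is not joined to a domain or domain info is unavailable.");
+return;
+}
+
+// Build a friendly group list for the current user to quickly spot interesting memberships
+var currentGroups = winPEAS.Info.UserInfo.User.GetUserGroups(Checks.CurrentUserName, Checks.CurrentUserDomainName) ?? new System.Collections.Generic.List<string>();
+var hasGPCO = currentGroups.Any(g => string.Equals(g, "Group Policy Creator Owners", System.StringComparison.InvariantCultureIgnoreCase));
+
+if (hasGPCO)
+{
+Beaprint.BadPrint(" [!] Current user is member of 'Group Policy Creator Owners' — can create/own new GPOs. If you can link a GPO to an OU that applies here, you can execute code as SYSTEM via scheduled task/startup script.");
+}
+
+var infos = GroupPolicy.GetLocalGroupPolicyInfos();
+
+bool anyFinding = false;
+foreach (var info in infos)
+{
+var fileSysPath = info.FileSysPath?.ToString();
+if (string.IsNullOrEmpty(fileSysPath))
+{
+continue;
+}
+
+// Only look at domain GPOs stored in SYSVOL
+var isSysvolPath = fileSysPath.StartsWith(@"\", System.StringComparison.InvariantCultureIgnoreCase) &&
+fileSysPath.IndexOf(@"\SysVol\", System.StringComparison.InvariantCultureIgnoreCase) >= 0 &&
+fileSysPath.IndexOf(@"\Policies\", System.StringComparison.InvariantCultureIgnoreCase) >= 0;
+
+if (!isSysvolPath)
+{
+continue;
+}
+
+// Check write/equivalent permissions on common abuse locations inside the GPO
+var pathsToCheck = new System.Collections.Generic.List<string>
+{
+fileSysPath,
+System.IO.Path.Combine(fileSysPath, @"Machine\Scripts\Startup"),
+System.IO.Path.Combine(fileSysPath, @"User\Scripts\Logon"),
+System.IO.Path.Combine(fileSysPath, @"Machine\Preferences\ScheduledTasks")
+};
+
+foreach (var p in pathsToCheck)
+{
+var perms = PermissionsHelper.GetPermissionsFolder(p, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
+if (perms != null && perms.Count > 0)
+{
+if (!anyFinding)
+{
+Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gpo-abuse.html", "Why it matters");
+}
+anyFinding = true;
+Beaprint.BadPrint($" [!] Writable applied GPO detected");
+Beaprint.NoColorPrint($" GPO Display Name : {info.DisplayName}");
+Beaprint.NoColorPrint($" GPO Name : {info.GPOName}");
+Beaprint.NoColorPrint($" GPO Link : {info.Link}");
+Beaprint.NoColorPrint($" Path : {p}");
+foreach (var entry in perms)
+{
+Beaprint.NoColorPrint($" -> {entry}");
+}
+Beaprint.GrayPrint(" Hint: Abuse by adding an immediate Scheduled Task or Startup script to execute as SYSTEM on gpupdate.");
+}
+}
+}
+
+if (!anyFinding && !hasGPCO)
+{
+Beaprint.NoColorPrint(" No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.");
+}
+}
+catch (Exception ex)
+{
+// Avoid noisy stack traces in normal runs
+Beaprint.GrayPrint($" [!] Error while checking potential GPO abuse: {ex.Message}");
+}
+}
+
+
 private static void PrintPowerShellSessionSettings()
 {
 try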
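Review bot: The membership test `var hasGPCO = currentGroups.Any(g => string.Equals(g, "Group Policy Creator Owners", ...))` only matches an unqualified group name, so if `GetUserGroups` returns domain-qualified entries (constructed example: `CONTOSO\Group Policy Creator Owners`) the membership is silently missed and the closing "No obvious GPO abuse" line is printed anyway — worth confirming the helper's output format, or comparing only the part after the last `\`. The SYSVOL path tests and the group comparison use `InvariantCultureIgnoreCase`; for file paths and group names `StringComparison.OrdinalIgnoreCase` is the conventional choice and avoids culture-dependent matching. `Beaprint.BadPrint($" [!] Writable applied GPO detected");` is an interpolated string with no placeholders, so the `$` can be dropped. The new method also has no summary comment; a one-liner such as `/// Reports applied domain GPOs whose SYSVOL folder (root, startup/logon script and scheduled-task preference dirs) grants the current user write-equivalent rights, plus membership in Group Policy Creator Owners.` would document what is and is not covered.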