alessandroz / beroot
Privilege Escalation Project - Windows / Linux / Mac
Can you please share how the exe is compiled? Trying to perform some modifications to bypass defender.
Please set up a license https://choosealicense.com/no-permission/
-------------- Get System Priv with WebClient --------------
[!] Checking WebClient vulnerability
################ Error on: check_webclient ################
Traceback (most recent call last):
File "beroot\run_checks.py", line 315, in check_all
File "beroot\run_checks.py", line 277, in check_webclient
File "beroot\modules\checks\webclient\webclient.py", line 206, in run
File "beroot\modules\checks\webclient\webclient.py", line 101, in startWebclient
ValueError: Procedure probably called with not enough arguments (4 bytes missing)
I got the X86 precompiled version v1.01
In case OpenSCManager returns ERROR_ACCESS_DENIED (0x5), it will be successfully cast to an integer and check_services_creation_with_openscmanager() will return True.
    def check_services_creation_with_openscmanager():
        isPossible = False
        try:
            # open the SCM with "SC_MANAGER_CREATE_SERVICE" rights
            createServ = OpenSCManager(None, None, SC_MANAGER_CREATE_SERVICE)
            try:
                if int(createServ) != 0:
                    return True
            # if the int cast failed (when it is an HANDLE)
            except:
                return True
        except:
            pass
        return False
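An added example, not BeRoot's own code, showing why the decision logic quoted in this report yields a false positive and one stricter way to write the check. The names `page_logic`, `open_scm_ctypes`, `can_create_service` and the three stub openers are hypothetical; the example assumes, as the report states, that the wrapper can hand back an error code as its result.

```python
import ctypes

SC_MANAGER_CREATE_SERVICE = 0x0002   # access right from winsvc.h
ERROR_ACCESS_DENIED = 5


def page_logic(result):
    """Decision made by the quoted function for a given wrapper return value."""
    try:
        if int(result) != 0:
            return True          # any non-zero integer counts, error codes included
    except (TypeError, ValueError):
        return True              # non-integer results are assumed to be handles
    return False


def open_scm_ctypes(access):
    """Windows only. Returns (handle, win32_error); handle is None on failure."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    advapi32.OpenSCManagerW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p,
                                        ctypes.c_uint32]
    advapi32.OpenSCManagerW.restype = ctypes.c_void_p    # NULL is returned as None
    advapi32.CloseServiceHandle.argtypes = [ctypes.c_void_p]
    handle = advapi32.OpenSCManagerW(None, None, access)
    if not handle:
        return None, ctypes.get_last_error()
    advapi32.CloseServiceHandle(handle)                   # probe only, release at once
    return handle, 0


def can_create_service(open_scm=open_scm_ctypes):
    """True only when the SCM was opened with SC_MANAGER_CREATE_SERVICE."""
    try:
        handle, error = open_scm(SC_MANAGER_CREATE_SERVICE)
    except OSError:
        return False             # a failed call is never reported as a finding
    return bool(handle) and error == 0


# Constructed stand-ins for the opener, so the logic can be exercised anywhere.
def denied_opener(access):
    return None, ERROR_ACCESS_DENIED


def granted_opener(access):
    return 0x1F4A10, 0           # constructed handle value


def broken_opener(access):
    raise OSError("constructed failure")
```

Keeping the handle and the error code in separate fields means an access-denied result can never be mistaken for a usable handle, and an exception is treated as "not possible" rather than as success.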
Hey,
I tried to run for the first time with python 3.8.0 with windows and get this output:
Traceback (most recent call last):
File "xr.py", line 45, in
from lib.beroot.run import check_all, get_sofwares
File "C:\Users\james\Desktop\Support-master\dev\lib\beroot\run.py", line 6, in
from .modules.checks.services_checks import check_services_creation_with_openscmanager, check_service_permissions
File "C:\Users\james\Desktop\Support-master\dev\lib\beroot\modules\checks\services_checks.py", line 3, in
from ..objects.winstructures import OpenSCManager, SC_MANAGER_CREATE_SERVICE
File "C:\Users\james\Desktop\Support-master\dev\lib\beroot\modules\objects\winstructures.py", line 66
STANDARD_RIGHTS_REQUIRED = 0x000F0000L
Do you have any idea why?
While running this on Windows Server 2008 R2 x64 (Metasploitable 3) I get this error:
-------------- Error on: check_webclient --------------
Traceback (most recent call last):
File "beroot\run_checks.py", line 315, in check_all
File "beroot\run_checks.py", line 277, in check_webclient
File "beroot\modules\checks\webclient\webclient.py", line 187, in run
File "beroot\modules\checks\webclient\webclient.py", line 130, in isServiceRunning
error: (1060, 'OpenService', 'The specified service does not exist as an installed service.')
[!] Elapsed time = 0.18799996376
I'm using version 1 x64 precompiled binary.
Traceback (most recent call last):
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot.py", line 50, in
for r in run_check_all(args.list):
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot.py", line 30, in run_check_all
for r in f():
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\run.py", line 255, in check_all
checks = RunChecks()
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\run.py", line 32, in __init__
self.service = s.get_services(self.service)
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\modules\get_info\from_scmanager_services.py", line 21, in get_services
for i in EnumServicesStatus(scm):
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\modules\objects\winstructures.py", line 294, in EnumServicesStatus
services_buffer = create_string_buffer("", cbBytesNeeded.value)
File "C:\Users\0x00\AppData\Local\Programs\Python\Python39\lib\ctypes\__init__.py", line 66, in create_string_buffer
raise TypeError(init)
TypeError
Hi,
I got this error
c:\TMP>beRoot.exe
|====================================================================|
| |
| Windows Privilege Escalation |
| |
| ! BANG BANG ! |
| |
|====================================================================|
Traceback (most recent call last):
File "beRoot.py", line 95, in
File "beRoot.py", line 60, in run
File "beroot\run_checks.py", line 298, in check_all
File "beroot\run_checks.py", line 30, in __init__
File "beroot\modules\get_info\from_taskscheduler.py", line 122, in tasksList
File "ntpath.py", line 331, in expandvars
TypeError: argument of type 'NoneType' is not iterable
[13636] Failed to execute script beRoot
c:\TMP>
Can it be fixed somehow?
services_checks.py does not check the permission of the service executable, can you add that?
The exploit path is replace the binary then restart the service.
Hey,
thank you for the tool. Thank you for your hard work.
Could you explain why the tool reports writable directory, while it is not really writable by a user? I have so many false positives reporting writing possible to c:\ or c:\windows\system32 .
thanks
It could be worth going over this repo, and see if there are more methods worth implementing here as well:
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
$python beRoot.py
Traceback (most recent call last):
File "beRoot.py", line 2, in
from beroot.run_checks import check_all, get_sofwares
File "/home/kevin/Documenti/PENTEST/BeRoot/BeRoot/beroot/run_checks.py", line 1, in
from modules.checks.path_manipulation_checks import isRootDirectoryWritable, space_and_no_quotes, exe_with_writable_directory
File "/home/kevin/Documenti/PENTEST/BeRoot/BeRoot/beroot/modules/checks/path_manipulation_checks.py", line 2, in
import win32con
ImportError: No module named win32con
Getting this at the end of the output when running it with 32-bit python on a x64 Windows 10:
################ Check user admin ################
[!] Is user in the administrator group
True
-------------- Get System Priv with WebClient --------------
[!] Checking WebClient vulnerability
################ Error on: check_webclient ################
Traceback (most recent call last):
File "D:\PTs\Utils\Programs\BeRoot\Windows\BeRoot\beroot\run.py", line 336, in check_all
results = c(cmd)
File "D:\PTs\Utils\Programs\BeRoot\Windows\BeRoot\beroot\run.py", line 297, in check_webclient
b = w.run(self.service, cmd)
File "D:\PTs\Utils\Programs\BeRoot\Windows\BeRoot\beroot\modules\checks\webclient\webclient.py", line 218, in run
if self.start_webclient():
File "D:\PTs\Utils\Programs\BeRoot\Windows\BeRoot\beroot\modules\checks\webclient\webclient.py", line 114, in start_webclient
if self.EventWrite(hReg, byref(event_desc), 0, None) == 0:
ValueError: Procedure probably called with not enough arguments (4 bytes missing)
It should probably either be fixed, or replaced with a more descriptive error (it's easy to check the bitness of python and of the system...).
Running it with 64-bit python works.
C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot>python beRoot.py
|====================================================================|
| |
| Windows Privilege Escalation |
| |
| ! BANG BANG ! |
| |
|====================================================================|
-------------- Check user admin --------------
[!] Is user in the administrator group
True
-------------- Check well known dlls hijacking --------------
[!] Writeable path on the path environment variable
C:\Python27\
C:\Python27\Scripts
[!] Check if well known vulnerable services are present
Associated dll: wlbsctrl.dll
Service: ikeext
-------------- Get System Priv with WebClient --------------
[!] Checking WebClient vulnerability
-------------- Error on: check_webclient --------------
Traceback (most recent call last):
File "C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot\beroot\run_checks.py", line 315, in check_all
results = c(cmd)
File "C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot\beroot\run_checks.py", line 277, in check_webclient
b = w.run(self.service, cmd)
File "C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot\beroot\modules\checks\webclient\webclient.py", line 190, in run
if self.startWebclient():
File "C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot\beroot\modules\checks\webclient\webclient.py", line 96, in startWebclient
if self.EventWrite(hReg, byref(event_desc), 0, None) == 0:
ValueError: Procedure probably called with not enough arguments (4 bytes missing)
[!] Elapsed time = 0.125
IE 8 on Windows 7 - 32-bits vm from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
I have installed python 2.7.13, pywin32 and py2exe.
C:\Users\IEUser\Downloads\BeRoot-1.0\BeRoot-1.0\BeRoot>pip freeze
impacket==0.9.15
py2exe==0.6.9
pyasn1==0.2.3
pycrypto==2.6.1
pywin32==221
Traceback (most recent call last):
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot.py", line 3, in
from beroot.run import check_all, get_sofwares
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\run.py", line 6, in
from .modules.checks.services_checks import check_services_creation_with_openscmanager, check_service_permissions
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\modules\checks\services_checks.py", line 3, in
from ..objects.winstructures import OpenSCManager, SC_MANAGER_CREATE_SERVICE
File "C:\Users\0x00\Desktop\BeRoot\Windows\BeRoot\beroot\modules\objects\winstructures.py", line 66
STANDARD_RIGHTS_REQUIRED = 0x000F0000L
^
SyntaxError: invalid syntax
[-] Failed to start the service RasMan
[?] The authentication process has not reached the end, try to check the standard output
[!] Elapsed time = 24.728000164
Hi,
Could you provide a setup.py please?
Python packaging
There is only a 64-bits pre-compiled version of the tool on https://github.com/AlessandroZ/BeRoot/releases/download/1.0/beRoot.zip .
It would be great to have 32-bits too.
Did you use py2exe for binary compilation?
If I run the BeRoot for linux script I get:
python3 ./beroot.py
|====================================================================|
| |
| Linux Privilege Escalation |
| |
| ! BANG BANG ! |
| |
|====================================================================|
Traceback (most recent call last):
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/modules/services.py", line 50, in _get_services_systemd
argv0 = unicode(argv0)
NameError: name 'unicode' is not defined
Getting permissions of sensitive files. Could take some time...
Checking for suid bins. Could take some time...
################ Suid Binaries ################
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/mount
[+] gtfobins found:
- sudo mount -o bind /bin/sh /bin/mount
- sudo mount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/umount
/usr/bin/passwd
/usr/bin/su
/usr/sbin/pppd
/usr/sbin/mount.nfs
/usr/share/skypeforlinux/chrome-sandbox
/usr/share/teams/chrome-sandbox
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/cupsPPD/prlinuxcupsppd
/usr/lib/xorg/Xorg.wrap
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/chromium-browser/chrome-sandbox
/usr/lib/openssh/ssh-keysign
Traceback (most recent call last):
File "./beroot.py", line 28, in
run(arguments.password)
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/run.py", line 192, in run
results = c()
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/run.py", line 74, in sudo_list
rules = self.sudolist.rules_from_sudo_ll()
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/modules/sudo/sudo_list.py", line 53, in rules_from_sudo_ll
sudo_rules = self._parse_sudo_list(sudo_list)
File "/mnt/ubie/mark/secur/BeRoot/Linux/beroot/modules/sudo/sudo_list.py", line 65, in _parse_sudo_list
if 'LD_PRELOAD' in sudo_list:
TypeError: a bytes-like object is required, not 'str'
I'm on Ubuntu 20.04.
uname -a
Linux fusion 5.8.0-36-generic #40~20.04.1-Ubuntu SMP Wed Jan 6 10:15:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
python3 --version
Python 3.8.5
$ wget https://github.com/AlessandroZ/BeRoot/releases/download/1.0.1/beRoot.zip
$ unzip beRoot.zip
Moved it to the windows server.
beRoot.exe
|====================================================================|
| |
| Windows Privilege Escalation |
| |
| ! BANG BANG ! |
| |
|====================================================================|
################ Service ################
[!] Permission to create a service with openscmanager
True
-------------- Get System Priv with WebClient --------------
[!] Checking WebClient vulnerability
################ Error on: check_webclient ################
Traceback (most recent call last):
File "beroot\run_checks.py", line 315, in check_all
File "beroot\run_checks.py", line 277, in check_webclient
File "beroot\modules\checks\webclient\webclient.py", line 206, in run
File "beroot\modules\checks\webclient\webclient.py", line 101, in startWebclient
ValueError: Procedure probably called with not enough arguments (4 bytes missing)
[!] Elapsed time = 0.569000005722
Hey, first of all congrats on this awesome project!
In order to run the script on target systems I'm packaging it in a zip and renaming beroot.py to main.py (the Linux version), so that I can run python beroot.zip as a standalone.
It can be useful in case you can't run it with pupy, which is my scenario.
Hey,
Why are you putting the whole code of linux exploit suggester straight into a var in your code?
What happens if the project is updated?
Cheers
Hi,
I tried to install the dependencies, but I could not download win32net with pip, or from any other source on the web. Can you help?
Hello,
The script is running fine, until sudoers file part. There I get this error:
Traceback (most recent call last):
File "./beroot.py", line 28, in
run(arguments.password)
File "/root/BeRoot/Linux/beroot/run.py", line 190, in run
results = c()
File "/root/BeRoot/Linux/beroot/run.py", line 73, in sudo_list
rules = self.sudolist.rules_from_sudo_ll()
File "/root/BeRoot/Linux/beroot/modules/sudo/sudo_list.py", line 53, in rules_from_sudo_ll
sudo_rules = self._parse_sudo_list(sudo_list)
File "/root/BeRoot/Linux/beroot/modules/sudo/sudo_list.py", line 68, in _parse_sudo_list
user = sudo_list[sudo_list.index('User '):].split(' ')[1]
ValueError: substring not found
|====================================================================|
| |
| Windows Privilege Escalation |
| |
| ! BANG BANG ! |
| |
|====================================================================|
beRoot.exe : [4332] Failed to execute script beRoot
+ CategoryInfo : NotSpecified: ([4332] Failed to execute script beRoot:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Traceback (most recent call last):
File "beRoot.py", line 95, in <module>
File "beRoot.py", line 60, in run
File "beroot\run_checks.py", line 298, in check_all
File "beroot\run_checks.py", line 26, in __init__
File "beroot\modules\get_info\from_scmanager_services.py", line 10, in get_services
pywintypes.error: (5, 'OpenSCManager', 'Access is denied.')
flake8 testing of https://github.com/AlessandroZ/BeRoot on Python 3.6.3
$ flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics
./Linux/beroot.py:14:13: E999 SyntaxError: invalid syntax
print banner
^
./Linux/beroot/analyse/analyse.py:55:39: E999 SyntaxError: invalid syntax
print '[+] Writable file: {file}\n'.format(file=fm.file.path)
^
./Linux/beroot/conf/files.py:185:21: E999 SyntaxError: invalid syntax
except Exception, e:
^
./Windows/BeRoot/beRoot.py:49:11: E999 SyntaxError: invalid syntax
print str(st)
^
./Windows/BeRoot/beroot/run_checks.py:273:72: E999 SyntaxError: invalid syntax
print '-------------- Get System Priv with WebClient --------------\n'
^
./Windows/BeRoot/beroot/modules/checks/filesystem_checks.py:24:2: E999 SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 8-9: truncated \UXXXXXXXX escape
"\Panther\Unattend.xml",
^
./Windows/BeRoot/beroot/modules/checks/system.py:6:49: E999 SyntaxError: invalid syntax
READ_CONTROL = 0x00020000L
^
./Windows/BeRoot/beroot/modules/checks/webclient/attack.py:31:19: E999 SyntaxError: invalid syntax
except Exception, e:
^
./Windows/BeRoot/beroot/modules/checks/webclient/httpserver.py:80:21: E999 SyntaxError: invalid syntax
except Exception, e:
^
./Windows/BeRoot/beroot/modules/checks/webclient/secretsdump.py:468:31: E999 SyntaxError: invalid syntax
except DCERPCException, e:
^
./Windows/BeRoot/beroot/modules/checks/webclient/smbclient.py:98:30: E999 SyntaxError: invalid syntax
print "SessionSetup Error!"
^
./Windows/BeRoot/beroot/modules/checks/webclient/webclient.py:120:34: E999 SyntaxError: invalid syntax
print '[+] Service %s found' % s.name
^
./Windows/BeRoot/beroot/modules/get_info/softwares_list.py:20:37: E999 SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 41-42: truncated \UXXXXXXXX escape
hkey = OpenKey(HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\", 0, accessRead)
^
13 E999 SyntaxError: invalid syntax
13