So first of all, thank you very much for having me here today. I'm very excited to be here at DEF CON in the Adversary Village. And I hope you like this presentation, which is called New Generation of PEASS. We are going to discuss a little bit about PEASS and why there is a new generation. My name is Carlos Polop. I work as a senior security engineer at Merrill. I have some certifications. I play CTFs and stuff. So if you want to know something else about me, just check my LinkedIn. And you can also contact me via Twitter, or even email for the more traditional stuff. So in this talk, we are going to talk a little bit about the PEASS suite: what it is, why it is useful, why there is a new generation. Then I'm going to very briefly introduce HackTricks and how it can be useful in combination with the PEASS suite. And then we are going to see some demos of LinPEAS, MacPEAS, and WinPEAS. At the end, we are going to very briefly see what BotPEAS is, the last one, which was added just one or two months ago. And then I want to talk a little bit about the to-do, in order to indicate to the community how you can help the PEASS suite if you like it.

So, the PEASS suite. PEASS is the name; it comes from Privilege Escalation Awesome Scripts Suite. Basically, this suite is a combination of scripts that will allow you to enumerate the most common hosts, and I'm talking about Windows, Linux, Unix in general, and even Mac, in order to find easy ways to escalate privileges. So before the PEASS suite, there were already a few scripts that performed these actions. I liked them, but I didn't feel very comfortable with them, because there was a lot of data that was mostly useless, and I didn't want to lose my time reading this data and figuring out whether I could use it in any way or not, and because they didn't have enough checks, or at least they didn't have the checks I wanted to enumerate. So that's the reason I started this suite.
So in PEASS, you are going to find very comprehensive scripts to enumerate hosts and see how hardened they are and how you can escalate privileges. You are not going to find endless data lists, so you are going to know where you need to focus in order to find the vulnerabilities you are looking for. They have more checks than any other tool. At least I try, and this is because I add probably one new check per week, so that's a very, very cool way to update the scripts. As we have said before, PEASS can be executed on Linux, macOS, mostly any Unix flavor, and also Windows, which is great. I think it is the only privilege escalation enumeration tool that can be executed on this many different operating systems. But I think the feature that most people love about PEASS is that the output is colored. This means that you are going to find, for example, the color red where something is suspicious, or the color green where something is well configured. And this is very useful in order to know where you need to focus, or where you should focus, in order to try to find vulnerabilities. The last of the characteristics is monitoring. We will talk about this later, because actually you cannot use any monitoring at the moment, but my idea with these PEASS new generation scripts is that you are going to be able to execute PEASS on a host as frequently as you want and be able to compare different results, in order to see how well you are doing at hardening your systems. As I have said, this is not available yet, but I hope it will be soon. Well, the more help the community gives me, the sooner this will be ready. But before going into depth with this, I want to show you what HackTricks is, because this is going to be highly useful when using these tools. So I'm going to open this link.
And you can see that HackTricks is basically a book with a lot of cool hacking tricks, but now I want us to focus on the privilege escalation checklists for Linux and Windows. And in a few weeks, I hope I will create one specifically for Mac, where you can basically see a checklist of things that you should search for on each computer in order to try to find vulnerabilities and improve the security, or exploit the vulnerabilities, depending on whether you are on a blue team or on a red team. Also, HackTricks is pretty useful because when you execute these tools, you are going to see some links to some parts of the book. And this is because if you don't understand the check that the script is performing, you can access this URL and you are going to have the theory about the check: what and why it's being performed, what you should check for, and how you can exploit a vulnerability found in that section, if any. You have it for Linux, for macOS in the future (I'm just starting), and for Windows. And to give you a very brief example, let's say that you find some vulnerability which is related to access tokens, and you don't know what access tokens are in a Windows environment. You can just come here and have a description of what an access token is, how to enumerate them, how they can be abused, and everything. Basically, this is pretty useful to know why PEASS is performing the checks it is doing, and how you can exploit them if you find any vulnerability. Also, you have here the URL. This is free for everyone. You can just access the book and use it as it is. So let's continue. Now we are going to start with the demos. First we are going to perform our Linux demo with LinPEAS, and then our demo with MacPEAS. So here I have a pretty vulnerable and very outdated Debian machine where we are going to execute LinPEAS, just to see the vulnerabilities that it is finding. I have already accessed this machine via SSH.
So I'm logged in. I'm the user "user", and I'm on this very outdated Debian machine. I have also already uploaded LinPEAS, so we are just going to execute it. First of all, take a look at the options, because LinPEAS and WinPEAS have several options that may be useful. For example, in LinPEAS you can find the -a option. This means perform all checks, and this is because there are some checks that are very, very slow, or that are very noisy, that by default aren't executed. But if you are playing a CTF, or you don't care about being noisy or about the time, I completely recommend you execute it with -a so that more checks are going to be executed. You also have the superfast option. And you also have some options that will allow you to perform network recon just using LinPEAS, which is kind of cool, because just with LinPEAS you will be able to enumerate the machine, but also to enumerate the network, if you don't want to upload any other tools. So let's execute LinPEAS. We are just going to run it without -a; we are just going to run LinPEAS in the normal version. So here we can see that LinPEAS starts with a very, very, very beautiful banner. Here we can find the version, and we can find the legend. This indicates what the colors mean, which is kind of awesome, because here we can see that red/yellow indicates a 95% chance of a privilege escalation vector, red means that you should just take a look at it, and green basically means well-configured things, or common things that you really shouldn't care about because they were found on other machines. We have some basic information, some information about the tools that are available to enumerate the network. And then we start enumerating the system. So here we can find system information. We can see, just in red, that the kernel is pretty old. The sudo version is also a little bit old, so they are probably vulnerable. We can see a little more information about the system.
If you're in the environment section, you may be able to find some passwords here. We enumerate also some Linux protections, like: is SELinux enabled, is ASLR enabled, is this a virtual machine? Actually, this is one. So we have here just some information about the container, if this was a container, but we aren't inside a container, so nothing interesting here. Devices, available software: it's good to know if you have some compiler available to compile possible kernel exploits. Then we start taking a look at processes that may be vulnerable to privilege escalation, process binary permissions, cron jobs, and here we can find the first highly probable privilege escalation vector that LinPEAS has found. So for example here, this user is able to write to a path that is being used in a cron job, which is then being executed by root without indicating the path. So for example, if we create a file called overwrite.sh with a reverse shell in this folder, this is going to be executed by root, and we are going to obtain a reverse shell executed by root. Here we can see that LinPEAS continues enumerating more information. Also, network is always important, to know where you are in a network, and which other networks, new networks, you can access and enumerate. Here we have just enumerated the local network, and we are even checking if we can sniff traffic using tcpdump. Then we are enumerating some user information, and here we can see that there are a bunch of ways to escalate privileges by executing different binaries with sudo. More information about the users, software information. This is pretty interesting, and it's one of the main themes of LinPEAS and WinPEAS, and it's one of the main new topics in the new generation scripts. So we are going to talk about them later, but basically here we are just looking for files that may contain sensitive information related to some specific software.
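Editor's added example, not code from the talk or from LinPEAS: a small POSIX shell script that performs the cron PATH check the speaker describes above. It reads a crontab, picks out root jobs whose command is given as a bare name (so cron resolves it through the crontab's PATH), and lists the PATH directories the current user can write to that are searched before the directory holding the real binary. The sample crontab, the job names (overwrite.sh, cleanup) and the throwaway directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example: detect cron PATH hijacking (not LinPEAS code).
# A system crontab can set PATH and run jobs as root; a job written as a bare
# name ("overwrite.sh" instead of "/usr/local/bin/overwrite.sh") is resolved
# through that PATH, so a writable directory early in it lets us plant a
# same-named script that root will execute.

# Constructed sample crontab (not from a real host).
SAMPLE_CRONTAB='PATH=/home/user/bin:/usr/local/bin:/usr/bin:/bin
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/backup.sh
@hourly root cleanup'

# Print the PATH defined in the crontab text read from stdin.
cron_path() {
  sed -n 's/^PATH=//p' | head -n 1
}

# Print the commands of jobs invoked without a slash, i.e. resolved via PATH.
# Lines are "m h dom mon dow user cmd ..." or "@shortcut user cmd ...";
# comments, blank lines and VAR=value assignments are skipped.
relative_commands() {
  awk '
    /^[ \t]*(#|$)/             { next }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    {
      cmd = ($1 ~ /^@/) ? $3 : $7
      if (cmd != "" && cmd !~ /\//) print cmd
    }'
}

# Usage: hijackable_dirs PATH CMD
# Print every directory in PATH that is searched before the directory where CMD
# really lives and is writable by the current user. If CMD exists nowhere in
# PATH, every writable directory qualifies (the hijack is then even simpler).
hijackable_dirs() {
  path=$1
  cmd=$2
  old_ifs=$IFS
  IFS=:
  for d in $path; do
    if [ -x "$d/$cmd" ]; then
      break              # the real binary is here; later dirs cannot shadow it
    fi
    if [ -d "$d" ] && [ -w "$d" ]; then
      printf '%s\n' "$d"
    fi
  done
  IFS=$old_ifs
  return 0
}

# Usage: hijack_report CRONTAB_TEXT
# One line per hijackable job, nothing if the crontab is clean.
hijack_report() {
  crontab_text=$1
  cron_path_value=$(printf '%s\n' "$crontab_text" | cron_path)
  printf '%s\n' "$crontab_text" | relative_commands | while IFS= read -r job; do
    dirs=$(hijackable_dirs "$cron_path_value" "$job" | tr '\n' ' ')
    if [ -n "$dirs" ]; then
      printf 'cron job "%s" can be hijacked via writable PATH dir(s): %s\n' "$job" "$dirs"
    fi
  done
  return 0
}

# Stand-alone demo: build a throwaway PATH layout where "cleanup" really lives in
# $tmp/sbin and "overwrite.sh" exists nowhere, then report against a sample crontab.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bin" "$tmp/sbin"
  printf '#!/bin/sh\necho real cleanup\n' > "$tmp/sbin/cleanup"
  chmod +x "$tmp/sbin/cleanup"
  hijack_report "PATH=$tmp/bin:$tmp/sbin:$tmp/missing
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/backup.sh
@hourly root cleanup"
  rm -rf "$tmp"
fi
```

Run it as `sh cron_path_check.sh --demo` (the file name is assumed). On a real host you would feed it `/etc/crontab` and the files under `/etc/cron.d`; the check deliberately stops at the first directory that contains the real binary, because cron's PATH lookup stops there too, so only directories before it can shadow the job. A writable directory that itself holds the binary is a file-permission finding rather than a PATH finding and is left to a separate check.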
For example, some Tomcat configuration files that may have passwords inside. You can see that we are looking for a bunch of them, actually. We'll talk about this later. So we are going to continue to the last section, which is interesting files. The files that are here are here just because they have some interesting fact that makes LinPEAS enumerate them. For example, here we can find all the SUID files. Some of them have been vulnerable in the past, so we have here some information about on which systems these SUID binaries are vulnerable, and also the SUID binaries that aren't known, which LinPEAS is going to execute in order to perform a few checks to see if we can abuse these files to execute arbitrary commands and escalate privileges. Same thing for SGID files. Again, if you don't know what these files are, you can follow this link and you will find all the information. Checking misconfigurations. Well, we are checking more misconfigurations. We can write a few files and folders here that we can abuse to escalate privileges, so this is very cool. Other files: basically, here you are going to see that LinPEAS is looking for a lot of information that may give you sensitive information or the power to escalate privileges. Always take a look at everything, because you can find something interesting. So this is LinPEAS. Now we are going to continue with the MacPEAS demo, but there is something important that you need to know. First of all, there is no MacPEAS script, because MacPEAS is actually inside LinPEAS. If you execute LinPEAS on a Mac host, MacPEAS is going to be executed. And I have created the script this way because the code that both scripts, both flavors of the script, share is like 90%. So almost every part of the code is shared. I just generate some specific parts for the Mac version in order to run those parts on a Mac computer instead of the regular LinPEAS ones.
But as you can see here, just execute LinPEAS on a macOS system and the MacPEAS version will be automatically executed. So this is very cool, because you only need to know how one script works in order to execute it on Linux, on macOS, and potentially on any flavor of Unix. So my current host is a Mac. So I have already executed the LinPEAS version on my Mac. Actually, I can execute it from a file, but I have executed it from memory. I have just downloaded it from GitHub and piped it into sh. This way the script is never going to touch the disk. Yeah, here we can see that. I have already executed it, because as my host has a lot more files than a virtual machine, instead of taking just one minute, this could take around five or ten minutes, and I don't want to keep you waiting. So here we can see that the banner is much uglier. I definitely need to improve that, but well, it's not among my priorities. Again, here we can see some basic information. We can see some system info, and we can mostly see the same information from LinPEAS in MacPEAS. The difference is that, underneath, there are different binaries being executed to obtain the same information, but it's pretty cool. So you just need to execute one, and it is going to be intelligent enough to distinguish between Mac or Linux, and just the correct version is going to be executed. Well, as I have said, you are going to find most of the same information as before. So we can skip this output; you can just test it on your own. Okay, okay. So, LinPEAS. Also, there are other, more stealthy ways to execute LinPEAS. A bunch of them are mentioned in the README, even ways to bypass antiviruses. So check this out, because it's going to be very cool for you to learn how you can execute LinPEAS probably just using netcat and curl, or even without that, using bash pipes. So yeah, that's all for LinPEAS. Okay. So let's continue with WinPEAS.
WinPEAS is obviously the, well, the Windows version of the script. Okay. So here I have a Windows virtual machine where we are going to execute WinPEAS. Obviously, WinPEAS is a completely different script from LinPEAS. Actually, there are two different projects for WinPEAS. One is the .bat version and the other one is the .exe version. The .bat version is less maintained than the .exe version and is mostly created for old Windows machines. So the most maintained version of WinPEAS is going to be the .exe one, and it is the one that I recommend you execute if you can. Obviously, there are some requirements, like the .NET version, but on modern Windows you are mostly going to be able to execute it, so I definitely recommend you execute this version. So here also we have a quick start, and we also have a few ways to execute WinPEAS from memory, or execute WinPEAS while doing some kind of stealthy things in order to avoid the antivirus detecting that we are executing the binary. I recommend you take a look at it, because it is pretty interesting. WinPEAS also has some interesting parameters. For example, WinPEAS allows you to execute LinPEAS, and this is very cool because if you find the Windows Subsystem for Linux on a Windows machine, you can execute LinPEAS, because it is a bash script. So if you just indicate to WinPEAS the URL where it can find LinPEAS, it is going to download and execute it from memory, I think. Also, you don't even need to host your own version of LinPEAS; you can just indicate the URL of LinPEAS inside GitHub. Oh, well, you also have more help information, basic information. Where are my colors? When you execute WinPEAS without doing anything on a new Windows host, you are not going to see any color. You need to execute this first in order to indicate to the registry that, hey, I want you to interpret the colors that are going to be displayed. Just run this; you don't need to be root or anything, and the colors will magically appear.
Well, you need to start another PowerShell. Okay, so I have already run WinPEAS on this host. We can see that we have another very beautiful banner. We have some information about the creators. And, as with LinPEAS, we start by seeing some system information. We have integrated Watson inside WinPEAS, so this is pretty cool, because it will just run with WinPEAS. Here we can find that we are enumerating the hotfixes that have been applied to this virtual machine. In this case, information about environment variables, information about audit policies, WEF, LAPS, WDigest. Again, if you don't know what, for example, WDigest is, you can just access this URL inside HackTricks and you will learn what this is and why it is important. Same for LSA Protection, Credential Guard. So the main difference between WinPEAS and LinPEAS, apart from the obvious one, is that you are not going to find these red/yellow colors in WinPEAS that you will find in LinPEAS, and this is because maybe in WinPEAS it is more complicated to be so sure that something is going to give you a privilege escalation path, so I haven't implemented those yet, but I may do that in the future. Well, as you can see, WinPEAS is enumerating a lot of things: interesting events. Now we have some user information. In red, you can find interesting things for attackers. So here you can find the user Administrator, home folder. Something interesting about WinPEAS is that it is checking every path that appears. So for example, if this path were writable by our current user, this would appear in red, and it would tell you, hey, you can write this binary, maybe you can escalate privileges, because this is being executed, as you can see here. Obviously you cannot escalate privileges by overwriting WinPEAS, because this is a binary of the user we are using, but maybe if this were being run by another user, which is an administrator, and you can write the binary, you may be able to escalate privileges.
Same for services information. Actually, here you can see an example of what I have been talking about, and it is that this service, the binary of this service, is writable by everyone. So here you have a privilege escalation path. Also, WinPEAS is checking for unquoted paths with spaces in the binpath of the services, so you may be able to abuse this misconfiguration also to escalate privileges. More information about applications, autoruns, same. You may find some places that you can write to, and your binary is going to be executed with higher privileges. So that's pretty awesome. And I want to show you a few more things. Network information, again, is very important to know where you are inside an internal network, if you're inside an internal network, or anyway which other networks you can access that you weren't able to access before. And also it's important to check the ports, TCP and, well, UDP, the ports that are listening just on localhost, because maybe these services are vulnerable and you can, well, escalate privileges using those. We found, well, the NTLM hash of our current user, I think. "user", yeah. We found the unattended file. This may have credentials of the Administrator user. And this is pretty awesome, because you can see here this section, the file analysis section, and we are also looking for a lot of files that may be storing sensitive information. So before PEASS new generation, every time I wanted to search for a file that may be containing sensitive information, I needed to add a specific check to LinPEAS and then a specific check to WinPEAS, which was pretty awful, because, well, it was kind of hard, and, well, it took several minutes. With the new generation scripts, we have this build list inside this build lists folder. We have this sensitive files YAML, where you can find all the potential files that can store sensitive information.
This is pretty awesome, because, for example, the FileZilla entry specifies to search for the folder with the name filezilla and, inside this folder, to search for the file called sitemanager.xml, and if it is found, print in red all the lines that match some of those regexes. So this is pretty awesome, because LinPEAS and WinPEAS are automatically created using this YAML. So both of them are going to search for all these files and, if they find them while executing, they are going to bring them to you. This is very awesome, because now, in order to just add a new check, if I discover a new file that may be containing sensitive information, I can just add it to this YAML, and the new LinPEAS and WinPEAS are going to automatically be built and are going to be searching for the new sensitive file. So this is very easy to maintain, and also it is very easy for the community to help me by adding new files that may be storing sensitive information. Actually, you have here a few examples, well explained. So if you want to just contribute to this script because you know about some file that may be containing credentials that isn't included yet, just take a look at the example, include the new entry in the YAML, create a pull request to master, and the new versions are going to be automatically built. So it's just awesome. As I have said before, WinPEAS has another flavor, which is the .bat one, which is meant for old machines. Actually, the syntax is a little bit more complicated, because .bat is not very flexible. Anyway, if you need to use it at any point, you can find it here, and also take a look at this explanation of how to understand the permissions, because you will need it in order to find the paths to escalate privileges, because here you are not going to find colors, because .bat is not very, very, very flexible. So we are ending this presentation. We are going to continue with BotPEAS. I created this like one or two months ago, I think. This is a very, very simple script.
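Editor's added example, not the PEASS build-list YAML or the generated scripts: a small POSIX shell implementation of the idea the speaker describes in the two passages above, where a declarative rule table drives the sensitive-file search so that adding a new file is a one-line change rather than a new check in each script. The FileZilla sitemanager.xml rule mirrors the one mentioned in the talk; the rule syntax, the .ssh/config and Tomcat rules, and the sample files under a temporary home directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: a rule-driven sensitive-file search (not PEASS code).
# Rule table, one rule per line, three fields separated by '|':
#   <directory name to look for> | <file name inside that directory> | <ERE marking a sensitive line>
# The regex is the rest of the line, so it may itself contain '|'.
# Only the FileZilla rule comes from the talk; the other two are illustrative assumptions.
RULES='filezilla|sitemanager.xml|<(Host|User|Pass)
.ssh|config|IdentityFile|ProxyCommand
conf|tomcat-users.xml|password='

# Usage: find_sensitive ROOT
# For every rule, locate directories named <dir> under ROOT and, if <file> exists
# inside, print "path:lineno:line" for each line matching the rule's regex.
find_sensitive() {
  root=$1
  printf '%s\n' "$RULES" | while IFS= read -r rule; do
    dir=${rule%%|*}
    rest=${rule#*|}
    file=${rest%%|*}
    regex=${rest#*|}
    find "$root" -type d -name "$dir" 2>/dev/null | while IFS= read -r d; do
      target="$d/$file"
      [ -f "$target" ] || continue
      # grep -n yields "lineno:line"; prefix the full path so each hit is actionable
      grep -nE "$regex" "$target" 2>/dev/null | awk -v p="$target" '{ print p ":" $0 }'
    done
  done
  return 0
}

# Usage: count_sensitive ROOT  -> number of matching lines (quick "anything there?" check)
count_sensitive() {
  find_sensitive "$1" | wc -l | tr -d ' '
}

# Stand-alone demo over a constructed directory tree.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/home/alice/.config/filezilla" "$tmp/home/alice/.ssh" "$tmp/opt/tomcat/conf"
  printf '<Server>\n<Host>ftp.example.test</Host>\n<Port>21</Port>\n<User>alice</User>\n<Pass encoding="base64">cGFzc3dvcmQ=</Pass>\n</Server>\n' \
    > "$tmp/home/alice/.config/filezilla/sitemanager.xml"
  printf 'Host jump\n  HostName jump.example.test\n  IdentityFile ~/.ssh/id_ed25519\n' \
    > "$tmp/home/alice/.ssh/config"
  printf '<tomcat-users>\n  <user username="admin" password="s3cret" roles="manager-gui"/>\n</tomcat-users>\n' \
    > "$tmp/opt/tomcat/conf/tomcat-users.xml"
  find_sensitive "$tmp"
  rm -rf "$tmp"
fi
```

Run it as `sh sensitive_files.sh --demo` (file name assumed). The point of the layout is the same one the talk makes about the YAML: the search logic is written once, and contributors extend coverage by appending a rule, not by touching the code. On a real host you would point `find_sensitive` at `/` and expect it to be slow; narrowing the rules to a directory name before opening any file is what keeps the cost down.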
This basically monitors new CVEs, and the ones that are related to privilege escalation are going to be posted in this Telegram group, and in this group we also discuss HackTricks, PEASS, and the latest news in cybersecurity. So it's free for everyone; feel free to join it. And also you can find BotPEAS on GitHub. You can find it here. And actually, this bot allows you to create your own bot in order to monitor the CVEs you are interested in. So basically you can modify this YAML and set your own keywords, and then put your Slack webhook or your Telegram token, and the bot will send you all the new CVEs that are discovered that contain the keywords that you have specified here. In this case, we are just looking for things related to privilege escalation. Yeah, things related to privilege escalation or Docker container escape. Okay, so yeah, feel free to join the group if you please. Finally, about the to-do. So we now have, in this new generation too, the capability of creating JSONs from the raw output, and you can find the script to generate these JSONs in the parsers folder. So you can basically execute the PEASS parser, give it the path to the output of one PEASS script, and generate the JSON. I'm looking forward to someone who, from that JSON, can generate beautiful PDF or HTML reports. That would be awesome. Also, I want to develop WebPEAS, which is going to be the, well, the centralized agent that will allow you to automatically execute LinPEAS or WinPEAS and compare the results, and even add new features. So I'm really looking for someone with experience in frontend or backend. So if you want to help me develop WebPEAS in order to allow performing this constant monitoring, just contact me. And finally, obviously, WinPEAS and LinPEAS are very big scripts, but they can be bigger.
So if you know about new checks, or if you want to help update the lists they are using, just contact me, because, well, this is a huge project that needs some help, the help of everybody that can help, any help that you can bring me. So I hope you have enjoyed this talk. Thank you very much. I hope you are enjoying DEF CON, and now I will be in the Discord channel if you have any questions. Thank you for your time again.