
Potentially unnecessary ╚ character

Open Schrubitteflau opened this issue 1 year ago • 3 comments

Hello,

I was trying to use the peas2json.py parser on a Winpeas output when I encountered a bug:

Traceback (most recent call last):
  File "peas2json.py", line 177, in <module>
    main_with_opened_file(open("out3.txt"))
  File "peas2json.py", line 169, in main_with_opened_file
    parse_line(line)
  File "peas2json.py", line 135, in parse_line
    C_SECTION["infos"].append(title)
KeyError: 'infos'

This error is raised at the beginning, when the line \x1b[1;36m╚ \x1b[1;34mYou can find a Windows local PE Checklist here: \x1b[1;33mhttps://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation\x1b[0m is parsed.

The problem is that this character is usually used as a prefix for displaying information within a section, but here it's printed before any actual section, so a parsing error occurs. Catching this kind of specific case would be possible inside the parser, but it seems that this character is not present at the beginning of the "equivalent line" of linpeas: [1;34mLinux Privesc Checklist: [1;33mhttps://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist, so my suggestion is to simply delete it!

https://github.com/carlospolop/PEASS-ng/blob/f1f321be44e027866250151763a41215f8152781/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs#L181

Which parameters did you use for executing the script and how did you execute it? just winPEASany.exe, without any parameter

If winpeas, did you use a clean or obfuscated winpeas, and for which architecture? any

Have a good day :smile:

Schrubitteflau avatar Aug 11 '22 13:08 Schrubitteflau

Hi @Schrubitteflau, sorry for the wait. I'm afraid peas2json.py for Winpeas output still has some bugs; it would be awesome if you could send a PR fixing them if you have the time. I have known about this for a while, but it has been complicated for me to find time to fix it.

carlospolop avatar Sep 01 '22 18:09 carlospolop

Hi @carlospolop

A way to fix the bug while keeping relevant results would be, in my opinion, to hardcode a condition to ignore the section if the line contains You can find a Windows local PE Checklist here, but that's very static (remember that ╚ indicates the beginning of a section, in peas2json.py).

I'm going to check it out during the next few days.

Have a good day

Schrubitteflau avatar Sep 07 '22 14:09 Schrubitteflau

I appreciate your help with this, man, as I'm completely overloaded. Let me know what you finally think would be the best solution to make peas2json.py work for Winpeas once and for all!

carlospolop avatar Sep 07 '22 18:09 carlospolop

I've sent a PR. I think just removing ╚ is fine

fredtep avatar Oct 06 '22 13:10 fredtep

Wow, sorry, I completely forgot about this issue I opened :( But yeah, I really think that removing this character is fine. I ran some tests and not having this character makes peas2json work properly, without a "You can find a Windows local PE Checklist here" section that could complicate the scan interpretation.

Schrubitteflau avatar Oct 06 '22 16:10 Schrubitteflau

This is now fixed

carlospolop avatar Oct 07 '22 09:10 carlospolop
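
The failure discussed in this thread, as an added example that is not part of the issue and is not peas2json.py's code: a simplified parser sketch showing why an info-prefixed line seen before any section raises `KeyError: 'infos'`, and a tolerant variant that files such lines under a preamble instead. The `parse` function, the `preamble` bucket, the `╣ ` title marker and all sample lines except the quoted banner are assumptions made for illustration.

```python
import re

# Matches ANSI colour sequences such as \x1b[1;36m or \x1b[0m.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
INFO_PREFIX = "╚ "   # info-line prefix, as described in the issue
TITLE_MARK = "╣ "    # assumed section-title marker for this sketch


def parse(lines, strict=False):
    """Group info lines under section titles.
    strict=True mimics the reported crash on an info line with no open section.
    """
    root = {"preamble": [], "sections": {}}
    current = {}                      # no section opened yet
    for raw in lines:
        line = ANSI_RE.sub("", raw).strip()
        if not line:
            continue
        if TITLE_MARK in line:
            title = line.split(TITLE_MARK, 1)[1].strip()
            current = root["sections"].setdefault(title, {"infos": [], "lines": []})
        elif line.startswith(INFO_PREFIX):
            info = line[len(INFO_PREFIX):]
            if strict:
                current["infos"].append(info)   # KeyError: 'infos' before first title
            elif "infos" in current:
                current["infos"].append(info)
            else:
                root["preamble"].append(info)   # keep the banner, do not crash
        elif "lines" in current:
            current["lines"].append(line)
        else:
            root["preamble"].append(line)
    return root


# Constructed sample: the first entry is the banner line quoted in the issue,
# the remaining entries are made up for illustration.
SAMPLE = [
    "\x1b[1;36m╚ \x1b[1;34mYou can find a Windows local PE Checklist here: "
    "\x1b[1;33mhttps://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation\x1b[0m",
    "\x1b[1;32m╔══════════╣ \x1b[1;31mConstructed Section Title\x1b[0m",
    "\x1b[1;36m╚ \x1b[1;34mConstructed info line\x1b[0m",
    "    Hostname: WS01",
]
```

Calling `parse(SAMPLE, strict=True)` reproduces the `KeyError` on the first line, while `parse(SAMPLE)` keeps the banner in `preamble` and parses the section normally.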