beRoot

Description

BeRoot is a post-exploitation tool that checks for common misconfigurations (writable service binaries and directories, unquoted service paths, writable startup keys and task directories, and similar) that could be used to escalate privileges on the host.

Platform: All
Author: AlessandroZ
License: ?
URL: https://github.com/AlessandroZ/BeRoot

Usage

Windows:

|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
 
 
usage: beRoot [-h] [-l] [-w] [-c CMD]
 
Windows Privilege Escalation
 
optional arguments:
  -h, --help         show this help message and exit
  -l, --list         list all softwares installed (not run by default)
  -w, --write        write output
  -c CMD, --cmd CMD  cmd to execute for the webclient check (default: whoami)

Linux:

|====================================================================|
|                                                                    |
|                      Linux Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

Examples

beRoot (on Windows)

This is the default output of beRoot on Windows when run with no other arguments (the output is truncated with "..." where the service list continues).

|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
 
 
 
################ Service ################
 
[!] Permission to create a service with openscmanager
True
 
[!] Path containing spaces without quotes
permissions: {'change_config': False, 'start': False, 'stop': False}
Name: Video Stream
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Video Stream
Full path: C:\Program Files\VideoStream\1337 Log\checklog.exe
Writables path found:
        - C:\
        - C:\Program Files\VideoStream
 
 
[!] Binary located on a writable directory
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc
Full path: C:\WINDOWS\system32\svchost.exe -k AarSvcGroup -p
Writable directory: C:\WINDOWS\system32
Name: AarSvc
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc_1df1243
Full path: C:\WINDOWS\system32\svchost.exe -k AarSvcGroup -p
Writable directory: C:\WINDOWS\system32
Name: AarSvc_1df1243
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AJRouter
Full path: C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Writable directory: C:\WINDOWS\system32
Name: AJRouter
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG
Full path: C:\WINDOWS\System32\alg.exe
Writable directory: C:\WINDOWS\System32
Name: ALG
...
permissions: {'change_config': False, 'start': False, 'stop': False}
Name: Sense
Writable directory: C:\Program Files\Windows Defender Advanced Threat Protection
Full path: "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
 
 
 
################ Startup Keys ################
 
[!] Registry key with writable access
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
 
[!] Binary located on a writable directory
Name: SecurityHealth
Key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Writable directory: C:\WINDOWS\system32
Full path: %windir%\system32\SecurityHealthSystray.exe
 
Name: VMware User Process
Key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Writable directory: C:\Program Files\VMware\VMware Tools
Full path: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
 
 
 
################ Taskscheduler ################
 
[!] Permission to write on the task directory: c:\windows\system32\tasks
True
 
-------------- Get System Priv with WebClient --------------
 
[!] Checking WebClient vulnerability
 
################ Error on: check_webclient ################
Traceback (most recent call last):
  File "beroot\run_checks.py", line 315, in check_all
  File "beroot\run_checks.py", line 277, in check_webclient
  File "beroot\modules\checks\webclient\webclient.py", line 206, in run
  File "beroot\modules\checks\webclient\webclient.py", line 101, in startWebclient
ValueError: Procedure probably called with not enough arguments (4 bytes missing)
 
 
[!] Elapsed time = 0.729000091553
