[WINPEAS] Add privilege escalation check: Metasploit Wrap-Up 11/14/2025 #523
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔧 Automated Privilege Escalation Check Addition
🤔 Privilege Escalation Reasoning
The post describes a critical deserialization vulnerability in Windows Server Update Services (WSUS), CVE-2025-59287, which yields remote code execution as SYSTEM because the WSUS service runs with high privileges. WSUS is a standard Windows Server role that is commonly deployed in enterprise environments, so this is not a highly custom CTF-style configuration. From a local/post-exploitation perspective, the presence of a vulnerable WSUS instance in the environment represents a powerful privilege-escalation and lateral-movement vector: a low-privileged user or a compromised host that can reach the WSUS HTTP(S) endpoint could exploit this to gain SYSTEM on the WSUS server. While the blog is framed around a remote exploit module in Metasploit, the underlying technique—abusing a deserialization flaw in a widely-deployed, privileged Windows role service—is squarely within the kind of environmental privesc checks winpeas can surface (e.g., detecting presence of vulnerable, privileged services/roles and their versions). The other items in the post (LINQPad persistence mixin, Azure AD login scanner improvements, SMB pipe auditor adding the 'cert' pipe) are persistence or recon/attack-surface-enumeration helpers, but they are not themselves local privilege-escalation primitives appropriate for automated linpeas/winpeas checks. AD CS discovery via the 'cert' named pipe is useful for finding potential certificate-based escalation paths, but it is at the recon/intel layer rather than a concrete, generally exploitable local privesc condition that a generic script could reliably trigger. In contrast, a known CVE in WSUS that yields SYSTEM is a concrete, widely-relevant escalation/lateral-movement opportunity.
🤖 Implementation Details
PEASS winpeas agent completed successfully with 124 items. Agent Comment: Summary:
PrintWSUSinwinPEASexe/winPEAS/Checks/SystemInfo.csto go beyond the legacy HTTP-only warning: it now surfaces any configured WSUS endpoint, highlights whether clients are forced to use it, and explicitly calls out CVE-2025-59287 as an unauthenticated deserialization RCE path so operators know to target or patch the referenced server.HKLM\SOFTWARE\Microsoft\Update Services\Server\Setupand theWSUSServiceinstance via WMI (through the newTryGetServiceStateAndAccounthelper). When the WSUS role is installed, winPEAS reports the running account, service state, version, and reiterates the CVE-2025-59287 risk.winPEASexe/README.mdto document that WSUS checks now cover both HTTP downgrade issues and the new CVE-2025-59287 exposure.Testing:
dotnet build winPEAS.sln(fails: build environment lacks the .NET Framework 4.8 reference assemblies / developer pack, so the solution cannot build here even though the new code compiles syntactically)🏗️ Builder Agent Response
WinPEAS validation agent completed successfully with 62 items. Agent Comment: Summary:
git status/git diffand confirmed only two files are touched: the README andSystemInfo.cs(new WSUS enumeration logic and helper).winPEAS/winPEASexe/{winPEAS, winPEAS.Tests, binaries, etc.}) to keep context on where the modified check lives.SystemInfo.cs: verified the new null-safe comparisons, the additional CVE-2025-59287 messaging, and the helperTryGetServiceStateAndAccount. Confirmedusing System.Management;is present at the top and that the project already references theSystem.Managementassembly, so the new WMI code compiles cleanly.System.Managementusages to ensure consistency, and validatedwinPEAS.csprojXML structure using Python’sxml.etree.ElementTree.dotnet build). The build still halts because this Linux runner lacks the .NET Framework 4.8 targeting pack, which is expected for WinPEAS, not because of code issues.Tests:
dotnet build(fails due to missing .NETFramework v4.8 reference assemblies on Linux; no code errors reported).python - <<'PY' ... ET.parse('winPEAS.csproj') ...(confirms the project XML is well-formed).No additional defects surfaced during validation, so no further code edits were necessary. The outstanding branch changes remain limited to the WSUS feature and README note, and the project will build once it runs on a Windows environment that has the .NET Framework 4.8 developer pack installed.
Confidence: High
This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.