├── LICENSE
├── Mango.png
├── README.md
├── accesschk.exe
├── mango.png
└── mango.ps1


/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2021, z3r0day
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/Mango.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vrikodar/Mango/0890d0e8e663969a529f6ccef738fd2f0af3840e/Mango.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Mango

![](https://github.com/SxNade/Mango/blob/main/mango.png)

**Mango is an interactive PowerShell program that searches for possible privilege escalation vectors on Windows**


# Installing and Running

*For repo*

    $ git clone https://github.com/SxNade/Mango
    $ cd Mango

    $ ls -la

**Download with curl one liner**

    curl -s https://raw.githubusercontent.com/SxNade/Mango/main/mango.ps1 -o mango.ps1

**Execute from command-prompt**

```
powershell.exe -ep bypass -c "./mango.ps1"
```

![Mango:)](https://github.com/SxNade/Mango/blob/main/Mango.png)

# About

This script is kept very minimalistic for now; more code will be added in upcoming updates!
The script is designed so that all checks requested by the user are performed as fast as possible.
The script manages and executes multiple checks in the background at the same time and then retrieves the command output for each thread.
Also, the script will not crash your shell even in case of overwhelming output [as of now ;)].

--------------------------------------------------------------------------------
/accesschk.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vrikodar/Mango/0890d0e8e663969a529f6ccef738fd2f0af3840e/accesschk.exe

--------------------------------------------------------------------------------
/mango.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vrikodar/Mango/0890d0e8e663969a529f6ccef738fd2f0af3840e/mango.png

--------------------------------------------------------------------------------
/mango.ps1:
--------------------------------------------------------------------------------
<#
Mango-v(1.0) Windows Privilege Escalation Script
Author: z3r0day

comment: This is my first ever full-fledged PowerShell script, so forgive me for any shit scripting you find in the code :)
Bully Maguire: Want forgiveness? Get religion.

This script is kept very minimalistic for now; more code will be added in upcoming updates!
The script is designed so that all checks requested by the user are performed as fast as possible.
The script manages and executes multiple checks in the background at the same time and then retrieves the command output for each thread.
Also, the script will not crash your shell even in case of overwhelming output [as of now ;)].
#>

Function banner {
    Write-Host "`n[+] Mango v(1.0) starting.....`n" -ForegroundColor Cyan
}

function job-manager($arg1) {
    # This is that background task management function :)
    $func_to_run = $arg1
    echo $func_to_run
    $id = Start-Job -ScriptBlock { $func_to_run }
    $prop = $id | Select-Object -Property JobStateInfo
    #wait for job to complete
    Get-Job | Wait-Job | Out-Null
    $Job_id = (Get-Job -State Completed | Select-Object -Property Id).Id
    Receive-Job $Job_id
    Get-job | Remove-Job | Out-Null
}

Function startup_apps {
    Write-Host "[+] Finding System Startup Apps`n" -ForegroundColor DarkGreen
    wmic startup get caption,command
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
}

Function sch_tasks {
    Write-Host "[+] Finding scheduled tasks`n" -ForegroundColor DarkGreen
    Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
}

Function command_history {
    Write-Host "[+] Fetching powershell command History!`n" -ForegroundColor DarkGreen
    Get-History
}

Function Reg_elevated {
    Write-Host "[+] Checking for Always install elevated in Registry`n" -ForegroundColor DarkGreen
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
}

Function sam_find {
    Write-Host "[+] Looking for SAM and System Files`n" -ForegroundColor DarkGreen
    $File_paths = @("C:\Windows\repair\SAM", "C:\Windows\System32\config\RegBack\SAM", "C:\Windows\System32\config\SAM", "C:\Windows\repair\system", "C:\Windows\System32\config\SYSTEM", "C:\Windows\System32\config\RegBack\system")
    ForEach ($file_path in $File_paths) {
        if (Test-Path $file_path) {
            Write-Host "Found Valid Path: $file_path"
        }
    }
}

Function reg_pass_find {
    Write-Host "[+] Searching for Keyword pass in Registry :: This could generate overwhelming output.`n" -ForegroundColor DarkGreen
    REG QUERY HKLM /F "pass" /t REG_SZ /S /K
    REG QUERY HKCU /F "pass" /t REG_SZ /S /K
}

Function conf_file_pass {
    Write-Host "[+] Looking for password keyword in configuration Files`n" -ForegroundColor DarkGreen
    Write-Host "[+] Searching for unattented XML Files..." -ForegroundColor DarkGreen
    cmd.exe /C "dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*"
    $File_paths = @("C:\unattend.xml", "C:\Windows\Panther\Unattend.xml", "C:\Windows\Panther\Unattend\Unattend.xml", "C:\Windows\system32\sysprep.inf", "C:\Windows\system32\sysprep\sysprep.xml")
    ForEach ($file_path in $File_paths) {
        if (Test-Path $file_path) {
            Write-Host "Found Valid Path: $file_path"
        }
    }
}


Function passwords_lookup {
    Write-Host "[+] Looking for Saved Creds" -ForegroundColor DarkGreen
    cmdkey /list
    job-manager(command_history)
    job-manager(sam_find)
    job-manager(conf_file_pass)
    job-manager(reg_pass_find)
}

Function insecure_service_permissions {
    Write-Host "[+] Starting check for Insecure service permissions" -ForegroundColor DarkGreen
    Write-Host "`n[+] Requires use of accesschk.exe" -ForegroundColor DarkGreen
    Write-Host "[+] Enter the Server URL http://:/accesschk.exe" -ForegroundColor DarkGreen
    $url = Read-Host
    Write-Host "`n[+] Attempting to download accesschk.exe in C:\Users\Public" -ForegroundColor DarkGreen
    curl $url -o C:\Users\Public\accesschk.exe
    C:\Users\Public\accesschk.exe /accepteula -uwcv Everyone *
}

Function unquoted_service_paths {
    Write-Host "`n[+] Checking For unquoted Service Paths" -ForegroundColor DarkGreen
    cmd.exe /C 'wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """'
}

Function system-info {
    $current_user = C:\Windows\System32\whoami.exe
    Write-Host "`n[+] My Current user: ${current_user}" -ForegroundColor DarkGreen
    Write-Host "`n[+] ${current_user}'s privileges." -ForegroundColor DarkRed
    C:\Windows\System32\whoami.exe /priv
    Write-Host "`n[+] Other users present on the System.." -ForegroundColor Red
    C:\Windows\System32\net.exe user
    Write-Host "`n[+] Fetching System info.....`n" -ForegroundColor DarkGreen
    C:\Windows\System32\systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
    wmic os get osarchitecture
    Write-Host "`n[+] Patches installed on the system.." -ForegroundColor Red
    wmic qfe

}

Function service_config {
    job-manager(insecure_service_permissions)
    job-manager(unquoted_service_paths)
}


Function Network_enum {
    Write-Host "`n[+] Fetching Basic NIC info" -ForegroundColor DarkGreen
    Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
    Write-Host "`n[+] Fetching System routing table" -ForegroundColor DarkGreen
    Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
    Write-Host "`n[+] Listing ARP table" -ForegroundColor DarkGreen
    Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
    Write-Host "`n[+] Listing Current Network Connections" -ForegroundColor DarkGreen
    netstat -ano
    Write-Host "`n[+] Listing Network Shares" -ForegroundColor DarkGreen
    net share
    Write-Host "`n[+] Fetching Firewall info" -ForegroundColor DarkGreen
    netsh firewall show state
    netsh firewall show config
}

Function C_Enum {
    $Array_def_dir = @("PerfLogs", "Program Files", "Program Files (x86)", "Share", "Users", "Windows")
    Write-Host "`n[+] Non-Default Folders present in the C:\ Dir..`n" -ForegroundColor Red
    $Dirs = Get-ChildItem -Path C:\ | Select-Object Name | where Name -NotIn $Array_def_dir
    foreach ($Element in $Dirs) {
        $dir_name = $Element.Name
        Write-Host "Dir-Name: $dir_name"
    }
    Write-Host "`n"
    foreach ($Element in $Dirs) {
        $dir_name = $Element.Name
        Write-Host "`[+] Fetching contents of $dir_name"
        dir C:\$dir_name
    }

    Write-Host "`n[+] Enumerating Non-Default Programs Installed." -ForegroundColor Red
    $Array_target1 = @("Common Files", "Internet Explorer", "VMware", "Windows Defender", "Windows Defender Advanced Threat Protection", "Windows Mail", "Windows Media Player", "Windows Multimedia Platform", "Windows NT", "Windows Photo Viewer", "WindowsPowerShell", "Windows Security", "Windows Portable Devices")
    Write-Host "`n[+] Target1: Program Files." -ForegroundColor DarkGreen
    $Dirs = Get-ChildItem -Path "C:\Program Files" | Select-Object Name | where Name -NotIn $Array_target1
    foreach ($Element in $Dirs) {
        $dir_name = $Element.Name
        Write-Host "Dir-Name: $dir_name"
    }
    $Array_target2 = @("Microsoft", "Common Files", "Internet Explorer", "VMware", "Windows Defender", "Windows Defender Advanced Threat Protection", "Windows Mail", "Windows Media Player", "Windows Multimedia Platform", "Windows NT", "Windows Photo Viewer", "WindowsPowerShell", "Windows Security", "Windows Portable Devices")
    Write-Host "`n[+] Target2: Program Files (x86)." -ForegroundColor DarkGreen
    $Dirs = Get-ChildItem -Path "C:\Program Files (x86)" | Select-Object Name | where Name -NotIn $Array_target2
    foreach ($Element in $Dirs) {
        $dir_name = $Element.Name
        Write-Host "Dir-Name: $dir_name"
    }
}



Function menu
{
    param (
        [string]$Title = "Mango-v(1.0) choose the option!"
    )
    Write-Host "`n=================================== $Title ==================================="
    Write-Host "1: Basic info about system and users"
    Write-Host "2: C:\ Enum "
    Write-Host "3: Network Information"
    Write-Host "4: Check For Service Misconfigurations"
    Write-Host "5: Reg Elevated."
    Write-Host "6: Look For Clear Text Passwords"
    Write-Host "7: Find Scheduled Tasks"
    Write-Host "8: Find Startup Applications"
    Write-Host "9: Clear the console`n"
    Write-Host "exit: exit Mango!"
    Write-Host "=============================================================================="
}



banner
while ($userinput -ne "exit") {
    menu -Title 'Mango-v(1.0) choose the options!'
    Write-Host "`nMake the Appropriate Selection:- "
    $userinput = Read-Host
    switch ($userinput)
    {
        '1' {job-manager(system-info)}

        '2' {job-manager(C_Enum)}

        '3' {job-manager(Network_enum)}

        '4' {job-manager(service_config)}

        '5' {job-manager(Reg_elevated)}

        '6' {job-manager(passwords_lookup)}

        '7' {job-manager(sch_tasks)}

        '8' {job-manager(startup_apps)}

        '9' {job-manager(Clear-Host)}

    }
}

--------------------------------------------------------------------------------
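
A stricter form of the check in `unquoted_service_paths`, written as an added audit example that is not part of Mango: the wmic/findstr filter lists every unquoted path outside `C:\Windows\`, while only an unquoted path with a space in its executable portion is ambiguous. `Test-UnquotedServicePath` and the sample services are hypothetical names constructed for this example.

```powershell
# Added example (not part of Mango): flag a service path only when it is
# unquoted AND the executable portion contains a space.
function Test-UnquotedServicePath {
    param([string]$PathName)

    $p = $PathName.Trim()
    # Empty or already quoted paths are unambiguous.
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }

    # Isolate the executable portion so spaces inside arguments are ignored.
    # Lazy match: stop at the first ".exe" followed by whitespace or end of string.
    $m = [regex]::Match($p, '(?i)^(?<exe>.+?\.exe)(\s|$)')
    $exe = if ($m.Success) { $m.Groups['exe'].Value } else { $p }

    return $exe.Contains(' ')
}

# Constructed sample data in the shape of Win32_Service (Name, PathName).
$sample = @(
    [pscustomobject]@{ Name = 'QuotedSvc';   PathName = '"C:\Program Files\Vendor A\svc.exe" -run' }
    [pscustomobject]@{ Name = 'UnquotedSvc'; PathName = 'C:\Program Files\Vendor B\agent.exe -k grp' }
    [pscustomobject]@{ Name = 'NoSpaceSvc';  PathName = 'C:\Tools\svc.exe --config C:\My Data\c.ini' }
    [pscustomobject]@{ Name = 'SysSvc';      PathName = 'C:\Windows\system32\svchost.exe -k netsvcs' }
)

# Only the services whose executable path is genuinely ambiguous are listed.
$sample |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, PathName

# On a live host, audit the real service list the same way:
# Get-CimInstance Win32_Service |
#     Where-Object { Test-UnquotedServicePath $_.PathName } |
#     Select-Object Name, StartMode, PathName
```

A flagged service is fixed by wrapping the executable path in double quotes in its `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>`.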