Added SidAttributes enum, Get-CurrentUserTokenGroupSid now returns an object with SID and attributes fields

2016-06-03 23:37:52 -04:00 · 2016-06-03 23:37:52 -04:00 · 1f926e7fd6
parent 09d253f070
commit 1f926e7fd6
1 changed files with 43 additions and 27 deletions
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@ -900,11 +900,14 @@ function Get-CurrentUserTokenGroupSid {

    .LINK

-        https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx
+        https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx
        https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx
        https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx
 #>

+    [CmdletBinding()]
+    Param()
+
    $CurrentProcess = $Kernel32::GetCurrentProcess()

    # TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY)
@ -928,17 +931,19 @@ function Get-CurrentUserTokenGroupSid {

            $TokenGroups = $TokenGroupsPtr -as $TOKEN_GROUPS

-            $TokenGroups.Groups | Where-Object {$_.SID} | Foreach-Object {
-                # convert each SID structure to a SID string we can decode
+            For ($i=0; $i -lt $TokenGroups.GroupCount; $i++) {
                $SidString = ''
-                $Result = $Advapi32::ConvertSidToStringSid($_.SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+                $Result = $Advapi32::ConvertSidToStringSid($TokenGroups.Groups[$i].SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                if($Result -eq 0) {
                    Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
                }
                else {
-                    $SidString
+                    $GroupSid = New-Object PSObject
+                    $GroupSid | Add-Member Noteproperty 'SID' $SidString
+                    $GroupSid | Add-Member Noteproperty 'Attributes' ($TokenGroups.Groups[$i].Attributes -as $SidAttributes)
+                    $GroupSid
+                }
            }
-            } | Where-Object {$_ -and ($_ -ne '')} | Sort-Object -Unique   
        }
        else {
            Write-Warning ([ComponentModel.Win32Exception] $LastError)
@ -3519,7 +3524,7 @@ function Invoke-AllChecks {
    else{
        "`n`n[*] Checking if user is in a local group with administrative privileges..."

-        $CurrentUserSids = Get-CurrentUserTokenGroupSid
+        $CurrentUserSids = Get-CurrentUserTokenGroupSid | Select-Object -ExpandProperty SID
        if($CurrentUserSids -contains 'S-1-5-32-544') {
            "[+] User is in a local group that grants administrative privileges!"
            "[+] Run a BypassUAC attack to elevate privileges to admin."
@ -3679,6 +3684,17 @@ $ServiceAccessRights = psenum $Module PowerUp.ServiceAccessRights UInt32 @{
    AllAccess =             0x000F01FF
 } -Bitfield

+$SidAttributes = psenum $Module PowerUp.SidAttributes UInt32 @{
+    SE_GROUP_ENABLED =              0x00000004
+    SE_GROUP_ENABLED_BY_DEFAULT =   0x00000002
+    SE_GROUP_INTEGRITY =            0x00000020
+    SE_GROUP_INTEGRITY_ENABLED =    0xC0000000
+    SE_GROUP_MANDATORY =            0x00000001
+    SE_GROUP_OWNER =                0x00000008
+    SE_GROUP_RESOURCE =             0x20000000
+    SE_GROUP_USE_FOR_DENY_ONLY =    0x00000010
+} -Bitfield
+
 $SID_AND_ATTRIBUTES = struct $Module PowerUp.SidAndAttributes @{
    Sid         =   field 0 IntPtr
    Attributes  =   field 1 UInt32