Default Invoke-PrivEscAudit to return objects for parsing

2017-05-10 00:31:44 +01:00 · 2017-05-10 00:31:44 +01:00 · 52289768a9
parent f9b95c5cf2
commit 52289768a9
1 changed files with 100 additions and 147 deletions
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@ -4670,9 +4670,14 @@ Required Dependencies: None
 Executes all functions that check for various Windows privilege escalation opportunities.
 .PARAMETER Format
 String. Format to decide on what is returned from the command, an Object Array, List, or HTML Report.
 .PARAMETER HTMLReport
-Switch. Write a HTML version of the report to SYSTEM.username.html.
+DEPRECATED - Switch. Write a HTML version of the report to SYSTEM.username.html. 
 Superseded by the Format parameter.
 .EXAMPLE
@ -4682,25 +4687,26 @@ Runs all escalation checks and outputs a status report for discovered issues.
 .EXAMPLE
-Invoke-PrivescAudit -HTMLReport
+Invoke-PrivescAudit -Format HTML
 Runs all escalation checks and outputs a status report to SYSTEM.username.html
 detailing any discovered issues.
 .OUTPUTS
 System.String
 #>
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
    [OutputType('System.String')]
    [CmdletBinding()]
    Param(
        [ValidateSet('Object','List','HTML')]
        [String]
        $Format = 'Object',
        [Switch]
        $HTMLReport
    )
-    if ($HTMLReport) {
+    if($HTMLReport){ $Format = 'HTML' }
    if ($Format -eq 'HTML') {
        $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html"
        $Header = "<style>"
        $Header = $Header + "BODY{background-color:peachpuff;}"
@ -4711,153 +4717,101 @@ System.String
        ConvertTo-HTML -Head $Header -Body "<H1>PowerUp report for '$($Env:ComputerName).$($Env:UserName)'</H1>" | Out-File $HtmlReportFile
    }
-    # initial admin checks
+    Write-Verbose "Running Invoke-PrivescAudit"
    "`n[*] Running Invoke-AllChecks"
    $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
    if ($IsAdmin){
        "[+] Current user already has local administrative privileges!"
        if ($HTMLReport) {
            ConvertTo-HTML -Head $Header -Body "<H2>User Has Local Admin Privileges!</H2>" | Out-File -Append $HtmlReportFile
        }
    }
    else{
        "`n`n[*] Checking if user is in a local group with administrative privileges..."
        $CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID
        if ($CurrentUserSids -Contains 'S-1-5-32-544') {
            "[+] User is in a local group that grants administrative privileges!"
            "[+] Run 'Invoke-WScriptUACBypass -Command `"...`"' to elevate privileges to admin."
            if ($HTMLReport) {
                ConvertTo-HTML -Head $Header -Body "<H2> User In Local Group With Administrative Privileges</H2>" | Out-File -Append $HtmlReportFile
            }
        }
    }
    "`n`n[*] Checking current process token permissions..."
    $Results = Get-ProcessTokenPrivilege -Special | Where-Object {$_}
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
    }
    $Checks = @(
        # Initial admin checks
        @{
            Type    = 'User Has Local Admin Privileges'
            Command = { if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ New-Object PSObject } }
        },
        @{
            Type        = 'User In Local Group with Admin Privileges'
            Command     = { if ((Get-ProcessTokenGroup | Select-Object -ExpandProperty SID) -contains 'S-1-5-32-544'){ New-Object PSObject } }
            AbuseScript = { 'Invoke-WScriptUACBypass -Command "..."' }
        },
        @{
            Type       = 'Process Token Privileges'
            Command    = { Get-ProcessTokenPrivilege -Special | Where-Object {$_} }
        },
        # Service checks
-
+        @{
-    "`n`n[*] Checking for unquoted service paths..."
+            Type    = 'Unquoted Service Paths'
-    $Results = Get-UnquotedService
+            Command = { Get-UnquotedService }
-    $Results | Format-List
+        },
-    if ($HTMLReport) {
+        @{
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unquoted Service Paths</H2>" | Out-File -Append $HtmlReportFile
+            Type    = 'Modifiable Service Files'
-    }
+            Command = { Get-ModifiableServiceFile }
-
+        },
-    "`n`n[*] Checking service executable and argument permissions..."
+        @{
-    $Results = Get-ModifiableServiceFile
+            Type    = 'Modifiable Services'
-    $Results | Format-List
+            Command = { Get-ModifiableService }
-    if ($HTMLReport) {
+        },
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Service File Permissions</H2>" | Out-File -Append $HtmlReportFile
    }
    "`n`n[*] Checking service permissions..."
    $Results = Get-ModifiableService
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifiable Services</H2>" | Out-File -Append $HtmlReportFile
    }
        # DLL hijacking
-
+        @{
-    "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..."
+            Type        = '%PATH% .dll Hijacks'
-    $Results = Find-PathDLLHijack
+            Command     = { Find-PathDLLHijack }
-    $Results | Where-Object {$_} | Foreach-Object {
+            AbuseScript = { "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" }
-        $AbuseString = "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'"
+        },
-        $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
+        # Registry checks
-        $_
+        @{
-    } | Format-List
+            Type        = 'AlwaysInstallElevated Registry Key'
-    if ($HTMLReport) {
+            Command     = { if (Get-RegistryAlwaysInstallElevated){ New-Object PSObject } }
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>%PATH% .dll Hijacks</H2>" | Out-File -Append $HtmlReportFile
+            AbuseScript = { 'Write-UserAddMSI' }
        },
        @{
            Type    = 'Registry Autologons'
            Command = { Get-RegistryAutoLogon }
        },
        @{
            Type    = 'Modifiable Registry Autorun'
            Command = { Get-ModifiableRegistryAutoRun }
        },
        # Other checks
        @{
            Type    = 'Modifiable Scheduled Task Files'
            Command = { Get-ModifiableScheduledTaskFile }
        },
        @{
            Type    = 'Unattended Install Files'
            Command = { Get-UnattendedInstallFile }
        },
        @{
            Type    = 'Encrypted web.config Strings'
            Command = { Get-WebConfig | Where-Object {$_} }
        },
        @{
            Type    = 'Encrypted Application Pool Passwords'
            Command = { Get-ApplicationHost | Where-Object {$_} }
        },
        @{
            Type    = 'McAfee SiteList.xml files'
            Command = { Get-SiteListPassword | Where-Object {$_} }
        },
        @{
            Type    = 'Cached GPP Files'
            Command = { Get-CachedGPPPassword | Where-Object {$_} }
        }
    )
-
+    ForEach($Check in $Checks){
-    # registry checks
+        Write-Verbose "Checking for $($Check.Type)..."
-
+        $Results = . $Check.Command
-    "`n`n[*] Checking for AlwaysInstallElevated registry key..."
+        $Results | Where-Object {$_} | ForEach-Object {
-    if (Get-RegistryAlwaysInstallElevated) {
+            $_ | Add-Member Noteproperty 'Check' $Check.Type
-        $Out = New-Object PSObject
+            if ($Check.AbuseScript){
-        $Out | Add-Member Noteproperty 'AbuseFunction' "Write-UserAddMSI"
+                $_ | Add-Member Noteproperty 'AbuseFunction' (. $Check.AbuseScript)
-        $Results = $Out
+            }
-
+        }
-        $Results | Format-List
+        switch($Format){
-        if ($HTMLReport) {
+            Object { $Results }
-            $Results | ConvertTo-HTML -Head $Header -Body "<H2>AlwaysInstallElevated</H2>" | Out-File -Append $HtmlReportFile
+            List   { "`n`n[*] Checking for $($Check.Type)..."; $Results | Format-List }
            HTML   { $Results | ConvertTo-HTML -Head $Header -Body "<H2>$($Check.Type)</H2>" | Out-File -Append $HtmlReportFile }
        }
    }
-    "`n`n[*] Checking for Autologon credentials in registry..."
+    if ($Format -eq 'HTML') {
-    $Results = Get-RegistryAutoLogon
+        Write-Verbose "[*] Report written to '$HtmlReportFile' `n"
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autologons</H2>" | Out-File -Append $HtmlReportFile
    }
    "`n`n[*] Checking for modifidable registry autoruns and configs..."
    $Results = Get-ModifiableRegistryAutoRun
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
    }
    # other checks
    "`n`n[*] Checking for modifiable schtask files/configs..."
    $Results = Get-ModifiableScheduledTaskFile
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifidable Schask Files</H2>" | Out-File -Append $HtmlReportFile
    }
    "`n`n[*] Checking for unattended install files..."
    $Results = Get-UnattendedInstallFile
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unattended Install Files</H2>" | Out-File -Append $HtmlReportFile
    }
    "`n`n[*] Checking for encrypted web.config strings..."
    $Results = Get-Webconfig | Where-Object {$_}
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted 'web.config' String</H2>" | Out-File -Append $HtmlReportFile
    }
    "`n`n[*] Checking for encrypted application pool and virtual directory passwords..."
    $Results = Get-ApplicationHost | Where-Object {$_}
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted Application Pool Passwords</H2>" | Out-File -Append $HtmlReportFile
    }
    "`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files..."
    $Results = Get-SiteListPassword | Where-Object {$_}
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>McAfee's SiteList.xml's</H2>" | Out-File -Append $HtmlReportFile
    }
    "`n`n[*] Checking for cached Group Policy Preferences .xml files..."
    $Results = Get-CachedGPPPassword | Where-Object {$_}
    $Results | Format-List
    if ($HTMLReport) {
        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
    }
    "`n"
    if ($HTMLReport) {
        "[*] Report written to '$HtmlReportFile' `n"
    }
 }
@ -5012,5 +4966,4 @@ $Kernel32 = $Types['kernel32']
 $NTDll    = $Types['ntdll']
 Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup
 Set-Alias Get-UnquotedService Get-UnquotedService
 Set-Alias Invoke-AllChecks Invoke-PrivescAudit