Default Invoke-PrivEscAudit to return objects for parsing

HackJammer 2017-05-10 00:31:44 +01:00
parent f9b95c5cf2
commit 52289768a9
1 changed files with 100 additions and 147 deletions


@ -4670,9 +4670,14 @@ Required Dependencies: None
Executes all functions that check for various Windows privilege escalation opportunities. Executes all functions that check for various Windows privilege escalation opportunities.
.PARAMETER Format
String. Format to decide on what is returned from the command, an Object Array, List, or HTML Report.
.PARAMETER HTMLReport .PARAMETER HTMLReport
Switch. Write a HTML version of the report to SYSTEM.username.html. DEPRECATED - Switch. Write a HTML version of the report to SYSTEM.username.html.
Superseded by the Format parameter.
.EXAMPLE .EXAMPLE
@ -4682,25 +4687,26 @@ Runs all escalation checks and outputs a status report for discovered issues.
.EXAMPLE .EXAMPLE
Invoke-PrivescAudit -HTMLReport Invoke-PrivescAudit -Format HTML
Runs all escalation checks and outputs a status report to SYSTEM.username.html Runs all escalation checks and outputs a status report to SYSTEM.username.html
detailing any discovered issues. detailing any discovered issues.
.OUTPUTS
System.String
#> #>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[OutputType('System.String')]
[CmdletBinding()] [CmdletBinding()]
Param( Param(
[ValidateSet('Object','List','HTML')]
[String]
$Format = 'Object',
[Switch] [Switch]
$HTMLReport $HTMLReport
) )
if ($HTMLReport) { if($HTMLReport){ $Format = 'HTML' }
if ($Format -eq 'HTML') {
$HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html" $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html"
$Header = "<style>" $Header = "<style>"
$Header = $Header + "BODY{background-color:peachpuff;}" $Header = $Header + "BODY{background-color:peachpuff;}"
@ -4711,153 +4717,101 @@ System.String
ConvertTo-HTML -Head $Header -Body "<H1>PowerUp report for '$($Env:ComputerName).$($Env:UserName)'</H1>" | Out-File $HtmlReportFile ConvertTo-HTML -Head $Header -Body "<H1>PowerUp report for '$($Env:ComputerName).$($Env:UserName)'</H1>" | Out-File $HtmlReportFile
} }
# initial admin checks Write-Verbose "Running Invoke-PrivescAudit"
"`n[*] Running Invoke-AllChecks" $Checks = @(
# Initial admin checks
$IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") @{
Type = 'User Has Local Admin Privileges'
if ($IsAdmin){ Command = { if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ New-Object PSObject } }
"[+] Current user already has local administrative privileges!" },
@{
if ($HTMLReport) { Type = 'User In Local Group with Admin Privileges'
ConvertTo-HTML -Head $Header -Body "<H2>User Has Local Admin Privileges!</H2>" | Out-File -Append $HtmlReportFile Command = { if ((Get-ProcessTokenGroup | Select-Object -ExpandProperty SID) -contains 'S-1-5-32-544'){ New-Object PSObject } }
AbuseScript = { 'Invoke-WScriptUACBypass -Command "..."' }
},
@{
Type = 'Process Token Privileges'
Command = { Get-ProcessTokenPrivilege -Special | Where-Object {$_} }
},
# Service checks
@{
Type = 'Unquoted Service Paths'
Command = { Get-UnquotedService }
},
@{
Type = 'Modifiable Service Files'
Command = { Get-ModifiableServiceFile }
},
@{
Type = 'Modifiable Services'
Command = { Get-ModifiableService }
},
# DLL hijacking
@{
Type = '%PATH% .dll Hijacks'
Command = { Find-PathDLLHijack }
AbuseScript = { "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" }
},
# Registry checks
@{
Type = 'AlwaysInstallElevated Registry Key'
Command = { if (Get-RegistryAlwaysInstallElevated){ New-Object PSObject } }
AbuseScript = { 'Write-UserAddMSI' }
},
@{
Type = 'Registry Autologons'
Command = { Get-RegistryAutoLogon }
},
@{
Type = 'Modifiable Registry Autorun'
Command = { Get-ModifiableRegistryAutoRun }
},
# Other checks
@{
Type = 'Modifiable Scheduled Task Files'
Command = { Get-ModifiableScheduledTaskFile }
},
@{
Type = 'Unattended Install Files'
Command = { Get-UnattendedInstallFile }
},
@{
Type = 'Encrypted web.config Strings'
Command = { Get-WebConfig | Where-Object {$_} }
},
@{
Type = 'Encrypted Application Pool Passwords'
Command = { Get-ApplicationHost | Where-Object {$_} }
},
@{
Type = 'McAfee SiteList.xml files'
Command = { Get-SiteListPassword | Where-Object {$_} }
},
@{
Type = 'Cached GPP Files'
Command = { Get-CachedGPPPassword | Where-Object {$_} }
} }
} )
else{
"`n`n[*] Checking if user is in a local group with administrative privileges..."
$CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID ForEach($Check in $Checks){
if ($CurrentUserSids -Contains 'S-1-5-32-544') { Write-Verbose "Checking for $($Check.Type)..."
"[+] User is in a local group that grants administrative privileges!" $Results = . $Check.Command
"[+] Run 'Invoke-WScriptUACBypass -Command `"...`"' to elevate privileges to admin." $Results | Where-Object {$_} | ForEach-Object {
if ($HTMLReport) { $_ | Add-Member Noteproperty 'Check' $Check.Type
ConvertTo-HTML -Head $Header -Body "<H2> User In Local Group With Administrative Privileges</H2>" | Out-File -Append $HtmlReportFile if ($Check.AbuseScript){
$_ | Add-Member Noteproperty 'AbuseFunction' (. $Check.AbuseScript)
} }
} }
} switch($Format){
Object { $Results }
"`n`n[*] Checking current process token permissions..." List { "`n`n[*] Checking for $($Check.Type)..."; $Results | Format-List }
$Results = Get-ProcessTokenPrivilege -Special | Where-Object {$_} HTML { $Results | ConvertTo-HTML -Head $Header -Body "<H2>$($Check.Type)</H2>" | Out-File -Append $HtmlReportFile }
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
}
# Service checks
"`n`n[*] Checking for unquoted service paths..."
$Results = Get-UnquotedService
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Unquoted Service Paths</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking service executable and argument permissions..."
$Results = Get-ModifiableServiceFile
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Service File Permissions</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking service permissions..."
$Results = Get-ModifiableService
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifiable Services</H2>" | Out-File -Append $HtmlReportFile
}
# DLL hijacking
"`n`n[*] Checking %PATH% for potentially hijackable DLL locations..."
$Results = Find-PathDLLHijack
$Results | Where-Object {$_} | Foreach-Object {
$AbuseString = "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'"
$_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
$_
} | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>%PATH% .dll Hijacks</H2>" | Out-File -Append $HtmlReportFile
}
# registry checks
"`n`n[*] Checking for AlwaysInstallElevated registry key..."
if (Get-RegistryAlwaysInstallElevated) {
$Out = New-Object PSObject
$Out | Add-Member Noteproperty 'AbuseFunction' "Write-UserAddMSI"
$Results = $Out
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>AlwaysInstallElevated</H2>" | Out-File -Append $HtmlReportFile
} }
} }
"`n`n[*] Checking for Autologon credentials in registry..." if ($Format -eq 'HTML') {
$Results = Get-RegistryAutoLogon Write-Verbose "[*] Report written to '$HtmlReportFile' `n"
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autologons</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for modifidable registry autoruns and configs..."
$Results = Get-ModifiableRegistryAutoRun
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
}
# other checks
"`n`n[*] Checking for modifiable schtask files/configs..."
$Results = Get-ModifiableScheduledTaskFile
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifidable Schask Files</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for unattended install files..."
$Results = Get-UnattendedInstallFile
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Unattended Install Files</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for encrypted web.config strings..."
$Results = Get-Webconfig | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted 'web.config' String</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for encrypted application pool and virtual directory passwords..."
$Results = Get-ApplicationHost | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted Application Pool Passwords</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files..."
$Results = Get-SiteListPassword | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>McAfee's SiteList.xml's</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for cached Group Policy Preferences .xml files..."
$Results = Get-CachedGPPPassword | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
}
"`n"
if ($HTMLReport) {
"[*] Report written to '$HtmlReportFile' `n"
} }
} }
@ -5012,5 +4966,4 @@ $Kernel32 = $Types['kernel32']
$NTDll = $Types['ntdll'] $NTDll = $Types['ntdll']
Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup
Set-Alias Get-UnquotedService Get-UnquotedService
Set-Alias Invoke-AllChecks Invoke-PrivescAudit Set-Alias Invoke-AllChecks Invoke-PrivescAudit
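Review bot: The `.OUTPUTS System.String` section and the `[OutputType('System.String')]` attribute are removed in the first hunk but nothing replaces them, even though the new default `-Format Object` now emits PSObjects decorated with a `Check` noteproperty and, where a check defines `AbuseScript`, an `AbuseFunction` noteproperty, so a caller parsing the output has no documented contract. I would add an `.OUTPUTS` entry along the lines of `PSObject. With -Format Object each finding is returned with an added 'Check' noteproperty naming the check and an optional 'AbuseFunction' noteproperty; -Format List writes formatted text to the pipeline and -Format HTML writes only to the report file.` and reinstate a matching `[OutputType]` attribute. In the main hunk the `Object { $Results }` arm returns `$Results` unfiltered while the `Check` decoration is applied only after `Where-Object {$_}`, so callers may receive undecorated null entries; `Object { $Results | Where-Object {$_} }` keeps the two paths consistent. The two `Add-Member` calls inside the ForEach-Object also emit a non-terminating error if a check's result object already carries a `Check` or `AbuseFunction` member, which `-Force` would avoid if overwriting is the intended behaviour.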