Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Default Invoke-PrivEscAudit to return objects for parsing

This commit is contained in:
HackJammer 2017-05-10 00:31:44 +01:00
parent f9b95c5cf2
commit 52289768a9
1 changed files with 100 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

247
Privesc/PowerUp.ps1
View File

@ -4670,9 +4670,14 @@ Required Dependencies: None
Executes all functions that check for various Windows privilege escalation opportunities.
.PARAMETER Format
String. Format to decide on what is returned from the command, an Object Array, List, or HTML Report.
.PARAMETER HTMLReport
Switch. Write a HTML version of the report to SYSTEM.username.html.
DEPRECATED - Switch. Write a HTML version of the report to SYSTEM.username.html.
Superseded by the Format parameter.
.EXAMPLE
@ -4682,25 +4687,26 @@ Runs all escalation checks and outputs a status report for discovered issues.
.EXAMPLE
Invoke-PrivescAudit -HTMLReport
Invoke-PrivescAudit -Format HTML
Runs all escalation checks and outputs a status report to SYSTEM.username.html
detailing any discovered issues.
.OUTPUTS
System.String
#>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[OutputType('System.String')]
[CmdletBinding()]
Param(
[ValidateSet('Object','List','HTML')]
[String]
$Format = 'Object',
[Switch]
$HTMLReport
)
if ($HTMLReport) {
if($HTMLReport){ $Format = 'HTML' }
if ($Format -eq 'HTML') {
$HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html"
$Header = "<style>"
$Header = $Header + "BODY{background-color:peachpuff;}"
@ -4711,153 +4717,101 @@ System.String
ConvertTo-HTML -Head $Header -Body "<H1>PowerUp report for '$($Env:ComputerName).$($Env:UserName)'</H1>" | Out-File $HtmlReportFile
}
# initial admin checks
"`n[*] Running Invoke-AllChecks"
$IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
if ($IsAdmin){
"[+] Current user already has local administrative privileges!"
if ($HTMLReport) {
ConvertTo-HTML -Head $Header -Body "<H2>User Has Local Admin Privileges!</H2>" | Out-File -Append $HtmlReportFile
}
}
else{
"`n`n[*] Checking if user is in a local group with administrative privileges..."
$CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID
if ($CurrentUserSids -Contains 'S-1-5-32-544') {
"[+] User is in a local group that grants administrative privileges!"
"[+] Run 'Invoke-WScriptUACBypass -Command `"...`"' to elevate privileges to admin."
if ($HTMLReport) {
ConvertTo-HTML -Head $Header -Body "<H2> User In Local Group With Administrative Privileges</H2>" | Out-File -Append $HtmlReportFile
}
}
}
"`n`n[*] Checking current process token permissions..."
$Results = Get-ProcessTokenPrivilege -Special | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
}
Write-Verbose "Running Invoke-PrivescAudit"
$Checks = @(
# Initial admin checks
@{
Type = 'User Has Local Admin Privileges'
Command = { if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ New-Object PSObject } }
},
@{
Type = 'User In Local Group with Admin Privileges'
Command = { if ((Get-ProcessTokenGroup | Select-Object -ExpandProperty SID) -contains 'S-1-5-32-544'){ New-Object PSObject } }
AbuseScript = { 'Invoke-WScriptUACBypass -Command "..."' }
},
@{
Type = 'Process Token Privileges'
Command = { Get-ProcessTokenPrivilege -Special | Where-Object {$_} }
},
# Service checks
"`n`n[*] Checking for unquoted service paths..."
$Results = Get-UnquotedService
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Unquoted Service Paths</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking service executable and argument permissions..."
$Results = Get-ModifiableServiceFile
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Service File Permissions</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking service permissions..."
$Results = Get-ModifiableService
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifiable Services</H2>" | Out-File -Append $HtmlReportFile
}
@{
Type = 'Unquoted Service Paths'
Command = { Get-UnquotedService }
},
@{
Type = 'Modifiable Service Files'
Command = { Get-ModifiableServiceFile }
},
@{
Type = 'Modifiable Services'
Command = { Get-ModifiableService }
},
# DLL hijacking
"`n`n[*] Checking %PATH% for potentially hijackable DLL locations..."
$Results = Find-PathDLLHijack
$Results | Where-Object {$_} | Foreach-Object {
$AbuseString = "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'"
$_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
$_
} | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>%PATH% .dll Hijacks</H2>" | Out-File -Append $HtmlReportFile
@{
Type = '%PATH% .dll Hijacks'
Command = { Find-PathDLLHijack }
AbuseScript = { "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" }
},
# Registry checks
@{
Type = 'AlwaysInstallElevated Registry Key'
Command = { if (Get-RegistryAlwaysInstallElevated){ New-Object PSObject } }
AbuseScript = { 'Write-UserAddMSI' }
},
@{
Type = 'Registry Autologons'
Command = { Get-RegistryAutoLogon }
},
@{
Type = 'Modifiable Registry Autorun'
Command = { Get-ModifiableRegistryAutoRun }
},
# Other checks
@{
Type = 'Modifiable Scheduled Task Files'
Command = { Get-ModifiableScheduledTaskFile }
},
@{
Type = 'Unattended Install Files'
Command = { Get-UnattendedInstallFile }
},
@{
Type = 'Encrypted web.config Strings'
Command = { Get-WebConfig | Where-Object {$_} }
},
@{
Type = 'Encrypted Application Pool Passwords'
Command = { Get-ApplicationHost | Where-Object {$_} }
},
@{
Type = 'McAfee SiteList.xml files'
Command = { Get-SiteListPassword | Where-Object {$_} }
},
@{
Type = 'Cached GPP Files'
Command = { Get-CachedGPPPassword | Where-Object {$_} }
}
)
# registry checks
"`n`n[*] Checking for AlwaysInstallElevated registry key..."
if (Get-RegistryAlwaysInstallElevated) {
$Out = New-Object PSObject
$Out | Add-Member Noteproperty 'AbuseFunction' "Write-UserAddMSI"
$Results = $Out
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>AlwaysInstallElevated</H2>" | Out-File -Append $HtmlReportFile
ForEach($Check in $Checks){
Write-Verbose "Checking for $($Check.Type)..."
$Results = . $Check.Command
$Results | Where-Object {$_} | ForEach-Object {
$_ | Add-Member Noteproperty 'Check' $Check.Type
if ($Check.AbuseScript){
$_ | Add-Member Noteproperty 'AbuseFunction' (. $Check.AbuseScript)
}
}
switch($Format){
Object { $Results }
List { "`n`n[*] Checking for $($Check.Type)..."; $Results | Format-List }
HTML { $Results | ConvertTo-HTML -Head $Header -Body "<H2>$($Check.Type)</H2>" | Out-File -Append $HtmlReportFile }
}
}
"`n`n[*] Checking for Autologon credentials in registry..."
$Results = Get-RegistryAutoLogon
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autologons</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for modifidable registry autoruns and configs..."
$Results = Get-ModifiableRegistryAutoRun
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
}
# other checks
"`n`n[*] Checking for modifiable schtask files/configs..."
$Results = Get-ModifiableScheduledTaskFile
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifidable Schask Files</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for unattended install files..."
$Results = Get-UnattendedInstallFile
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Unattended Install Files</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for encrypted web.config strings..."
$Results = Get-Webconfig | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted 'web.config' String</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for encrypted application pool and virtual directory passwords..."
$Results = Get-ApplicationHost | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted Application Pool Passwords</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files..."
$Results = Get-SiteListPassword | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>McAfee's SiteList.xml's</H2>" | Out-File -Append $HtmlReportFile
}
"`n`n[*] Checking for cached Group Policy Preferences .xml files..."
$Results = Get-CachedGPPPassword | Where-Object {$_}
$Results | Format-List
if ($HTMLReport) {
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
}
"`n"
if ($HTMLReport) {
"[*] Report written to '$HtmlReportFile' `n"
if ($Format -eq 'HTML') {
Write-Verbose "[*] Report written to '$HtmlReportFile' `n"
}
}
@ -5012,5 +4966,4 @@ $Kernel32 = $Types['kernel32']
$NTDll = $Types['ntdll']
Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup
Set-Alias Get-UnquotedService Get-UnquotedService
Set-Alias Invoke-AllChecks Invoke-PrivescAudit