Added documentation for PowerUp

This commit is contained in:
HarmJ0y 2016-12-14 11:53:29 -05:00
parent 5da1774219
commit 7964823e3f
37 changed files with 3070 additions and 129 deletions

View File

@ -739,9 +739,9 @@ function Get-ModifiablePath {
Parses a passed string containing multiple possible file/folder paths and returns
the file paths where the current user has modification rights.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -935,9 +935,9 @@ function Get-TokenInformation {
Helpers that returns token groups or privileges for a passed process/thread token.
Used by Get-ProcessTokenGroup and Get-ProcessTokenPrivilege.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect
.DESCRIPTION
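Review bot: "Helpers that returns token groups or privileges" should be "Helper that returns ..." (singular). The line is unchanged context here, but it is the SYNOPSIS the generated Get-TokenInformation.md and Get-Help will carry, so it is worth fixing while this help block is being touched.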
@ -1065,9 +1065,9 @@ function Get-ProcessTokenGroup {
Returns all SIDs that the current token context is a part of, whether they are disabled or not.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Get-TokenInformation
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Get-TokenInformation
.DESCRIPTION
@ -1197,9 +1197,9 @@ function Get-ProcessTokenPrivilege {
Returns all privileges for the current (or specified) process ID.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Get-TokenInformation
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Get-TokenInformation
.DESCRIPTION
@ -1354,9 +1354,9 @@ function Enable-Privilege {
Enables a specific privilege for the current process.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect
.DESCRIPTION
@ -1451,9 +1451,9 @@ function Add-ServiceDacl {
Adds a Dacl field to a service object returned by Get-Service.
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
.DESCRIPTION
@ -1567,9 +1567,9 @@ function Set-ServiceBinaryPath {
Sets the binary path for a service to a specified value.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
.DESCRIPTION
@ -1688,9 +1688,9 @@ function Test-ServiceDaclPermission {
Tests one or more passed services or service names against a given permission set,
returning the service objects where the current user have the specified permissions.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: Add-ServiceDacl
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: Add-ServiceDacl
.DESCRIPTION
@ -1868,9 +1868,9 @@ function Get-UnquotedService {
Returns the name and binary path for services with unquoted paths
that also have a space in the name.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission
.DESCRIPTION
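Review bot: the SYNOPSIS "services with unquoted paths that also have a space in the name" misstates the condition being checked. What makes an unquoted service path hijackable is a space in the binary path itself, which lets an earlier path component be resolved as the executable; the service name is irrelevant. Suggest "services whose unquoted binary path contains a space". The same wording is repeated in the README hunk in this commit, so fix both.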
@ -1931,9 +1931,9 @@ function Get-ModifiableServiceFile {
Enumerates all services and returns vulnerable service files.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Test-ServiceDaclPermission
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath
.DESCRIPTION
@ -1989,9 +1989,9 @@ function Get-ModifiableService {
Enumerates all services and returns services for which the current user can modify the binPath.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Test-ServiceDaclPermission
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail
.DESCRIPTION
@ -2036,9 +2036,9 @@ function Get-ServiceDetail {
Returns detailed information about a specified service by querying the
WMI win32_service class for the specified service name.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -2109,9 +2109,9 @@ function Invoke-ServiceAbuse {
Abuses a function the current user has configuration rights on in order
to add a local administrator or execute a custom command.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath
.DESCRIPTION
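Review bot: "Abuses a function the current user has configuration rights on" should read "Abuses a service the current user has configuration rights on"; the dependencies (Get-ServiceDetail, Set-ServiceBinaryPath) and the rest of the sentence make clear it operates on a service, and "function" is misleading in the generated page and in Get-Help.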
@ -2346,9 +2346,9 @@ function Write-ServiceBinary {
Patches in the specified command to a pre-compiled C# service executable and
writes the binary out to the specified ServicePath location.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -2529,9 +2529,9 @@ function Install-ServiceBinary {
Replaces the service binary for the specified service with one that executes
a specified command as SYSTEM.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary
.DESCRIPTION
@ -2698,9 +2698,9 @@ function Restore-ServiceBinary {
Restores a service binary backed up by Install-ServiceBinary.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Get-ModifiablePath
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Get-ModifiablePath
.DESCRIPTION
@ -2793,9 +2793,9 @@ function Find-ProcessDLLHijack {
Finds all DLL hijack locations for currently running processes.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -2948,9 +2948,9 @@ function Find-PathDLLHijack {
Finds all directories in the system %PATH% that are modifiable by the current user.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath
.DESCRIPTION
@ -3001,9 +3001,9 @@ function Write-HijackDll {
Patches in the path to a specified .bat (containing the specified command) into a
pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
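Review bot: the SYNOPSIS is missing a conjunction: "into a pre-compiled hijackable C++ DLL writes the DLL out to" should be "into a pre-compiled hijackable C++ DLL and writes the DLL out to". It also says the DLL goes to "the specified ServicePath location", a name that looks carried over from Write-ServiceBinary; if this function's output parameter is not actually called ServicePath, name the real one, since the generated SYNTAX block will show the true parameter and the prose should match it.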
@ -3229,9 +3229,9 @@ function Get-RegistryAlwaysInstallElevated {
Checks if any of the AlwaysInstallElevated registry keys are set.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -3298,9 +3298,9 @@ function Get-RegistryAutoLogon {
Finds any autologon credentials left in the registry.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -3361,9 +3361,9 @@ function Get-ModifiableRegistryAutoRun {
Returns any elevated system autoruns in which the current user can
modify part of the path string.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath
.DESCRIPTION
@ -3439,9 +3439,9 @@ function Get-ModifiableScheduledTaskFile {
Returns scheduled tasks where the current user can modify any file
in the associated task action string.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath
.DESCRIPTION
@ -3518,9 +3518,9 @@ function Get-UnattendedInstallFile {
Checks several locations for remaining unattended installation files,
which may have deployment credentials.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.EXAMPLE
@ -3577,9 +3577,9 @@ function Get-WebConfig {
This script will recover cleartext and encrypted connection strings from all web.config
files on the system. Also, it will decrypt them if needed.
Author: Scott Sutherland, Antti Rantasaari
License: BSD 3-Clause
Required Dependencies: None
Author: Scott Sutherland, Antti Rantasaari
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -3791,9 +3791,9 @@ function Get-ApplicationHost {
Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system.
Author: Scott Sutherland
License: BSD 3-Clause
Required Dependencies: None
Author: Scott Sutherland
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -3952,10 +3952,10 @@ function Get-SiteListPassword {
Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
Based on Jerome Nokin (@funoverip)'s Python solution (in links).
Author: Jerome Nokin (@funoverip)
PowerShell Port: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Author: Jerome Nokin (@funoverip)
PowerShell Port: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -4153,9 +4153,9 @@ function Get-CachedGPPPassword {
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and
left in cached files on the host.
Author: Chris Campbell (@obscuresec), local cache mods by @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
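Review bot: the Author line drops "local cache mods by @harmj0y". If that is deliberate (one name per Author field for the doc generator), fine, but otherwise the credit for the local-cache modification should be kept, for example on its own line the way the Get-SiteListPassword block in this same file keeps "PowerShell Port: @harmj0y".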
@ -4360,9 +4360,9 @@ function Write-UserAddMSI {
Writes out a precompiled MSI installer that prompts for a user/group addition.
This function can be used to abuse Get-RegistryAlwaysInstallElevated.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -4414,9 +4414,9 @@ function Invoke-WScriptUACBypass {
Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.
Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
License: BSD 3-Clause
Required Dependencies: None
Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -4650,9 +4650,9 @@ function Invoke-PrivescAudit {
Executes all functions that check for various Windows privilege escalation opportunities.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
.DESCRIPTION
@ -4979,4 +4979,6 @@ $Advapi32 = $Types['advapi32']
$Kernel32 = $Types['kernel32']
$NTDll = $Types['ntdll']
Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup
Set-Alias Get-UnquotedService Get-UnquotedService
Set-Alias Invoke-AllChecks Invoke-PrivescAudit
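Review bot: `Set-Alias Get-UnquotedService Get-UnquotedService` defines an alias that points at its own name, which is at best a no-op and at worst shadows or loops on the function, since PowerShell resolves aliases before functions. The README hunk in this commit renames `Get-ServiceUnquoted` to `Get-UnquotedService`, so the backwards-compatibility alias presumably intended is `Set-Alias Get-ServiceUnquoted Get-UnquotedService`, matching the `Invoke-AllChecks` -> `Invoke-PrivescAudit` alias on the next line.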

View File

@ -23,37 +23,36 @@ PowerShellVersion = '2.0'
# Functions to export from this module
FunctionsToExport = @(
'Add-ServiceDacl',
'Enable-Privilege',
'Find-PathDLLHijack',
'Find-ProcessDLLHijack',
'Get-ApplicationHost',
'Get-CachedGPPPassword',
'Get-ModifiablePath',
'Get-ModifiableRegistryAutoRun',
'Get-ModifiableScheduledTaskFile',
'Get-ModifiableService',
'Get-ModifiableServiceFile',
'Get-ProcessTokenGroup',
'Get-ProcessTokenPrivilege',
'Get-RegistryAlwaysInstallElevated',
'Get-RegistryAutoLogon',
'Get-ServiceDetail',
'Get-SiteListPassword',
'Get-TokenInformation',
'Get-UnquotedService',
'Get-UnattendedInstallFile',
'Get-WebConfig',
'Install-ServiceBinary',
'Invoke-ServiceAbuse',
'Invoke-WScriptUACBypass',
'Invoke-PrivescAudit',
'Restore-ServiceBinary',
'Enable-Privilege',
'Add-ServiceDacl',
'Set-ServiceBinaryPath',
'Test-ServiceDaclPermission',
'Write-UserAddMSI',
'Write-HijackDll',
'Get-UnquotedService',
'Get-ModifiableServiceFile',
'Get-ModifiableService',
'Get-ServiceDetail',
'Invoke-ServiceAbuse',
'Write-ServiceBinary',
'Install-ServiceBinary',
'Restore-ServiceBinary',
'Find-ProcessDLLHijack',
'Find-PathDLLHijack',
'Write-HijackDll',
'Get-RegistryAlwaysInstallElevated',
'Get-RegistryAutoLogon',
'Get-ModifiableRegistryAutoRun',
'Get-ModifiableScheduledTaskFile',
'Get-UnattendedInstallFile',
'Get-WebConfig',
'Get-ApplicationHost',
'Get-SiteListPassword',
'Get-CachedGPPPassword',
'Write-UserAddMSI',
'Invoke-WScriptUACBypass',
'Invoke-PrivescAudit',
'Get-System'
)
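Review bot: the export list goes from alphabetical to grouped-by-category, which makes future additions harder to diff; if the grouping is intended, a comment per group would help, otherwise keep it alphabetical. Separately, the aliases added to PowerUp.ps1 in this commit (`Invoke-AllChecks` and the Get-UnquotedService one) only reach users who import via this manifest if the manifest exports them, so check that `AliasesToExport` lists them (or is `'*'`); `FunctionsToExport` alone does not export aliases.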

View File

@ -27,13 +27,18 @@ Required Dependencies: None
Optional Dependencies: None
### Service Enumeration:
Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
### Token/Privilege Enumeration/Abuse:
Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not
Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID
Enable-Privilege - enables a specific privilege for the current process
### Service Enumeration/Abuse:
Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set
Get-UnquotedService - returns services with unquoted paths that also have a space in the name
Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config
Get-ModifiableService - returns services the current user can modify
Get-ServiceDetail - returns detailed information about a specified service
### Service Abuse:
Set-ServiceBinaryPath - sets the binary path for a service to a specified value
Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command
Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command
Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command
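Review bot: the two new headings "Service Enumeration/Abuse" and "Service Abuse" overlap; the entries under the first (Test-ServiceDaclPermission, Get-UnquotedService, Get-ModifiableServiceFile, Get-ModifiableService, Get-ServiceDetail) are all enumeration, so "Service Enumeration" for the first heading keeps the split clean.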
@ -45,7 +50,7 @@ Optional Dependencies: None
Write-HijackDll - writes out a hijackable DLL
### Registry Checks:
Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
Get-RegistryAutoLogon - checks for Autologon credentials in the registry
Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
@ -59,9 +64,6 @@ Optional Dependencies: None
### Other Helpers/Meta-Functions:
Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify
Get-CurrentUserTokenGroupSid - returns all SIDs that the current user is a part of, whether they are disabled or not
Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service
Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods
Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set
Write-UserAddMSI - write out a MSI installer that prompts for a user to be added
Invoke-AllChecks - runs all current escalation checks and returns a report
Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks)
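Review bot: this hunk drops `Write-UserAddMSI` from the helpers list and nothing in the visible hunks re-adds it under another heading; its own help says it exists to abuse Get-RegistryAlwaysInstallElevated, so list it next to that check rather than leaving it out of the README. The removed `Get-CurrentUserTokenGroupSid` and `Invoke-AllChecks` names survive as `Set-Alias` entries in PowerUp.ps1, so the "(formerly Invoke-AllChecks)" note is consistent; the same "(formerly Get-CurrentUserTokenGroupSid)" note on the Get-ProcessTokenGroup line would help users of the old name.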

docs/Privesc/Add-ServiceDacl.md Executable file
View File

@ -0,0 +1,68 @@
# Add-ServiceDacl
## SYNOPSIS
Adds a Dacl field to a service object returned by Get-Service.
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
## SYNTAX
```
Add-ServiceDacl [-Name] <String[]>
```
## DESCRIPTION
Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
Dacl field to each object.
It does this by opening a handle with ReadControl for the
service with using the GetServiceHandle Win32 API call and then uses
QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-Service | Add-ServiceDacl
```
Add Dacls for every service the current user can read.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service -Name VMTools | Add-ServiceDacl
```
Add the Dacl to the VMTools service object.
## PARAMETERS
### -Name
An array of one or more service names to add a service Dacl for.
Passable on the pipeline.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### ServiceProcess.ServiceController
## NOTES
## RELATED LINKS
[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
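Review bot: the DESCRIPTION's "opening a handle with ReadControl for the service with using the GetServiceHandle Win32 API call" is wrong on the API name and reads oddly. There is no Win32 function named GetServiceHandle; the native call that opens a service with a requested access mask is `OpenService`, and a `ServiceController` object exposes an already-open handle through its `ServiceHandle` property. Reword to whichever of the two the code actually uses, and drop "with using". Since this page is generated from the comment-based help, the fix belongs in the `.DESCRIPTION` block in PowerUp.ps1, not in the markdown.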

docs/Privesc/Enable-Privilege.md Executable file
View File

@ -0,0 +1,105 @@
# Enable-Privilege
## SYNOPSIS
Enables a specific privilege for the current process.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect
## SYNTAX
```
Enable-Privilege [-Privilege] <String[]>
```
## DESCRIPTION
Uses RtlAdjustPrivilege to enable a specific privilege for the current process.
Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege
can be passed on the pipeline.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ProcessTokenPrivilege
```
Privilege Attributes ProcessId
--------- ---------- ---------
SeShutdownPrivilege DISABLED 3620
SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620
SeUndockPrivilege DISABLED 3620
SeIncreaseWorkingSetPrivilege DISABLED 3620
SeTimeZonePrivilege DISABLED 3620
Enable-Privilege SeShutdownPrivilege
Get-ProcessTokenPrivilege
Privilege Attributes ProcessId
--------- ---------- ---------
SeShutdownPrivilege SE_PRIVILEGE_ENABLED 3620
SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620
SeUndockPrivilege DISABLED 3620
SeIncreaseWorkingSetPrivilege DISABLED 3620
SeTimeZonePrivilege DISABLED 3620
### -------------------------- EXAMPLE 2 --------------------------
```
Get-ProcessTokenPrivilege
```
Privilege Attributes ProcessId
--------- ---------- ---------
SeShutdownPrivilege DISABLED 2828
SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828
SeUndockPrivilege DISABLED 2828
SeIncreaseWorkingSetPrivilege DISABLED 2828
SeTimeZonePrivilege DISABLED 2828
Get-ProcessTokenPrivilege | Enable-Privilege -Verbose
VERBOSE: Attempting to enable SeShutdownPrivilege
VERBOSE: Attempting to enable SeChangeNotifyPrivilege
VERBOSE: Attempting to enable SeUndockPrivilege
VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege
VERBOSE: Attempting to enable SeTimeZonePrivilege
Get-ProcessTokenPrivilege
Privilege Attributes ProcessId
--------- ---------- ---------
SeShutdownPrivilege SE_PRIVILEGE_ENABLED 2828
SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828
SeUndockPrivilege SE_PRIVILEGE_ENABLED 2828
SeIncreaseWorkingSetPrivilege SE_PRIVILEGE_ENABLED 2828
SeTimeZonePrivilege SE_PRIVILEGE_ENABLED 2828
## PARAMETERS
### -Privilege
{{Fill Privilege Description}}
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: Privileges
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
## RELATED LINKS
[http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html](http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html)
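Review bot: `{{Fill Privilege Description}}` under `### -Privilege` is the doc generator's placeholder for a missing `.PARAMETER Privilege` entry in the comment-based help; add one (for example "One or more privilege names such as SeShutdownPrivilege, or Get-ProcessTokenPrivilege objects from the pipeline") so the generated page does not ship the placeholder. In both examples only the first line, `Get-ProcessTokenPrivilege`, is fenced; the output table and the follow-on `Enable-Privilege SeShutdownPrivilege` and `Get-ProcessTokenPrivilege | Enable-Privilege -Verbose` commands render as prose and lose their column alignment. Either fence the whole transcript in the `.EXAMPLE` block or lead with the `Enable-Privilege` call and put the before/after output beneath it.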

View File

@ -0,0 +1,45 @@
# Find-PathDLLHijack
## SYNOPSIS
Finds all directories in the system %PATH% that are modifiable by the current user.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath
## SYNTAX
```
Find-PathDLLHijack
```
## DESCRIPTION
Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath
to return the folder paths the current user can write to.
On Windows 7, if wlbsctrl.dll is
written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search
order loading.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Find-PathDLLHijack
```
Finds all %PATH% .DLL hijacking opportunities.
## PARAMETERS
## INPUTS
## OUTPUTS
### PowerUp.HijackableDLL.Path
## NOTES
## RELATED LINKS
[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)
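Review bot: in the DESCRIPTION, `%PATH` is missing its closing `%`, and "execution for the IKEEXT can be hijacked" should read "the IKEEXT service". Both come from the `.DESCRIPTION` block in PowerUp.ps1, so fix them there and regenerate rather than patching the markdown.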

View File

@ -0,0 +1,127 @@
# Find-ProcessDLLHijack
## SYNOPSIS
Finds all DLL hijack locations for currently running processes.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Find-ProcessDLLHijack [[-Name] <String[]>] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned]
```
## DESCRIPTION
Enumerates all currently running processes with Get-Process (or accepts an
input process object from Get-Process) and enumerates the loaded modules for each.
All loaded module name exists outside of the process binary base path, as those
are DLL load-order hijack candidates.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Find-ProcessDLLHijack
```
Finds possible hijackable DLL locations for all processes.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Process VulnProcess | Find-ProcessDLLHijack
```
Finds possible hijackable DLL locations for the 'VulnProcess' processes.
### -------------------------- EXAMPLE 3 --------------------------
```
Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles
```
Finds possible hijackable DLL locations not in C:\Windows\* and
not in C:\Program Files\* or C:\Program Files (x86)\*
### -------------------------- EXAMPLE 4 --------------------------
```
Find-ProcessDLLHijack -ExcludeOwned
```
Finds possible hijackable DLL location for processes not owned by the
current user.
## PARAMETERS
### -Name
The name of a process to enumerate for possible DLL path hijack opportunities.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: ProcessName
Required: False
Position: 1
Default value: $(Get-Process | Select-Object -Expand Name)
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -ExcludeWindows
Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExcludeProgramFiles
Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExcludeOwned
Exclude processes the current user owns.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.HijackableDLL.Process
## NOTES
## RELATED LINKS
[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/)
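Review bot: the second DESCRIPTION sentence, "All loaded module name exists outside of the process binary base path, as those are DLL load-order hijack candidates.", is garbled. Read together with the SYNOPSIS and the -ExcludeWindows / -ExcludeProgramFiles parameters, the intent is that any loaded module whose file sits outside the process binary's own directory is reported, so reword along the lines of "Any loaded module whose file is outside the process binary's base directory is returned as a DLL load-order hijack candidate." Fix it in the `.DESCRIPTION` block in PowerUp.ps1, since this page is generated from it.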

View File

@ -0,0 +1,95 @@
# Get-ApplicationHost
## SYNOPSIS
Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system.
Author: Scott Sutherland
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-ApplicationHost
```
## DESCRIPTION
This script will decrypt and recover application pool and virtual directory passwords
from the applicationHost.config file on the system.
The output supports the
pipeline which can be used to convert all of the results into a pretty table by piping
to format-table.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Return application pool and virtual directory passwords from the applicationHost.config on the system.
```
Get-ApplicationHost
user : PoolUser1
pass : PoolParty1!
type : Application Pool
vdir : NA
apppool : ApplicationPool1
user : PoolUser2
pass : PoolParty2!
type : Application Pool
vdir : NA
apppool : ApplicationPool2
user : VdirUser1
pass : VdirPassword1!
type : Virtual Directory
vdir : site1/vdir1/
apppool : NA
user : VdirUser2
pass : VdirPassword2!
type : Virtual Directory
vdir : site2/
apppool : NA
### -------------------------- EXAMPLE 2 --------------------------
```
Return a list of cleartext and decrypted connect strings from web.config files.
```
Get-ApplicationHost | Format-Table -Autosize
user pass type vdir apppool
---- ---- ---- ---- -------
PoolUser1 PoolParty1!
Application Pool NA ApplicationPool1
PoolUser2 PoolParty2!
Application Pool NA ApplicationPool2
VdirUser1 VdirPassword1!
Virtual Directory site1/vdir1/ NA
VdirUser2 VdirPassword2!
Virtual Directory site2/ NA
## PARAMETERS
## INPUTS
## OUTPUTS
### System.Data.DataTable
System.Boolean
## NOTES
Author: Scott Sutherland - 2014, NetSPI
Version: Get-ApplicationHost v1.0
Comments: Should work on IIS 6 and Above
## RELATED LINKS
[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
http://www.netspi.com
http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
http://www.netspi.com
http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)
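Review bot: both EXAMPLE blocks are inverted: the fenced line is the English description ("Return application pool and virtual directory passwords from the applicationHost.config on the system.") while the actual command `Get-ApplicationHost` and `Get-ApplicationHost | Format-Table -Autosize` sit outside the fence with their output. The generator takes the first line after `.EXAMPLE` as the command, so in PowerUp.ps1 put the command first and the description after the output. EXAMPLE 2's text, "Return a list of cleartext and decrypted connect strings from web.config files", is copied from Get-WebConfig and should describe applicationHost.config. The RELATED LINKS entry is four URLs folded into a single markdown link because they share one `.LINK` block; one URL per `.LINK` entry yields one link each.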

View File

@ -0,0 +1,55 @@
# Get-CachedGPPPassword
## SYNOPSIS
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and
left in cached files on the host.
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-CachedGPPPassword
```
## DESCRIPTION
Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and
datasources.xml files and returns plaintext passwords.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-CachedGPPPassword
```
NewName : \[BLANK\]
Changed : {2013-04-25 18:36:07}
Passwords : {Super!!!Password}
UserNames : {SuperSecretBackdoor}
File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7
C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr
oups.xml
## PARAMETERS
## INPUTS
## OUTPUTS
## NOTES
## RELATED LINKS
[http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html)
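Review bot: "searches the local machine for cached for groups.xml" has a doubled "for". As with Get-ApplicationHost, five URLs are mashed into one RELATED LINKS anchor because they share a single `.LINK` entry; split them into one `.LINK` per URL. The example output also shows `\[BLANK\]`, the generator escaping `[BLANK]` as markdown; fencing the output inside the `.EXAMPLE` block avoids that.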

View File

@ -0,0 +1,102 @@
# Get-ModifiablePath
## SYNOPSIS
Parses a passed string containing multiple possible file/folder paths and returns
the file paths where the current user has modification rights.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-ModifiablePath [-Path] <String[]> [-Literal]
```
## DESCRIPTION
Takes a complex path specification of an initial file/folder path with possible
configuration files, 'tokenizes' the string in a number of possible ways, and
enumerates the ACLs for each path that currently exists on the system.
Any path that
the current user has modification rights on is returned in a custom object that contains
the modifiable path, associated permission set, and the IdentityReference with the specified
rights.
The SID of the current user and any group he/she are a part of are used as the
comparison set against the parsed path DACLs.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath
```
Path Permissions IdentityReference
---- ----------- -----------------
C:\Temp\blah.exe {ReadAttributes, ReadCo...
NT AUTHORITY\Authentic...
C:\Temp\config.ini {ReadAttributes, ReadCo...
NT AUTHORITY\Authentic...
### -------------------------- EXAMPLE 2 --------------------------
```
Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath
```
Path Permissions IdentityReference
---- ----------- -----------------
C:\Vuln\blah.bat {ReadAttributes, ReadCo...
NT AUTHORITY\Authentic...
C:\Vuln\config.ini {ReadAttributes, ReadCo...
NT AUTHORITY\Authentic...
...
## PARAMETERS
### -Path
The string path to parse for modifiable files.
Required
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: FullName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -Literal
Switch.
Treat all paths as literal (i.e.
don't do 'tokenization').
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: LiteralPaths
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.TokenPrivilege.ModifiablePath
Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for
a modifiable path.
## NOTES
## RELATED LINKS
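Review bot: OUTPUTS declares `PowerUp.TokenPrivilege.ModifiablePath`, while Get-ModifiableService.md in this same commit declares `PowerUp.ModifiablePath`; the `TokenPrivilege` segment looks copy-pasted from the token functions. Pick the type name the function actually tags its objects with and use it consistently across the pages. The stray "Required" line under `### -Path` duplicates the yaml `Required: True` field and can go, and in both example tables each row is wrapped onto two lines (Path and Permissions, then IdentityReference), which fencing the output in the `.EXAMPLE` block would avoid.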

View File

@ -0,0 +1,44 @@
# Get-ModifiableRegistryAutoRun
## SYNOPSIS
Returns any elevated system autoruns in which the current user can
modify part of the path string.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath
## SYNTAX
```
Get-ModifiableRegistryAutoRun
```
## DESCRIPTION
Enumerates a number of autorun specifications in HKLM and filters any
autoruns through Get-ModifiablePath, returning any file/config locations
in the found path strings that the current user can modify.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ModifiableRegistryAutoRun
```
Return vulneable autorun binaries (or associated configs).
## PARAMETERS
## INPUTS
## OUTPUTS
### PowerUp.ModifiableRegistryAutoRun
Custom PSObject containing results.
## NOTES
## RELATED LINKS
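Review bot: "vulneable" in EXAMPLE 1 should be "vulnerable"; the typo originates in the `.EXAMPLE` text in PowerUp.ps1, so fix it there and regenerate.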

View File

@ -0,0 +1,45 @@
# Get-ModifiableScheduledTaskFile
## SYNOPSIS
Returns scheduled tasks where the current user can modify any file
in the associated task action string.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath
## SYNTAX
```
Get-ModifiableScheduledTaskFile
```
## DESCRIPTION
Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks"
and parses the XML specification for each task, extracting the command triggers.
Each trigger string is filtered through Get-ModifiablePath, returning any file/config
locations in the found path strings that the current user can modify.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ModifiableScheduledTaskFile
```
Return scheduled tasks with modifiable command strings.
## PARAMETERS
## INPUTS
## OUTPUTS
### PowerUp.ModifiableScheduledTaskFile
Custom PSObject containing results.
## NOTES
## RELATED LINKS
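Review bot: "command triggers" and "trigger string" in the description misuse Task Scheduler terms. In the task XML, Triggers define when a task fires; the executable and its arguments live under Actions/Exec (Command and Arguments), and the synopsis already calls this the "task action string", so the description should say action, not trigger. Also document what happens for task files under System32\Tasks that the current user cannot read: enumeration is silently incomplete in that case, which matters when interpreting an empty result.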

@ -0,0 +1,40 @@
# Get-ModifiableService
## SYNOPSIS
Enumerates all services and returns services for which the current user can modify the binPath.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail
## SYNTAX
```
Get-ModifiableService
```
## DESCRIPTION
Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if
the current user has rights to change the service configuration.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ModifiableService
```
Get a set of potentially exploitable services.
## PARAMETERS
## INPUTS
## OUTPUTS
### PowerUp.ModifiablePath
## NOTES
## RELATED LINKS
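Review bot: the synopsis says the user "can modify the binPath" while the description says "rights to change the service configuration"; state the exact service access right that Test-ServiceDaclPermission checks, because a user who merely holds start/stop rights on a service is not exploitable by this route and a reader needs to know which case is reported. The dependency list names Get-ServiceDetail but the description only mentions Get-Service; say what each is used for. The OUTPUTS type `PowerUp.ModifiablePath` is the type Get-ModifiablePath returns for file paths, and Get-ModifiableServiceFile in this commit claims the same type, yet this function describes services, not paths; give it a type of its own or document that it passes through the underlying objects.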

@ -0,0 +1,45 @@
# Get-ModifiableServiceFile
## SYNOPSIS
Enumerates all services and returns vulnerable service files.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath
## SYNTAX
```
Get-ModifiableServiceFile
```
## DESCRIPTION
Enumerates all services by querying the WMI win32_service class.
For each service,
it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine
if the current user has rights to modify the service binary itself or any associated
arguments.
If the associated binary (or any configuration files) can be overwritten,
privileges may be able to be escalated.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ModifiableServiceFile
```
Get a set of potentially exploitable service binares/config files.
## PARAMETERS
## INPUTS
## OUTPUTS
### PowerUp.ModifiablePath
## NOTES
## RELATED LINKS
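Review bot: typo in Example 1, "binares" should be "binaries". Test-ServiceDaclPermission is listed as a required dependency but never appears in the description, which only walks through win32_service and Get-ModifiablePath; if the function also reports whether the user can restart the service (needed to get the replaced binary executed), say so, since that is the check a practitioner wants before touching anything. As in Get-ModifiableService, the OUTPUTS type `PowerUp.ModifiablePath` is shared with the raw path checker; either document that the raw Get-ModifiablePath objects are returned or name the service-specific type.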

@ -0,0 +1,114 @@
# Get-ProcessTokenGroup
## SYNOPSIS
Returns all SIDs that the current token context is a part of, whether they are disabled or not.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Get-TokenInformation
## SYNTAX
```
Get-ProcessTokenGroup [[-Id] <UInt32>]
```
## DESCRIPTION
First, if a process ID is passed, then the process is opened using OpenProcess(),
otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
OpenProcessToken() is then used to get a handle to the specified process token.
The token
is then passed to Get-TokenInformation to query the current token groups for the specified
token.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ProcessTokenGroup
```
SID Attributes ProcessId
--- ---------- ---------
S-1-5-21-890171859-3433809...
..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 1372
S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 1372
S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-5-21-890171859-3433809...
..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-5-21-890171859-3433809...
..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-5-21-890171859-3433809...
..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 1372
S-1-16-8192 1372
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Process notepad | Get-ProcessTokenGroup
```
SID Attributes ProcessId
--- ---------- ---------
S-1-5-21-890171859-3433809...
..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 2640
S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 2640
S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-5-21-890171859-3433809...
..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-5-21-890171859-3433809...
..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-5-21-890171859-3433809...
..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 2640
S-1-16-8192 2640
## PARAMETERS
### -Id
The process ID to enumerate token groups for, otherwise defaults to the current process.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases: ProcessID
Required: False
Position: 1
Default value: 0
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.TokenGroup
Outputs a custom object containing the token group (SID/attributes) for the specified token if
"-InformationClass 'Groups'" is passed.
PowerUp.TokenPrivilege
Outputs a custom object containing the token privilege (name/attributes) for the specified token if
"-InformationClass 'Privileges'" is passed
## NOTES
## RELATED LINKS
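Review bot: the OUTPUTS section refers to "-InformationClass 'Groups'" and "-InformationClass 'Privileges'", a parameter this function does not have (SYNTAX shows only `-Id`); the text was copied from Get-TokenInformation and should be cut down to the `PowerUp.TokenGroup` paragraph only. Both examples have their output tables outside the closing fence. Worth one sentence in the description: when `-Id` points at a process owned by another user, OpenProcess/OpenProcessToken need PROCESS_QUERY_(LIMITED_)INFORMATION and TOKEN_QUERY access and will fail otherwise, so document the error behaviour for Example 2 style pipelines. It would also help readers to note what the sample output already shows, that `S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY` means the token is a UAC-filtered administrator token, which is exactly the situation the UAC-bypass and Get-System functions in this commit are for.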

@ -0,0 +1,131 @@
# Get-ProcessTokenPrivilege
## SYNOPSIS
Returns all privileges for the current (or specified) process ID.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Get-TokenInformation
## SYNTAX
```
Get-ProcessTokenPrivilege [[-Id] <UInt32>] [-Special]
```
## DESCRIPTION
First, if a process ID is passed, then the process is opened using OpenProcess(),
otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
OpenProcessToken() is then used to get a handle to the specified process token.
The token
is then passed to Get-TokenInformation to query the current privileges for the specified
token.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ProcessTokenPrivilege
```
Privilege Attributes ProcessId
--------- ---------- ---------
SeShutdownPrivilege DISABLED 2600
SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2600
SeUndockPrivilege DISABLED 2600
SeIncreaseWorkingSetPrivilege DISABLED 2600
SeTimeZonePrivilege DISABLED 2600
### -------------------------- EXAMPLE 2 --------------------------
```
Get-ProcessTokenPrivilege -Special
```
Privilege Attributes ProcessId
--------- ---------- ---------
SeSecurityPrivilege DISABLED 2444
SeTakeOwnershipPrivilege DISABLED 2444
SeBackupPrivilege DISABLED 2444
SeRestorePrivilege DISABLED 2444
SeSystemEnvironmentPriv...
DISABLED 2444
SeImpersonatePrivilege ...T, SE_PRIVILEGE_ENABLED 2444
### -------------------------- EXAMPLE 3 --------------------------
```
Get-Process notepad | Get-ProcessTokenPrivilege | fl
```
Privilege : SeShutdownPrivilege
Attributes : DISABLED
ProcessId : 2640
Privilege : SeChangeNotifyPrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
ProcessId : 2640
Privilege : SeUndockPrivilege
Attributes : DISABLED
ProcessId : 2640
Privilege : SeIncreaseWorkingSetPrivilege
Attributes : DISABLED
ProcessId : 2640
Privilege : SeTimeZonePrivilege
Attributes : DISABLED
ProcessId : 2640
## PARAMETERS
### -Id
The process ID to enumerate token groups for, otherwise defaults to the current process.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases: ProcessID
Required: False
Position: 1
Default value: 0
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -Special
Switch.
Only return 'special' privileges, meaning admin-level privileges.
These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege,
SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: Privileged
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.TokenGroup
Outputs a custom object containing the token group (SID/attributes) for the specified token if
"-InformationClass 'Groups'" is passed.
PowerUp.TokenPrivilege
Outputs a custom object containing the token privilege (name/attributes) for the specified token if
"-InformationClass 'Privileges'" is passed
## NOTES
## RELATED LINKS
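Review bot: the `-Id` description says "enumerate token groups for" and the OUTPUTS section again mentions `-InformationClass`, both copied from neighbouring functions; this file should say privileges and list only `PowerUp.TokenPrivilege`. Example outputs are outside their fences. For `-Special`, add the caveat that matters most: a privilege shown as `DISABLED` (SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege in Example 2) is still held by the token and can be enabled with AdjustTokenPrivileges, so a disabled special privilege is a finding, not a negative result. Example 3 uses the `fl` alias; spell out Format-List in documentation.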

@ -0,0 +1,45 @@
# Get-RegistryAlwaysInstallElevated
## SYNOPSIS
Checks if any of the AlwaysInstallElevated registry keys are set.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-RegistryAlwaysInstallElevated
```
## DESCRIPTION
Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys
are set, $False otherwise.
If one of these keys are set, then all .MSI files run with
elevated permissions, regardless of current user permissions.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-RegistryAlwaysInstallElevated
```
Returns $True if any of the AlwaysInstallElevated registry keys are set.
## PARAMETERS
## INPUTS
## OUTPUTS
### System.Boolean
$True if RegistryAlwaysInstallElevated is set, $False otherwise.
## NOTES
## RELATED LINKS
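Review bot: the description is wrong on the condition: the AlwaysInstallElevated policy only takes effect when the value is set to 1 under both HKLM and HKCU; with only one of them set, msiexec ignores it. "or the HKCU ... keys are set" and "If one of these keys are set" should read "and both", and the example text "if any of the ... keys are set" should be corrected to match. These are REG_DWORD values named AlwaysInstallElevated under the Installer key, not keys themselves. "run with elevated permissions" should say that the MSI is installed with SYSTEM privileges, which is why this is an escalation rather than a UAC issue. Grammar: "one of these keys are set" should be "is set".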

@ -0,0 +1,44 @@
# Get-RegistryAutoLogon
## SYNOPSIS
Finds any autologon credentials left in the registry.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-RegistryAutoLogon
```
## DESCRIPTION
Checks if any autologon accounts/credentials are set in a number of registry locations.
If they are, the credentials are extracted and returned as a custom PSObject.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-RegistryAutoLogon
```
Finds any autologon credentials left in the registry.
## PARAMETERS
## INPUTS
## OUTPUTS
### PowerUp.RegistryAutoLogon
Custom PSObject containing autologin credentials found in the registry.
## NOTES
## RELATED LINKS
[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb)
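Review bot: "a number of registry locations" is too vague for a credential check; name them, e.g. the Winlogon key values DefaultDomainName, DefaultUserName, DefaultPassword and their AltDefault* counterparts, so a reader can verify by hand. "autologon" and "autologin" are both used; pick one. Add the caveat that a configured autologon does not guarantee a plaintext DefaultPassword value: when set up via the Sysinternals Autologon tool the password is stored as an LSA secret instead, so an empty result here does not rule autologon out. The example description just repeats the synopsis; show the fields of the returned object.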

@ -0,0 +1,65 @@
# Get-ServiceDetail
## SYNOPSIS
Returns detailed information about a specified service by querying the
WMI win32_service class for the specified service name.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-ServiceDetail [-Name] <String[]>
```
## DESCRIPTION
Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on
the pipeline object returned by Get-Service, extracts out the service name, queries the
WMI win32_service class for the specified service for details like binPath, and outputs
everything.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ServiceDetail -Name VulnSVC
```
Gets detailed information about the 'VulnSVC' service.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service VulnSVC | Get-ServiceDetail
```
Gets detailed information about the 'VulnSVC' service.
## PARAMETERS
### -Name
An array of one or more service names to query information for.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### System.Management.ManagementObject
## NOTES
## RELATED LINKS
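Review bot: typo "objedts" and the first sentence of the description is garbled ("ServiceController objedts on the pipeline object returned by Get-Service"); suggest "Takes one or more service names, or ServiceController objects from Get-Service on the pipeline, extracts the service name, queries the WMI win32_service class for details such as PathName (the binPath), StartName and StartMode, and outputs the full object." Naming the properties a reader will look at (PathName, StartName) is more useful than "like binPath".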

@ -0,0 +1,96 @@
# Get-SiteListPassword
## SYNOPSIS
Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
Based on Jerome Nokin (@funoverip)'s Python solution (in links).
Author: Jerome Nokin (@funoverip)
PowerShell Port: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-SiteListPassword [[-Path] <String[]>]
```
## DESCRIPTION
Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\,
C:\Documents and Settings\, or C:\Users\.
For any files found, the appropriate
credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword
function that takes advantage of McAfee's static key encryption.
Any decrypted credentials
are output in custom objects.
See links for more information.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-SiteListPassword
```
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName :
Path : Products/CommonUpdater
Name : McAfeeHttp
DecPassword : MyStrongPassword!
Enabled : 1
DomainName :
Server : update.nai.com:80
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName : McAfeeService
Path : Repository$
Name : Paris
DecPassword : MyStrongPassword!
Enabled : 1
DomainName : companydomain
Server : paris001
EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
UserName : McAfeeService
Path : Repository$
Name : Tokyo
DecPassword : MyStrongPassword!
Enabled : 1
DomainName : companydomain
Server : tokyo000
## PARAMETERS
### -Path
Optional path to a SiteList.xml file or folder.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.SiteListPassword
## NOTES
## RELATED LINKS
[https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf)
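Review bot: RELATED LINKS is broken markdown: the four URLs from the .LINK block were rendered as a single link whose text and target both contain newlines. Split them into one link per line. The example output is outside the fence. Grammar in the synopsis: "for found McAfee's SiteList.xml files" should be "from any McAfee SiteList.xml files found". Since DecPassword is plaintext and the sample shows a domain service account (McAfeeService / companydomain), add a line noting the output contains credentials and should be handled accordingly.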

docs/Privesc/Get-System.md Executable file
@ -0,0 +1,172 @@
# Get-System
## SYNOPSIS
GetSystem functionality inspired by Meterpreter's getsystem.
'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create
a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege.
NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure
token duplication works correctly.
PowerSploit Function: Get-System
Author: @harmj0y, @mattifestation
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
## SYNTAX
### NamedPipe (Default)
```
Get-System [-Technique <String>] [-ServiceName <String>] [-PipeName <String>]
```
### Token
```
Get-System [-Technique <String>]
```
### RevToSelf
```
Get-System [-RevToSelf]
```
### WhoAmI
```
Get-System [-WhoAmI]
```
## DESCRIPTION
{{Fill in the Description}}
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-System
```
Uses named impersonate to elevate the current thread token to SYSTEM.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-System -ServiceName 'PrivescSvc' -PipeName 'secret'
```
Uses named impersonate to elevate the current thread token to SYSTEM
with a custom service and pipe name.
### -------------------------- EXAMPLE 3 --------------------------
```
Get-System -Technique Token
```
Uses token duplication to elevate the current thread token to SYSTEM.
### -------------------------- EXAMPLE 4 --------------------------
```
Get-System -WhoAmI
```
Displays the credentials for the current thread.
### -------------------------- EXAMPLE 5 --------------------------
```
Get-System -RevToSelf
```
Reverts the current thread privileges.
## PARAMETERS
### -Technique
The technique to use, 'NamedPipe' or 'Token'.
```yaml
Type: String
Parameter Sets: NamedPipe, Token
Aliases:
Required: False
Position: Named
Default value: NamedPipe
Accept pipeline input: False
Accept wildcard characters: False
```
### -ServiceName
The name of the service used with named pipe impersonation, defaults to 'TestSVC'.
```yaml
Type: String
Parameter Sets: NamedPipe
Aliases:
Required: False
Position: Named
Default value: TestSVC
Accept pipeline input: False
Accept wildcard characters: False
```
### -PipeName
The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'.
```yaml
Type: String
Parameter Sets: NamedPipe
Aliases:
Required: False
Position: Named
Default value: TestSVC
Accept pipeline input: False
Accept wildcard characters: False
```
### -RevToSelf
Reverts the current thread privileges.
```yaml
Type: SwitchParameter
Parameter Sets: RevToSelf
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -WhoAmI
Switch.
Display the credentials for the current PowerShell thread.
```yaml
Type: SwitchParameter
Parameter Sets: WhoAmI
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
## RELATED LINKS
[https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/](https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/)
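Review bot: DESCRIPTION is still the platyPS placeholder "{{Fill in the Description}}" and must be filled in before this ships. Missing precondition that changes how the function is read: the NamedPipe technique creates a service and the Token technique needs SeDebugPrivilege to open a SYSTEM process, so both require an already-elevated administrator context; this is an admin-to-SYSTEM step, not a user-to-admin escalation, and the description should say so. Synopsis typo "'Token' duplications a SYSTEM token"; Examples 1 and 2 say "named impersonate" where "named pipe impersonation" is meant. Examples also deserve a note that a service named TestSVC with pipe TestSVC is a very recognisable artifact, which is why -ServiceName and -PipeName exist. RELATED LINKS has the same multi-URL-in-one-link breakage as Get-SiteListPassword.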

@ -0,0 +1,44 @@
# Get-UnattendedInstallFile
## SYNOPSIS
Checks several locations for remaining unattended installation files,
which may have deployment credentials.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-UnattendedInstallFile
```
## DESCRIPTION
{{Fill in the Description}}
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-UnattendedInstallFile
```
Finds any remaining unattended installation files.
## PARAMETERS
## INPUTS
## OUTPUTS
### PowerUp.UnattendedInstallFile
Custom PSObject containing results.
## NOTES
## RELATED LINKS
[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)
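Review bot: DESCRIPTION is the unfilled placeholder "{{Fill in the Description}}". Fill it with the list of locations the function checks (the Panther unattend.xml variants, sysprep.xml/sysprep.inf and the Sysprep directory under System32 are the usual suspects) so that a reader can reproduce the check by hand, and say whether only existence is reported or the file contents are parsed. Worth adding: passwords in unattend.xml are often stored base64-encoded rather than in clear, so document whether the function decodes them or the reader must.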

@ -0,0 +1,45 @@
# Get-UnquotedService
## SYNOPSIS
Get-UnquotedService Returns the name and binary path for services with unquoted paths
that also have a space in the name.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission
## SYNTAX
```
Get-UnquotedService
```
## DESCRIPTION
Uses Get-WmiObject to query all win32_service objects and extract out
the binary pathname for each.
Then checks if any binary paths have a space
and aren't quoted.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-UnquotedService
```
Get a set of potentially exploitable services.
## PARAMETERS
## INPUTS
## OUTPUTS
### PowerUp.UnquotedService
## NOTES
## RELATED LINKS
[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb)
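Review bot: the synopsis repeats the function name ("Get-UnquotedService Returns ...") and says "a space in the name" where "a space in the path" is meant. The description stops at "have a space and aren't quoted", but an unquoted path is only exploitable if the user can write to one of the directories that the service controller will try on the way (for `C:\Program Files\Some Dir\svc.exe` that is `C:\Program.exe` or `C:\Program Files\Some.exe`), and Get-ModifiablePath is listed as a dependency, so say that this write check is performed and reported. Test-ServiceDaclPermission is also a dependency without a mention; state what it contributes (presumably whether the user can restart the service to trigger the hijack).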

docs/Privesc/Get-WebConfig.md Executable file
@ -0,0 +1,93 @@
# Get-WebConfig
## SYNOPSIS
This script will recover cleartext and encrypted connection strings from all web.config
files on the system.
Also, it will decrypt them if needed.
Author: Scott Sutherland, Antti Rantasaari
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Get-WebConfig
```
## DESCRIPTION
This script will identify all of the web.config files on the system and recover the
connection strings used to support authentication to backend databases.
If needed, the
script will also decrypt the connection strings on the fly.
The output supports the
pipeline which can be used to convert all of the results into a pretty table by piping
to format-table.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Return a list of cleartext and decrypted connect strings from web.config files.
```
Get-WebConfig
user : s1admin
pass : s1password
dbserv : 192.168.1.103\server1
vdir : C:\test2
path : C:\test2\web.config
encr : No
user : s1user
pass : s1password
dbserv : 192.168.1.103\server1
vdir : C:\inetpub\wwwroot
path : C:\inetpub\wwwroot\web.config
encr : Yes
### -------------------------- EXAMPLE 2 --------------------------
```
Return a list of clear text and decrypted connect strings from web.config files.
```
Get-WebConfig | Format-Table -Autosize
user pass dbserv vdir path encr
---- ---- ------ ---- ---- ----
s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No
s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No
s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No
s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes
s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No
## PARAMETERS
## INPUTS
## OUTPUTS
### System.Boolean
System.Data.DataTable
## NOTES
Below is an alterantive method for grabbing connection strings, but it doesn't support decryption.
for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings
Author: Scott Sutherland - 2014, NetSPI
Author: Antti Rantasaari - 2014, NetSPI
## RELATED LINKS
[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
http://www.netspi.com
https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
http://www.netspi.com
https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)
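Review bot: Examples 1 and 2 are inverted: the descriptive sentence is inside the fence and the command plus its output are outside; move `Get-WebConfig` and `Get-WebConfig | Format-Table -Autosize` with their output into the fences and the sentence below them. "decrypt the connection strings on the fly" needs the caveat that protected configuration sections are decrypted with the host's own provider keys (DPAPI machine key or the RSA key container), so decryption only works on the server where the web.config was encrypted, by an account with access to that key. OUTPUTS lists both System.Boolean and System.Data.DataTable without saying when each is returned. Typo "alterantive" in NOTES, and the Author lines are duplicated between SYNOPSIS and NOTES. RELATED LINKS has the same multi-URL link breakage as the other files.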

@ -0,0 +1,175 @@
# Install-ServiceBinary
## SYNOPSIS
Replaces the service binary for the specified service with one that executes
a specified command as SYSTEM.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary
## SYNTAX
```
Install-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
[-Credential <PSCredential>] [-Command <String>]
```
## DESCRIPTION
Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the
current user can modify the associated service binary listed in the binPath.
Backs up
the original service binary to "OriginalService.exe.bak" in service binary location,
and then uses Write-ServiceBinary to create a C# service binary that either adds
a local administrator user or executes a custom command.
The new service binary is
replaced in the original service binary path, and a custom object is returned that
captures the original and new service binary configuration.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Install-ServiceBinary -Name VulnSVC
```
Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
for VulnSVC with one that adds a local Administrator (john/Password123!).
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service VulnSVC | Install-ServiceBinary
```
Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
for VulnSVC with one that adds a local Administrator (john/Password123!).
### -------------------------- EXAMPLE 3 --------------------------
```
Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
```
Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
for VulnSVC with one that adds TESTLAB\john to the Administrators local group.
### -------------------------- EXAMPLE 4 --------------------------
```
Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
```
Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
for VulnSVC with one that adds a local Administrator (backdoor/Password123!).
### -------------------------- EXAMPLE 5 --------------------------
```
Install-ServiceBinary -Name VulnSVC -Command "net ..."
```
Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
for VulnSVC with one that executes a custom command.
## PARAMETERS
### -Name
The service name the EXE will be running under.
```yaml
Type: String
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -UserName
The \[domain\\\]username to add.
If not given, it defaults to "john".
Domain users are not created, only added to the specified localgroup.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: John
Accept pipeline input: False
Accept wildcard characters: False
```
### -Password
The password to set for the added user.
If not given, it defaults to "Password123!"
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Password123!
Accept pipeline input: False
Accept wildcard characters: False
```
### -LocalGroup
Local group name to add the user to (default of 'Administrators').
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False
```
### -Credential
A \[Management.Automation.PSCredential\] object specifying the user/password to add.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
### -Command
Custom command to execute instead of user creation.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.ServiceBinary.Installed
## NOTES
## RELATED LINKS
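Review bot: the backup file name is inconsistent: the description says "OriginalService.exe.bak" while every example says "SERVICE_PATH.exe.bak"; state the actual naming rule once. Typo "esrvice". Default user is "john" in the text and "John" in the yaml default; align them. Because the original service binary is overwritten in place, document the restore procedure (copy the .bak back over the replaced binary after the service is stopped) and note that the replacement fails if the service is running with the file locked, which is the common case for a started service. Also note that -Password is a plain String alongside -Credential; prefer pointing readers at -Credential.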

@ -0,0 +1,63 @@
# Invoke-PrivescAudit
## SYNOPSIS
Executes all functions that check for various Windows privilege escalation opportunities.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Invoke-PrivescAudit [-HTMLReport]
```
## DESCRIPTION
Executes all functions that check for various Windows privilege escalation opportunities.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Invoke-PrivescAudit
```
Runs all escalation checks and outputs a status report for discovered issues.
### -------------------------- EXAMPLE 2 --------------------------
```
Invoke-PrivescAudit -HTMLReport
```
Runs all escalation checks and outputs a status report to SYSTEM.username.html
detailing any discovered issues.
## PARAMETERS
### -HTMLReport
Switch.
Write a HTML version of the report to SYSTEM.username.html.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### System.String
## NOTES
## RELATED LINKS
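Review bot: DESCRIPTION merely repeats the synopsis; list which checks run (the Get-* functions added in this commit) so a reader knows what an empty report means. Say where SYSTEM.username.html is written (current working directory?) and that the report will contain any plaintext credentials recovered by the autologon, web.config and SiteList checks, so it should be handled and deleted accordingly. Minor: "a HTML" should be "an HTML".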

@ -0,0 +1,194 @@
# Invoke-ServiceAbuse
## SYNOPSIS
Abuses a function the current user has configuration rights on in order
to add a local administrator or execute a custom command.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath
## SYNTAX
```
Invoke-ServiceAbuse [-Name] <String[]> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
[-Credential <PSCredential>] [-Command <String>] [-Force]
```
## DESCRIPTION
Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current
user has configuration modification rights on and executes a series of automated actions to
execute commands as SYSTEM.
First, the service is enabled if it was set as disabled and the
original service binary path and configuration state are preserved.
Then the service is stopped
and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a
series of commands, the service is started, stopped, and the next command is configured.
After
completion, the original service configuration is restored and a custom object is returned
that captures the service abused and commands run.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Invoke-ServiceAbuse -Name VulnSVC
```
Abuses service 'VulnSVC' to add a localuser "john" with password
"Password123!
to the machine and local administrator group
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service VulnSVC | Invoke-ServiceAbuse
```
Abuses service 'VulnSVC' to add a localuser "john" with password
"Password123!
to the machine and local administrator group
### -------------------------- EXAMPLE 3 --------------------------
```
Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john"
```
Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the
local adminisrtators group.
### -------------------------- EXAMPLE 4 --------------------------
```
Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"
```
Abuses service 'VulnSVC' to add a localuser "backdoor" with password
"password" to the machine and local "Power Users" group
### -------------------------- EXAMPLE 5 --------------------------
```
Invoke-ServiceAbuse -Name VulnSVC -Command "net ..."
```
Abuses service 'VulnSVC' to execute a custom command.
## PARAMETERS
### -Name
An array of one or more service names to abuse.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -UserName
The \[domain\\\]username to add.
If not given, it defaults to "john".
Domain users are not created, only added to the specified localgroup.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: John
Accept pipeline input: False
Accept wildcard characters: False
```
### -Password
The password to set for the added user.
If not given, it defaults to "Password123!"
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Password123!
Accept pipeline input: False
Accept wildcard characters: False
```
### -LocalGroup
Local group name to add the user to (default of 'Administrators').
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False
```
### -Credential
A \[Management.Automation.PSCredential\] object specifying the user/password to add.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
### -Command
Custom command to execute instead of user creation.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Force
Switch.
Force service stopping, even if other services are dependent.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.AbusedService
## NOTES
## RELATED LINKS
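Review bot: the example descriptions for EXAMPLE 1 through 3 carry copy-paste typos that will render oddly: the closing quote after `"Password123!` is missing in examples 1 and 2, "localuser" should be "local user", and example 3 reads "add a the domain user TESTLAB\john to the local adminisrtators group" (drop "a", fix "administrators"). The -UserName block lists `Default value: John` while its description says the default is "john"; pick one casing so the help matches the code. Since EXAMPLE 2 pipes `Get-Service VulnSVC | Invoke-ServiceAbuse`, the empty INPUTS section should also name the pipeline type the -Name parameter accepts ByValue.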


@ -0,0 +1,85 @@
# Invoke-WScriptUACBypass
## SYNOPSIS
Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.
Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Invoke-WScriptUACBypass [-Command] <String> [-WindowStyle <String>]
```
## DESCRIPTION
Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute
VBScript using the wscript executable with the new manifest.
The VBScript executed by
C:\Windows\wscript.exe will run elevated.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
"
```
Launches the specified PowerShell encoded command in high-integrity.
### -------------------------- EXAMPLE 2 --------------------------
```
Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible'
```
Spawns a high integrity cmd.exe.
## PARAMETERS
### -Command
The shell command you want wscript.exe to run elevated.
```yaml
Type: String
Parameter Sets: (All)
Aliases: CMD
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -WindowStyle
Whether to display or hide the window for the executed '-Command X'.
Accepted values are 'Hidden' and 'Normal'/'Visible.
Default is 'Hidden'.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Hidden
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
## RELATED LINKS
[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
https://github.com/Vozzie/uacscript
https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
https://github.com/Vozzie/uacscript
https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1)
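Review bot: EXAMPLE 1's code block contains only a stray `"` and no command, so the description "Launches the specified PowerShell encoded command in high-integrity" has nothing to illustrate; the original example appears to have been lost in the markdown conversion and should be restored from the function's comment-based help or the example dropped. In -WindowStyle, `'Normal'/'Visible.` is missing its closing quote. RELATED LINKS has been collapsed into a single markdown link whose text and target each contain all three URLs separated by newlines; split it into three separate links, one per line, so each resolves.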


@ -0,0 +1,87 @@
# Restore-ServiceBinary
## SYNOPSIS
Restores a service binary backed up by Install-ServiceBinary.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-ServiceDetail, Get-ModifiablePath
## SYNTAX
```
Restore-ServiceBinary [-Name] <String> [[-BackupPath] <String>]
```
## DESCRIPTION
Takes a service Name or a ServiceProcess.ServiceController on the pipeline and
checks for the existence of an "OriginalServiceBinary.exe.bak" in the service
binary location.
If it exists, the backup binary is restored to the original
binary path.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Restore-ServiceBinary -Name VulnSVC
```
Restore the original binary for the service 'VulnSVC'.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service VulnSVC | Restore-ServiceBinary
```
Restore the original binary for the service 'VulnSVC'.
### -------------------------- EXAMPLE 3 --------------------------
```
Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe'
```
Restore the original binary for the service 'VulnSVC' from a custom location.
## PARAMETERS
### -Name
The service name to restore a binary for.
```yaml
Type: String
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -BackupPath
Optional manual path to the backup binary.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.ServiceBinary.Installed
## NOTES
## RELATED LINKS
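Review bot: OUTPUTS lists `PowerUp.ServiceBinary.Installed`, which reads like the type emitted by Install-ServiceBinary rather than by a restore operation; confirm it against the `.OUTPUTS` block and the TypeNames the function actually inserts, since Get-Help and Get-Member users key off this name. Minor: the -BackupPath description should state what is used when it is omitted (the DESCRIPTION mentions an "OriginalServiceBinary.exe.bak" in the service binary location), so the parameter block is self-explanatory.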


@ -0,0 +1,92 @@
# Set-ServiceBinaryPath
## SYNOPSIS
Sets the binary path for a service to a specified value.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
## SYNTAX
```
Set-ServiceBinaryPath [-Name] <String[]> [-Path] <String>
```
## DESCRIPTION
Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a
service handle to the service with ConfigControl access using the GetServiceHandle
Win32 API call.
ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath)
to the string value specified by binPath, and the handle is closed off.
Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
Dacl field to each object.
It does this by opening a handle with ReadControl for the
service with using the GetServiceHandle Win32 API call and then uses
QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add'
```
Sets the binary path for 'VulnSvc' to be a command to add a user.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add'
```
Sets the binary path for 'VulnSvc' to be a command to add a user.
## PARAMETERS
### -Name
An array of one or more service names to set the binary path for.
Required.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -Path
The new binary path (lpBinaryPathName) to set for the specified service.
Required.
```yaml
Type: String
Parameter Sets: (All)
Aliases: BinaryPath, binPath
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### System.Boolean
$True if configuration succeeds, $False otherwise.
## NOTES
## RELATED LINKS
[https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx)
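Review bot: the second paragraph of DESCRIPTION, starting "Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a Dacl field to each object", is copied from Add-ServiceDacl and describes QueryServiceObjectSecurity behaviour this function does not perform; remove it so the description covers only the ChangeServiceConfig path change. The first paragraph says the path is set "to the string value specified by binPath" while the parameter is -Path (binPath is only an alias); using -Path keeps it consistent with the SYNTAX line. The trailing "Required." sentences under -Name and -Path duplicate the yaml `Required: True` fields and can go.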


@ -0,0 +1,112 @@
# Test-ServiceDaclPermission
## SYNOPSIS
Tests one or more passed services or service names against a given permission set,
returning the service objects where the current user have the specified permissions.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: Add-ServiceDacl
## SYNTAX
```
Test-ServiceDaclPermission [-Name] <String[]> [-Permissions <String[]>] [-PermissionSet <String>]
```
## DESCRIPTION
Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds
a service Dacl to the service object with Add-ServiceDacl.
All group SIDs for the current
user are enumerated services where the user has some type of permission are filtered.
The
services are then filtered against a specified set of permissions, and services where the
current user have the specified permissions are returned.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-Service | Test-ServiceDaclPermission
```
Return all service objects where the current user can modify the service configuration.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart'
```
Return all service objects that the current user can restart.
### -------------------------- EXAMPLE 3 --------------------------
```
Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC'
```
Return the VulnSVC object if the current user has start permissions.
## PARAMETERS
### -Name
An array of one or more service names to test against the specified permission set.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: ServiceName, Service
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -Permissions
A manual set of permission to test again.
One of:'QueryConfig', 'ChangeConfig', 'QueryStatus',
'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl',
'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity',
'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess'
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -PermissionSet
A pre-defined permission set to test a specified service against.
'ChangeConfig', 'Restart', or 'AllAccess'.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: ChangeConfig
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### ServiceProcess.ServiceController
## NOTES
## RELATED LINKS
[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
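Review bot: the DESCRIPTION merges two steps into one run-on sentence: "All group SIDs for the current user are enumerated services where the user has some type of permission are filtered" needs a conjunction, e.g. "are enumerated, and services where the user has some type of permission are filtered". "the current user have the specified permissions" appears in both SYNOPSIS and DESCRIPTION and should be "has". In -Permissions, "A manual set of permission to test again" should read "permissions to test against", and `UserDefinedControl'` in the value list is missing its opening quote.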

docs/Privesc/Write-HijackDll.md Executable file

@ -0,0 +1,173 @@
# Write-HijackDll
## SYNOPSIS
Patches in the path to a specified .bat (containing the specified command) into a
pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Write-HijackDll [-DllPath] <String> [[-Architecture] <String>] [[-BatPath] <String>] [[-UserName] <String>]
[[-Password] <String>] [[-LocalGroup] <String>] [[-Credential] <PSCredential>] [[-Command] <String>]
```
## DESCRIPTION
First builds a self-deleting .bat file that executes the specified -Command or local user,
to add and writes the.bat out to -BatPath.
The BatPath is then patched into a pre-compiled
C++ DLL that is built to be hijackable by the IKEEXT service.
There are two DLLs, one for
x86 and one for x64, and both are contained as base64-encoded strings.
The DLL is then
written out to the specified OutputFile.
## EXAMPLES
### Example 1
```
PS C:\> {{ Add example code here }}
```
{{ Add example description here }}
## PARAMETERS
### -DllPath
File name to write the generated DLL out to.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Architecture
The Architecture to generate for the DLL, x86 or x64.
If not specified, PowerUp
will try to automatically determine the correct architecture.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -BatPath
Path to the .bat for the DLL to launch.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -UserName
The \[domain\\\]username to add.
If not given, it defaults to "john".
Domain users are not created, only added to the specified localgroup.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 4
Default value: John
Accept pipeline input: False
Accept wildcard characters: False
```
### -Password
The password to set for the added user.
If not given, it defaults to "Password123!"
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 5
Default value: Password123!
Accept pipeline input: False
Accept wildcard characters: False
```
### -LocalGroup
Local group name to add the user to (default of 'Administrators').
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 6
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False
```
### -Credential
A \[Management.Automation.PSCredential\] object specifying the user/password to add.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: 7
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
### -Command
Custom command to execute instead of user creation.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 8
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.HijackableDLL
## NOTES
## RELATED LINKS
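Review bot: the EXAMPLES section still holds the PlatyPS placeholders `PS C:\> {{ Add example code here }}` and `{{ Add example description here }}`; either supply a real invocation or drop the section before publishing, since the placeholders render verbatim. The SYNOPSIS says the DLL is written "to the specified ServicePath location" and the DESCRIPTION says "to the specified OutputFile", but the actual parameter is -DllPath; both should name -DllPath. The first DESCRIPTION sentence is also garbled: "executes the specified -Command or local user, to add and writes the.bat out to -BatPath" should read roughly "executes the specified -Command, or adds the specified local user, and writes the .bat out to -BatPath".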


@ -0,0 +1,191 @@
# Write-ServiceBinary
## SYNOPSIS
Patches in the specified command to a pre-compiled C# service executable and
writes the binary out to the specified ServicePath location.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
[-Credential <PSCredential>] [-Command <String>] [-Path <String>]
```
## DESCRIPTION
Takes a pre-compiled C# service binary and patches in the appropriate commands needed
for service abuse.
If a -UserName/-Password or -Credential is specified, the command
patched in creates a local user and adds them to the specified -LocalGroup, otherwise
the specified -Command is patched in.
The binary is then written out to the specified
-ServicePath.
Either -Name must be specified for the service, or a proper object from
Get-Service must be passed on the pipeline in order to patch in the appropriate service
name the binary will be running under.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Write-ServiceBinary -Name VulnSVC
```
Writes a service binary to service.exe in the local directory for VulnSVC that
adds a local Administrator (john/Password123!).
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Service VulnSVC | Write-ServiceBinary
```
Writes a service binary to service.exe in the local directory for VulnSVC that
adds a local Administrator (john/Password123!).
### -------------------------- EXAMPLE 3 --------------------------
```
Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
```
Writes a service binary to service.exe in the local directory for VulnSVC that adds
TESTLAB\john to the Administrators local group.
### -------------------------- EXAMPLE 4 --------------------------
```
Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
```
Writes a service binary to service.exe in the local directory for VulnSVC that
adds a local Administrator (backdoor/Password123!).
### -------------------------- EXAMPLE 5 --------------------------
```
Write-ServiceBinary -Name VulnSVC -Command "net ..."
```
Writes a service binary to service.exe in the local directory for VulnSVC that
executes a custom command.
## PARAMETERS
### -Name
The service name the EXE will be running under.
```yaml
Type: String
Parameter Sets: (All)
Aliases: ServiceName
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -UserName
The \[domain\\\]username to add.
If not given, it defaults to "john".
Domain users are not created, only added to the specified localgroup.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: John
Accept pipeline input: False
Accept wildcard characters: False
```
### -Password
The password to set for the added user.
If not given, it defaults to "Password123!"
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Password123!
Accept pipeline input: False
Accept wildcard characters: False
```
### -LocalGroup
Local group name to add the user to (default of 'Administrators').
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False
```
### -Credential
A \[Management.Automation.PSCredential\] object specifying the user/password to add.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
### -Command
Custom command to execute instead of user creation.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Path
Path to write the binary out to, defaults to 'service.exe' in the local directory.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: "$(Convert-Path .)\service.exe"
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.ServiceBinary
## NOTES
## RELATED LINKS
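Review bot: the SYNOPSIS and DESCRIPTION refer to "the specified ServicePath location" and "the specified -ServicePath", but the parameter that controls the output location is -Path (default `"$(Convert-Path .)\service.exe"`); rename both references to -Path so readers do not look for a parameter the SYNTAX line does not offer.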


@ -0,0 +1,56 @@
# Write-UserAddMSI
## SYNOPSIS
Writes out a precompiled MSI installer that prompts for a user/group addition.
This function can be used to abuse Get-RegistryAlwaysInstallElevated.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Write-UserAddMSI [[-Path] <String>]
```
## DESCRIPTION
Writes out a precompiled MSI installer that prompts for a user/group addition.
This function can be used to abuse Get-RegistryAlwaysInstallElevated.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Write-UserAddMSI
```
Writes the user add MSI to the local directory.
## PARAMETERS
### -Path
{{Fill Path Description}}
```yaml
Type: String
Parameter Sets: (All)
Aliases: ServiceName
Required: False
Position: 1
Default value: UserAdd.msi
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.UserAddMSI
## NOTES
## RELATED LINKS
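Review bot: the -Path parameter block is incomplete and looks copied from a service function: the description is the placeholder `{{Fill Path Description}}`, the alias is `ServiceName`, and it is marked `Accept pipeline input: True (ByPropertyName, ByValue)`, none of which fit an output path for an MSI file. Fill in the description (per EXAMPLE 1 the default `UserAdd.msi` is written to the local directory) and check the alias and pipeline attributes against the function's [Parameter()] declaration; if they really are ServiceName/ByValue, that is a code fix rather than something to document. DESCRIPTION also repeats the SYNOPSIS word for word.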

docs/Privesc/index.md Normal file

@ -0,0 +1,55 @@
## PowerUp
PowerUp aims to be a clearinghouse of common Windows privilege escalation
vectors that rely on misconfigurations.
Running Invoke-AllChecks will output any identifiable vulnerabilities along
with specifications for any abuse functions. The -HTMLReport flag will also
generate a COMPUTER.username.html version of the report.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
### Token/Privilege Enumeration/Abuse:
Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not
Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID
Enable-Privilege - enables a specific privilege for the current process
### Service Enumeration/Abuse:
Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set
Get-UnquotedService - returns services with unquoted paths that also have a space in the name
Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config
Get-ModifiableService - returns services the current user can modify
Get-ServiceDetail - returns detailed information about a specified service
Set-ServiceBinaryPath - sets the binary path for a service to a specified value
Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command
Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command
Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command
Restore-ServiceBinary - restores a replaced service binary with the original executable
### DLL Hijacking:
Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes
Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities
Write-HijackDll - writes out a hijackable DLL
### Registry Checks:
Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
Get-RegistryAutoLogon - checks for Autologon credentials in the registry
Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
### Miscellaneous Checks:
Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files
Get-UnattendedInstallFile - finds remaining unattended installation files
Get-Webconfig - checks for any encrypted web.config strings
Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files
Get-CachedGPPPassword - checks for passwords in cached Group Policy Preferences files
### Other Helpers/Meta-Functions:
Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify
Write-UserAddMSI - write out a MSI installer that prompts for a user to be added
Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks)
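Review bot: the intro says "Running Invoke-AllChecks will output any identifiable vulnerabilities" while the final list entry states Invoke-PrivescAudit is the current name ("formerly Invoke-AllChecks"); update the intro so new users are not pointed at a deprecated entry point. Get-System appears in the README hunk and in the mkdocs nav (Privesc/Get-System.md) but not in this index; add it under a suitable heading. "Get-Webconfig" here is spelled "Get-WebConfig" in the nav; match the casing to the real function name. Minor: "any found McAfee's SiteList.xml files" should read "any McAfee SiteList.xml files found", and this index uses `## PowerUp` as its top-level heading while every function page uses a single `#`.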


@ -61,6 +61,7 @@ Cause general mayhem with PowerShell.
Tools to help with escalating privileges on a target, including PowerUp.
PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors.
Get-System - GetSystem functionality inspired by Meterpreter's getsystem
### Recon
Tools to aid in the reconnaissance phase of a penetration test, including PowerView.


@ -85,3 +85,37 @@ pages:
- Get-HttpStatus: 'Recon/Get-HttpStatus.md'
- Invoke-Portscan: 'Recon/Invoke-Portscan.md'
- Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md'
- Privesc:
- About: 'Privesc/index.md'
- Functions:
- Get-ModifiablePath: 'Privesc/Get-ModifiablePath.md'
- Get-ProcessTokenGroup: 'Privesc/Get-ProcessTokenGroup.md'
- Get-ProcessTokenPrivilege: 'Privesc/Get-ProcessTokenPrivilege.md'
- Enable-Privilege: 'Privesc/Enable-Privilege.md'
- Add-ServiceDacl: 'Privesc/Add-ServiceDacl.md'
- Set-ServiceBinaryPath: 'Privesc/Set-ServiceBinaryPath.md'
- Test-ServiceDaclPermission: 'Privesc/Test-ServiceDaclPermission.md'
- Get-UnquotedService: 'Privesc/Get-UnquotedService.md'
- Get-ModifiableServiceFile: 'Privesc/Get-ModifiableServiceFile.md'
- Get-ModifiableService: 'Privesc/Get-ModifiableService.md'
- Get-ServiceDetail: 'Privesc/Get-ServiceDetail.md'
- Invoke-ServiceAbuse: 'Privesc/Invoke-ServiceAbuse.md'
- Write-ServiceBinary: 'Privesc/Write-ServiceBinary.md'
- Install-ServiceBinary: 'Privesc/Install-ServiceBinary.md'
- Restore-ServiceBinary: 'Privesc/Restore-ServiceBinary.md'
- Find-ProcessDLLHijack: 'Privesc/Find-ProcessDLLHijack.md'
- Find-PathDLLHijack: 'Privesc/Find-PathDLLHijack.md'
- Write-HijackDll: 'Privesc/Write-HijackDll.md'
- Get-RegistryAlwaysInstallElevated: 'Privesc/Get-RegistryAlwaysInstallElevated.md'
- Get-RegistryAutoLogon: 'Privesc/Get-RegistryAutoLogon.md'
- Get-ModifiableRegistryAutoRun: 'Privesc/Get-ModifiableRegistryAutoRun.md'
- Get-ModifiableScheduledTaskFile: 'Privesc/Get-ModifiableScheduledTaskFile.md'
- Get-UnattendedInstallFile: 'Privesc/Get-UnattendedInstallFile.md'
- Get-WebConfig: 'Privesc/Get-WebConfig.md'
- Get-ApplicationHost: 'Privesc/Get-ApplicationHost.md'
- Get-SiteListPassword: 'Privesc/Get-SiteListPassword.md'
- Get-CachedGPPPassword: 'Privesc/Get-CachedGPPPassword.md'
- Write-UserAddMSI: 'Privesc/Write-UserAddMSI.md'
- Invoke-WScriptUACBypass: 'Privesc/Invoke-WScriptUACBypass.md'
- Invoke-PrivescAudit: 'Privesc/Invoke-PrivescAudit.md'
- Get-System: 'Privesc/Get-System.md'
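Review bot: the nav adds `Get-WebConfig: 'Privesc/Get-WebConfig.md'` while the Privesc index in this same commit spells the function `Get-Webconfig`; mkdocs resolves these paths case-sensitively on Linux build hosts, so confirm the generated file name matches exactly or the page will be missing from the built site. Likewise confirm that every listed page, including 'Privesc/Invoke-PrivescAudit.md' and 'Privesc/Get-System.md', is part of this commit, since mkdocs warns on nav entries whose file does not exist and fails the build under strict mode.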