mwkoehler 2017-09-30 02:23:55 +00:00 committed by GitHub
commit b730511d17
1 changed files with 60 additions and 49 deletions


@ -853,7 +853,7 @@ function Get-ModifiablePath {
# if the path doesn't exist, check if the parent folder allows for modification # if the path doesn't exist, check if the parent folder allows for modification
try { try {
$ParentPath = Split-Path $TempPath -Parent $ParentPath = Split-Path $TempPath -Parent
if($ParentPath -and (Test-Path -Path $ParentPath)) { if ($ParentPath -and ($ParentPath -ne '') -and ($ParentPath -ne '\') -and (Test-Path -Path $ParentPath )) {
$CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path $CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path
} }
} }
@ -880,7 +880,7 @@ function Get-ModifiablePath {
# if the path doesn't exist, check if the parent folder allows for modification # if the path doesn't exist, check if the parent folder allows for modification
try { try {
$ParentPath = (Split-Path -Path $TempPath -Parent).Trim() $ParentPath = (Split-Path -Path $TempPath -Parent).Trim()
if($ParentPath -and ($ParentPath -ne '') -and (Test-Path -Path $ParentPath )) { if ($ParentPath -and ($ParentPath -ne '') -and ($ParentPath -ne '\') -and (Test-Path -Path $ParentPath )) {
$CandidatePaths += Resolve-Path -Path $ParentPath | Select-Object -ExpandProperty Path $CandidatePaths += Resolve-Path -Path $ParentPath | Select-Object -ExpandProperty Path
} }
} }
@ -900,37 +900,43 @@ function Get-ModifiablePath {
$CandidatePaths | Sort-Object -Unique | ForEach-Object { $CandidatePaths | Sort-Object -Unique | ForEach-Object {
$CandidatePath = $_ $CandidatePath = $_
Get-Acl -Path $CandidatePath | Select-Object -ExpandProperty Access | Where-Object {($_.AccessControlType -match 'Allow')} | ForEach-Object { try
{
Get-Acl -Path $CandidatePath | Select-Object -ExpandProperty Access | Where-Object {($_.AccessControlType -match 'Allow')} | ForEach-Object {
$FileSystemRights = $_.FileSystemRights.value__ $FileSystemRights = $_.FileSystemRights.value__
$Permissions = $AccessMask.Keys | Where-Object { $FileSystemRights -band $_ } | ForEach-Object { $accessMask[$_] } $Permissions = $AccessMask.Keys | Where-Object { $FileSystemRights -band $_ } | ForEach-Object { $accessMask[$_] }
# the set of permission types that allow for modification # the set of permission types that allow for modification
$Comparison = Compare-Object -ReferenceObject $Permissions -DifferenceObject @('GenericWrite', 'GenericAll', 'MaximumAllowed', 'WriteOwner', 'WriteDAC', 'WriteData/AddFile', 'AppendData/AddSubdirectory') -IncludeEqual -ExcludeDifferent $Comparison = Compare-Object -ReferenceObject $Permissions -DifferenceObject @('GenericWrite', 'GenericAll', 'MaximumAllowed', 'WriteOwner', 'WriteDAC', 'WriteData/AddFile', 'AppendData/AddSubdirectory') -IncludeEqual -ExcludeDifferent
if($Comparison) { if($Comparison) {
if ($_.IdentityReference -notmatch '^S-1-5.*') { if ($_.IdentityReference -notmatch '^S-1-5.*') {
if(-not ($TranslatedIdentityReferences[$_.IdentityReference])) { if(-not ($TranslatedIdentityReferences[$_.IdentityReference])) {
# translate the IdentityReference if it's a username and not a SID # translate the IdentityReference if it's a username and not a SID
$IdentityUser = New-Object System.Security.Principal.NTAccount($_.IdentityReference) $IdentityUser = New-Object System.Security.Principal.NTAccount($_.IdentityReference)
$TranslatedIdentityReferences[$_.IdentityReference] = $IdentityUser.Translate([System.Security.Principal.SecurityIdentifier]) | Select-Object -ExpandProperty Value $TranslatedIdentityReferences[$_.IdentityReference] = $IdentityUser.Translate([System.Security.Principal.SecurityIdentifier]) | Select-Object -ExpandProperty Value
}
$IdentitySID = $TranslatedIdentityReferences[$_.IdentityReference]
}
else {
$IdentitySID = $_.IdentityReference
} }
$IdentitySID = $TranslatedIdentityReferences[$_.IdentityReference]
}
else {
$IdentitySID = $_.IdentityReference
}
if($CurrentUserSids -contains $IdentitySID) { if($CurrentUserSids -contains $IdentitySID) {
New-Object -TypeName PSObject -Property @{ New-Object -TypeName PSObject -Property @{
ModifiablePath = $CandidatePath ModifiablePath = $CandidatePath
IdentityReference = $_.IdentityReference IdentityReference = $_.IdentityReference
Permissions = $Permissions Permissions = $Permissions
}
} }
} }
} }
} }
catch [System.UnauthorizedAccessException] {
# Get-ACL access failure means user has no access
}
} }
} }
} }
@ -990,16 +996,19 @@ function Get-CurrentUserTokenGroupSid {
For ($i=0; $i -lt $TokenGroups.GroupCount; $i++) { For ($i=0; $i -lt $TokenGroups.GroupCount; $i++) {
# convert each token group SID to a displayable string # convert each token group SID to a displayable string
$SidString = '' $SidString = ''
$Result = $Advapi32::ConvertSidToStringSid($TokenGroups.Groups[$i].SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($TokenGroups.Groups[$i].SID -and $TokenGroups.Groups[$i].SID -ne '')
if($Result -eq 0) { {
Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)" $Result = $Advapi32::ConvertSidToStringSid($TokenGroups.Groups[$i].SID, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
} if($Result -eq 0) {
else { Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
$GroupSid = New-Object PSObject }
$GroupSid | Add-Member Noteproperty 'SID' $SidString else {
# cast the atttributes field as our SidAttributes enum $GroupSid = New-Object PSObject
$GroupSid | Add-Member Noteproperty 'Attributes' ($TokenGroups.Groups[$i].Attributes -as $SidAttributes) $GroupSid | Add-Member Noteproperty 'SID' $SidString
$GroupSid # cast the atttributes field as our SidAttributes enum
$GroupSid | Add-Member Noteproperty 'Attributes' ($TokenGroups.Groups[$i].Attributes -as $SidAttributes)
$GroupSid
}
} }
} }
} }
@ -3672,22 +3681,24 @@ function Get-CachedGPPPassword {
$Password += , $DecryptedPassword $Password += , $DecryptedPassword
} }
# put [BLANK] in variables if ($Password -or $UserName -or $Changed -or $NewName) {
if (-not $Password) {$Password = '[BLANK]'} # put [BLANK] in variables
if (-not $UserName) {$UserName = '[BLANK]'} if (-not $Password) {$Password = '[BLANK]'}
if (-not $Changed) {$Changed = '[BLANK]'} if (-not $UserName) {$UserName = '[BLANK]'}
if (-not $NewName) {$NewName = '[BLANK]'} if (-not $Changed) {$Changed = '[BLANK]'}
if (-not $NewName) {$NewName = '[BLANK]'}
# Create custom object to output results
$ObjectProperties = @{'Passwords' = $Password; # Create custom object to output results
'UserNames' = $UserName; $ObjectProperties = @{'Passwords' = $Password;
'Changed' = $Changed; 'UserNames' = $UserName;
'NewName' = $NewName; 'Changed' = $Changed;
'File' = $File} 'NewName' = $NewName;
'File' = $File}
$ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
Write-Verbose "The password is between {} and may be more than one value." $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
if ($ResultsObject) {Return $ResultsObject} Write-Verbose "The password is between {} and may be more than one value."
if ($ResultsObject) {Return $ResultsObject}
}
} }
catch {Write-Error $Error[0]} catch {Write-Error $Error[0]}