Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

PowerUp.ps1:3158 - Check SystemPath only 

The current instantiation of code calls the %PATH% environment variable. However, since PowerUp is normally run with the permissions of an unprivileged crappy user in order to privesc, the %PATH% variable is returned as a concatenation of the SystemPath and UserPath. Any exploitable services running as SYSTEM will not call DLLs from the UserPath. Thus, we need to focus on writable folders in the SystemPath only in order to privesc. The proposed change pulls the SystemPath value directly from the registry and places it in the same format as the original code.
This commit is contained in:
Bubbl3H3d 2017-10-01 16:37:07 -04:00 committed by GitHub
parent c5eb994f84
commit ef67012655
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Privesc/PowerUp.ps1
View File

@ -3155,7 +3155,7 @@ http://www.greyhathacker.net/?p=738
Param() Param()
# use -Literal so the spaces in %PATH% folders are not tokenized # use -Literal so the spaces in %PATH% folders are not tokenized
Get-Item Env:Path | Select-Object -ExpandProperty Value | ForEach-Object { $_.split(';') } | Where-Object {$_ -and ($_ -ne '')} | ForEach-Object { (get-itemproperty "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment").path.split(';') | ForEach-Object {
$TargetPath = $_ $TargetPath = $_
$ModifidablePaths = $TargetPath | Get-ModifiablePath -Literal | Where-Object {$_ -and ($Null -ne $_) -and ($Null -ne $_.ModifiablePath) -and ($_.ModifiablePath.Trim() -ne '')} $ModifidablePaths = $TargetPath | Get-ModifiablePath -Literal | Where-Object {$_ -and ($Null -ne $_) -and ($Null -ne $_.ModifiablePath) -and ($_.ModifiablePath.Trim() -ne '')}
ForEach ($ModifidablePath in $ModifidablePaths) { ForEach ($ModifidablePath in $ModifidablePaths) {