author | HarmJ0y <will@harmj0y.net> | 2016-12-14 11:53:29 -0500 |
---|---|---|
committer | HarmJ0y <will@harmj0y.net> | 2016-12-14 11:53:29 -0500 |
commit | 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d (patch) | |
tree | 57e9cfbba515d074f9ca77438245f8dfe46b62aa /docs | |
parent | 5da1774219284bbe1539675e84f5c8b4370b386e (diff) | |
download | PowerSploit-7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d.tar.gz PowerSploit-7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d.zip |
Added documentation for PowerUp
Diffstat (limited to 'docs')
33 files changed, 2904 insertions, 0 deletions
diff --git a/docs/Privesc/Add-ServiceDacl.md b/docs/Privesc/Add-ServiceDacl.md new file mode 100755 index 0000000..13e4d64 --- /dev/null +++ b/docs/Privesc/Add-ServiceDacl.md @@ -0,0 +1,68 @@ +# Add-ServiceDacl
+
+## SYNOPSIS
+Adds a Dacl field to a service object returned by Get-Service.
+
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Add-ServiceDacl [-Name] <String[]>
+```
+
+## DESCRIPTION
+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
+Dacl field to each object.
+It does this by opening a handle with ReadControl for the
+service with using the GetServiceHandle Win32 API call and then uses
+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Service | Add-ServiceDacl
+```
+
+Add Dacls for every service the current user can read.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service -Name VMTools | Add-ServiceDacl
+```
+
+Add the Dacl to the VMTools service object.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to add a service Dacl for.
+Passable on the pipeline.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### ServiceProcess.ServiceController
+
+## NOTES
+
+## RELATED LINKS
+
+[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
+
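Review bot: The DESCRIPTION sentence "opening a handle with ReadControl for the service with using the GetServiceHandle Win32 API call" is garbled ("with using") and should be reworded, e.g. "opening a handle to the service with ReadControl access and then calling QueryServiceObjectSecurity to retrieve a copy of its security descriptor". The INPUTS section is also empty even though the DESCRIPTION says the function takes ServiceProcess.ServiceController objects on the pipeline; list that type there, matching the OUTPUTS entry.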
diff --git a/docs/Privesc/Enable-Privilege.md b/docs/Privesc/Enable-Privilege.md new file mode 100755 index 0000000..6de9c43 --- /dev/null +++ b/docs/Privesc/Enable-Privilege.md @@ -0,0 +1,105 @@ +# Enable-Privilege
+
+## SYNOPSIS
+Enables a specific privilege for the current process.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Enable-Privilege [-Privilege] <String[]>
+```
+
+## DESCRIPTION
+Uses RtlAdjustPrivilege to enable a specific privilege for the current process.
+Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege
+can be passed on the pipeline.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ProcessTokenPrivilege
+```
+
+Privilege Attributes ProcessId
+ --------- ---------- ---------
+ SeShutdownPrivilege DISABLED 3620
+ SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620
+ SeUndockPrivilege DISABLED 3620
+SeIncreaseWorkingSetPrivilege DISABLED 3620
+ SeTimeZonePrivilege DISABLED 3620
+
+Enable-Privilege SeShutdownPrivilege
+
+Get-ProcessTokenPrivilege
+
+ Privilege Attributes ProcessId
+ --------- ---------- ---------
+ SeShutdownPrivilege SE_PRIVILEGE_ENABLED 3620
+ SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620
+ SeUndockPrivilege DISABLED 3620
+SeIncreaseWorkingSetPrivilege DISABLED 3620
+ SeTimeZonePrivilege DISABLED 3620
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ProcessTokenPrivilege
+```
+
+Privilege Attributes ProcessId
+--------- ---------- ---------
+SeShutdownPrivilege DISABLED 2828
+SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828
+SeUndockPrivilege DISABLED 2828
+SeIncreaseWorkingSetPrivilege DISABLED 2828
+SeTimeZonePrivilege DISABLED 2828
+
+
+Get-ProcessTokenPrivilege | Enable-Privilege -Verbose
+VERBOSE: Attempting to enable SeShutdownPrivilege
+VERBOSE: Attempting to enable SeChangeNotifyPrivilege
+VERBOSE: Attempting to enable SeUndockPrivilege
+VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege
+VERBOSE: Attempting to enable SeTimeZonePrivilege
+
+Get-ProcessTokenPrivilege
+
+Privilege Attributes ProcessId
+--------- ---------- ---------
+SeShutdownPrivilege SE_PRIVILEGE_ENABLED 2828
+SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828
+SeUndockPrivilege SE_PRIVILEGE_ENABLED 2828
+SeIncreaseWorkingSetPrivilege SE_PRIVILEGE_ENABLED 2828
+SeTimeZonePrivilege SE_PRIVILEGE_ENABLED 2828
+
+## PARAMETERS
+
+### -Privilege
+{{Fill Privilege Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Privileges
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html](http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html)
+
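Review bot: The `-Privilege` parameter description is still the platyPS placeholder `{{Fill Privilege Description}}`; fill it in (a privilege name such as SeShutdownPrivilege, or Get-ProcessTokenPrivilege output on the pipeline, as the DESCRIPTION already says). In both examples only the first `Get-ProcessTokenPrivilege` line sits inside the code fence while the output tables and the subsequent `Enable-Privilege` commands fall outside it, so they will render as prose; move the whole session into the fence.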
diff --git a/docs/Privesc/Find-PathDLLHijack.md b/docs/Privesc/Find-PathDLLHijack.md new file mode 100755 index 0000000..f43fc69 --- /dev/null +++ b/docs/Privesc/Find-PathDLLHijack.md @@ -0,0 +1,45 @@ +# Find-PathDLLHijack
+
+## SYNOPSIS
+Finds all directories in the system %PATH% that are modifiable by the current user.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ModifiablePath
+
+## SYNTAX
+
+```
+Find-PathDLLHijack
+```
+
+## DESCRIPTION
+Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath
+to return the folder paths the current user can write to.
+On Windows 7, if wlbsctrl.dll is
+written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search
+order loading.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-PathDLLHijack
+```
+
+Finds all %PATH% .DLL hijacking opportunities.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL.Path
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)
+
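Review bot: In the DESCRIPTION, "Env:Path (%PATH)" is missing the closing percent sign and should read "%PATH%" as in the SYNOPSIS. The second sentence ("execution for the IKEEXT can be hijacked") also reads awkwardly; "execution of the IKEEXT service can be hijacked" is clearer.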
diff --git a/docs/Privesc/Find-ProcessDLLHijack.md b/docs/Privesc/Find-ProcessDLLHijack.md new file mode 100755 index 0000000..bbece58 --- /dev/null +++ b/docs/Privesc/Find-ProcessDLLHijack.md @@ -0,0 +1,127 @@ +# Find-ProcessDLLHijack
+
+## SYNOPSIS
+Finds all DLL hijack locations for currently running processes.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Find-ProcessDLLHijack [[-Name] <String[]>] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned]
+```
+
+## DESCRIPTION
+Enumerates all currently running processes with Get-Process (or accepts an
+input process object from Get-Process) and enumerates the loaded modules for each.
+All loaded module name exists outside of the process binary base path, as those
+are DLL load-order hijack candidates.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-ProcessDLLHijack
+```
+
+Finds possible hijackable DLL locations for all processes.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Process VulnProcess | Find-ProcessDLLHijack
+```
+
+Finds possible hijackable DLL locations for the 'VulnProcess' processes.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles
+```
+
+Finds possible hijackable DLL locations not in C:\Windows\* and
+not in C:\Program Files\* or C:\Program Files (x86)\*
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Find-ProcessDLLHijack -ExcludeOwned
+```
+
+Finds possible hijackable DLL location for processes not owned by the
+current user.
+
+## PARAMETERS
+
+### -Name
+The name of a process to enumerate for possible DLL path hijack opportunities.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ProcessName
+
+Required: False
+Position: 1
+Default value: $(Get-Process | Select-Object -Expand Name)
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ExcludeWindows
+Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeProgramFiles
+Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeOwned
+Exclude processes the current user owns.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL.Process
+
+## NOTES
+
+## RELATED LINKS
+
+[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/)
+
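Review bot: The DESCRIPTION's second sentence, "All loaded module name exists outside of the process binary base path, as those are DLL load-order hijack candidates.", is not a sentence; something like "Any loaded module whose file is located outside the process binary's base path is returned, as those are DLL load-order hijack candidates." states the intent. Example 4's description should also read "DLL locations" to match the other examples.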
diff --git a/docs/Privesc/Get-ApplicationHost.md b/docs/Privesc/Get-ApplicationHost.md new file mode 100755 index 0000000..44d07d7 --- /dev/null +++ b/docs/Privesc/Get-ApplicationHost.md @@ -0,0 +1,95 @@ +# Get-ApplicationHost
+
+## SYNOPSIS
+Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system.
+
+Author: Scott Sutherland
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-ApplicationHost
+```
+
+## DESCRIPTION
+This script will decrypt and recover application pool and virtual directory passwords
+from the applicationHost.config file on the system.
+The output supports the
+pipeline which can be used to convert all of the results into a pretty table by piping
+to format-table.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Return application pool and virtual directory passwords from the applicationHost.config on the system.
+```
+
+Get-ApplicationHost
+
+user : PoolUser1
+pass : PoolParty1!
+type : Application Pool
+vdir : NA
+apppool : ApplicationPool1
+user : PoolUser2
+pass : PoolParty2!
+type : Application Pool
+vdir : NA
+apppool : ApplicationPool2
+user : VdirUser1
+pass : VdirPassword1!
+type : Virtual Directory
+vdir : site1/vdir1/
+apppool : NA
+user : VdirUser2
+pass : VdirPassword2!
+type : Virtual Directory
+vdir : site2/
+apppool : NA
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Return a list of cleartext and decrypted connect strings from web.config files.
+```
+
+Get-ApplicationHost | Format-Table -Autosize
+
+user pass type vdir apppool
+---- ---- ---- ---- -------
+PoolUser1 PoolParty1!
+Application Pool NA ApplicationPool1
+PoolUser2 PoolParty2!
+Application Pool NA ApplicationPool2
+VdirUser1 VdirPassword1!
+Virtual Directory site1/vdir1/ NA
+VdirUser2 VdirPassword2!
+Virtual Directory site2/ NA
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Data.DataTable
+
+System.Boolean
+
+## NOTES
+Author: Scott Sutherland - 2014, NetSPI
+Version: Get-ApplicationHost v1.0
+Comments: Should work on IIS 6 and Above
+
+## RELATED LINKS
+
+[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)
+
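Review bot: In both examples the prose description sits inside the code fence while the actual command (`Get-ApplicationHost`, `Get-ApplicationHost | Format-Table -Autosize`) and its output sit outside it; swap them so the command and output are fenced and the description follows. Example 2's description ("connect strings from web.config files") also does not match the command shown, which returns application pool and virtual directory passwords. The RELATED LINKS entry wraps four URLs into a single markdown link whose text and target both contain newlines; split it into one link per URL.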
diff --git a/docs/Privesc/Get-CachedGPPPassword.md b/docs/Privesc/Get-CachedGPPPassword.md new file mode 100755 index 0000000..2169a15 --- /dev/null +++ b/docs/Privesc/Get-CachedGPPPassword.md @@ -0,0 +1,55 @@ +# Get-CachedGPPPassword
+
+## SYNOPSIS
+Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and
+left in cached files on the host.
+
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-CachedGPPPassword
+```
+
+## DESCRIPTION
+Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and
+datasources.xml files and returns plaintext passwords.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-CachedGPPPassword
+```
+
+NewName : \[BLANK\]
+Changed : {2013-04-25 18:36:07}
+Passwords : {Super!!!Password}
+UserNames : {SuperSecretBackdoor}
+File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7
+ C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr
+ oups.xml
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html)
+
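Review bot: The DESCRIPTION has a duplicated word: "searches the local machine for cached for groups.xml, ..." should read "searches the local machine for cached groups.xml, ...". As in Get-ApplicationHost.md, the RELATED LINKS entry packs five URLs into one markdown link; make it one link per URL.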
diff --git a/docs/Privesc/Get-ModifiablePath.md b/docs/Privesc/Get-ModifiablePath.md new file mode 100755 index 0000000..2a1118f --- /dev/null +++ b/docs/Privesc/Get-ModifiablePath.md @@ -0,0 +1,102 @@ +# Get-ModifiablePath
+
+## SYNOPSIS
+Parses a passed string containing multiple possible file/folder paths and returns
+the file paths where the current user has modification rights.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-ModifiablePath [-Path] <String[]> [-Literal]
+```
+
+## DESCRIPTION
+Takes a complex path specification of an initial file/folder path with possible
+configuration files, 'tokenizes' the string in a number of possible ways, and
+enumerates the ACLs for each path that currently exists on the system.
+Any path that
+the current user has modification rights on is returned in a custom object that contains
+the modifiable path, associated permission set, and the IdentityReference with the specified
+rights.
+The SID of the current user and any group he/she are a part of are used as the
+comparison set against the parsed path DACLs.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath
+```
+
+Path Permissions IdentityReference
+---- ----------- -----------------
+C:\Temp\blah.exe {ReadAttributes, ReadCo...
+NT AUTHORITY\Authentic...
+C:\Temp\config.ini {ReadAttributes, ReadCo...
+NT AUTHORITY\Authentic...
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath
+```
+
+Path Permissions IdentityReference
+---- ----------- -----------------
+C:\Vuln\blah.bat {ReadAttributes, ReadCo...
+NT AUTHORITY\Authentic...
+C:\Vuln\config.ini {ReadAttributes, ReadCo...
+NT AUTHORITY\Authentic...
+...
+
+## PARAMETERS
+
+### -Path
+The string path to parse for modifiable files.
+Required
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: FullName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Literal
+Switch.
+Treat all paths as literal (i.e.
+don't do 'tokenization').
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: LiteralPaths
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.TokenPrivilege.ModifiablePath
+
+Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for
+a modifiable path.
+
+## NOTES
+
+## RELATED LINKS
+
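Review bot: The `-Path` parameter description contains a stray "Required" line that duplicates the yaml metadata below it; drop it. In the DESCRIPTION, "any group he/she are a part of" should be "any group the user is a member of". The OUTPUTS type `PowerUp.TokenPrivilege.ModifiablePath` also looks like a copy-paste slip: Get-ModifiableService.md and Get-ModifiableServiceFile.md in this same patch list the output type as `PowerUp.ModifiablePath`, so the names should be made consistent.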
diff --git a/docs/Privesc/Get-ModifiableRegistryAutoRun.md b/docs/Privesc/Get-ModifiableRegistryAutoRun.md new file mode 100755 index 0000000..23314f9 --- /dev/null +++ b/docs/Privesc/Get-ModifiableRegistryAutoRun.md @@ -0,0 +1,44 @@ +# Get-ModifiableRegistryAutoRun
+
+## SYNOPSIS
+Returns any elevated system autoruns in which the current user can
+modify part of the path string.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ModifiablePath
+
+## SYNTAX
+
+```
+Get-ModifiableRegistryAutoRun
+```
+
+## DESCRIPTION
+Enumerates a number of autorun specifications in HKLM and filters any
+autoruns through Get-ModifiablePath, returning any file/config locations
+in the found path strings that the current user can modify.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ModifiableRegistryAutoRun
+```
+
+Return vulneable autorun binaries (or associated configs).
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ModifiableRegistryAutoRun
+
+Custom PSObject containing results.
+
+## NOTES
+
+## RELATED LINKS
+
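Review bot: Typo in the Example 1 description: "vulneable" should be "vulnerable".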
diff --git a/docs/Privesc/Get-ModifiableScheduledTaskFile.md b/docs/Privesc/Get-ModifiableScheduledTaskFile.md new file mode 100755 index 0000000..4e48cc4 --- /dev/null +++ b/docs/Privesc/Get-ModifiableScheduledTaskFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableScheduledTaskFile
+
+## SYNOPSIS
+Returns scheduled tasks where the current user can modify any file
+in the associated task action string.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ModifiablePath
+
+## SYNTAX
+
+```
+Get-ModifiableScheduledTaskFile
+```
+
+## DESCRIPTION
+Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks"
+and parses the XML specification for each task, extracting the command triggers.
+Each trigger string is filtered through Get-ModifiablePath, returning any file/config
+locations in the found path strings that the current user can modify.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ModifiableScheduledTaskFile
+```
+
+Return scheduled tasks with modifiable command strings.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ModifiableScheduledTaskFile
+
+Custom PSObject containing results.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-ModifiableService.md b/docs/Privesc/Get-ModifiableService.md new file mode 100755 index 0000000..92eeb81 --- /dev/null +++ b/docs/Privesc/Get-ModifiableService.md @@ -0,0 +1,40 @@ +# Get-ModifiableService
+
+## SYNOPSIS
+Enumerates all services and returns services for which the current user can modify the binPath.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail
+
+## SYNTAX
+
+```
+Get-ModifiableService
+```
+
+## DESCRIPTION
+Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if
+the current user has rights to change the service configuration.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ModifiableService
+```
+
+Get a set of potentially exploitable services.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ModifiablePath
+
+## NOTES
+
+## RELATED LINKS
+
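Review bot: The OUTPUTS type `PowerUp.ModifiablePath` does not match the SYNOPSIS, which says the function "returns services for which the current user can modify the binPath"; since Get-ServiceDetail is listed as a dependency, confirm whether the output is really the service detail object and document that type instead.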
diff --git a/docs/Privesc/Get-ModifiableServiceFile.md b/docs/Privesc/Get-ModifiableServiceFile.md new file mode 100755 index 0000000..ab01e42 --- /dev/null +++ b/docs/Privesc/Get-ModifiableServiceFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableServiceFile
+
+## SYNOPSIS
+Enumerates all services and returns vulnerable service files.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath
+
+## SYNTAX
+
+```
+Get-ModifiableServiceFile
+```
+
+## DESCRIPTION
+Enumerates all services by querying the WMI win32_service class.
+For each service,
+it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine
+if the current user has rights to modify the service binary itself or any associated
+arguments.
+If the associated binary (or any configuration files) can be overwritten,
+privileges may be able to be escalated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ModifiableServiceFile
+```
+
+Get a set of potentially exploitable service binares/config files.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ModifiablePath
+
+## NOTES
+
+## RELATED LINKS
+
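Review bot: Typo in the Example 1 description: "binares" should be "binaries". In the DESCRIPTION, "privileges may be able to be escalated" reads awkwardly; "privilege escalation may be possible" is cleaner.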
diff --git a/docs/Privesc/Get-ProcessTokenGroup.md b/docs/Privesc/Get-ProcessTokenGroup.md new file mode 100755 index 0000000..e52533c --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenGroup.md @@ -0,0 +1,114 @@ +# Get-ProcessTokenGroup
+
+## SYNOPSIS
+Returns all SIDs that the current token context is a part of, whether they are disabled or not.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Get-TokenInformation
+
+## SYNTAX
+
+```
+Get-ProcessTokenGroup [[-Id] <UInt32>]
+```
+
+## DESCRIPTION
+First, if a process ID is passed, then the process is opened using OpenProcess(),
+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
+OpenProcessToken() is then used to get a handle to the specified process token.
+The token
+is then passed to Get-TokenInformation to query the current token groups for the specified
+token.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ProcessTokenGroup
+```
+
+SID Attributes ProcessId
+--- ---------- ---------
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 1372
+S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 1372
+S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-16-8192 1372
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Process notepad | Get-ProcessTokenGroup
+```
+
+SID Attributes ProcessId
+--- ---------- ---------
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 2640
+S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 2640
+S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-16-8192 2640
+
+## PARAMETERS
+
+### -Id
+The process ID to enumerate token groups for, otherwise defaults to the current process.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases: ProcessID
+
+Required: False
+Position: 1
+Default value: 0
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.TokenGroup
+
+Outputs a custom object containing the token group (SID/attributes) for the specified token if
+"-InformationClass 'Groups'" is passed.
+
+PowerUp.TokenPrivilege
+
+Outputs a custom object containing the token privilege (name/attributes) for the specified token if
+"-InformationClass 'Privileges'" is passed
+
+## NOTES
+
+## RELATED LINKS
+
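Review bot: The OUTPUTS section refers to an `-InformationClass 'Groups'` / `-InformationClass 'Privileges'` switch that does not exist in this function's SYNTAX (it appears to be copied from Get-TokenInformation's help); this function only emits `PowerUp.TokenGroup`, so the `PowerUp.TokenPrivilege` entry and the InformationClass conditions should be removed. Also, the example output tables sit outside the code fences and will render as prose.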
diff --git a/docs/Privesc/Get-ProcessTokenPrivilege.md b/docs/Privesc/Get-ProcessTokenPrivilege.md new file mode 100755 index 0000000..9f835f2 --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenPrivilege.md @@ -0,0 +1,131 @@ +# Get-ProcessTokenPrivilege
+
+## SYNOPSIS
+Returns all privileges for the current (or specified) process ID.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Get-TokenInformation
+
+## SYNTAX
+
+```
+Get-ProcessTokenPrivilege [[-Id] <UInt32>] [-Special]
+```
+
+## DESCRIPTION
+First, if a process ID is passed, then the process is opened using OpenProcess(),
+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
+OpenProcessToken() is then used to get a handle to the specified process token.
+The token
+is then passed to Get-TokenInformation to query the current privileges for the specified
+token.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ProcessTokenPrivilege
+```
+
+Privilege Attributes ProcessId
+ --------- ---------- ---------
+ SeShutdownPrivilege DISABLED 2600
+ SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2600
+ SeUndockPrivilege DISABLED 2600
+SeIncreaseWorkingSetPrivilege DISABLED 2600
+ SeTimeZonePrivilege DISABLED 2600
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ProcessTokenPrivilege -Special
+```
+
+Privilege Attributes ProcessId
+--------- ---------- ---------
+SeSecurityPrivilege DISABLED 2444
+SeTakeOwnershipPrivilege DISABLED 2444
+SeBackupPrivilege DISABLED 2444
+SeRestorePrivilege DISABLED 2444
+SeSystemEnvironmentPriv...
+DISABLED 2444
+SeImpersonatePrivilege ...T, SE_PRIVILEGE_ENABLED 2444
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-Process notepad | Get-ProcessTokenPrivilege | fl
+```
+
+Privilege : SeShutdownPrivilege
+Attributes : DISABLED
+ProcessId : 2640
+
+Privilege : SeChangeNotifyPrivilege
+Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
+ProcessId : 2640
+
+Privilege : SeUndockPrivilege
+Attributes : DISABLED
+ProcessId : 2640
+
+Privilege : SeIncreaseWorkingSetPrivilege
+Attributes : DISABLED
+ProcessId : 2640
+
+Privilege : SeTimeZonePrivilege
+Attributes : DISABLED
+ProcessId : 2640
+
+## PARAMETERS
+
+### -Id
+The process ID to enumerate token groups for, otherwise defaults to the current process.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases: ProcessID
+
+Required: False
+Position: 1
+Default value: 0
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Special
+Switch.
+Only return 'special' privileges, meaning admin-level privileges.
+These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege,
+SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Privileged
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.TokenGroup
+
+Outputs a custom object containing the token group (SID/attributes) for the specified token if
+"-InformationClass 'Groups'" is passed.
+
+PowerUp.TokenPrivilege
+
+Outputs a custom object containing the token privilege (name/attributes) for the specified token if
+"-InformationClass 'Privileges'" is passed
+
+## NOTES
+
+## RELATED LINKS
+
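Review bot: The `-Id` parameter description says "The process ID to enumerate token groups for", but this function enumerates token privileges; fix the wording. The OUTPUTS section has the same copy-paste problem as Get-ProcessTokenGroup.md: it documents a non-existent `-InformationClass` parameter and a `PowerUp.TokenGroup` type that this function never emits; only `PowerUp.TokenPrivilege` applies here.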
diff --git a/docs/Privesc/Get-RegistryAlwaysInstallElevated.md b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md new file mode 100755 index 0000000..ff48afc --- /dev/null +++ b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md @@ -0,0 +1,45 @@ +# Get-RegistryAlwaysInstallElevated
+
+## SYNOPSIS
+Checks if any of the AlwaysInstallElevated registry keys are set.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-RegistryAlwaysInstallElevated
+```
+
+## DESCRIPTION
+Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys
+are set, $False otherwise.
+If one of these keys are set, then all .MSI files run with
+elevated permissions, regardless of current user permissions.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-RegistryAlwaysInstallElevated
+```
+
+Returns $True if any of the AlwaysInstallElevated registry keys are set.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+$True if RegistryAlwaysInstallElevated is set, $False otherwise.
+
+## NOTES
+
+## RELATED LINKS
+
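Review bot: In the DESCRIPTION, "If one of these keys are set" should be "If one of these keys is set". The either/or wording also deserves a second look: the Windows Installer AlwaysInstallElevated policy only takes effect when both the HKLM and the HKCU values are set to 1, so returning $True when only one is set may over-report; either state that explicitly in the description or note that both must be set for .MSI files to actually run elevated.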
diff --git a/docs/Privesc/Get-RegistryAutoLogon.md b/docs/Privesc/Get-RegistryAutoLogon.md new file mode 100755 index 0000000..b93e75c --- /dev/null +++ b/docs/Privesc/Get-RegistryAutoLogon.md @@ -0,0 +1,44 @@ +# Get-RegistryAutoLogon
+
+## SYNOPSIS
+Finds any autologon credentials left in the registry.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-RegistryAutoLogon
+```
+
+## DESCRIPTION
+Checks if any autologon accounts/credentials are set in a number of registry locations.
+If they are, the credentials are extracted and returned as a custom PSObject.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-RegistryAutoLogon
+```
+
+Finds any autologon credentials left in the registry.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.RegistryAutoLogon
+
+Custom PSObject containing autologin credentials found in the registry.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb)
+
diff --git a/docs/Privesc/Get-ServiceDetail.md b/docs/Privesc/Get-ServiceDetail.md new file mode 100755 index 0000000..ac758b0 --- /dev/null +++ b/docs/Privesc/Get-ServiceDetail.md @@ -0,0 +1,65 @@ +# Get-ServiceDetail
+
+## SYNOPSIS
+Returns detailed information about a specified service by querying the
+WMI win32_service class for the specified service name.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-ServiceDetail [-Name] <String[]>
+```
+
+## DESCRIPTION
+Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on
+the pipeline object returned by Get-Service, extracts out the service name, queries the
+WMI win32_service class for the specified service for details like binPath, and outputs
+everything.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ServiceDetail -Name VulnSVC
+```
+
+Gets detailed information about the 'VulnSVC' service.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Get-ServiceDetail
+```
+
+Gets detailed information about the 'VulnSVC' service.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to query information for.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Management.ManagementObject
+
+## NOTES
+
+## RELATED LINKS
+
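Review bot: Typo and run-on in the DESCRIPTION: "ServiceProcess.ServiceController objedts on / the pipeline object returned by Get-Service" should read "ServiceProcess.ServiceController objects (as returned by Get-Service) on the pipeline". The OUTPUTS entry "System.Management.ManagementObject" has no description; a one-liner saying it is the win32_service instance would match the style of the other files.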
diff --git a/docs/Privesc/Get-SiteListPassword.md b/docs/Privesc/Get-SiteListPassword.md new file mode 100755 index 0000000..1ebbb5b --- /dev/null +++ b/docs/Privesc/Get-SiteListPassword.md @@ -0,0 +1,96 @@ +# Get-SiteListPassword
+
+## SYNOPSIS
+Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
+Based on Jerome Nokin (@funoverip)'s Python solution (in links).
+
+Author: Jerome Nokin (@funoverip)
+PowerShell Port: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-SiteListPassword [[-Path] <String[]>]
+```
+
+## DESCRIPTION
+Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\,
+C:\Documents and Settings\, or C:\Users\.
+For any files found, the appropriate
+credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword
+function that takes advantage of McAfee's static key encryption.
+Any decrypted credentials
+are output in custom objects.
+See links for more information.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-SiteListPassword
+```
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName :
+Path : Products/CommonUpdater
+Name : McAfeeHttp
+DecPassword : MyStrongPassword!
+Enabled : 1
+DomainName :
+Server : update.nai.com:80
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName : McAfeeService
+Path : Repository$
+Name : Paris
+DecPassword : MyStrongPassword!
+Enabled : 1
+DomainName : companydomain
+Server : paris001
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName : McAfeeService
+Path : Repository$
+Name : Tokyo
+DecPassword : MyStrongPassword!
+Enabled : 1
+DomainName : companydomain
+Server : tokyo000
+
+## PARAMETERS
+
+### -Path
+Optional path to a SiteList.xml file or folder.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.SiteListPassword
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
+https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
+https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
+https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
+https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf)
+
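Review bot: RELATED LINKS packs four URLs into a single markdown link, with the newline-separated list used as both the link text and the target, so it renders as one broken link; each URL needs its own `[url](url)` line, as in Get-RegistryAutoLogon.md. Also "Retrieves the plaintext passwords for found McAfee's SiteList.xml files" reads awkwardly; "from any McAfee SiteList.xml files found" is clearer.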
diff --git a/docs/Privesc/Get-System.md b/docs/Privesc/Get-System.md new file mode 100755 index 0000000..bcaf3d6 --- /dev/null +++ b/docs/Privesc/Get-System.md @@ -0,0 +1,172 @@ +# Get-System
+
+## SYNOPSIS
+GetSystem functionality inspired by Meterpreter's getsystem.
+'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create
+a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege.
+NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure
+token duplication works correctly.
+
+PowerSploit Function: Get-System
+Author: @harmj0y, @mattifestation
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### NamedPipe (Default)
+```
+Get-System [-Technique <String>] [-ServiceName <String>] [-PipeName <String>]
+```
+
+### Token
+```
+Get-System [-Technique <String>]
+```
+
+### RevToSelf
+```
+Get-System [-RevToSelf]
+```
+
+### WhoAmI
+```
+Get-System [-WhoAmI]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-System
+```
+
+Uses named impersonate to elevate the current thread token to SYSTEM.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-System -ServiceName 'PrivescSvc' -PipeName 'secret'
+```
+
+Uses named impersonate to elevate the current thread token to SYSTEM
+with a custom service and pipe name.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-System -Technique Token
+```
+
+Uses token duplication to elevate the current thread token to SYSTEM.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-System -WhoAmI
+```
+
+Displays the credentials for the current thread.
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Get-System -RevToSelf
+```
+
+Reverts the current thread privileges.
+
+## PARAMETERS
+
+### -Technique
+The technique to use, 'NamedPipe' or 'Token'.
+
+```yaml
+Type: String
+Parameter Sets: NamedPipe, Token
+Aliases:
+
+Required: False
+Position: Named
+Default value: NamedPipe
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServiceName
+The name of the service used with named pipe impersonation, defaults to 'TestSVC'.
+
+```yaml
+Type: String
+Parameter Sets: NamedPipe
+Aliases:
+
+Required: False
+Position: Named
+Default value: TestSVC
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PipeName
+The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'.
+
+```yaml
+Type: String
+Parameter Sets: NamedPipe
+Aliases:
+
+Required: False
+Position: Named
+Default value: TestSVC
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RevToSelf
+Reverts the current thread privileges.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: RevToSelf
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhoAmI
+Switch.
+Display the credentials for the current PowerShell thread.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: WhoAmI
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
+https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
+http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/](https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
+https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
+http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/)
+
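Review bot: The DESCRIPTION is still the platyPS placeholder "{{Fill in the Description}}", while the SYNOPSIS carries the content that belongs there, including the '-STA' caveat for PowerShell 2.0, which would fit better under NOTES. Also "'Token' duplications a SYSTEM token" should be "'Token' duplicates a SYSTEM token", and the EXAMPLE 1/2 text "Uses named impersonate" should be "Uses named pipe impersonation". The RELATED LINKS block has the same multiple-URLs-in-one-link problem and needs one link per line.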
diff --git a/docs/Privesc/Get-UnattendedInstallFile.md b/docs/Privesc/Get-UnattendedInstallFile.md new file mode 100755 index 0000000..8927520 --- /dev/null +++ b/docs/Privesc/Get-UnattendedInstallFile.md @@ -0,0 +1,44 @@ +# Get-UnattendedInstallFile
+
+## SYNOPSIS
+Checks several locations for remaining unattended installation files,
+which may have deployment credentials.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-UnattendedInstallFile
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-UnattendedInstallFile
+```
+
+Finds any remaining unattended installation files.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.UnattendedInstallFile
+
+Custom PSObject containing results.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)
+
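Review bot: DESCRIPTION is the unfilled placeholder "{{Fill in the Description}}"; the SYNOPSIS says "several locations" are checked, so the description should enumerate them, since that is what an admin verifying cleanup of deployment files needs from this page. "Custom PSObject containing results." under OUTPUTS could say which fields (at minimum the file path) the PowerUp.UnattendedInstallFile object carries.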
diff --git a/docs/Privesc/Get-UnquotedService.md b/docs/Privesc/Get-UnquotedService.md new file mode 100755 index 0000000..4b61355 --- /dev/null +++ b/docs/Privesc/Get-UnquotedService.md @@ -0,0 +1,45 @@ +# Get-UnquotedService
+
+## SYNOPSIS
+Get-UnquotedService Returns the name and binary path for services with unquoted paths
+that also have a space in the name.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission
+
+## SYNTAX
+
+```
+Get-UnquotedService
+```
+
+## DESCRIPTION
+Uses Get-WmiObject to query all win32_service objects and extract out
+the binary pathname for each.
+Then checks if any binary paths have a space
+and aren't quoted.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-UnquotedService
+```
+
+Get a set of potentially exploitable services.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.UnquotedService
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb)
+
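Review bot: "Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission" are listed, but the DESCRIPTION only mentions the WMI query and the space/quote check, so it never says what the two dependencies contribute to the result; document that. Also the SYNOPSIS "Get-UnquotedService Returns ... unquoted paths that also have a space in the name" should be "Returns ... unquoted paths that also contain a space": per the DESCRIPTION it is the binary path, not the service name, that is checked.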
diff --git a/docs/Privesc/Get-WebConfig.md b/docs/Privesc/Get-WebConfig.md new file mode 100755 index 0000000..78cef7d --- /dev/null +++ b/docs/Privesc/Get-WebConfig.md @@ -0,0 +1,93 @@ +# Get-WebConfig
+
+## SYNOPSIS
+This script will recover cleartext and encrypted connection strings from all web.config
+files on the system.
+Also, it will decrypt them if needed.
+
+Author: Scott Sutherland, Antti Rantasaari
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-WebConfig
+```
+
+## DESCRIPTION
+This script will identify all of the web.config files on the system and recover the
+connection strings used to support authentication to backend databases.
+If needed, the
+script will also decrypt the connection strings on the fly.
+The output supports the
+pipeline which can be used to convert all of the results into a pretty table by piping
+to format-table.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Return a list of cleartext and decrypted connect strings from web.config files.
+```
+
+Get-WebConfig
+
+user : s1admin
+pass : s1password
+dbserv : 192.168.1.103\server1
+vdir : C:\test2
+path : C:\test2\web.config
+encr : No
+
+user : s1user
+pass : s1password
+dbserv : 192.168.1.103\server1
+vdir : C:\inetpub\wwwroot
+path : C:\inetpub\wwwroot\web.config
+encr : Yes
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Return a list of clear text and decrypted connect strings from web.config files.
+```
+
+Get-WebConfig | Format-Table -Autosize
+
+user pass dbserv vdir path encr
+---- ---- ------ ---- ---- ----
+s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No
+s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No
+s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No
+s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes
+s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+System.Data.DataTable
+
+## NOTES
+Below is an alterantive method for grabbing connection strings, but it doesn't support decryption.
+for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings
+
+Author: Scott Sutherland - 2014, NetSPI
+Author: Antti Rantasaari - 2014, NetSPI
+
+## RELATED LINKS
+
+[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)
+
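Review bot: Both EXAMPLE blocks are inverted: the fenced block contains the description sentence ("Return a list of cleartext and decrypted connect strings from web.config files.") while the actual command, `Get-WebConfig`, sits outside the fence as prose. Swap them so the command is fenced and the sentence follows it, as in the other files. The `for /f ... appcmd.exe ...` one-liner in NOTES should be fenced as code, "alterantive" should be "alternative", the author lines are duplicated between the SYNOPSIS block and NOTES, and the RELATED LINKS block needs one link per URL rather than five URLs inside one link.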
diff --git a/docs/Privesc/Install-ServiceBinary.md b/docs/Privesc/Install-ServiceBinary.md new file mode 100755 index 0000000..bc75a2a --- /dev/null +++ b/docs/Privesc/Install-ServiceBinary.md @@ -0,0 +1,175 @@ +# Install-ServiceBinary
+
+## SYNOPSIS
+Replaces the service binary for the specified service with one that executes
+a specified command as SYSTEM.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary
+
+## SYNTAX
+
+```
+Install-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
+ [-Credential <PSCredential>] [-Command <String>]
+```
+
+## DESCRIPTION
+Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the
+current user can modify the associated service binary listed in the binPath.
+Backs up
+the original service binary to "OriginalService.exe.bak" in service binary location,
+and then uses Write-ServiceBinary to create a C# service binary that either adds
+a local administrator user or executes a custom command.
+The new service binary is
+replaced in the original service binary path, and a custom object is returned that
+captures the original and new service binary configuration.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Install-ServiceBinary
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds TESTLAB\john to the Administrators local group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (backdoor/Password123!).
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -Command "net ..."
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that executes a custom command.
+
+## PARAMETERS
+
+### -Name
+The service name the EXE will be running under.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary.Installed
+
+## NOTES
+
+## RELATED LINKS
+
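Review bot: The backup file name is inconsistent: the DESCRIPTION says "OriginalService.exe.bak", every EXAMPLE says "SERVICE_PATH.exe.bak", and Restore-ServiceBinary.md says "OriginalServiceBinary.exe.bak". Use the name the code actually writes in all three places; it matters because the restore step keys on it. Also "Takes a esrvice Name" should be "Takes a service Name", and the -UserName default is "John" in the yaml but "john" in the text. The DESCRIPTION should point to Restore-ServiceBinary as the cleanup counterpart so the replaced binary is not left in place.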
diff --git a/docs/Privesc/Invoke-PrivescAudit.md b/docs/Privesc/Invoke-PrivescAudit.md new file mode 100755 index 0000000..7110962 --- /dev/null +++ b/docs/Privesc/Invoke-PrivescAudit.md @@ -0,0 +1,63 @@ +# Invoke-PrivescAudit
+
+## SYNOPSIS
+Executes all functions that check for various Windows privilege escalation opportunities.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-PrivescAudit [-HTMLReport]
+```
+
+## DESCRIPTION
+Executes all functions that check for various Windows privilege escalation opportunities.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-PrivescAudit
+```
+
+Runs all escalation checks and outputs a status report for discovered issues.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-PrivescAudit -HTMLReport
+```
+
+Runs all escalation checks and outputs a status report to SYSTEM.username.html
+detailing any discovered issues.
+
+## PARAMETERS
+
+### -HTMLReport
+Switch.
+Write a HTML version of the report to SYSTEM.username.html.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.String
+
+## NOTES
+
+## RELATED LINKS
+
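Review bot: The report file name "SYSTEM.username.html" appears in EXAMPLE 2 and under -HTMLReport without saying that SYSTEM and username are placeholders for the computer name and the current user; spell that out. Minor: "Write a HTML version" should be "Write an HTML version", and the DESCRIPTION duplicates the SYNOPSIS verbatim; it could instead list which check functions are run.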
diff --git a/docs/Privesc/Invoke-ServiceAbuse.md b/docs/Privesc/Invoke-ServiceAbuse.md new file mode 100755 index 0000000..8d493d7 --- /dev/null +++ b/docs/Privesc/Invoke-ServiceAbuse.md @@ -0,0 +1,194 @@ +# Invoke-ServiceAbuse
+
+## SYNOPSIS
+Abuses a function the current user has configuration rights on in order
+to add a local administrator or execute a custom command.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath
+
+## SYNTAX
+
+```
+Invoke-ServiceAbuse [-Name] <String[]> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
+ [-Credential <PSCredential>] [-Command <String>] [-Force]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current
+user has configuration modification rights on and executes a series of automated actions to
+execute commands as SYSTEM.
+First, the service is enabled if it was set as disabled and the
+original service binary path and configuration state are preserved.
+Then the service is stopped
+and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a
+series of commands, the service is started, stopped, and the next command is configured.
+After
+completion, the original service configuration is restored and a custom object is returned
+that captures the service abused and commands run.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC
+```
+
+Abuses service 'VulnSVC' to add a localuser "john" with password
+"Password123!
+to the machine and local administrator group
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Invoke-ServiceAbuse
+```
+
+Abuses service 'VulnSVC' to add a localuser "john" with password
+"Password123!
+to the machine and local administrator group
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john"
+```
+
+Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the
+local adminisrtators group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"
+```
+
+Abuses service 'VulnSVC' to add a localuser "backdoor" with password
+"password" to the machine and local "Power Users" group
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -Command "net ..."
+```
+
+Abuses service 'VulnSVC' to execute a custom command.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to abuse.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Switch.
+Force service stopping, even if other services are dependent.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.AbusedService
+
+## NOTES
+
+## RELATED LINKS
+
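Review bot: The SYNOPSIS says "Abuses a function the current user has configuration rights on"; that should be "a service". In EXAMPLE 1 and 2 the closing quote is missing (`"Password123!` then `to the machine and local administrator group`) and the sentence has no terminating period; EXAMPLE 3 has "add a the domain user" and "adminisrtators". The DESCRIPTION says the original configuration is restored "After completion"; state whether that also happens when an intermediate step fails, since a leftover binPath is what a responder will find.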
diff --git a/docs/Privesc/Invoke-WScriptUACBypass.md b/docs/Privesc/Invoke-WScriptUACBypass.md new file mode 100755 index 0000000..f9eeb8d --- /dev/null +++ b/docs/Privesc/Invoke-WScriptUACBypass.md @@ -0,0 +1,85 @@ +# Invoke-WScriptUACBypass
+
+## SYNOPSIS
+Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.
+
+Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-WScriptUACBypass [-Command] <String> [-WindowStyle <String>]
+```
+
+## DESCRIPTION
+Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute
+VBScript using the wscript executable with the new manifest.
+The VBScript executed by
+C:\Windows\wscript.exe will run elevated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+"
+```
+
+Launches the specified PowerShell encoded command in high-integrity.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible'
+```
+
+Spawns a high integrity cmd.exe.
+
+## PARAMETERS
+
+### -Command
+The shell command you want wscript.exe to run elevated.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CMD
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -WindowStyle
+Whether to display or hide the window for the executed '-Command X'.
+Accepted values are 'Hidden' and 'Normal'/'Visible.
+Default is 'Hidden'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Hidden
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
+https://github.com/Vozzie/uacscript
+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
+https://github.com/Vozzie/uacscript
+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1)
+
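Review bot: EXAMPLE 1 is broken: the fenced block contains only `"`, so the command that the text "Launches the specified PowerShell encoded command in high-integrity." refers to was lost in doc generation; restore the command line or drop the example. Under -WindowStyle, "'Normal'/'Visible." is missing its closing quote. The DESCRIPTION says wscript.exe and a manifest are dropped into C:\Windows; state whether they are removed afterwards, since that artifact is what a defender would look for. RELATED LINKS again needs one link per URL.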
diff --git a/docs/Privesc/Restore-ServiceBinary.md b/docs/Privesc/Restore-ServiceBinary.md new file mode 100755 index 0000000..a88fc29 --- /dev/null +++ b/docs/Privesc/Restore-ServiceBinary.md @@ -0,0 +1,87 @@ +# Restore-ServiceBinary
+
+## SYNOPSIS
+Restores a service binary backed up by Install-ServiceBinary.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath
+
+## SYNTAX
+
+```
+Restore-ServiceBinary [-Name] <String> [[-BackupPath] <String>]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and
+checks for the existence of an "OriginalServiceBinary.exe.bak" in the service
+binary location.
+If it exists, the backup binary is restored to the original
+binary path.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Restore-ServiceBinary -Name VulnSVC
+```
+
+Restore the original binary for the service 'VulnSVC'.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Restore-ServiceBinary
+```
+
+Restore the original binary for the service 'VulnSVC'.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe'
+```
+
+Restore the original binary for the service 'VulnSVC' from a custom location.
+
+## PARAMETERS
+
+### -Name
+The service name to restore a binary for.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -BackupPath
+Optional manual path to the backup binary.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary.Installed
+
+## NOTES
+
+## RELATED LINKS
+
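Review bot: OUTPUTS lists "PowerUp.ServiceBinary.Installed", the same type name Install-ServiceBinary.md reports; confirm that is what the restore path actually emits and, if not, correct it (and add a one-line description as Set-ServiceBinaryPath.md does). The backup name "OriginalServiceBinary.exe.bak" differs from "OriginalService.exe.bak" in Install-ServiceBinary.md; they must match, since -BackupPath is only needed when the default is not found.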
diff --git a/docs/Privesc/Set-ServiceBinaryPath.md b/docs/Privesc/Set-ServiceBinaryPath.md new file mode 100755 index 0000000..b39926f --- /dev/null +++ b/docs/Privesc/Set-ServiceBinaryPath.md @@ -0,0 +1,92 @@ +# Set-ServiceBinaryPath
+
+## SYNOPSIS
+Sets the binary path for a service to a specified value.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Set-ServiceBinaryPath [-Name] <String[]> [-Path] <String>
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a
+service handle to the service with ConfigControl access using the GetServiceHandle
+Win32 API call.
+ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath)
+to the string value specified by binPath, and the handle is closed off.
+
+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
+Dacl field to each object.
+It does this by opening a handle with ReadControl for the
+service with using the GetServiceHandle Win32 API call and then uses
+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add'
+```
+
+Sets the binary path for 'VulnSvc' to be a command to add a user.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add'
+```
+
+Sets the binary path for 'VulnSvc' to be a command to add a user.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to set the binary path for.
+Required.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+The new binary path (lpBinaryPathName) to set for the specified service.
+Required.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: BinaryPath, binPath
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+$True if configuration succeeds, $False otherwise.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx)
+
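Review bot: The second DESCRIPTION paragraph ("Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a Dacl field to each object. ... QueryServiceObjectSecurity to retrieve a copy of the security descriptor") is copied from Add-ServiceDacl.md and describes a different function; delete it. In the first paragraph, "to the string value specified by binPath" should refer to the -Path parameter (aliases BinaryPath, binPath) by its documented name.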
diff --git a/docs/Privesc/Test-ServiceDaclPermission.md b/docs/Privesc/Test-ServiceDaclPermission.md new file mode 100755 index 0000000..2251a11 --- /dev/null +++ b/docs/Privesc/Test-ServiceDaclPermission.md @@ -0,0 +1,112 @@ +# Test-ServiceDaclPermission
+
+## SYNOPSIS
+Tests one or more passed services or service names against a given permission set,
+returning the service objects where the current user have the specified permissions.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: Add-ServiceDacl
+
+## SYNTAX
+
+```
+Test-ServiceDaclPermission [-Name] <String[]> [-Permissions <String[]>] [-PermissionSet <String>]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds
+a service Dacl to the service object with Add-ServiceDacl.
+All group SIDs for the current
+user are enumerated services where the user has some type of permission are filtered.
+The
+services are then filtered against a specified set of permissions, and services where the
+current user have the specified permissions are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Service | Test-ServiceDaclPermission
+```
+
+Return all service objects where the current user can modify the service configuration.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart'
+```
+
+Return all service objects that the current user can restart.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC'
+```
+
+Return the VulnSVC object if the current user has start permissions.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to test against the specified permission set.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName, Service
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Permissions
+A manual set of permission to test again.
+One of:'QueryConfig', 'ChangeConfig', 'QueryStatus',
+'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl',
+'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity',
+'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess'
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PermissionSet
+A pre-defined permission set to test a specified service against.
+'ChangeConfig', 'Restart', or 'AllAccess'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: ChangeConfig
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### ServiceProcess.ServiceController
+
+## NOTES
+
+## RELATED LINKS
+
+[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
+
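Review bot: The second sentence of DESCRIPTION is missing a conjunction ("All group SIDs for the current user are enumerated services where the user has some type of permission are filtered"); suggest "All group SIDs for the current user are enumerated, and services where the user has some type of permission are filtered." In the same hunk, "current user have" should be "has" (SYNOPSIS and DESCRIPTION), the -Permissions text reads "to test again" where "to test against" is meant, and 'UserDefinedControl' is missing its opening quote in the value list.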
diff --git a/docs/Privesc/Write-HijackDll.md b/docs/Privesc/Write-HijackDll.md new file mode 100755 index 0000000..d38e3e7 --- /dev/null +++ b/docs/Privesc/Write-HijackDll.md @@ -0,0 +1,173 @@ +# Write-HijackDll
+
+## SYNOPSIS
+Patches in the path to a specified .bat (containing the specified command) into a
+pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-HijackDll [-DllPath] <String> [[-Architecture] <String>] [[-BatPath] <String>] [[-UserName] <String>]
+ [[-Password] <String>] [[-LocalGroup] <String>] [[-Credential] <PSCredential>] [[-Command] <String>]
+```
+
+## DESCRIPTION
+First builds a self-deleting .bat file that executes the specified -Command or local user,
+to add and writes the.bat out to -BatPath.
+The BatPath is then patched into a pre-compiled
+C++ DLL that is built to be hijackable by the IKEEXT service.
+There are two DLLs, one for
+x86 and one for x64, and both are contained as base64-encoded strings.
+The DLL is then
+written out to the specified OutputFile.
+
+## EXAMPLES
+
+### Example 1
+```
+PS C:\> {{ Add example code here }}
+```
+
+{{ Add example description here }}
+
+## PARAMETERS
+
+### -DllPath
+File name to write the generated DLL out to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Architecture
+The Architecture to generate for the DLL, x86 or x64.
+If not specified, PowerUp
+will try to automatically determine the correct architecture.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -BatPath
+Path to the .bat for the DLL to launch.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 8
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL
+
+## NOTES
+
+## RELATED LINKS
+
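Review bot: Example 1 still contains the unfilled template placeholders `{{ Add example code here }}` and `{{ Add example description here }}`; supply a real example or remove the section before this is published. The SYNOPSIS and DESCRIPTION also refer to a "ServicePath location" and an "OutputFile", but per the SYNTAX block the parameter that receives the output path is -DllPath, so the text should name -DllPath.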
diff --git a/docs/Privesc/Write-ServiceBinary.md b/docs/Privesc/Write-ServiceBinary.md new file mode 100755 index 0000000..7d588a5 --- /dev/null +++ b/docs/Privesc/Write-ServiceBinary.md @@ -0,0 +1,191 @@ +# Write-ServiceBinary
+
+## SYNOPSIS
+Patches in the specified command to a pre-compiled C# service executable and
+writes the binary out to the specified ServicePath location.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
+ [-Credential <PSCredential>] [-Command <String>] [-Path <String>]
+```
+
+## DESCRIPTION
+Takes a pre-compiled C# service binary and patches in the appropriate commands needed
+for service abuse.
+If a -UserName/-Password or -Credential is specified, the command
+patched in creates a local user and adds them to the specified -LocalGroup, otherwise
+the specified -Command is patched in.
+The binary is then written out to the specified
+-ServicePath.
+Either -Name must be specified for the service, or a proper object from
+Get-Service must be passed on the pipeline in order to patch in the appropriate service
+name the binary will be running under.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Write-ServiceBinary
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that adds
+TESTLAB\john to the Administrators local group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (backdoor/Password123!).
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -Command "net ..."
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+executes a custom command.
+
+## PARAMETERS
+
+### -Name
+The service name the EXE will be running under.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Path
+Path to write the binary out to, defaults to 'service.exe' in the local directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: "$(Convert-Path .)\service.exe"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary
+
+## NOTES
+
+## RELATED LINKS
+
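Review bot: DESCRIPTION says the binary is written to "the specified -ServicePath" and SYNOPSIS to "the specified ServicePath location", but no such parameter appears in SYNTAX; the output location is -Path (default "$(Convert-Path .)\service.exe"), so both sentences should be corrected. The INPUTS section is also empty although -Name accepts pipeline input by value and by property name, which Example 2 (`Get-Service VulnSVC | Write-ServiceBinary`) relies on.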
diff --git a/docs/Privesc/Write-UserAddMSI.md b/docs/Privesc/Write-UserAddMSI.md new file mode 100755 index 0000000..cac959d --- /dev/null +++ b/docs/Privesc/Write-UserAddMSI.md @@ -0,0 +1,56 @@ +# Write-UserAddMSI
+
+## SYNOPSIS
+Writes out a precompiled MSI installer that prompts for a user/group addition.
+This function can be used to abuse Get-RegistryAlwaysInstallElevated.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-UserAddMSI [[-Path] <String>]
+```
+
+## DESCRIPTION
+Writes out a precompiled MSI installer that prompts for a user/group addition.
+This function can be used to abuse Get-RegistryAlwaysInstallElevated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Write-UserAddMSI
+```
+
+Writes the user add MSI to the local directory.
+
+## PARAMETERS
+
+### -Path
+{{Fill Path Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: False
+Position: 1
+Default value: UserAdd.msi
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.UserAddMSI
+
+## NOTES
+
+## RELATED LINKS
+
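Review bot: The -Path parameter description is the unfilled template placeholder `{{Fill Path Description}}`; it should state that -Path is the output location for the MSI (default UserAdd.msi, per the yaml block). The `Aliases: ServiceName` entry on a path parameter looks like a copy-paste leftover; if it mirrors the function's parameter attribute, it should be fixed at the source rather than documented as-is.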
diff --git a/docs/Privesc/index.md b/docs/Privesc/index.md new file mode 100644 index 0000000..836e674 --- /dev/null +++ b/docs/Privesc/index.md 
@@ -0,0 +1,55 @@ +## PowerUp + +PowerUp aims to be a clearinghouse of common Windows privilege escalation +vectors that rely on misconfigurations. + +Running Invoke-AllChecks will output any identifiable vulnerabilities along +with specifications for any abuse functions. The -HTMLReport flag will also +generate a COMPUTER.username.html version of the report. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + + +### Token/Privilege Enumeration/Abuse: + Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not + Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID + Enable-Privilege - enables a specific privilege for the current process + +### Service Enumeration/Abuse: + Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set + Get-UnquotedService - returns services with unquoted paths that also have a space in the name + Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config + Get-ModifiableService - returns services the current user can modify + Get-ServiceDetail - returns detailed information about a specified service + Set-ServiceBinaryPath - sets the binary path for a service to a specified value + Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command + Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command + Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command + Restore-ServiceBinary - restores a replaced service binary with the original executable + +### DLL Hijacking: + Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes + Find-PathDLLHijack - finds service %PATH% DLL hijacking 
opportunities + Write-HijackDll - writes out a hijackable DLL + +### Registry Checks: + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAutoLogon - checks for Autologon credentials in the registry + Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns + +### Miscellaneous Checks: + Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files + Get-UnattendedInstallFile - finds remaining unattended installation files + Get-Webconfig - checks for any encrypted web.config strings + Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords + Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files + Get-CachedGPPPassword - checks for passwords in cached Group Policy Preferences files + +### Other Helpers/Meta-Functions: + Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify + Write-UserAddMSI - write out a MSI installer that prompts for a user to be added + Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe + Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks) diff --git a/docs/index.md b/docs/index.md index 67ddcbc..8cd53ea 100644 --- a/docs/index.md +++ b/docs/index.md @@ -61,6 +61,7 @@ Cause general mayhem with PowerShell. Tools to help with escalating privileges on a target, including PowerUp. PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. + Get-System - GetSystem functionality inspired by Meterpreter's getsystem ### Recon Tools to aid in the reconnaissance phase of a penetration test, including PowerView. |
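Review bot: The intro paragraph of docs/Privesc/index.md still tells users to run Invoke-AllChecks (with the -HTMLReport flag), while the function list at the bottom of the same file states that Invoke-PrivescAudit is the current name "(formerly Invoke-AllChecks)"; update the intro to Invoke-PrivescAudit so the two parts of the page agree.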
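Review bot: Get-System is listed under the Privesc section of docs/index.md but is absent from the PowerUp function list in docs/Privesc/index.md added by the same commit; add it to that list with a short description, as for the other functions, or note where its documentation lives, so the two indexes stay consistent.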