diff options
| -rw-r--r-- | Privesc/PowerUp.ps1 | 251 |
1 files changed, 102 insertions, 149 deletions
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1 index 50f8268..af2d79e 100644 --- a/Privesc/PowerUp.ps1 +++ b/Privesc/PowerUp.ps1 @@ -4670,9 +4670,14 @@ Required Dependencies: None Executes all functions that check for various Windows privilege escalation opportunities. +.PARAMETER Format + +String. Format to decide on what is returned from the command, an Object Array, List, or HTML Report. + .PARAMETER HTMLReport -Switch. Write a HTML version of the report to SYSTEM.username.html. +DEPRECATED - Switch. Write a HTML version of the report to SYSTEM.username.html. +Superseded by the Format parameter. .EXAMPLE @@ -4682,25 +4687,26 @@ Runs all escalation checks and outputs a status report for discovered issues. .EXAMPLE -Invoke-PrivescAudit -HTMLReport +Invoke-PrivescAudit -Format HTML Runs all escalation checks and outputs a status report to SYSTEM.username.html detailing any discovered issues. -.OUTPUTS - -System.String #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] - [OutputType('System.String')] [CmdletBinding()] Param( + [ValidateSet('Object','List','HTML')] + [String] + $Format = 'Object', [Switch] $HTMLReport ) - if ($HTMLReport) { + if($HTMLReport){ $Format = 'HTML' } + + if ($Format -eq 'HTML') { $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html" $Header = "<style>" $Header = $Header + "BODY{background-color:peachpuff;}" @@ -4711,153 +4717,101 @@ System.String ConvertTo-HTML -Head $Header -Body "<H1>PowerUp report for '$($Env:ComputerName).$($Env:UserName)'</H1>" | Out-File $HtmlReportFile } - # initial admin checks - - "`n[*] Running Invoke-AllChecks" - - $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") - - if ($IsAdmin){ - "[+] Current user already has local administrative privileges!" - - if ($HTMLReport) { - ConvertTo-HTML -Head $Header -Body "<H2>User Has Local Admin Privileges!</H2>" | Out-File -Append $HtmlReportFile + Write-Verbose "Running Invoke-PrivescAudit" + + $Checks = @( + # Initial admin checks + @{ + Type = 'User Has Local Admin Privileges' + Command = { if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ New-Object PSObject } } + }, + @{ + Type = 'User In Local Group with Admin Privileges' + Command = { if ((Get-ProcessTokenGroup | Select-Object -ExpandProperty SID) -contains 'S-1-5-32-544'){ New-Object PSObject } } + AbuseScript = { 'Invoke-WScriptUACBypass -Command "..."' } + }, + @{ + Type = 'Process Token Privileges' + Command = { Get-ProcessTokenPrivilege -Special | Where-Object {$_} } + }, + # Service checks + @{ + Type = 'Unquoted Service Paths' + Command = { Get-UnquotedService } + }, + @{ + Type = 'Modifiable Service Files' + Command = { Get-ModifiableServiceFile } + }, + @{ + Type = 'Modifiable Services' + Command = { Get-ModifiableService } + }, + # DLL hijacking + @{ + Type = '%PATH% .dll Hijacks' + Command = { Find-PathDLLHijack } + AbuseScript = { "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" } + }, + # Registry checks + @{ + Type = 'AlwaysInstallElevated Registry Key' + Command = { if (Get-RegistryAlwaysInstallElevated){ New-Object PSObject } } + AbuseScript = { 'Write-UserAddMSI' } + }, + @{ + Type = 'Registry Autologons' + Command = { Get-RegistryAutoLogon } + }, + @{ + Type = 'Modifiable Registry Autorun' + Command = { Get-ModifiableRegistryAutoRun } + }, + # Other checks + @{ + Type = 'Modifiable Scheduled Task Files' + Command = { Get-ModifiableScheduledTaskFile } + }, + @{ + Type = 'Unattended Install Files' + Command = { Get-UnattendedInstallFile } + }, + @{ + Type = 'Encrypted web.config Strings' + Command = { Get-WebConfig | Where-Object {$_} } + }, + @{ + Type = 'Encrypted Application Pool Passwords' + Command = { Get-ApplicationHost | Where-Object {$_} } + }, + @{ + Type = 'McAfee SiteList.xml files' + Command = { Get-SiteListPassword | Where-Object {$_} } + }, + @{ + Type = 'Cached GPP Files' + Command = { Get-CachedGPPPassword | Where-Object {$_} } } - } - else{ - "`n`n[*] Checking if user is in a local group with administrative privileges..." - - $CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID - if ($CurrentUserSids -Contains 'S-1-5-32-544') { - "[+] User is in a local group that grants administrative privileges!" - "[+] Run 'Invoke-WScriptUACBypass -Command `"...`"' to elevate privileges to admin." - if ($HTMLReport) { - ConvertTo-HTML -Head $Header -Body "<H2> User In Local Group With Administrative Privileges</H2>" | Out-File -Append $HtmlReportFile + ) + + ForEach($Check in $Checks){ + Write-Verbose "Checking for $($Check.Type)..." + $Results = . $Check.Command + $Results | Where-Object {$_} | ForEach-Object { + $_ | Add-Member Noteproperty 'Check' $Check.Type + if ($Check.AbuseScript){ + $_ | Add-Member Noteproperty 'AbuseFunction' (. $Check.AbuseScript) } } - } - - "`n`n[*] Checking current process token permissions..." - $Results = Get-ProcessTokenPrivilege -Special | Where-Object {$_} - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile - } - - # Service checks - - "`n`n[*] Checking for unquoted service paths..." - $Results = Get-UnquotedService - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unquoted Service Paths</H2>" | Out-File -Append $HtmlReportFile - } - - "`n`n[*] Checking service executable and argument permissions..." - $Results = Get-ModifiableServiceFile - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Service File Permissions</H2>" | Out-File -Append $HtmlReportFile - } - - "`n`n[*] Checking service permissions..." - $Results = Get-ModifiableService - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifiable Services</H2>" | Out-File -Append $HtmlReportFile - } - - - # DLL hijacking - - "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..." - $Results = Find-PathDLLHijack - $Results | Where-Object {$_} | Foreach-Object { - $AbuseString = "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" - $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString - $_ - } | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>%PATH% .dll Hijacks</H2>" | Out-File -Append $HtmlReportFile - } - - - # registry checks - - "`n`n[*] Checking for AlwaysInstallElevated registry key..." - if (Get-RegistryAlwaysInstallElevated) { - $Out = New-Object PSObject - $Out | Add-Member Noteproperty 'AbuseFunction' "Write-UserAddMSI" - $Results = $Out - - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>AlwaysInstallElevated</H2>" | Out-File -Append $HtmlReportFile + switch($Format){ + Object { $Results } + List { "`n`n[*] Checking for $($Check.Type)..."; $Results | Format-List } + HTML { $Results | ConvertTo-HTML -Head $Header -Body "<H2>$($Check.Type)</H2>" | Out-File -Append $HtmlReportFile } } } - "`n`n[*] Checking for Autologon credentials in registry..." - $Results = Get-RegistryAutoLogon - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autologons</H2>" | Out-File -Append $HtmlReportFile - } - - - "`n`n[*] Checking for modifidable registry autoruns and configs..." - $Results = Get-ModifiableRegistryAutoRun - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile - } - - # other checks - - "`n`n[*] Checking for modifiable schtask files/configs..." - $Results = Get-ModifiableScheduledTaskFile - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifidable Schask Files</H2>" | Out-File -Append $HtmlReportFile - } - - "`n`n[*] Checking for unattended install files..." - $Results = Get-UnattendedInstallFile - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unattended Install Files</H2>" | Out-File -Append $HtmlReportFile - } - - "`n`n[*] Checking for encrypted web.config strings..." - $Results = Get-Webconfig | Where-Object {$_} - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted 'web.config' String</H2>" | Out-File -Append $HtmlReportFile - } - - "`n`n[*] Checking for encrypted application pool and virtual directory passwords..." - $Results = Get-ApplicationHost | Where-Object {$_} - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted Application Pool Passwords</H2>" | Out-File -Append $HtmlReportFile - } - - "`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files..." - $Results = Get-SiteListPassword | Where-Object {$_} - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>McAfee's SiteList.xml's</H2>" | Out-File -Append $HtmlReportFile - } - - "`n`n[*] Checking for cached Group Policy Preferences .xml files..." - $Results = Get-CachedGPPPassword | Where-Object {$_} - $Results | Format-List - if ($HTMLReport) { - $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile - } - "`n" - - if ($HTMLReport) { - "[*] Report written to '$HtmlReportFile' `n" + if ($Format -eq 'HTML') { + Write-Verbose "[*] Report written to '$HtmlReportFile' `n" } } @@ -5012,5 +4966,4 @@ $Kernel32 = $Types['kernel32'] $NTDll = $Types['ntdll'] Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup -Set-Alias Get-UnquotedService Get-UnquotedService Set-Alias Invoke-AllChecks Invoke-PrivescAudit |