path: root/Privesc
Age         Commit message  [Author; files changed; lines removed/added]
2016-07-15  Merge pull request #161 from joncave/batnewlines  [HarmJ0y; 1 file; -2/+2]
    PowerUp: Remove badly encoded new lines from .bat output

2016-06-30  PowerUp: Remove badly encoded new lines from .bat output  [Jon Cave; 1 file; -2/+2]
    The current implementation results in a .bat like:

        @echo off\n
        start /b net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add\n
        start /b "" cmd /c del "%~f0"&exit /b

    With literal "\n" strings at the end of the first two lines. A new line in a PowerShell string should be "`n". However, an extra new line isn't actually necessary in this case.

2016-06-30  PowerUp: Allocate enough space for TOKEN_GROUPS  [Jon Cave; 1 file; -6/+5]
    Make an initial call to GetTokenInformation() with a NULL buffer to get the actual buffer size required. Prevents the "The data area passed to a system call is too small" error from being thrown.
2016-06-23  Fixed bug in Get-ModifiablePath that resulted in spaces being expanded to the current directory location  [Harmj0y; 1 file; -36/+54]
    Fixed other logic bugs in Get-ModifiablePath
    Fixed bug in Add-ServiceDacl when the [ServiceProcess.ServiceController] wasn't loaded yet by Get-Service
    Error handling for Get-CachedGPPPassword
    Changed some Write-Warnings to Write-Verbose
    Updated Privesc Pester tests for PowerUp

2016-06-07  Corrected -Path parameter in Write-ServiceBinary  [Harmj0y; 1 file; -6/+6]

2016-06-06  updated Privesc.psd1 and README.md  [Harmj0y; 2 files; -0/+2]
2016-06-06  Added Get-CachedGPPPassword to PowerUp, based almost entirely on Get-GPPPassword.  [Harmj0y; 1 file; -0/+208]
    Added Pester tests for Get-CachedGPPPassword.
2016-06-04  Get-ModifiablePath now also checks parent folders of files for modification  [Harmj0y; 1 file; -31/+99]
    Bug fixes
    Corrected PowerUp Pester tests
    Changed 'Path' field to 'ModifiablePath' in 'Get-ModifiablePath'
    Get-ServiceUnquoted now filters paths through Get-ModifiablePath

2016-06-04  Renamed Get-RegistryAutoRun to Get-ModifiableRegistryAutoRun  [Harmj0y; 3 files; -13/+12]
    Renamed Find-PathHijack to Find-PathDLLHijack
    Fixed exposed functions in PowerSploit.psd1

2016-06-04  -Enum specification bug fix  [Harmj0y; 1 file; -62/+70]
    -Additional error checking and documentation
    -OpenProcessToken() call now uses TOKEN_QUERY instead of TOKEN_READ

2016-06-03  Added SidAttributes enum, Get-CurrentUserTokenGroupSid now returns an object with SID and attributes fields  [Harmj0y; 1 file; -27/+43]

2016-06-03  Added Get-CurrentUserTokenGroupSid to enumerate all group SIDs the current user is a part of, regardless of being disabled.  [Harmj0y; 3 files; -4/+94]
    Replaced 'whoami /groups' local admin + medium integrity check with comparison against Get-CurrentUserTokenGroupSid
2016-06-03  -Added ValueFromPipelineByPropertyName to Get-ModifiablePath to parse passed file objects  [Harmj0y; 1 file; -603/+492]
    -Service functions now accept just -Name (instead of -Service/-ServiceName), which has ValueFromPipelineByPropertyName set in order to handle service objects on the pipeline
    -Moved PSReflect signatures to the bottom of the script
    -Function and help cleanup
2016-06-02  Updated Privesc README.md and .psd1 to reflect the new PowerUp function names.  [Harmj0y; 2 files; -34/+44]
2016-06-02  -Get-ModifiableFile renamed to Get-ModifiablePath  [Harmj0y; 1 file; -249/+330]
    -Get-VulnSchTask renamed to Get-ModifiableScheduledTaskFile
    -Get-VulnAutoRun renamed Get-RegistryAutoRun
    -Get-RegAutoLogon renamed Get-RegistryAutoLogon
    -Find-DLLHijack renamed to Find-ProcessDLLHijack for clarification, code cleaned up, -Process parameter added, output object detail expanded, and help expanded
    -Removed most of the code from Find-PathHijack, replacing it with Get-ModifiablePath
    -Cleaned up logic for Write-HijackDll
    -Expanded help for the registry enumeration cmdlets
    -Added local user creation options to Write-HijackDll to match Write-ServiceBinary
    -Increased pause between user creation commands

2016-06-02  -Help expanded for Invoke-ServiceAbuse  [Harmj0y; 1 file; -340/+490]
    -Fixed parameter sets for Write-ServiceBinary and added -Credential and -Service params
    -Simplified/corrected logic for Install-ServiceBinary
    -Fixed parameter sets and simplified logic for Restore-ServiceBinary
    -Added sanity check with Get-ModifiableFile for Install-ServiceBinary
    -Cleaned up lingering spaces
2016-06-01  -Removed Invoke-ServiceStart, Invoke-ServiceStop, Invoke-ServiceEnable, Invoke-ServiceDisable  [Harmj0y; 1 file; -425/+1419]
    -Renamed Get-ServiceFilePermission to Get-ModifiableServiceFile
    -Renamed Get-ServicePermission Get-ModifiableService
    -Integrated PSReflect codebase from @mattifestation
    -Modified Get-ModifiableFile to enumerate the ACLs for passed file paths, returning the path/permission set/identityreference for each modifiable file (instead of opening file for modification)
    -Added Add-ServiceDacl from @mattifestation to add service Dacls to Get-Service objects
    -Added Set-ServiceBinPath to replace "sc.exe config SERVICE binPath= X" - now modifies using the ChangeServiceConfig Win32 API call
    -Revamped Test-ServiceDaclPermission to take advantage of Add-ServiceDacl. Service permissions are now matched up against the current user's group memberships and specified permission sets to check for.
    -Functions that checked for service restarting now use Test-ServiceDaclPermission
    -Get-ModifiableService now uses Test-ServiceDaclPermission
    -Invoke-ServiceAbuse completely rebuilt to use native PowerShell functions and Set-ServiceBinPath to reconfigure service binary paths for abuse
    -Parameter sets rewritten for several functions to accept -Credential objects where applicable and -Service objects from Get-Service on the pipeline
    TODO: Tune up Write-ServiceBinary, Install-ServiceBinary, Restore-ServiceBinary, Find-DLLHijack, Find-PathHijack, Write-HijackDll, and all the registry checks
2016-05-31  Bug fix for Get-System for when a needed assembly isn't loaded.  [Harmj0y; 1 file; -0/+2]

2016-05-23  Combined Get-SiteListPassword.ps1 into PowerUp.ps1  [Harmj0y; 3 files; -179/+189]

2016-05-23  Bug fix for issue #137  [Harmj0y; 1 file; -13/+12]

2016-04-08  Merge pull request #122 from joncave/patch-1  [HarmJ0y; 1 file; -0/+1]
    Find-PathHijack: Expand environment variables in path

2016-03-20  Find-PathHijack: Expand environment variables in path  [Jon Cave; 1 file; -0/+1]
    Paths containing environment variables can cause false-positives to occur, e.g. `%SystemRoot%\system32\WindowsPowerShell\v1.0\`. `Find-PathHijack` will believe this is a relative path and will report it as hijackable if the current directory is writeable.

2016-03-15  Moved admin check for Get-System to allow for RevToSelf  [Harmj0y; 1 file; -4/+4]

2016-03-11  Added Get-System to Privesc/  [Harmj0y; 2 files; -3/+594]
    Added Pester tests for Get-System

2016-02-12  Added Pester tests for Get-SiteListPassword  [Harmj0y; 1 file; -2/+7]
    Encrypted password check for Get-SiteListPassword fields

2016-02-12  Added additional search paths, code cleanup.  [Harmj0y; 1 file; -42/+14]

2016-02-11  Added Get-SiteListPassword to decrypt McAfee SiteList.xml file passwords.  [Harmj0y; 2 files; -1/+203]

2016-01-25  Merge pull request #111 from sagishahar/dev  [HarmJ0y; 1 file; -3/+3]
    Fix 'Install-ServiceBinary' for non-'Modifiable' files

2016-01-25  Merge pull request #108 from sagishahar/master  [HarmJ0y; 1 file; -55/+64]
    Add 'CanRestart' to output and Pester tests
2016-01-17  Fix 'Install-ServiceBinary' for non-'Modifiable' files  [sagishahar; 1 file; -3/+3]
    The 'Install-ServiceBinary' function fails on an edge case where the service's file permission does not include the 'Modify' permission but does include the 'Write' permission (https://technet.microsoft.com/en-au/library/dd349321(v=ws.10).aspx). In this scenario, renaming the original service file for backup purposes will result in an 'Access Denied' message. Fixing this requires that the file be copied to service.exe.bak instead of renamed to service.exe.bak.

2016-01-13  Add 'CanRestart' to output and Pester tests  [sagishahar; 1 file; -55/+64]
    Pester tests for the function 'Test-ServiceDaclPermission' were added in order to increase confidence in its reliability. In general, my intention was to replace the current functionality of the service management functions such as Invoke-ServiceStart, to not blindly use 'sc.exe start' but rather consult the DACL permissions and base the decision on that. Unfortunately, further investigation led me to the conclusion that retrieval of the service's DACL permissions requires that an additional DACL permission (RC) be set. This may lead to an edge case that could miss a potential privilege escalation condition, and thereby the original idea was discarded. Nonetheless, 'Test-ServiceDaclPermission' can be used for less critical tasks. Therefore, a 'CanRestart' property was added to the output of the service enumeration functions such as 'Get-ServiceUnquoted', as I think that it will add value to redteamers/pentesters by helping them prioritise which service should be abused for escalation of privileges. Services that can be restarted by a low privileged user will probably be prioritised first. Additionally, manual checking whether the vulnerable service can be restarted would not be required in most cases.
2015-12-29  Sorted exports into alphabetical order  [Stuart Morgan; 1 file; -13/+13]

2015-12-18  Set all module versions to 3.0  [Matt Graeber; 1 file; -61/+1]
    Also cleaned up some module manifest cruft.

2015-12-14  Removed commented blocks.  [Harmj0y; 1 file; -6/+6]

2015-12-14  Removed C# enum for Test-ServiceDaclPermission  [Harmj0y; 1 file; -42/+42]

2015-12-03  Added ./Privesc/ folder that integrates PowerUp.ps1  [Harmj0y; 4 files; -0/+2467]
    Updated README.md's