aboutsummaryrefslogtreecommitdiff
path: root/Privesc
AgeCommit message (Collapse)AuthorFilesLines
2016-04-08Merge pull request #122 from joncave/patch-1HarmJ0y1-0/+1
Find-PathHijack: Expand environment variables in path
2016-03-20Find-PathHijack: Expand environment variables in pathJon Cave1-0/+1
Paths containing environment variables can cause false-positives to occur, e.g. `%SystemRoot%\system32\WindowsPowerShell\v1.0\`. `Find-PathHijack` will believe this is a relative path and will report it as hijackable if the current directory is writeable.
2016-03-15Moved admin check for Get-System to allow for RevToSelfHarmj0y1-4/+4
2016-03-11Added Get-System to Privesc/Harmj0y2-3/+594
Added Pester tests for Get-System
2016-02-12Added Pester tests for Get-SiteListPasswordHarmj0y1-2/+7
Encrypted password check for Get-SiteListPassword fields
2016-02-12Added additional search paths, code cleanup.Harmj0y1-42/+14
2016-02-11Added Get-SiteListPassword to decrypt McAfee SiteList.xml file passwords.Harmj0y2-1/+203
2016-01-25Merge pull request #111 from sagishahar/devHarmJ0y1-3/+3
Fix 'Install-ServiceBinary' for non-'Modifiable' files
2016-01-25Merge pull request #108 from sagishahar/masterHarmJ0y1-55/+64
Add 'CanRestart' to output and Pester tests
2016-01-17Fix 'Install-ServiceBinary' for non-'Modifiable' filessagishahar1-3/+3
The 'Install-ServiceBinary' function fails on an edge case where the service's file permission does not include the 'Modify' permission but does include the 'Write' permission (https://technet.microsoft.com/en-au/library/dd349321(v=ws.10).aspx). In this scenario, renaming the original service file for backup purposes will result in 'Access Denied' message. Fixing this requires that the file be copied to service.exe.bak instead of renamed to service.exe.bak.
2016-01-13Add 'CanRestart' to output and Pester testssagishahar1-55/+64
Pester tests to the function 'Test-ServiceDaclPermission' were added in order to increase confidence in its reliability. In general, my intention was to replace the current functionality of the service management functions such as Invoke-ServiceStart, to not use blindly 'sc.exe start' but rather consult with the DACL permissions and base the decision on that. Unforunately, further investigation lead me to the conclusion that retrieval of the service's DACL permissions requires that an additional DACL permission (RC) be set. This may lead to an edge case that could miss a potential privilege escalation condition and thereby the original idea was discarded. Nonetheless, 'Test-ServiceDaclPermission' can be used for less critical tasks. Therefore, a 'CanRestart' property was added to the output of the service enumeration functions such as 'Get-ServiceUnquoted' as I think that it will add value to redteamers/pentesters by helping them prioritise which service should be abused for escalation of privileges. Services that can be restarted by a low privileged user will probably be prioritised first. Additionally, manual checking whether the vulnerable service can be restarted would not be required in most cases.
2015-12-29Sorted exports into alphabetical orderStuart Morgan1-13/+13
2015-12-18Set all module versions to 3.0Matt Graeber1-61/+1
Also cleaned up some module manifest cruft.
2015-12-14Removed commented blocks.Harmj0y1-6/+6
2015-12-14Removed C# enum for Test-ServiceDaclPermissionHarmj0y1-42/+42
2015-12-03Added ./Privesc/ folder that integrates PowerUp.ps1Harmj0y4-0/+2467
Updated README.md's
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 22:27:18 +0000