From f9b95c5cf2812ddf7691940b26eac89bce5e03f8 Mon Sep 17 00:00:00 2001
From: James McGinnigle <james@cyberstack.co.uk>
Date: Sun, 7 May 2017 16:32:55 +0100
Subject: Fix build for import and run of Invoke-PrivescAudit

---
 PowerSploit.psd1    |  4 ++--
 PowerSploit.psm1    |  2 +-
 Recon/PowerView.ps1 | 10 +++++-----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/PowerSploit.psd1 b/PowerSploit.psd1
index 065ea68..3b6976f 100644
--- a/PowerSploit.psd1
+++ b/PowerSploit.psd1
@@ -90,11 +90,11 @@ FunctionsToExport = @(
     'Get-RegistryAutoLogon',
     'Get-SecurityPackages',
     'Get-ServiceDetail',
-    'Get-ServiceUnquoted',
     'Get-SiteListPassword',
     'Get-System',
     'Get-TimedScreenshot',
     'Get-UnattendedInstallFile',
+    'Get-UnquotedService',
     'Get-UserEvent',
     'Get-UserProperty',
     'Get-VaultCredential',
@@ -103,7 +103,6 @@ FunctionsToExport = @(
     'Install-ServiceBinary',
     'Install-SSP',
     'Invoke-ACLScanner',
-    'Invoke-AllChecks',
     'Invoke-CheckLocalAdminAccess',
     'Invoke-CredentialInjection',
     'Invoke-DllInjection',
@@ -114,6 +113,7 @@ FunctionsToExport = @(
     'Invoke-Mimikatz',
     'Invoke-NinjaCopy',
     'Invoke-Portscan',
+    'Invoke-PrivescAudit',
     'Invoke-ProcessHunter',
     'Invoke-ReflectivePEInjection',
     'Invoke-ReverseDnsLookup',
diff --git a/PowerSploit.psm1 b/PowerSploit.psm1
index 9bc0240..42a9174 100644
--- a/PowerSploit.psm1
+++ b/PowerSploit.psm1
@@ -1 +1 @@
-Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer -and ($_.Name -ne 'Tests') } | % { Import-Module $_.FullName -DisableNameChecking }
+Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer -and !('Tests','docs' -contains $_.Name) } | % { Import-Module $_.FullName -DisableNameChecking }
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index c6cb5ff..487ed09 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -6634,19 +6634,19 @@ System.Security.AccessControl.AuthorizationRule
         [ValidateSet('AccessSystemSecurity', 'CreateChild','Delete','DeleteChild','DeleteTree','ExtendedRight','GenericAll','GenericExecute','GenericRead','GenericWrite','ListChildren','ListObject','ReadControl','ReadProperty','Self','Synchronize','WriteDacl','WriteOwner','WriteProperty')]
         $Right,
 
-        [Parameter(Mandatory = $True, ParameterSetName=’AccessRuleType’)]
+        [Parameter(Mandatory = $True, ParameterSetName='AccessRuleType')]
         [ValidateSet('Allow', 'Deny')]
         [String[]]
         $AccessControlType,
 
-        [Parameter(Mandatory = $True, ParameterSetName=’AuditRuleType’)]
+        [Parameter(Mandatory = $True, ParameterSetName='AuditRuleType')]
         [ValidateSet('Success', 'Failure')]
         [String]
         $AuditFlag,
 
-        [Parameter(Mandatory = $False, ParameterSetName=’AccessRuleType’)]
-        [Parameter(Mandatory = $False, ParameterSetName=’AuditRuleType’)]
-        [Parameter(Mandatory = $False, ParameterSetName=’ObjectGuidLookup’)]
+        [Parameter(Mandatory = $False, ParameterSetName='AccessRuleType')]
+        [Parameter(Mandatory = $False, ParameterSetName='AuditRuleType')]
+        [Parameter(Mandatory = $False, ParameterSetName='ObjectGuidLookup')]
         [Guid]
         $ObjectType,
 
-- 
cgit v1.2.3


From 52289768a95dae478df1a9bdd97dcfd7e4d02455 Mon Sep 17 00:00:00 2001
From: HackJammer <hackjammer@users.noreply.github.com>
Date: Wed, 10 May 2017 00:31:44 +0100
Subject: Default Invoke-PrivEscAudit to return objects for parsing

---
 Privesc/PowerUp.ps1 | 251 +++++++++++++++++++++-------------------------------
 1 file changed, 102 insertions(+), 149 deletions(-)

diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index 50f8268..af2d79e 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -4670,9 +4670,14 @@ Required Dependencies: None
 
 Executes all functions that check for various Windows privilege escalation opportunities.
 
+.PARAMETER Format
+
+String. Format to decide on what is returned from the command, an Object Array, List, or HTML Report.
+
 .PARAMETER HTMLReport
 
-Switch. Write a HTML version of the report to SYSTEM.username.html.
+DEPRECATED - Switch. Write a HTML version of the report to SYSTEM.username.html. 
+Superseded by the Format parameter.
 
 .EXAMPLE
 
@@ -4682,25 +4687,26 @@ Runs all escalation checks and outputs a status report for discovered issues.
 
 .EXAMPLE
 
-Invoke-PrivescAudit -HTMLReport
+Invoke-PrivescAudit -Format HTML
 
 Runs all escalation checks and outputs a status report to SYSTEM.username.html
 detailing any discovered issues.
 
-.OUTPUTS
-
-System.String
 #>
 
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
-    [OutputType('System.String')]
     [CmdletBinding()]
     Param(
+        [ValidateSet('Object','List','HTML')]
+        [String]
+        $Format = 'Object',
         [Switch]
         $HTMLReport
     )
 
-    if ($HTMLReport) {
+    if($HTMLReport){ $Format = 'HTML' }
+
+    if ($Format -eq 'HTML') {
         $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html"
         $Header = "<style>"
         $Header = $Header + "BODY{background-color:peachpuff;}"
@@ -4711,153 +4717,101 @@ System.String
         ConvertTo-HTML -Head $Header -Body "<H1>PowerUp report for '$($Env:ComputerName).$($Env:UserName)'</H1>" | Out-File $HtmlReportFile
     }
 
-    # initial admin checks
-
-    "`n[*] Running Invoke-AllChecks"
-
-    $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
-
-    if ($IsAdmin){
-        "[+] Current user already has local administrative privileges!"
-
-        if ($HTMLReport) {
-            ConvertTo-HTML -Head $Header -Body "<H2>User Has Local Admin Privileges!</H2>" | Out-File -Append $HtmlReportFile
+    Write-Verbose "Running Invoke-PrivescAudit"
+
+    $Checks = @(
+        # Initial admin checks
+        @{
+            Type    = 'User Has Local Admin Privileges'
+            Command = { if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ New-Object PSObject } }
+        },
+        @{
+            Type        = 'User In Local Group with Admin Privileges'
+            Command     = { if ((Get-ProcessTokenGroup | Select-Object -ExpandProperty SID) -contains 'S-1-5-32-544'){ New-Object PSObject } }
+            AbuseScript = { 'Invoke-WScriptUACBypass -Command "..."' }
+        },
+        @{
+            Type       = 'Process Token Privileges'
+            Command    = { Get-ProcessTokenPrivilege -Special | Where-Object {$_} }
+        },
+        # Service checks
+        @{
+            Type    = 'Unquoted Service Paths'
+            Command = { Get-UnquotedService }
+        },
+        @{
+            Type    = 'Modifiable Service Files'
+            Command = { Get-ModifiableServiceFile }
+        },
+        @{
+            Type    = 'Modifiable Services'
+            Command = { Get-ModifiableService }
+        },
+        # DLL hijacking
+        @{
+            Type        = '%PATH% .dll Hijacks'
+            Command     = { Find-PathDLLHijack }
+            AbuseScript = { "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" }
+        },
+        # Registry checks
+        @{
+            Type        = 'AlwaysInstallElevated Registry Key'
+            Command     = { if (Get-RegistryAlwaysInstallElevated){ New-Object PSObject } }
+            AbuseScript = { 'Write-UserAddMSI' }
+        },
+        @{
+            Type    = 'Registry Autologons'
+            Command = { Get-RegistryAutoLogon }
+        },
+        @{
+            Type    = 'Modifiable Registry Autorun'
+            Command = { Get-ModifiableRegistryAutoRun }
+        },
+        # Other checks
+        @{
+            Type    = 'Modifiable Scheduled Task Files'
+            Command = { Get-ModifiableScheduledTaskFile }
+        },
+        @{
+            Type    = 'Unattended Install Files'
+            Command = { Get-UnattendedInstallFile }
+        },
+        @{
+            Type    = 'Encrypted web.config Strings'
+            Command = { Get-WebConfig | Where-Object {$_} }
+        },
+        @{
+            Type    = 'Encrypted Application Pool Passwords'
+            Command = { Get-ApplicationHost | Where-Object {$_} }
+        },
+        @{
+            Type    = 'McAfee SiteList.xml files'
+            Command = { Get-SiteListPassword | Where-Object {$_} }
+        },
+        @{
+            Type    = 'Cached GPP Files'
+            Command = { Get-CachedGPPPassword | Where-Object {$_} }
         }
-    }
-    else{
-        "`n`n[*] Checking if user is in a local group with administrative privileges..."
-
-        $CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID
-        if ($CurrentUserSids -Contains 'S-1-5-32-544') {
-            "[+] User is in a local group that grants administrative privileges!"
-            "[+] Run 'Invoke-WScriptUACBypass -Command `"...`"' to elevate privileges to admin."
-            if ($HTMLReport) {
-                ConvertTo-HTML -Head $Header -Body "<H2> User In Local Group With Administrative Privileges</H2>" | Out-File -Append $HtmlReportFile
+    )
+
+    ForEach($Check in $Checks){
+        Write-Verbose "Checking for $($Check.Type)..."
+        $Results = . $Check.Command
+        $Results | Where-Object {$_} | ForEach-Object {
+            $_ | Add-Member Noteproperty 'Check' $Check.Type
+            if ($Check.AbuseScript){
+                $_ | Add-Member Noteproperty 'AbuseFunction' (. $Check.AbuseScript)
             }
         }
-    }
-
-    "`n`n[*] Checking current process token permissions..."
-    $Results = Get-ProcessTokenPrivilege -Special | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    # Service checks
-
-    "`n`n[*] Checking for unquoted service paths..."
-    $Results = Get-UnquotedService
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unquoted Service Paths</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking service executable and argument permissions..."
-    $Results = Get-ModifiableServiceFile
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Service File Permissions</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking service permissions..."
-    $Results = Get-ModifiableService
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifiable Services</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-
-    # DLL hijacking
-
-    "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..."
-    $Results = Find-PathDLLHijack
-    $Results | Where-Object {$_} | Foreach-Object {
-        $AbuseString = "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'"
-        $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
-        $_
-    } | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>%PATH% .dll Hijacks</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-
-    # registry checks
-
-    "`n`n[*] Checking for AlwaysInstallElevated registry key..."
-    if (Get-RegistryAlwaysInstallElevated) {
-        $Out = New-Object PSObject
-        $Out | Add-Member Noteproperty 'AbuseFunction' "Write-UserAddMSI"
-        $Results = $Out
-
-        $Results | Format-List
-        if ($HTMLReport) {
-            $Results | ConvertTo-HTML -Head $Header -Body "<H2>AlwaysInstallElevated</H2>" | Out-File -Append $HtmlReportFile
+        switch($Format){
+            Object { $Results }
+            List   { "`n`n[*] Checking for $($Check.Type)..."; $Results | Format-List }
+            HTML   { $Results | ConvertTo-HTML -Head $Header -Body "<H2>$($Check.Type)</H2>" | Out-File -Append $HtmlReportFile }
         }
     }
 
-    "`n`n[*] Checking for Autologon credentials in registry..."
-    $Results = Get-RegistryAutoLogon
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autologons</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-
-    "`n`n[*] Checking for modifidable registry autoruns and configs..."
-    $Results = Get-ModifiableRegistryAutoRun
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    # other checks
-
-    "`n`n[*] Checking for modifiable schtask files/configs..."
-    $Results = Get-ModifiableScheduledTaskFile
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifidable Schask Files</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for unattended install files..."
-    $Results = Get-UnattendedInstallFile
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unattended Install Files</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for encrypted web.config strings..."
-    $Results = Get-Webconfig | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted 'web.config' String</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for encrypted application pool and virtual directory passwords..."
-    $Results = Get-ApplicationHost | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted Application Pool Passwords</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files..."
-    $Results = Get-SiteListPassword | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>McAfee's SiteList.xml's</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for cached Group Policy Preferences .xml files..."
-    $Results = Get-CachedGPPPassword | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
-    }
-    "`n"
-
-    if ($HTMLReport) {
-        "[*] Report written to '$HtmlReportFile' `n"
+    if ($Format -eq 'HTML') {
+        Write-Verbose "[*] Report written to '$HtmlReportFile' `n"
     }
 }
 
@@ -5012,5 +4966,4 @@ $Kernel32 = $Types['kernel32']
 $NTDll    = $Types['ntdll']
 
 Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup
-Set-Alias Get-UnquotedService Get-UnquotedService
 Set-Alias Invoke-AllChecks Invoke-PrivescAudit
-- 
cgit v1.2.3


From a78474aa5cfa9df1689fe298297831640aea5b4d Mon Sep 17 00:00:00 2001
From: HackJammer <hackjammer@users.noreply.github.com>
Date: Wed, 10 May 2017 00:50:42 +0100
Subject: Add Name alias to PowerUp object properties for easier parsing

---
 Privesc/PowerUp.ps1 | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index af2d79e..3971571 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -1387,6 +1387,7 @@ Outputs a custom object containing the token privilege (name/attributes) for the
                     if ($PSBoundParameters['Special']) {
                         if ($SpecialPrivileges -Contains $_.Privilege) {
                             $_ | Add-Member Noteproperty 'ProcessId' $ProcessID
+                            $_ | Add-Member Aliasproperty Name ProcessId
                             $_
                         }
                     }
@@ -2077,6 +2078,7 @@ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/wind
                 $Out | Add-Member Noteproperty 'StartName' $Service.startname
                 $Out | Add-Member Noteproperty 'AbuseFunction' "Write-ServiceBinary -Name '$($Service.name)' -Path <HijackPath>"
                 $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart)
+                $Out | Add-Member Aliasproperty Name ServiceName
                 $Out.PSObject.TypeNames.Insert(0, 'PowerUp.UnquotedService')
                 $Out
             }
@@ -2136,6 +2138,7 @@ PowerUp.ModifiablePath
             $Out | Add-Member Noteproperty 'StartName' $ServiceStartName
             $Out | Add-Member Noteproperty 'AbuseFunction' "Install-ServiceBinary -Name '$ServiceName'"
             $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart)
+            $Out | Add-Member Aliasproperty Name ServiceName
             $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableServiceFile')
             $Out
         }
@@ -2183,6 +2186,7 @@ PowerUp.ModifiablePath
         $Out | Add-Member Noteproperty 'StartName' $ServiceDetails.startname
         $Out | Add-Member Noteproperty 'AbuseFunction' "Invoke-ServiceAbuse -Name '$($ServiceDetails.name)'"
         $Out | Add-Member Noteproperty 'CanRestart' ([Bool]$CanRestart)
+        $Out | Add-Member Aliasproperty Name ServiceName
         $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableService')
         $Out
     }
@@ -3146,6 +3150,7 @@ http://www.greyhathacker.net/?p=738
         ForEach ($ModifidablePath in $ModifidablePaths) {
             if ($Null -ne $ModifidablePath.ModifiablePath) {
                 $ModifidablePath | Add-Member Noteproperty '%PATH%' $_
+                $ModifidablePath | Add-Member Aliasproperty Name '%PATH%'
                 $ModifidablePath.PSObject.TypeNames.Insert(0, 'PowerUp.HijackableDLL.Path')
                 $ModifidablePath
             }
@@ -3576,6 +3581,7 @@ Custom PSObject containing results.
                 $Out | Add-Member Noteproperty 'Key' "$ParentPath\$Name"
                 $Out | Add-Member Noteproperty 'Path' $Path
                 $Out | Add-Member Noteproperty 'ModifiableFile' $_
+                $Out | Add-Member Aliasproperty Name Key
                 $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableRegistryAutoRun')
                 $Out
             }
@@ -3648,6 +3654,7 @@ Custom PSObject containing results.
                     $Out | Add-Member Noteproperty 'TaskName' $TaskName
                     $Out | Add-Member Noteproperty 'TaskFilePath' $_
                     $Out | Add-Member Noteproperty 'TaskTrigger' $TaskTrigger
+                    $Out | Add-Member Aliasproperty Name TaskName
                     $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableScheduledTaskFile')
                     $Out
                 }
@@ -3658,6 +3665,7 @@ Custom PSObject containing results.
                     $Out | Add-Member Noteproperty 'TaskName' $TaskName
                     $Out | Add-Member Noteproperty 'TaskFilePath' $_
                     $Out | Add-Member Noteproperty 'TaskTrigger' $TaskTrigger
+                    $Out | Add-Member Aliasproperty Name TaskName
                     $Out.PSObject.TypeNames.Insert(0, 'PowerUp.ModifiableScheduledTaskFile')
                     $Out
                 }
@@ -3722,6 +3730,7 @@ Custom PSObject containing results.
     $SearchLocations | Where-Object { Test-Path $_ } | ForEach-Object {
         $Out = New-Object PSObject
         $Out | Add-Member Noteproperty 'UnattendPath' $_
+        $Out | Add-Member Aliasproperty Name UnattendPath
         $Out.PSObject.TypeNames.Insert(0, 'PowerUp.UnattendedInstallFile')
         $Out
     }
-- 
cgit v1.2.3