From 8083c1e1bb20ae4ceed16298bd2eeddf9cb5a70a Mon Sep 17 00:00:00 2001
From: Harmj0y
Date: Thu, 2 Jun 2016 02:14:38 -0400
Subject: Updated Privesc README.md and .psd1 to reflect the new PowerUp function names.
---
 Privesc/Privesc.psd1 | 26 +++++++++++++++-----------
 Privesc/README.md | 52 +++++++++++++++++++++++++++++-----------------------
 2 files changed, 44 insertions(+), 34 deletions(-)
diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1
index 4e66883..fe964a3 100644
--- a/Privesc/Privesc.psd1
+++ b/Privesc/Privesc.psd1
@@ -10,7 +10,7 @@ ModuleVersion = '3.0.0.0'
 GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56'
 # Author of this module
-Author = 'Will Schroder'
+Author = 'Will Schroeder'
 # Copyright statement for this module
 Copyright = 'BSD 3-Clause'
@@ -23,28 +23,32 @@ PowerShellVersion = '2.0'
 # Functions to export from this module
 FunctionsToExport = @(
- 'Find-DLLHijack',
+ 'Add-ServiceDacl',
 'Find-PathHijack',
+ 'Find-ProcessDLLHijack',
 'Get-ApplicationHost',
- 'Get-RegAlwaysInstallElevated',
- 'Get-RegAutoLogon',
+ 'Get-ModifiablePath',
+ 'Get-ModifiableScheduledTaskFile',
+ 'Get-ModifiableService',
+ 'Get-ModifiableServiceFile',
+ 'Get-RegistryAlwaysInstallElevated',
+ 'Get-RegistryAutoLogon',
+ 'Get-RegistryAutoRun',
 'Get-ServiceDetail',
- 'Get-ServiceFilePermission',
- 'Get-ServicePermission',
 'Get-ServiceUnquoted',
+ 'Get-SiteListPassword',
+ 'Get-System',
 'Get-UnattendedInstallFile',
- 'Get-VulnAutoRun',
- 'Get-VulnSchTask',
 'Get-Webconfig',
 'Install-ServiceBinary',
 'Invoke-AllChecks',
 'Invoke-ServiceAbuse',
 'Restore-ServiceBinary',
+ 'Set-ServiceBinPath',
+ 'Test-ServiceDaclPermission',
 'Write-HijackDll',
 'Write-ServiceBinary',
- 'Write-UserAddMSI',
- 'Get-SiteListPassword',
- 'Get-System'
+ 'Write-UserAddMSI'
 )
 # List of all files packaged with this module
diff --git a/Privesc/README.md b/Privesc/README.md
index bb68a43..66a7730 100644
--- a/Privesc/README.md
+++ b/Privesc/README.md
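Review bot: Seven previously exported names (Find-DLLHijack, Get-RegAlwaysInstallElevated, Get-RegAutoLogon, Get-ServiceFilePermission, Get-ServicePermission, Get-VulnAutoRun, Get-VulnSchTask) are dropped from FunctionsToExport with no compatibility alias, so any script that imports the Privesc module and calls the old names fails with CommandNotFound at run time. The first hunk's header shows ModuleVersion still at '3.0.0.0', so this breaking change to the module's public surface ships without a version bump; either bump ModuleVersion or keep the old names reachable, e.g. if PowerUp.ps1 defines them with Set-Alias, add `AliasesToExport = @('Find-DLLHijack', 'Get-RegAlwaysInstallElevated', 'Get-RegAutoLogon', 'Get-ServiceFilePermission', 'Get-ServicePermission', 'Get-VulnAutoRun', 'Get-VulnSchTask')` next to FunctionsToExport. The hunk header also shows PowerShellVersion = '2.0' unchanged; I could not confirm from this diff whether the newly exported helpers (Add-ServiceDacl, Set-ServiceBinPath, Test-ServiceDaclPermission) still run on 2.0, so that minimum should be re-checked. The FileList entry that follows this hunk is cut off here and was not reviewed.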
@@ -28,32 +28,38 @@ Optional Dependencies: None
 ### Service Enumeration:
- Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
- Get-ServiceFilePermission - returns services where the current user can write to the service binary path or its config
- Get-ServicePermission - returns services the current user can modify
- Get-ServiceDetail - returns detailed information about a specified service
+ Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
+ Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config
+ Get-ModifiableService - returns services the current user can modify
+ Get-ServiceDetail - returns detailed information about a specified service
 ### Service Abuse:
- Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command
- Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command
- Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command
- Restore-ServiceBinary - restores a replaced service binary with the original executable
+ Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command
+ Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command
+ Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command
+ Restore-ServiceBinary - restores a replaced service binary with the original executable
 ### DLL Hijacking:
- Find-DLLHijack - finds .dll hijacking opportunities for currently running processes
- Find-PathHijack - finds service %PATH% .dll hijacking opportunities
- Write-HijackDll - writes out a hijackable .dll
+ Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes
+ Find-PathHijack - finds service %PATH% .dll hijacking opportunities
+ Write-HijackDll - writes out a hijackable .dll
 ### Registry Checks:
- Get-RegAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
- Get-RegAutoLogon - checks for Autologon credentials in the registry
- Get-VulnAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
-
-### Misc.:
- Get-VulnSchTask - find schtasks with modifiable target files
- Get-UnattendedInstallFile - finds remaining unattended installation files
- Get-Webconfig - checks for any encrypted web.config strings
- Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
- Write-UserAddMSI - write out a MSI installer that prompts for a user to be added
- Invoke-AllChecks - runs all current escalation checks and returns a report
-
+ Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
+ Get-RegistryAutoLogon - checks for Autologon credentials in the registry
+ Get-RegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
+
+### Miscellaneous Checks:
+ Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files
+ Get-UnattendedInstallFile - finds remaining unattended installation files
+ Get-Webconfig - checks for any encrypted web.config strings
+ Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
+ Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files
+
+### Other Helpers/Meta-Functions:
+ Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify
+ Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service
+ Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods
+ Test-ServiceDaclPermission - tests one or more passed services or service names
against a given permission set
+ Write-UserAddMSI - write out a MSI installer that prompts for a user to be added
+ Invoke-AllChecks - runs all current escalation checks and returns a report
-- cgit v1.2.3