From 84b8e1da9ae80de0b7e677f8b9d4b631778c02ea Mon Sep 17 00:00:00 2001
From: Jon Cave <jon@lionsgoroar.co.uk>
Date: Sun, 20 Mar 2016 21:28:22 +0000
Subject: Find-PathHijack: Expand environment variables in path

Paths containing environment variables can cause false-positives to occur, e.g. `%SystemRoot%\system32\WindowsPowerShell\v1.0\`. `Find-PathHijack` will believe this is a relative path and will report it as hijackable if the current directory is writeable.
---
 Privesc/PowerUp.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index 0d71b14..9954c98 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -1283,6 +1283,7 @@ function Find-PathHijack {
         if (-not $Path.EndsWith("\")){
             $Path = $Path + "\"
         }
+        $Path = [System.Environment]::ExpandEnvironmentVariables($Path)
 
         # reference - http://stackoverflow.com/questions/9735449/how-to-verify-whether-the-share-has-write-access
         $TestPath = Join-Path $Path ([IO.Path]::GetRandomFileName())
-- 
cgit v1.2.3