From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 11:53:29 -0500 Subject: Added documentation for PowerUp --- docs/Privesc/Invoke-ServiceAbuse.md | 194 ++++++++++++++++++++++++++++++++++++ 1 file changed, 194 insertions(+) create mode 100755 docs/Privesc/Invoke-ServiceAbuse.md (limited to 'docs/Privesc/Invoke-ServiceAbuse.md') diff --git a/docs/Privesc/Invoke-ServiceAbuse.md b/docs/Privesc/Invoke-ServiceAbuse.md new file mode 100755 index 0000000..8d493d7 --- /dev/null +++ b/docs/Privesc/Invoke-ServiceAbuse.md 
@@ -0,0 +1,194 @@ +# Invoke-ServiceAbuse + +## SYNOPSIS +Abuses a function the current user has configuration rights on in order +to add a local administrator or execute a custom command. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath + +## SYNTAX + +``` +Invoke-ServiceAbuse [-Name] [-UserName ] [-Password ] [-LocalGroup ] + [-Credential ] [-Command ] [-Force] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current +user has configuration modification rights on and executes a series of automated actions to +execute commands as SYSTEM. +First, the service is enabled if it was set as disabled and the +original service binary path and configuration state are preserved. +Then the service is stopped +and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a +series of commands, the service is started, stopped, and the next command is configured. +After +completion, the original service configuration is restored and a custom object is returned +that captures the service abused and commands run. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC +``` + +Abuses service 'VulnSVC' to add a localuser "john" with password +"Password123! +to the machine and local administrator group + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Invoke-ServiceAbuse +``` + +Abuses service 'VulnSVC' to add a localuser "john" with password +"Password123! +to the machine and local administrator group + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john" +``` + +Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the +local adminisrtators group. 
+ +### -------------------------- EXAMPLE 4 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users" +``` + +Abuses service 'VulnSVC' to add a localuser "backdoor" with password +"password" to the machine and local "Power Users" group + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -Command "net ..." +``` + +Abuses service 'VulnSVC' to execute a custom command. + +## PARAMETERS + +### -Name +An array of one or more service names to abuse. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Force +Switch. +Force service stopping, even if other services are dependent. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.AbusedService + +## NOTES + +## RELATED LINKS + -- cgit v1.2.3
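Review bot: the SYNOPSIS line `+Abuses a function the current user has configuration rights on in order` says "function" where the DESCRIPTION, the -Name parameter and every example make clear the object abused is a service; change it to "Abuses a service the current user has configuration rights on". A few smaller things in the same hunk: Examples 1 and 2 open a quote that is never closed (`+"Password123!` should read `"Password123!"`, matching the -Password default shown later); Example 3 has "add a the domain user" and `+local adminisrtators group.`, which should be "add the domain user TESTLAB\john to the local Administrators group"; the -UserName block says the default is "john" in the prose but `Default value: John` in the yaml, and since local account names are case-insensitive only one spelling should be documented; and the INPUTS section is left empty although the DESCRIPTION says the function accepts a ServiceProcess.ServiceController on the pipeline and -Name is marked `Accept pipeline input: True (ByPropertyName, ByValue)`, so INPUTS should list String[] and ServiceProcess.ServiceController. It would also help the reader if the -Credential description said that it takes precedence over -UserName/-Password when both are supplied, assuming that is the function's behaviour.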