Windows Priv Esc
Tools
PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
BeRoot: https://github.com/AlessandroZ/BeRoot
Privesc: https://github.com/enjoiz/Privesc
WinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
SCManager Abuse
Not detected by most tools. Remember to check this one manually. Full writeup at https://recipeforroot.com/scmanger/
Unquoted Service Paths
PowerUp's Write-ServiceBinary takes a pre-compiled C# service binary and patches in the commands needed for service abuse. If -UserName/-Password or -Credential is specified, the patched-in command creates a local user and adds it to the specified -LocalGroup; otherwise the specified -Command is patched in. The binary is then written out to the specified -ServicePath. Either -Name must be specified for the service, or a proper object from Get-Service must be passed on the pipeline, so that the name of the service the binary will run under can be patched in.
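As an added audit example (not PowerUp's code and not part of the original notes), the PowerShell below lists services whose unquoted binary path contains spaces and reports any intermediate directory that low-privileged groups can write to, which is the condition that makes such a path dangerous. The fix is to quote the path in the service configuration (sc.exe config <name> binPath= "\"C:\path with spaces\svc.exe\""); the group list and right mask are the author's assumptions.

```powershell
# Groups treated as low-privileged for this audit (assumption; extend as needed).
$lowPrivGroups = @('BUILTIN\Users', 'Everyone',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a member create or replace files in a directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-LowPrivWriters {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return @() }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.FileSystemRights -band $writeRights) -ne 0) {
            $ace.IdentityReference.Value
        }
    }
}

Get-CimInstance Win32_Service | ForEach-Object {
    $path = $_.PathName
    # Quoted paths are safe; paths with no space before the .exe are unambiguous.
    if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"')) { return }
    if ($path -notmatch '^(.*?\.exe)') { return }
    $exe = $Matches[1]
    if ($exe -notmatch ' ') { return }

    # Each space in the executable path is a point where the SCM would try a
    # shorter name first (C:\Program.exe, C:\Program Files\Vendor.exe, ...).
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $ambiguous = ($parts[0..($i - 1)] -join ' ') + '.exe'
        $dir = Split-Path -Path $ambiguous -Parent
        if (-not $dir) { continue }
        $writers = @(Get-LowPrivWriters -Directory $dir)
        [pscustomobject]@{
            Service       = $_.Name
            RunsAs        = $_.StartName
            StartMode     = $_.StartMode
            PathName      = $path
            AmbiguousPath = $ambiguous
            WritableBy    = ($writers -join ', ')   # empty means not exploitable here
        }
    }
} | Sort-Object Service, AmbiguousPath | Format-Table -AutoSize
```

Rows with an empty WritableBy column are still misconfigured and should be quoted, but they are not exploitable by the listed groups; rows with a value need the directory ACL and the service path fixed.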
Modify Service Executable
PowerUp's Install-ServiceBinary replaces the service binary for the specified service with one that executes a specified command as SYSTEM.
It takes a service Name or a ServiceProcess.ServiceController on the pipeline where the current user can modify the service binary listed in the binPath. It backs up the original service binary to "OriginalService.exe.bak" in the service binary's directory, then uses Write-ServiceBinary to create a C# service binary that either adds a local administrator user or executes a custom command. The new service binary is written to the original service binary path, and a custom object is returned that captures the original and new service binary configuration.
Modify Service BinPath
PowerUp's Invoke-ServiceAbuse takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current user has configuration modification rights on and runs a series of automated actions to execute commands as SYSTEM. First, the service is enabled if it was disabled, and the original service binary path and configuration state are preserved. Then the service is stopped and Set-ServiceBinPath is used to set the service's binary path (binPath) to a command; the service is started, stopped, and the next command is configured in turn. After completion, the original service configuration is restored and a custom object is returned that captures the service abused and the commands run.
Interesting Files
Command History in PowerShell 5.0
By default, PowerShell on Windows 10 saves the last 4096 commands in a plain-text file stored in each user's profile: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt