search
Ctrlk

Local Privilege Escalation

hashtag
Tools

PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

BeRoot: https://github.com/AlessandroZ/BeRoot

Privesc: https://github.com/enjoiz/Privesc

WinPEA: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

hashtag
Unquoted Service Paths

Takes a pre-compiled C# service binary and patches in the appropriate commands needed for service abuse. If a -UserName/-Password or -Credential is specified, the command patched in creates a local user and adds them to the specified -LocalGroup, otherwise the specified -Command is patched in. The binary is then written out to the specified -ServicePath. Either -Name must be specified for the service, or a proper object from Get-Service must be passed on the pipeline in order to patch in the appropriate service name the binary will be running under.

# Enumeration
Invoke-AllChecks
Get-ServiceUnquoted

# Abuse
Write-ServiceBinary -Name 'service' -Path <HijackPatch> (will add john:Password123!)
Write-ServiceBinary -Name 'service' -Path C:\WebServer\Abyss.exe -Command "net localgroup Administrators user /add"

# Restart Service (cmd)
sc stop service
sc start service

hashtag
Modify Service Executable

Replaces the service binary for the specified service with one that executes a specified command as SYSTEM.

Takes a service Name or a ServiceProcess.ServiceController on the pipeline where the current user can modify the associated service binary listed in the binPath. Backs up the original service binary to "OriginalService.exe.bak" in service binary location, and then uses Write-ServiceBinary to create a C# service binary that either adds a local administrator user or executes a custom command. The new service binary is replaced in the original service binary path, and a custom object is returned that captures the original and new service binary configuration.

hashtag
Modify Service BinPath

Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current user has configuration modification rights on and executes a series of automated actions to execute commands as SYSTEM. First, the service is enabled if it was set as disabled and the original service binary path and configuration state are preserved. Then the service is stopped and the Set-ServiceBinPath function is used to set the binary (binPath) for the service to a series of commands, the service is started, stopped, and the next command is configured. After completion, the original service configuration is restored and a custom object is returned that captures the service abused and commands run.

hashtag
SCManager Abuse

PreviousEnumerationNextUAC Bypasses

Last updated