Privilege Escalation

PowerShellMafia

Try to use dev brach always. PowerView has some cool functions to use.

• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Privesc/PowerUp.ps1

powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

Unquoted Service Paths

Let's say we have a system path like below.

C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

Windows will first try execute it like below in the following order

• c:\program.exe

• C:\Program Files\IObit\Advanced.exe

• C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

If we can plant the exe in one of the paths below we can elevate privileges

• Please note that we need to either have the ability to restart the machine or restart the service. Otherwise it's useless kinda.

Enumerating unquoted service paths

WinPeas

It is a great privilege escalation enumeration tool. Find the releases below and simply execute the binary.

• https://github.com/carlospolop/PEASS-ng/releases

Seatbelt

• https://github.com/GhostPack/Seatbelt

Always Install Elevated

• https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/#:~:text=For%20this%20purpose%2C%20the%20AlwaysInstallElevated,any%20program%20on%20the%20system.

Detecting if the OS is vulnerable,

If always install elevated is enabled, queries above should return 1.

Exploiting it is pretty simple. Generate an msi payload,

Execute it,