The document discusses tools and techniques for privilege escalation on Windows systems, particularly focusing on PowerShell exploits. It presents methods for discovering and abusing misconfigured services, including service permissions and executable permissions, as well as various PowerShell modules and resources. Additionally, it highlights the PowerUp tool for enumerating and exploiting Windows service vulnerabilities, providing an overview of its functionalities and usages.

2. $ whoami
 Security researcher and pentester/red teamer for the
Adaptive Threat Division of Veris Group
 Co-founder of the Veil-Framework #avlol
 www.veil-framework.com
 Shmoocon ‘14: AV Evasion with the Veil Framework
 co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-
PowerView
 BSides Austin ‘14: Wielding a Cortana
 BSides Boston ’14: Pwnstaller 1.0
 Defcon ’14 (accepted): Post-Exploitation 2.0

3. tl;dr
 Why powershell?
 Why build this?
 Windows Service Vulnerabilities
 PowerUp
 service enumeration
 service abuse
 misc. methods
 Demo
 Questions

4. Why Powershell?
 Really need to say anything?
 Whitelisted, trusted execution, full .NET capabilities,
can refrain from touching disk, etc. etc. etc.
 Use it, yo’
 PowerSploit
 Posh-SecMod
 Veil-Powerview
 Nishang

5. Why build this?
 On a recent assessment, had to escalate privileges
on a locked down workstation
 Kernel exploits wouldn’t work, so fell back to
vulnerable services
 Service binary had improper permissions
 Replacing the .exe and bouncing the box = no privs
to local admin
 More or less did everything manually, wanted
something a bit easier

7. Trusted Path Escalation
 Metasploit module: trusted_service_path.rb
 If a path is unquoted and has a space, there is
ambiguity for the Windows API on how to interpret
the final path
 I.E. C:ToolsCustom Toolsprogram.exe will be
interpreted as C:ToolsCustom.exe first, then
C:ToolsCustom Toolsprogram.exe
 If you have write access to the base path, money!

8. Vulnerable Service Permissions
 Also a Metasploit module: service_permissions.rb
 Check if the current user can modify the service
itself
 Replace the binary path for the service with
something like “net user john password /add” and
bounce the service to add the user
 Repeat with “net localgroup administrators john
/add”
 Can be done by hand with accesschk.exe and SC

9. Vulnerable EXE Permissions
 Check the permissions for each executable
associated with running processes
 If you can write to the executable path for a service,
replace the binary with something that adds a local
admin (or pops a Meterpreter shell)
 If you can’t bounce the service, bounce the box
 This is how we ended up escalating in the field

11. PowerUp
 Implements methods to easily enumerate and abuse
misconfigured Windows services for the purposes of
privilege escalation
 Have started to implement additional common
Windows privesc vectors
 .dll hijacking, AlwaysInstallElevated, etc.
 http://www.harmj0y.net/blog/powershell/powerup/
 https://github.com/HarmJ0y/PowerUp

12. Service Enumeration
 Get-ServiceUnquoted will find all services with
unquoted paths and a space in the full path name
 Get-ServicePerms enumerates all services the
current user has modification rights to
 Get-ServiceEXEPerms checks all associated
service executables and returns any paths the user
has write access to

13. Service Abuse
 Invoke-ServiceUserAdd enables/stops a service,
reconfigures it to create a user and add them to the
local admins, restarts, etc.
 Write-UserAddServiceBinary generates a
precompiled C# service binary and binary patches in
the service name, username/password and group to
add a user to
 Can easily write the binary out to any unquoted paths
 Write-ServiceEXE writes a service binary out to a
given service path, backing up the original .exe

14. Misc. Checks I
 Invoke-FindDLLHijack is a (kind of) port of
Mandiant’s FindDLLHijack code
 Checks each running process and its loaded
modules, and returns all hijackable locations, i.e. any
base “exe path + loaded module name” that doesn’t
exist
 Invoke-FindPathDLLHijack finds potentially
hijackable service .DLL locations from %PATH%
 Check out http://www.greyhathacker.net/?p=738 for
more information

15. Misc. Checks II
 Get-RegAlwaysInstallElevated checks if the
AlwaysInstallElevated registry key is enabled
 Write-UserAddMSI can then write out a MSI installer
that prompts for a local admin to add
 Get-UnattendedInstallFiles finds unattended .xml
install files that may have leftover credentials
 Get-RegAutoLogon extracts any auto logon
credentials from the Windows registry
 Invoke-AllChecks will run all current privesc checks

16. Demo

17. Questions?
 Contact me:
 @harmj0y
 will@harmj0y.net
 Read more:
 http://www.harmj0y.net/blog/powershell/powerup/
 Get PowerUp
 https://github.com/HarmJ0y/PowerUp
 Being integrated into Nishang