Merge pull request PowerShellMafia#182 from monoxgas/dev

HarmJ0y · web-flow · commit 8c9c7c84fef0 · 2016-09-26T17:44:55.000-04:00
Service DACL false positive | Request-SPNTicket double hash
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
@@ -1404,7 +1404,7 @@ function Test-ServiceDaclPermission {
                         else {
                             ForEach($TargetPermission in $TargetPermissions) {
                                 # check permissions || style
-                                if (($ServiceDacl.AccessRights -band $AccessMask[$TargetPermission]) -eq $AccessMask[$TargetPermission]) {
+                                if (($ServiceDacl.AceType -eq 'AccessAllowed') -and ($ServiceDacl.AccessRights -band $AccessMask[$TargetPermission]) -eq $AccessMask[$TargetPermission]) {
                                     Write-Verbose "Current user has '$TargetPermission' for $IndividualService"
                                     $TargetService
                                     break
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
@@ -1382,6 +1382,7 @@ function Request-SPNTicket {
                     [System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
                     $Parts.RemoveAt($Parts.Count - 1)
                     $Parts -join "A48201"
+                    break
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -1382,6 +1382,7 @@ function Request-SPNTicket {`
`1382`	`1382`	`[System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.?)04820...(.)','$2') -Split "A48201"`
`1383`	`1383`	`$Parts.RemoveAt($Parts.Count - 1)`
`1384`	`1384`	`$Parts -join "A48201"`
	`1385`	`+ break`
`1385`	`1386`	`}`
`1386`	`1387`	`}`
`1387`	`1388`	`}`