Added documentation for PowerUp

Author: HarmJ0y

Privesc/PowerUp.ps1

@@ -23,37 +23,36 @@ PowerShellVersion = '2.0'
 
 # Functions to export from this module
 FunctionsToExport = @(
-    'Add-ServiceDacl',
-    'Enable-Privilege',
-    'Find-PathDLLHijack',
-    'Find-ProcessDLLHijack',
-    'Get-ApplicationHost',
-    'Get-CachedGPPPassword',
     'Get-ModifiablePath',
-    'Get-ModifiableRegistryAutoRun',
-    'Get-ModifiableScheduledTaskFile',
-    'Get-ModifiableService',
-    'Get-ModifiableServiceFile',
     'Get-ProcessTokenGroup',
     'Get-ProcessTokenPrivilege',
+    'Enable-Privilege',
+    'Add-ServiceDacl',
+    'Set-ServiceBinaryPath',
+    'Test-ServiceDaclPermission',
+    'Get-UnquotedService',
+    'Get-ModifiableServiceFile',
+    'Get-ModifiableService',
+    'Get-ServiceDetail',
+    'Invoke-ServiceAbuse',
+    'Write-ServiceBinary',
+    'Install-ServiceBinary',
+    'Restore-ServiceBinary',
+    'Find-ProcessDLLHijack',
+    'Find-PathDLLHijack',
+    'Write-HijackDll',
     'Get-RegistryAlwaysInstallElevated',
     'Get-RegistryAutoLogon',
-    'Get-ServiceDetail',
-    'Get-SiteListPassword',
-    'Get-TokenInformation',
-    'Get-UnquotedService',
+    'Get-ModifiableRegistryAutoRun',
+    'Get-ModifiableScheduledTaskFile',
     'Get-UnattendedInstallFile',
     'Get-WebConfig',
-    'Install-ServiceBinary',
-    'Invoke-ServiceAbuse',
+    'Get-ApplicationHost',
+    'Get-SiteListPassword',
+    'Get-CachedGPPPassword',
+    'Write-UserAddMSI',
     'Invoke-WScriptUACBypass',
     'Invoke-PrivescAudit',
-    'Restore-ServiceBinary',
-    'Set-ServiceBinaryPath',
-    'Test-ServiceDaclPermission',
-    'Write-UserAddMSI',
-    'Write-HijackDll',
-    'Write-ServiceBinary',
     'Get-System'
 )
 

Privesc/Privesc.psd1

@@ -27,13 +27,18 @@ Required Dependencies: None
 Optional Dependencies: None
 
 
-### Service Enumeration:
-    Get-ServiceUnquoted                 -   returns services with unquoted paths that also have a space in the name
+### Token/Privilege Enumeration/Abuse:
+    Get-ProcessTokenGroup               -   returns all SIDs that the current token context is a part of, whether they are disabled or not
+    Get-ProcessTokenPrivilege           -   returns all privileges for the current (or specified) process ID
+    Enable-Privilege                    -   enables a specific privilege for the current process
+
+### Service Enumeration/Abuse:
+    Test-ServiceDaclPermission          -   tests one or more passed services or service names against a given permission set
+    Get-UnquotedService                 -   returns services with unquoted paths that also have a space in the name
     Get-ModifiableServiceFile           -   returns services where the current user can write to the service binary path or its config
     Get-ModifiableService               -   returns services the current user can modify
     Get-ServiceDetail                   -   returns detailed information about a specified service
-
-### Service Abuse:
+    Set-ServiceBinaryPath               -   sets the binary path for a service to a specified value
     Invoke-ServiceAbuse                 -   modifies a vulnerable service to create a local admin or execute a custom command
     Write-ServiceBinary                 -   writes out a patched C# service binary that adds a local admin or executes a custom command
     Install-ServiceBinary               -   replaces a service binary with one that adds a local admin or executes a custom command
@@ -45,7 +50,7 @@ Optional Dependencies: None
     Write-HijackDll                     -   writes out a hijackable DLL
 
 ### Registry Checks:
-    Get-RegistryAlwaysInstallElevated   -  checks if the AlwaysInstallElevated registry key is set
+    Get-RegistryAlwaysInstallElevated   -   checks if the AlwaysInstallElevated registry key is set
     Get-RegistryAutoLogon               -   checks for Autologon credentials in the registry
     Get-ModifiableRegistryAutoRun       -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
 
@@ -59,9 +64,6 @@ Optional Dependencies: None
 
 ### Other Helpers/Meta-Functions:
     Get-ModifiablePath                  -   tokenizes an input string and returns the files in it the current user can modify
-    Get-CurrentUserTokenGroupSid        -   returns all SIDs that the current user is a part of, whether they are disabled or not
-    Add-ServiceDacl                     -   adds a Dacl field to a service object returned by Get-Service
-    Set-ServiceBinPath                  -   sets the binary path for a service to a specified value through Win32 API methods
-    Test-ServiceDaclPermission          -   tests one or more passed services or service names against a given permission set
     Write-UserAddMSI                    -   write out a MSI installer that prompts for a user to be added
-    Invoke-AllChecks                    -   runs all current escalation checks and returns a report
+    Invoke-WScriptUACBypass             -   performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
+    Invoke-PrivescAudit                 -   runs all current escalation checks and returns a report (formerly Invoke-AllChecks)

Privesc/README.md

@@ -0,0 +1,68 @@
+# Add-ServiceDacl
+
+## SYNOPSIS
+Adds a Dacl field to a service object returned by Get-Service.
+
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Add-ServiceDacl [-Name] <String[]>
+```
+
+## DESCRIPTION
+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
+Dacl field to each object.
+It does this by opening a handle with ReadControl for the
+service with using the GetServiceHandle Win32 API call and then uses
+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Service | Add-ServiceDacl
+```
+
+Add Dacls for every service the current user can read.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service -Name VMTools | Add-ServiceDacl
+```
+
+Add the Dacl to the VMTools service object.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to add a service Dacl for.
+Passable on the pipeline.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### ServiceProcess.ServiceController
+
+## NOTES
+
+## RELATED LINKS
+
+[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
+

docs/Privesc/Add-ServiceDacl.md

@@ -0,0 +1,105 @@
+# Enable-Privilege
+
+## SYNOPSIS
+Enables a specific privilege for the current process.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Enable-Privilege [-Privilege] <String[]>
+```
+
+## DESCRIPTION
+Uses RtlAdjustPrivilege to enable a specific privilege for the current process.
+Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege
+can be passed on the pipeline.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ProcessTokenPrivilege
+```
+
+Privilege                    Attributes                     ProcessId
+                    ---------                    ----------                     ---------
+          SeShutdownPrivilege                      DISABLED                          3620
+      SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED                          3620
+            SeUndockPrivilege                      DISABLED                          3620
+SeIncreaseWorkingSetPrivilege                      DISABLED                          3620
+          SeTimeZonePrivilege                      DISABLED                          3620
+
+Enable-Privilege SeShutdownPrivilege
+
+Get-ProcessTokenPrivilege
+
+                    Privilege                    Attributes                     ProcessId
+                    ---------                    ----------                     ---------
+          SeShutdownPrivilege          SE_PRIVILEGE_ENABLED                          3620
+      SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED                          3620
+            SeUndockPrivilege                      DISABLED                          3620
+SeIncreaseWorkingSetPrivilege                      DISABLED                          3620
+          SeTimeZonePrivilege                      DISABLED                          3620
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ProcessTokenPrivilege
+```
+
+Privilege                                        Attributes                     ProcessId
+---------                                        ----------                     ---------
+SeShutdownPrivilege                                DISABLED                          2828
+SeChangeNotifyPrivilege       ...AULT, SE_PRIVILEGE_ENABLED                          2828
+SeUndockPrivilege                                  DISABLED                          2828
+SeIncreaseWorkingSetPrivilege                      DISABLED                          2828
+SeTimeZonePrivilege                                DISABLED                          2828
+
+
+Get-ProcessTokenPrivilege | Enable-Privilege -Verbose
+VERBOSE: Attempting to enable SeShutdownPrivilege
+VERBOSE: Attempting to enable SeChangeNotifyPrivilege
+VERBOSE: Attempting to enable SeUndockPrivilege
+VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege
+VERBOSE: Attempting to enable SeTimeZonePrivilege
+
+Get-ProcessTokenPrivilege
+
+Privilege                                        Attributes                     ProcessId
+---------                                        ----------                     ---------
+SeShutdownPrivilege                    SE_PRIVILEGE_ENABLED                          2828
+SeChangeNotifyPrivilege       ...AULT, SE_PRIVILEGE_ENABLED                          2828
+SeUndockPrivilege                      SE_PRIVILEGE_ENABLED                          2828
+SeIncreaseWorkingSetPrivilege          SE_PRIVILEGE_ENABLED                          2828
+SeTimeZonePrivilege                    SE_PRIVILEGE_ENABLED                          2828
+
+## PARAMETERS
+
+### -Privilege
+{{Fill Privilege Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Privileges
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html](http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html)
+

docs/Privesc/Enable-Privilege.md

@@ -0,0 +1,45 @@
+# Find-PathDLLHijack
+
+## SYNOPSIS
+Finds all directories in the system %PATH% that are modifiable by the current user.
+
+Author: Will Schroeder (@harmj0y)  
+License: BSD 3-Clause  
+Required Dependencies: Get-ModifiablePath
+
+## SYNTAX
+
+```
+Find-PathDLLHijack
+```
+
+## DESCRIPTION
+Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath
+to return the folder paths the current user can write to.
+On Windows 7, if wlbsctrl.dll is
+written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search
+order loading.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-PathDLLHijack
+```
+
+Finds all %PATH% .DLL hijacking opportunities.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL.Path
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)
+