This slide deck was given as a firetalk at @BSidesBoston '14 and covers the genesis and implementation of PowerUp, a PowerShell tool for Windows privilege escalation.
1. PowerUp - Automating Windows Privilege Escalation
2. $ whoami
Security researcher and pentester/red teamer for the Adaptive Threat Division of Veris Group
Co-founder of the Veil-Framework #avlol
www.veil-framework.com
Shmoocon ’14: AV Evasion with the Veil Framework
co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView
BSides Austin ’14: Wielding a Cortana
BSides Boston ’14: Pwnstaller 1.0
Defcon ’14 (accepted): Post-Exploitation 2.0
3. tl;dr
Why PowerShell?
Why build this?
Windows Service Vulnerabilities
PowerUp
service enumeration
service abuse
misc. methods
Demo
Questions
4. Why PowerShell?
Really need to say anything?
Whitelisted, trusted execution, full .NET capabilities, can refrain from touching disk, etc. etc. etc.
Use it, yo’
PowerSploit
Posh-SecMod
Veil-Powerview
Nishang
5. Why build this?
On a recent assessment, had to escalate privileges on a locked down workstation
Kernel exploits wouldn’t work, so fell back to vulnerable services
Service binary had improper permissions
Replacing the .exe and bouncing the box = no privs to local admin
More or less did everything manually, wanted something a bit easier
6.
7. Trusted Path Escalation
Metasploit module: trusted_service_path.rb
If a path is unquoted and has a space, there is ambiguity for the Windows API on how to interpret the final path
i.e. C:\Tools\Custom Tools\program.exe will be interpreted as C:\Tools\Custom.exe first, then C:\Tools\Custom Tools\program.exe
If you have write access to the base path, money!
8. Vulnerable Service Permissions
Also a Metasploit module: service_permissions.rb
Check if the current user can modify the service itself
Replace the binary path for the service with something like “net user john password /add” and bounce the service to add the user
Repeat with “net localgroup administrators john /add”
Can be done by hand with accesschk.exe and SC
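The two service misconfigurations on slides 7 and 8 are just as easy to find from the administrator's side as from the attacker's. The script below is an added example written for this page, not PowerUp's own code: it audits every service for an unquoted, space-containing path and for a service DACL that lets Everyone, Authenticated Users, Users or INTERACTIVE reconfigure the service, and it includes the registry fix (quoting ImagePath) for the first case. It assumes Windows PowerShell 5.1 or later in an elevated console, and reads each service's security descriptor with sc.exe sdshow; the function names and the choice of "low-privilege" SIDs are this example's own.

```powershell
# Added example (not PowerUp code): audit services for unquoted paths and weak DACLs,
# and repair unquoted paths. Assumes Windows PowerShell 5.1+, run as administrator.

# Service-specific and standard rights that let a principal reconfigure the service
# or rewrite its ACL (values from the Win32 SDK headers).
$SERVICE_CHANGE_CONFIG = 0x00000002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_WRITE         = 0x40000000
$GENERIC_ALL           = 0x10000000
$script:DangerousServiceMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

# Well-known SIDs every interactive user holds: Everyone, Authenticated Users,
# BUILTIN\Users, INTERACTIVE. Any ACE for one of these is treated as low-privilege.
$script:LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-UnquotedExecutable {
    # Returns the executable portion of an UNQUOTED service command line, or $null
    # when the path is already quoted (no ambiguity) or contains no ".exe".
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.TrimStart().StartsWith('"')) { return $null }
    $idx = $PathName.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 0) { return $null }
    return $PathName.Substring(0, $idx + 4)
}

function Test-UnquotedServicePath {
    # Flags "C:\Program Files\Vendor\svc.exe -arg"; does not flag the quoted form.
    param([string]$PathName)
    $exe = Get-UnquotedExecutable -PathName $PathName
    return ($null -ne $exe -and $exe.Contains(' '))
}

function Get-WeakServiceDacl {
    # Parses the SDDL printed by "sc.exe sdshow" and reports every allow-ACE that
    # grants a low-privilege group a right from $DangerousServiceMask.
    param([Parameter(Mandatory)][string]$Name)
    $sddl = (& sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^\s*[DOGS]:' }) -join ''
    if (-not $sddl) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($script:LowPrivSids -notcontains $sid) { continue }
        if (($ace.AccessMask -band $script:DangerousServiceMask) -eq 0) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid }
        [pscustomobject]@{ Service = $Name; Principal = $who; AccessMask = ('0x{0:X8}' -f $ace.AccessMask) }
    }
}

function Invoke-ServiceConfigAudit {
    # One record per finding, across all Win32 services on the host.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (Test-UnquotedServicePath -PathName $svc.PathName) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'UnquotedPath'; Detail = $svc.PathName }
        }
        foreach ($f in Get-WeakServiceDacl -Name $svc.Name) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'WeakServiceDacl'; Detail = "$($f.Principal) holds $($f.AccessMask)" }
        }
    }
}

function Repair-UnquotedServicePath {
    # Wraps the executable part of ImagePath in quotes, the documented fix for this issue.
    # The raw (unexpanded) value is read so %SystemRoot%-style references are preserved.
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $raw  = (Get-Item -Path $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    $exe  = Get-UnquotedExecutable -PathName $raw
    if (-not $exe) { return }   # already quoted, or nothing to quote
    $rest = $raw.Substring($exe.Length)
    Set-ItemProperty -Path $key -Name ImagePath -Value ('"' + $exe + '"' + $rest) -Type ExpandString
}

Invoke-ServiceConfigAudit | Format-Table -AutoSize
```

Run the audit first and review the output; `Repair-UnquotedServicePath -Name <service>` then fixes a single flagged service, and a weak DACL is corrected with `sc.exe sdset` or `Set-Service -SecurityDescriptorSddl` (PowerShell 7) using the vendor's intended descriptor. Services whose weak ACE names a custom group rather than one of the four well-known SIDs are deliberately not flagged here; extend `$LowPrivSids` to match the environment.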
9. Vulnerable EXE Permissions
Check the permissions for each executable associated with running processes
If you can write to the executable path for a service, replace the binary with something that adds a local admin (or pops a Meterpreter shell)
If you can’t bounce the service, bounce the box
This is how we ended up escalating in the field
10.
11. PowerUp
Implements methods to easily enumerate and abuse misconfigured Windows services for the purposes of privilege escalation
Have started to implement additional common Windows privesc vectors
.dll hijacking, AlwaysInstallElevated, etc.
http://www.harmj0y.net/blog/powershell/powerup/
https://github.com/HarmJ0y/PowerUp
12. Service Enumeration
Get-ServiceUnquoted will find all services with unquoted paths and a space in the full path name
Get-ServicePerms enumerates all services the current user has modification rights to
Get-ServiceEXEPerms checks all associated service executables and returns any paths the user has write access to
13. Service Abuse
Invoke-ServiceUserAdd enables/stops a service, reconfigures it to create a user and add them to the local admins, restarts, etc.
Write-UserAddServiceBinary generates a precompiled C# service binary and binary patches in the service name, username/password and group to add a user to
Can easily write the binary out to any unquoted paths
Write-ServiceEXE writes a service binary out to a given service path, backing up the original .exe
14. Misc. Checks I
Invoke-FindDLLHijack is a (kind of) port of Mandiant’s FindDLLHijack code
Checks each running process and its loaded modules, and returns all hijackable locations, i.e. any base “exe path + loaded module name” that doesn’t exist
Invoke-FindPathDLLHijack finds potentially hijackable service .DLL locations from %PATH%
Check out http://www.greyhathacker.net/?p=738 for more information
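Both the writable-service-binary check (slide 9) and the writable-%PATH%-directory check (slide 14) come down to the same question: does an ACE on the file or directory grant a low-privilege group write access? The script below is an added example for this page, not PowerUp's own code, and answers that question for both location types in one pass so an administrator can tighten the ACLs before the checks above would find anything. It assumes Windows PowerShell 5.1 or later run as an administrator (so every ACL is readable); the function names, the well-known-SID list and the write-bit mask are this example's own choices.

```powershell
# Added example (not PowerUp code): find service executables and machine PATH
# directories that Everyone / Authenticated Users / Users / INTERACTIVE can write to.
# Assumes Windows PowerShell 5.1+, run as administrator.

$script:LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Access-mask bits that let a caller replace or alter a file, or drop a file into a
# directory: FILE_WRITE_DATA/FILE_ADD_FILE, FILE_APPEND_DATA/FILE_ADD_SUBDIRECTORY,
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE and GENERIC_ALL.
$script:WriteMask = 0x00000002 -bor 0x00000004 -bor 0x00010000 -bor 0x00040000 -bor 0x00080000 -bor 0x40000000 -bor 0x10000000

function Get-LowPrivWriteAccess {
    # One record per allow-ACE that grants a low-privilege group write access to $Path.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    try { $acl = Get-Acl -LiteralPath $Path } catch { return }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($script:LowPrivSids -notcontains $sid) { continue }
        # Cast to int so generic rights, which FileSystemRights has no names for, are compared too.
        if (([int]$rule.FileSystemRights -band $script:WriteMask) -eq 0) { continue }
        [pscustomobject]@{ Path = $Path; Principal = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
    }
}

function Get-ExecutableFromCommandLine {
    # The executable of a service PathName: the quoted token if present, otherwise
    # everything up to and including the first ".exe".
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    $idx = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -lt 0) { return $null }
    return $p.Substring(0, $idx + 4)
}

function Invoke-WritableLocationAudit {
    # Service binaries (slide 9).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ExecutableFromCommandLine -PathName $svc.PathName
        if (-not $exe) { continue }
        foreach ($f in Get-LowPrivWriteAccess -Path $exe) {
            [pscustomobject]@{ Source = "service:$($svc.Name)"; Path = $f.Path; Principal = $f.Principal; Rights = $f.Rights }
        }
    }
    # Directories on the machine-wide PATH (slide 14). The Machine value is read rather than
    # $env:Path so per-user additions neither hide nor add entries.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($machinePath -split ';' | Where-Object { $_.Trim() })) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dir.Trim())
        foreach ($f in Get-LowPrivWriteAccess -Path $expanded) {
            [pscustomobject]@{ Source = 'PATH'; Path = $f.Path; Principal = $f.Principal; Rights = $f.Rights }
        }
    }
}

Invoke-WritableLocationAudit | Format-Table -AutoSize
```

A PATH directory that shows up here is the one to fix first: it affects every process that loads a DLL by name, not just a single service. Remove the offending ACE with icacls (for example `icacls <dir> /remove:g Users`) or the folder's Security tab, then re-run the audit; the service-binary findings are fixed the same way on the file and on its parent directory.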
15. Misc. Checks II
Get-RegAlwaysInstallElevated checks if the AlwaysInstallElevated registry key is enabled
Write-UserAddMSI can then write out a MSI installer that prompts for a local admin to add
Get-UnattendedInstallFiles finds unattended .xml install files that may have leftover credentials
Get-RegAutoLogon extracts any auto logon credentials from the Windows registry
Invoke-AllChecks will run all current privesc checks
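The three registry and file checks on this slide have straightforward administrative counterparts. The script below is an added example written for this page, not PowerUp's own code: it tests whether AlwaysInstallElevated is effectively on (both the machine and user values must be 1 for Windows Installer to honour it) and removes it, reports whether Winlogon holds a clear-text DefaultPassword and clears it, and reports which leftover unattend/sysprep answer files still carry a Password value. Credentials are reported as present or absent and never printed. It assumes Windows PowerShell 5.1 or later in an elevated console; the list of answer-file locations is a constructed set of the usual paths, and the function names are this example's own.

```powershell
# Added example (not PowerUp code): check and remediate AlwaysInstallElevated,
# clear-text auto-logon credentials and leftover answer files. Assumes Windows
# PowerShell 5.1+, run as administrator. Nothing here prints a password.

$script:InstallerKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)
$script:WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Constructed list of the places Setup and Sysprep commonly leave answer files.
$script:UnattendPaths = @(
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattended.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\sysprep.xml",
    "$env:SystemDrive\Unattend.xml"
)

function Test-AlwaysInstallElevated {
    # Windows Installer only runs packages as SYSTEM when BOTH values are 1.
    $flags = foreach ($k in $script:InstallerKeys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [bool]($v -eq 1)
    }
    return (@($flags | Where-Object { $_ }).Count -eq 2)
}

function Disable-AlwaysInstallElevated {
    # Deleting the value is equivalent to the policy's "Not configured" state.
    foreach ($k in $script:InstallerKeys) {
        if (Test-Path -Path $k) {
            Remove-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        }
    }
}

function Get-AutoLogonStatus {
    # Whether automatic logon is on and whether a clear-text DefaultPassword is stored.
    $p = Get-ItemProperty -Path $script:WinlogonKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon     = ($p.AutoAdminLogon -eq '1')
        DefaultUserName    = $p.DefaultUserName
        PasswordInRegistry = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function Remove-AutoLogonPassword {
    # Deletes the clear-text value and turns auto logon off. A password stored as an LSA
    # secret (what Sysinternals Autologon writes) lives elsewhere and is not touched here.
    Remove-ItemProperty -Path $script:WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $script:WinlogonKey -Name AutoAdminLogon -Value '0' -Type String
}

function Get-UnattendFileStatus {
    # For each answer file still on disk, whether any <Password><Value> element is non-empty.
    # The XPath uses local-name() so the unattend namespace does not need declaring.
    foreach ($f in $script:UnattendPaths) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $hasPassword = $false
        try {
            [xml]$doc = Get-Content -LiteralPath $f -Raw
            $values = $doc.SelectNodes("//*[local-name()='Password']/*[local-name()='Value']")
            $hasPassword = @($values | Where-Object { $_.InnerText.Trim() }).Count -gt 0
        } catch { }
        [pscustomobject]@{ File = $f; ContainsPassword = $hasPassword }
    }
}

"AlwaysInstallElevated effective: $(Test-AlwaysInstallElevated)"
Get-AutoLogonStatus
Get-UnattendFileStatus | Format-Table -AutoSize
```

Run the three report functions first; `Disable-AlwaysInstallElevated` and `Remove-AutoLogonPassword` make the changes, and an answer file reported with `ContainsPassword = True` should be deleted (or its Password element emptied) once the build process no longer needs it. Note that the HKCU installer value is read for the account running the script, so the check for that half is per-user.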