II. Local Privilege Escalation

• There are various ways of locally escalating privileges on Windows box:

  • Missing patches

  • Automated deployment and AutoLogon passwords in clear text

  • AlwaysInstallElevated (Any user can run MSI as SYSTEM)

  • Misconfigured Services

  • DLL Hijacking and more

• We can use below tools for complete coverage

  • PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

  • BeRoot: https://github.com/AlessandroZ/BeRoot

  • Privesc: https://github.com/enjoiz/Privesc

PowerUp

#Privesc:
Invoke-PrivEsc


#Run all checks from
Invoke-AllChecks



#Get services with unquoted paths and a space in their name.
Get-ServiceUnquoted -Verbose


#Get services where the current user can write to its binary path or change arguments to the binary
Get-ModifiableServiceFile -Verbose


#Get the services whose configuration current user can modify.
Get-ModifiableService -Verbose