Privilege Escalation

Windows

Import-Module ./PowerUp.ps1
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt # The function that we need to run

Invoke-Command (Credential)

If we have credentials, we can run commands without needing a shell:

Bash function taken from a Twitch live stream by s4vitar

PSCredential () {
    echo -e "\n\t[+] \$user = 'user'"
    echo -e "\t[+] \$pw = 'password'"
    echo -e "\t[+] \$secpw = ConvertTo-SecureString \$pw -AsPlainText -Force"
    echo -e "\t[+] \$cred = New-Object System.Management.Automation.PSCredential \$user, \$secpw"
    echo -e "\t[+] Invoke-Command -ComputerName localhost -Credential \$cred -ScriptBlock { whoami }"
}
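Seen from the detection side, the command sequence printed above leaves the password in clear text in PowerShell script block logs (event ID 4104) when Script Block Logging is enabled. The following is an added example, not part of the original notes: it classifies script-block text for that pattern, including abbreviated parameters and the `icm` alias. The sample blocks are constructed, and `has_param` and `classify` are hypothetical names.

```python
import re

# Constructed script-block texts, shaped like the ScriptBlockText field of
# PowerShell event ID 4104 (not real log data).
SAMPLE_BLOCKS = [
    "$pw = 'password'; $secpw = ConvertTo-SecureString $pw -AsPlainText -Force; "
    "$cred = New-Object System.Management.Automation.PSCredential 'user', $secpw; "
    "Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { whoami }",
    "$s = convertto-securestring $p -asplain -force; "
    "icm -cn localhost -cred (new-object pscredential 'user', $s) { whoami }",
    "$cred = Get-Credential; Invoke-Command -ComputerName srv01 -Credential $cred { hostname }",
    "Get-ChildItem C:\\Users | Out-File listing.txt",
]

# A parameter token: a dash preceded by whitespace, then letters.
PARAM = re.compile(r"(?<=\s)-([A-Za-z]+)")


def has_param(text, cmd_names, full_name, min_len=2):
    """True if any command in cmd_names is called with full_name or a prefix of it.

    PowerShell ignores case and accepts unambiguous parameter prefixes,
    so '-AsPlainText', '-asplain' and '-Cred' must all be recognised.
    """
    names = "|".join(re.escape(n) for n in cmd_names)
    # Arguments run from the command name to the next ';', '|' or newline.
    for call in re.finditer(r"\b(?:%s)\b([^;|\n]*)" % names, text, re.I):
        for p in PARAM.findall(call.group(1)):
            if len(p) >= min_len and full_name.startswith(p.lower()):
                return True
    return False


def classify(text):
    """Return 'high', 'medium' or 'none' for one script block."""
    plaintext = has_param(text, ["ConvertTo-SecureString"], "asplaintext")
    builds_cred = re.search(r"\bPSCredential\b", text, re.I) is not None
    remote_exec = has_param(text, ["Invoke-Command", "icm"], "credential")
    if plaintext and builds_cred and remote_exec:
        return "high"    # clear-text password used to run a command
    if plaintext and builds_cred:
        return "medium"  # credential built from clear text, use not seen here
    return "none"


if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        print(classify(block), "|", block[:60])
```

Obfuscated script text (backtick escapes, string concatenation, encoded commands) is not normalised here and would need to be decoded before matching.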
