Skip to content
/ PrivescCheck Public
forked from itm4n/PrivescCheck

Privilege Escalation Enumeration Script for Windows

License

BSD-3-Clause license
0 stars 431 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

eversinc33/PrivescCheck

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

238 Commits
src
src
 
 
Build.ps1
Build.ps1
 
 
CHANGELOG.md
CHANGELOG.md
 
 
INFORMATION.md
INFORMATION.md
 
 
LICENSE
LICENSE
 
 
PrivescCheck.ps1
PrivescCheck.ps1
 
 
README.md
README.md
 
 

Repository files navigation

PrivescCheck

This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

You can find more information about PrivescCheck here.

Use from a command prompt

Usage #1: Basic usage

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Usage #2: Extended mode

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"

Usage #3: Extended mode + Write a report file (default format is raw text)

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%"

Usage #4: Extended mode + Write report files in other formats

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML"

Use from a PowerShell prompt

1. Load the script as a module

Case #1: Execution policy is already set to Bypass, so simply load the script.

. .\PrivescCheck.ps1

Case #2: Default execution policy is set, so set it to Bypass for the current PowerShell process and load the script.

Set-ExecutionPolicy Bypass -Scope process -Force
. .\PrivescCheck.ps1

Case #3: Execution policy is locked down, so get the file's content and pipe it to Invoke-Expression.

Get-Content .\PrivescCheck.ps1 | Out-String | IEX

2. Run the script

Then, use the Invoke-PrivescCheck cmdlet.

Usage #1: Basic usage

Invoke-PrivescCheck

Usage #2: Extended mode

Invoke-PrivescCheck -Extended

Usage #3: Extended mode + Write a report file (default format is raw text)

Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)"

Usage #4: Extended mode + Write report files in other formats

Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)" -Format TXT,CSV,HTML,XML

Known issues

Metasploit timeout

If you run this script within a Meterpreter session, you will likely get a "timeout" error. Metasploit has a "response timeout" value, which is set to 15 seconds by default, but this script takes a lot more time to run in most environments.

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /local/path/to/PrivescCheck.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Invoke-PrivescCheck"
[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.

It is possible to set a different value thanks to the -t option of the sessions command (documentation). In the following example, a timeout of 2 minutes is set for the session with ID 1.

msf6 exploit(multi/handler) > sessions -t 120 -i 1
[*] Starting interaction with 1...
meterpreter > powershell_execute "Invoke-PrivescCheck"

About

Privilege Escalation Enumeration Script for Windows

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 100.0%