PrivescCheck

This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.

You can find more information about PrivescCheck here.

Use from a command prompt

Usage #1: Basic usage

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Usage #2: Extended mode

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended"

Usage #3: Extended mode + Write a report file (default format is raw text)

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME%"

Usage #4: Extended mode + Write report files in other formats

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML"

Use from a PowerShell prompt

1. Load the script as a module

Case #1: Execution policy is already set to Bypass, so simply load the script.

. .\PrivescCheck.ps1

Case #2: The default execution policy is in effect (Restricted on Windows clients, RemoteSigned on Windows Server), so set it to Bypass for the current PowerShell process only and load the script. The Process scope changes nothing on disk and is discarded when the process exits.

Set-ExecutionPolicy Bypass -Scope process -Force
. .\PrivescCheck.ps1

Case #3: Execution policy is locked down (for example enforced through Group Policy, whose MachinePolicy/UserPolicy scopes override Set-ExecutionPolicy -Scope Process), so get the file's content and pipe it to Invoke-Expression. Execution policy only governs how script files are loaded; it is not a security boundary, which is why this works.

Get-Content .\PrivescCheck.ps1 | Out-String | IEX

2. Run the script

Then, use the Invoke-PrivescCheck cmdlet.

Usage #1: Basic usage

Invoke-PrivescCheck

Usage #2: Extended mode

Invoke-PrivescCheck -Extended

Usage #3: Extended mode + Write a report file (default format is raw text)

Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)"

Usage #4: Extended mode + Write report files in other formats

Invoke-PrivescCheck -Extended -Report "PrivescCheck_$($env:COMPUTERNAME)" -Format TXT,CSV,HTML,XML
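The two steps above, combined into one script as an added example (this is not part of PrivescCheck): it picks the loading method that the effective execution policy allows (Cases #1 to #3), runs the extended check, and confirms that one report per requested format was written. The helper name Import-PrivescCheck is hypothetical, the script is assumed to sit in the current directory, and the check for the report files assumes that the files are named with the base name plus the lowercased format as extension (e.g. PrivescCheck_HOST.html), which is an assumption about the script's output rather than something stated on this page.

```powershell
# Added example, not part of PrivescCheck. Assumes PrivescCheck.ps1 is in the
# current directory and that -Report/-Format behave as shown in the README.
param(
    [string]   $ScriptPath = ".\PrivescCheck.ps1",
    [string]   $ReportBase = "PrivescCheck_$($env:COMPUTERNAME)",
    [string[]] $Formats    = @("TXT", "CSV", "HTML", "XML")
)

function Import-PrivescCheck {
    # Hypothetical helper. It MUST be invoked with the dot operator
    # (". Import-PrivescCheck ...") so that the functions defined by
    # PrivescCheck.ps1 land in the caller's scope instead of being thrown
    # away with this function's own scope when it returns.
    param([string] $Path)

    if (-not (Test-Path -Path $Path)) {
        throw "Script not found: $Path"
    }

    # Get-ExecutionPolicy without -Scope returns the *effective* policy.
    $policy = Get-ExecutionPolicy

    if ($policy -in @("Bypass", "Unrestricted")) {
        # Case #1: nothing to change, just dot-source the file.
        . $Path
        $script:LoadMethod = "dot-source (policy already $policy)"
        return
    }

    try {
        # Case #2: relax the policy for this process only. If a Group Policy
        # (MachinePolicy/UserPolicy scope) overrides it, the cmdlet reports a
        # non-terminating error, which -ErrorAction Stop turns into a throw.
        Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Stop
        . $Path
        $script:LoadMethod = "dot-source after Set-ExecutionPolicy -Scope Process"
    }
    catch {
        # Case #3: policy is locked down, so feed the file's text to IEX.
        # Execution policy only applies to script *files*, not to text
        # evaluated by Invoke-Expression.
        Get-Content -Path $Path | Out-String | Invoke-Expression
        $script:LoadMethod = "Get-Content | Out-String | Invoke-Expression"
    }
}

# Step 1: load the script into the current scope (note the leading dot).
. Import-PrivescCheck -Path $ScriptPath
Write-Host "PrivescCheck loaded via: $script:LoadMethod"

if (-not (Get-Command -Name Invoke-PrivescCheck -ErrorAction SilentlyContinue)) {
    throw "Invoke-PrivescCheck is not defined; loading $ScriptPath failed."
}

# Step 2: run the extended check and write one report per format.
Invoke-PrivescCheck -Extended -Report $ReportBase -Format $Formats

# Sanity check on the output (assumption: <ReportBase>.<format lowercased>).
$written = Get-ChildItem -Path "$ReportBase.*" -ErrorAction SilentlyContinue
foreach ($fmt in $Formats) {
    $ext = ".$($fmt.ToLower())"
    $match = $written | Where-Object { $_.Extension -eq $ext }
    if ($match) {
        Write-Host ("Report written: {0} ({1} bytes)" -f $match.Name, $match.Length)
    }
    else {
        Write-Warning "No $fmt report found for base name '$ReportBase'"
    }
}
```

The dot operator in front of Import-PrivescCheck is the part people get wrong: called normally, the helper would dot-source PrivescCheck.ps1 into its own local scope, and Invoke-PrivescCheck would no longer exist by the time the next line runs. Run it from an elevated or non-elevated PowerShell as appropriate for the assessment; the loading logic itself needs no special privilege.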

Known issues

Metasploit timeout

If you run this script within a Meterpreter session, you will likely get a "timeout" error. Metasploit has a per-session "response timeout" value, which is set to 15 seconds by default, and this script takes considerably longer than that to run in most environments.

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /local/path/to/PrivescCheck.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Invoke-PrivescCheck"
[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.

A different value can be set with the -t option of the sessions command (see the Metasploit documentation). In the following example, a timeout of 2 minutes (120 seconds) is set for the session with ID 1.

msf6 exploit(multi/handler) > sessions -t 120 -i 1
[*] Starting interaction with 1...
meterpreter > powershell_execute "Invoke-PrivescCheck"