This script aims to identify Local Privilege Escalation (LPE) vulnerabilities that are usually due to Windows configuration issues, or bad practices. It can also gather useful information for some exploitation and post-exploitation tasks.
After downloading the script and copying it onto the target Windows machine, run it using one of the commands below.
Note
You don't need to clone the entire repository. The file PrivescCheck.ps1
is a standalone PowerShell script that contains all the code required by PrivescCheck
to run on a target host.
Important
In the commands below, the first `.` (dot) is used for "dot sourcing" the script, so that its functions and cmdlets become available in the current scope (see the PowerShell dot sourcing feature).
```powershell
. .\PrivescCheck.ps1; Invoke-PrivescCheck
. .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML"
```
By default, when a new powershell.exe process is started, the PowerShell execution policy is Restricted on client editions of Windows and RemoteSigned on servers. Restricted blocks the execution of all script files, and RemoteSigned blocks unsigned scripts that carry the Mark of the Web (for example, files downloaded from the internet). The policy can be overridden for the current process only, as follows.
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
. .\PrivescCheck.ps1
```
However, this trick does not work when the execution policy is enforced through a GPO. In this case, after starting a new PowerShell session, you can load the script as follows.
```powershell
Get-Content .\PrivescCheck.ps1 | Out-String | Invoke-Expression
```
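The two loading methods above combined into one snippet that first checks whether a Group Policy is enforcing the execution policy, then picks the method that will actually work. This is an added example, not code from PrivescCheck itself. It assumes the script sits in the current directory as `.\PrivescCheck.ps1`, and it is meant to be pasted into an interactive session rather than saved as a `.ps1` (a saved script would be blocked by the very policy it works around, and dot-sourcing from inside a script would not reach the session's scope).

```powershell
# Added example (not part of PrivescCheck). Assumed script location:
$ScriptPath = ".\PrivescCheck.ps1"

function Test-GpoExecutionPolicy {
    # The MachinePolicy and UserPolicy scopes are populated by Group Policy and take
    # precedence over Process, CurrentUser and LocalMachine, so a Process-scope
    # Bypass cannot override them. "Undefined" means no policy is set at that scope.
    $enforced = Get-ExecutionPolicy -List | Where-Object {
        ('MachinePolicy', 'UserPolicy') -contains "$($_.Scope)" -and
        "$($_.ExecutionPolicy)" -ne 'Undefined'
    }
    return [bool]$enforced
}

if (Test-GpoExecutionPolicy) {
    # Enforced by GPO: read the file and evaluate it as a string. The execution
    # policy governs script files, not code handed to Invoke-Expression.
    Get-Content -Path $ScriptPath | Out-String | Invoke-Expression
} else {
    # Not enforced: relax the policy for this process only. The Process scope lives
    # in $env:PSExecutionPolicyPreference, so nothing is written to the registry.
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
    . $ScriptPath
}

# Either branch leaves the script's functions defined in the current scope.
Invoke-PrivescCheck
```

`Get-ExecutionPolicy -List` shows every scope at once, which is also the quickest way to confirm, after the fact, why `Set-ExecutionPolicy -Scope Process` reported that its setting was overridden by a more specific scope.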
A common way to bypass Constrained Language Mode is to start the PowerShell version 2 engine, which does not implement this protection. Therefore, a significant part of the development effort goes into keeping the script compatible with PowerShell 2.0.
Note
Although the PowerShell version 2 engine is still enabled by default on recent versions of Windows, it cannot run without the .NET Framework 2.0 runtime (shipped as part of the optional .NET Framework 3.5 feature), which requires a manual install.
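A check for the situation described above, added here as an example and not part of PrivescCheck: it reports the language mode of the current session, tests whether a PowerShell 2.0 engine can actually start (the engine feature and its .NET Framework 2.0 runtime both have to be present), and only then falls back to running the script under version 2. The script location `.\PrivescCheck.ps1` is an assumption.

```powershell
# Added example (not part of PrivescCheck). Assumed script location:
$ScriptPath = ".\PrivescCheck.ps1"

function Get-CurrentLanguageMode {
    # Documented way to query the mode of the current session; one of
    # FullLanguage, ConstrainedLanguage, RestrictedLanguage or NoLanguage.
    return "$($ExecutionContext.SessionState.LanguageMode)"
}

function Test-PowerShellV2Engine {
    # Ask the v2 engine for its own major version. If the optional engine feature or
    # the .NET Framework 2.0 runtime is missing, powershell.exe prints an error
    # message instead of "2", so anything other than "2" means "not usable".
    $output = & powershell.exe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>&1
    return ("$output".Trim() -eq '2')
}

function Invoke-PrivescCheckUnderV2 {
    param([string]$Path)
    # A new v2 process does not inherit the caller's language mode. The Bypass
    # execution policy applies to that child process only.
    & powershell.exe -Version 2 -NoProfile -ExecutionPolicy Bypass -Command ". '$Path'; Invoke-PrivescCheck"
}

$mode = Get-CurrentLanguageMode
if ($mode -eq 'FullLanguage') {
    # Nothing to work around: load and run the script in this session.
    . $ScriptPath
    Invoke-PrivescCheck
} elseif (Test-PowerShellV2Engine) {
    Write-Host "Session is in $mode; falling back to the PowerShell 2.0 engine."
    Invoke-PrivescCheckUnderV2 -Path $ScriptPath
} else {
    Write-Host "Session is in $mode and no usable PowerShell 2.0 engine was found."
}
```

Spawning a native executable with `&` and querying `$ExecutionContext.SessionState.LanguageMode` are both permitted in Constrained Language Mode, which is why the check itself can run from the restricted session.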
If you run this script within a Meterpreter session, you will likely get a "timeout" error. Metasploit has a "response timeout" value, which is set to 15 seconds by default, but this script takes a lot more time to run in most environments.
```console
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /local/path/to/PrivescCheck.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Invoke-PrivescCheck"
[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.
```
It is possible to set a different value thanks to the `-t` option of the `sessions` command (see the documentation). In the following example, a timeout of 2 minutes is set for the session with ID 1.
```console
msf6 exploit(multi/handler) > sessions -t 120 -i 1
[*] Starting interaction with 1...
meterpreter > powershell_execute "Invoke-PrivescCheck"
```