I found a neat write-up by the Veris Group on how to use PowerUp.ps1 at http://www.verisgroup.com/2014/06/17/powerup-usage/. I thought I would take some time and walk through this tutorial on a Windows 7 box with a non-privileged user.
Following the Veris Group's instructions:
1. I downloaded the PowerUp.ps1 script from their GitHub repo at https://github.com/HarmJ0y/PowerUp. Note that as of December 2014 this repo is no longer supported.
2. Drop the file PowerUp.ps1 into a location you can write to. I have a folder I created called c:\PowerUp.
3. Then execute "powershell.exe -nop -exec bypass" to enable the execution policy bypass.
4. Then execute "import-module c:\PowerUp\powerup.ps1", i.e. the full path plus the filename of the PowerShell script.
5. To set the stage of having a vulnerable service to demonstrate with, I modified the following registry key to allow for an unquoted path vulnerability.
6. I removed the quotes around the path listed in the ImagePath value of the registry key. Sometimes this is as easy as checking to see if your user can modify these paths on any service that has been started.
7. Then I modified the permissions on the VMWare folder so that the user can read/write to the directory.
8. With that, the service normally does not start automatically, so I changed it to start automatically.
9. Now with this setup we can use the PowerUp.ps1 script to create a user account using this service.
10. Using powerup.ps1 we now execute "Invoke-AllChecks". The first check that it runs is for an unquoted path vulnerability, and it finds the one that we set up.
11. Then we create the file that will create the backdoor account with the following command:
12. The service.exe file was created; now we copy that file into the directory "C:\Program Files\VMWare" and call it VMWare.exe. It will execute instead of going into the directory of "VMWare Tools". However, we do not have access to restart this service, so we need to wait for the user to reboot the machine. With limited access you could generate some errors for the user which would give them an indication that it needed to be rebooted.
13. After the workstation restarted, the service loads as the local service account and creates the account "backdoor" as an administrator on the workstation.
This is only one method of exploiting the unquoted path vulnerability on a workstation or server to gain administrative privileges on the computer.
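For the defender's side of the same check, here is an added audit script (my own example, not code from the original post or from PowerUp) that finds services whose binary path is unquoted and contains spaces, lists the shorter "<prefix>.exe" paths the loader would try before the real one (for the VMWare Tools example above that includes C:\Program Files\VMWare\VMWare.exe), flags parent directories whose ACL grants write access to ordinary users, and prints the sc.exe command that restores the quotes. The ACL test is a heuristic based on the rule's identity name and rights string.

```powershell
# Added audit script: not from the original post or from PowerUp.
# Win32_Service.PathName is the same value the post edits as ImagePath in the registry.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Ignore blank, already-quoted, or space-free paths: those are not at risk.
        if ([string]::IsNullOrWhiteSpace($path) -or $path.StartsWith('"') -or $path -notmatch ' ') { return }
        # Keep only the executable portion (up to the first .exe); anything after it is arguments.
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        if ($exe -notmatch ' ') { return }
        $rest = $path.Substring($exe.Length)
        # Every space in the executable path is a point where "<prefix>.exe" is tried first.
        $parts  = $exe -split ' '
        $probes = for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
        # Heuristic ACL check: does any probe directory grant write-type rights to broad groups?
        $loose = foreach ($p in $probes) {
            $dir = Split-Path -Path $p -Parent
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            $hit = (Get-Acl -LiteralPath $dir).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
                $_.IdentityReference.Value -match 'Everyone|Users|Authenticated Users'
            }
            if ($hit) { $dir }
        }
        [pscustomobject]@{
            Name        = $_.Name
            StartMode   = $_.StartMode
            RunsAs      = $_.StartName
            ImagePath   = $path
            ProbedPaths = $probes
            LooseDirs   = $loose
            # Remediation: wrap the executable in quotes, keeping any arguments outside them.
            Fix         = 'sc.exe config {0} binPath= "\"{1}\"{2}"' -f $_.Name, $exe, $rest
        }
    }
}

Get-UnquotedServicePath | Format-List
```

Run it from an elevated prompt so every service's ACLs are readable; on the stock PowerShell 2.0 of Windows 7, replace Get-CimInstance with Get-WmiObject -Class Win32_Service, which exposes the same properties.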