This script aims to identify Local Privilege Escalation (LPE) vulnerabilities that are usually due to Windows configuration issues, or bad practices. It can also gather useful information for some exploitation and post-exploitation tasks.
After downloading the script and copying it onto the target Windows machine, run it using one of the commands below.
Note
You don't need to clone the entire repository. The file PrivescCheck.ps1 is a standalone PowerShell script that contains all the code required by PrivescCheck to run.
Important
In the commands below, the first . (dot) is used for "dot sourcing" the script, so that the functions and cmdlets can be used in the current scope (see PowerShell dot sourcing feature).
Quickly identify important issues, such as local privilege escalation vulnerabilities.
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"Identify important issues, but also gather additional information, and save the results to report files that are easy to read.
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML"Perform extended and audit checks, and save the results to human-readable reports, but also machine-readable files, which can later be parsed for automated report generation.
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML"All the checks implemented in PrivescCheck have a Type. This value, and the flags specified on the command line, will determine if they are run, or not.
Checks of type Base will always be executed, unless the script is run as an administrator. They are mainly intended for identifying privilege escalation vulnerabilities, or other important issues.
Checks of type Extended can only be executed if the option -Extended is specified on the command line. They are mainly intended for providing additional information that could be useful for exploit development, or post-exploitation.
Checks of type Audit can only be executed if the option -Audit is specified on the command line. They are mainly intended for providing information that is relevant in the context of a configuration audit.
Checks of type Experimental can only be executed if the option -Experimental is specified on the command line. These are unstable checks that need further work. Use them with caution.
By default, the PowerShell execution policy is set to Restricted on clients, and RemoteSigned on servers, when a new powershell.exe process is started. These policies block the execution of (unsigned) scripts, but they can be overriden within the current scope as follows.
Set-ExecutionPolicy Bypass -Scope Process -Force
. .\PrivescCheck.ps1However, this trick does not work when the execution policy is enforced through a GPO. In this case, after starting a new PowerShell session, you can load the script as follows.
Get-Content .\PrivescCheck.ps1 | Out-String | Invoke-ExpressionA common way to bypass Constrained Language Mode consists in starting PowerShell version 2 as it does not implement this protection. Therefore, a significant part of the development effort goes into maintaining this compatibility.
Note
Although PowerShell version 2 is still enabled by default on recent versions of Windows, it cannot run without the .Net framework version 2.0, which requires a manual install.
If you run this script within a Meterpreter session, you will likely get a "timeout" error. Metasploit has a "response timeout" value, which is set to 15 seconds by default, but this script takes a lot more time to run in most environments.
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_import /local/path/to/PrivescCheck.ps1
[+] File successfully imported. No result was returned.
meterpreter > powershell_execute "Invoke-PrivescCheck"
[-] Error running command powershell_execute: Rex::TimeoutError Operation timed out.It is possible to set a different value thanks to the -t option of the sessions command (documentation). In the following example, a timeout of 2 minutes is set for the session with ID 1.
msf6 exploit(multi/handler) > sessions -t 120 -i 1
[*] Starting interaction with 1...
meterpreter > powershell_execute "Invoke-PrivescCheck"