Finding PE Vulns
Though some of the fundamentals of finding the right PE method was explained as part of the introductory page, there are a few useful scripts and executables that can come in handy to identify such vulnerabilities quickly. Here is a short list of such tools.
WinPeas
LinPeas is one of the most popular privilege escalation enumeration script that you can find. Running the script outputs the vulnerabilities in colors indicating the most probable to the least probable or not possible ones.
Sherlock Script
Powershell script to find missing software patches for local privilege escalation vulnerabilities.
The script has a bunch of functions to validate different vulnerabilities. You can either call a specific function or apply all functions to find any one of the suscptible vulnerabilities. You can add the line "Find-AllVulns" to the bottom of the powershell script and then execute it to list all vulnerabilities.
Powersploit - Powerup
Similar to Sherlock this is another powershell script that can be used to find privilege escalation vectors that rely on misconfigurations.
The powerup is ported to a C# executable and available through the following link as SharpUp,
PrivescCheck
Yet another powershell script to sniff out misconfiguration in a windows system to exploit it to privilege escalate.
Windows Exploit Suggester
This tool directly compares the patch levels of software withthe Microsoft Vulnerability Database to detect missing patches. It requires the 'systeminfo' command output to compature that with the Microsoft Security Bulletin database.
Just Another Windows Script (JAWS)
Yet another powershell script that identifies potential privilege escalation vectors on Windows.
Rasta Watson
Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
PowerUp Script
The powerup script can be used to identify a modifiable binary in a Windows system. It is available within the Kali OS in the following location,
/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1
The script can be downloaded to the Windows system and the following function can be used to identify the modifiable binary,
This also has a function to abuse this vulnerability by adding a default user by the name "john" with the password "Password123!" and adding it to the local administrator group. It can also restart the service if sufficient permissions are available.
Last updated