PS script seems to work with no function header... (Nothing Urgent)
Closed this issue · 3 comments
Hey Christoph,
(Bear in mind I still have no PS skills and no idea what I'm looking at)
I was curious about something... I found this great script -
https://github.com/itm4n/PrivescCheck
it appears to be a script and not a function...but it seems to work OK.
I download it and build the Armoury file -
. .\New-PSArmoury
New-PSArmoury -Fromfile .\PrivescCheck.ps1 -Path .\priv_armour.ps1 -EnhancedArmour
I load the .\priv_armour.ps1 file (twice to avoid any non-MS EDR)
cat -raw .\priv_armour.ps1 | iex
and except for an illegal character error it seems to run OK and give me the results -
PS C:\Users\matt_\Downloads> Invoke-PrivescCheck
Test-Path : Illegal characters in path.
At line:6689 char:9
+ if (Test-Path $ScriptPath) {
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (C:\Users\matt_\...rmour.ps1 | iex:String) [Test-Path], ArgumentException
+ FullyQualifiedErrorId : ItemExistsArgumentError,Microsoft.PowerShell.Commands.TestPathCommand
+------+------------------------------------------------+------+
| TEST | USER > Privileges | VULN |
+------+------------------------------------------------+------+
| DESC | List the privileges that are associated to the |
| | current user's token. If any of them can be leveraged |
| | to somehow run code in the context of the SYSTEM |
| | account, it will be reported as a finding. |
+------+-------------------------------------------------------+
[!] Not vulnerable.
+------+------------------------------------------------+------+
| TEST | USER > Environment Variables | INFO |
+------+------------------------------------------------+------+
| DESC | List the environment variables of the current process |
| | and try to identify any potentially sensitive |
| | information such as passwords or API secrets. This |
| | check is simply based on keyword matching and might |
| | not be entirely reliable. |
+------+-------------------------------------------------------+
[!] Nothing found.
+------+------------------------------------------------+------+
| TEST | SERVICES > Non-default Services | INFO |
+------+------------------------------------------------+------+
| DESC | List all registered services and filter out the ones |
| | that are built into Windows. It does so by parsing |
| | the target executable's metadata. |
+------+-------------------------------------------------------+
But this appears to be a script, since it doesn't have a function block around it like all the others that work so easily. In fact, if I try to add a function block to the beginning, it doesn't work at all.
I was just curious, why this seems to work.
Keep up the great work and stay safe!!
Just saw this issue by chance.
This is actually not a misconfiguration with PowerShellArmoury. The script is loaded and executed successfully. You can take a look at the variable $ScriptPath after loading the script. When loading Invoke-PrivescCheck from a URL via IEX it contains the URL value, and in this case it will contain some invalid characters. Just change the line if (Test-Path $ScriptPath)
to for example if ("1" -eq "2")
if you don't need the module imports.
Hi @mathurin68, thanks for your question. @S3cur3Th1sSh1t is correct. I just want to add that PrivescCheck does contain a couple of different functions if you scroll down a bit in the source code. The stuff at the beginning of the file is the various declarations of native APIs the script is using.
And just to add some background: you do not actually "need" a function for PSArmoury. If you run "cat -raw .\priv_armour.ps1 | iex" the loader will decrypt your content (PrivescCheck) and then itself just pipe everything into invoke-expression.
Now everything that's inside a function block will be defined and you can use it later, meaning that you can decide when to execute that code. Everything that's not inside a function block will be executed right away and that might not be what you want.
I created a little gist for you to try here: https://gist.github.com/cfalta/afe271fca9bcbbdcc1925610237ab909
Try to run it with PSArmoury and check out the source to see the difference between function block and non function block :-)
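As an added illustration of the load-time behaviour described above (this is not the linked gist, nor PSArmoury's or PrivescCheck's own code), the following PowerShell feeds a constructed script string to Invoke-Expression the way the loader does: the function is only defined, the statements outside it run immediately, and a guarded stand-in for the "if (Test-Path $ScriptPath)" line returns $false instead of throwing when the variable holds URL or pipeline text rather than a file path. Test-SafePath and Invoke-DemoCheck are names chosen for this example.

```powershell
# Added example, not from the thread. Test-SafePath is a hypothetical helper:
# Test-Path writes an error for characters that are illegal in a file-system
# path (the "Illegal characters in path" seen when $ScriptPath holds URL or
# pipeline text); -ErrorAction Stop turns that into a catchable exception so
# the caller gets $false instead of an error record.
function Test-SafePath {
    param([string]$Candidate)
    if ([string]::IsNullOrWhiteSpace($Candidate)) { return $false }
    try {
        return [bool](Test-Path -LiteralPath $Candidate -ErrorAction Stop)
    }
    catch {
        return $false
    }
}

# Constructed "script" text, mimicking what the loader hands to Invoke-Expression:
# one function definition plus statements outside any function block.
$scriptText = @'
function Invoke-DemoCheck {
    "Invoke-DemoCheck ran because you called it"
}

"top-level statement: runs the moment the text is piped into iex"

# Constructed value standing in for $ScriptPath when the script was not
# loaded from a file: not a path, so an unguarded Test-Path would error.
$ScriptPath = 'https://example.invalid/priv_armour.ps1 | iex'
if (Test-SafePath $ScriptPath) {
    "script path is a real file: module imports would happen here"
}
else {
    "no usable script path: skipping the import block"
}
'@

$scriptText | Invoke-Expression   # the two strings above are emitted now
Invoke-DemoCheck                  # the function exists only after loading
```

Running it shows the top-level line and the "no usable script path" branch at load time, and Invoke-DemoCheck only when called afterwards.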
@cfalta Everything that's not inside a function block will be executed right away and that might not be what you want.
"not inside function block"
Got it...thank you!!