PowerUp

PowerUp has been out for a while a great PowerShell script that looks for your typical out of place configurations that can allow a regular user access to resources that they shouldn't this tool has not been updated in a while, especially the PowerShell script version one but we can utilize the C# one which Is actively maintained

Running is straightforward in its help menu we want to use all checks available and get the results from that the audit parameter is the one we use; we wait for it to finish, and we can see it has found a vulnerable configuration

To take advantage of this method we see that 2 registry keys are enabled that allow us to install MSI packages with elevated permissions, we are mostly interested in the User Key since we should be in this context.

We can create a simple payload utilizing msfvenom to create an MSI package or a visual studio to create our custom one.

To take advantage of this method we drop our MSI payload to the workstation utilize msiexec LOLBAS and gain a shell with elevated permissions

Here is a small demo of this technique

Demo: