# PowerUp

PowerUp has been out for a while. It is a great PowerShell script that looks for the typical out-of-place configurations that can give a regular user access to resources they shouldn't have. The tool has not been updated in a while, especially the PowerShell script version, but we can use the C# one, which is actively maintained.

Running it is straightforward. From its help menu, we want to run all available checks and collect the results, and the audit parameter is the one that does this. We wait for it to finish and can see that it has found a vulnerable configuration.

![](/files/Y55mmfGzUXbhmJQ3xthU)

The finding shows that 2 registry keys are enabled that allow MSI packages to be installed with elevated permissions. We are mostly interested in the User key, since that is the context we should be running in.

We can create a simple MSI payload with msfvenom, or build a custom one in Visual Studio.

To take advantage of this method, we drop our MSI payload onto the workstation, run it with the msiexec LOLBAS, and gain a shell with elevated permissions.

![](/files/dsr9gxjtccNsOu9Yg8BH)

Here is a small demo of this technique:

![](/files/rXHsqL7bYRg8awQjGliu)
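
A defender's check for the configuration described above, as an added example that is not part of the original page. It assumes the two registry values in the finding are the Windows Installer policy value `AlwaysInstallElevated` under the machine and user `Policies\Microsoft\Windows\Installer` keys, which the page does not name; the function name is hypothetical.

```powershell
# Added example (not from the original page): audit the two Windows Installer
# policy values that let MSI packages install with elevated permissions.
# Assumption: the value name is AlwaysInstallElevated (not named on the page).
$valueName = 'AlwaysInstallElevated'
$hives = [ordered]@{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

# Hypothetical helper: returns $null when the key or value is absent,
# which is the safe default state.
function Get-InstallerPolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($scope in $hives.Keys) {
    $value = Get-InstallerPolicyValue -Path $hives[$scope] -Name $valueName
    [pscustomobject]@{
        Scope   = $scope
        Path    = $hives[$scope]
        Value   = if ($null -eq $value) { 'not set' } else { $value }
        Enabled = ($value -eq 1)
    }
}
$results | Format-Table -AutoSize

# The policy only takes effect when it is enabled in BOTH hives.
$enabledCount = @($results | Where-Object { $_.Enabled }).Count
if ($enabledCount -eq 2) {
    Write-Warning 'Both values are 1: MSI packages install with elevated permissions for this user.'
} elseif ($enabledCount -eq 1) {
    Write-Output 'Only one hive has the value set to 1; the policy is not effective, but the setting should still be cleaned up.'
} else {
    Write-Output 'The policy is not enabled in either hive.'
}
```

The HKCU check covers only the account running the script. The setting is normally delivered through the "Always install with elevated privileges" Group Policy under Windows Components > Windows Installer, so disable it in both Computer Configuration and User Configuration.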


