PS script seems to work with no function header... (Nothing Urgent)

[mathurin68]

Hey Cristoph,

(Bear in mind I still have no PS skills and no idea what I'm looking at) I was curious about something... I found this great script - https://github.com/itm4n/PrivescCheck it appears to be a script and not a function...but it seems to work OK.

I download it and build the Armoury file - . .\New-PSArmoury New-PSArmoury -Fromfile .\PrivescCheck.ps1 -Path .\priv_armour.ps1 -EnhancedArmour

I load the .\priv-armour.ps1 file (twice to avoid any non-MS EDR) cat -raw .\priv_armour.ps1 | iex

and except for an illegal character error it seems to run OK and give me the results -

PS C:\Users\matt_\Downloads> Invoke-PrivescCheck
Test-Path : Illegal characters in path.
At line:6689 char:9
+     if (Test-Path $ScriptPath) {
+         ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (C:\Users\matt_\...rmour.ps1 | iex:String) [Test-Path], ArgumentExcepti
   on
    + FullyQualifiedErrorId : ItemExistsArgumentError,Microsoft.PowerShell.Commands.TestPathCommand

+------+------------------------------------------------+------+
| TEST | USER > Privileges                              | VULN |
+------+------------------------------------------------+------+
| DESC | List the privileges that are associated to the        |
|      | current user's token. If any of them can be leveraged |
|      | to somehow run code in the context of the SYSTEM      |
|      | account, it will be reported as a finding.            |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | USER > Environment Variables                   | INFO |
+------+------------------------------------------------+------+
| DESC | List the environment variables of the current process |
|      | and try to identify any potentially sensitive         |
|      | information such as passwords or API secrets. This    |
|      | check is simply based on keyword matching and might   |
|      | not be entirely reliable.                             |
+------+-------------------------------------------------------+
[!] Nothing found.

+------+------------------------------------------------+------+
| TEST | SERVICES > Non-default Services                | INFO |
+------+------------------------------------------------+------+
| DESC | List all registered services and filter out the ones  |
|      | that are built into Windows. It does so by parsing    |
|      | the target executable's metadata.                     |
+------+-------------------------------------------------------+

But, this appears to be a script, since it doesn't have a function block around it like all the others that work so easily. In fact, if I try to add a function block to the beginning it it doesn't work at all.

I was just curious, why this seems to work.

Keep up the great work and stay safe!!

[S3cur3Th1sSh1t]

Just saw this issue by chance.

This is actually not an misconfiguration with PowerShellArmoury. The script is loaded and executed successfully. You can take a look at the variable $ScriptPath after loading the script. When loading Invoke-Privesccheck from an URL via IEX it contains the URL value, and in this case it will contain some invalid charackters. Just change the line if (Test-Path $ScriptPath) to for example if ("1" -eq "2") if you don´t need the module imports.

[cfalta]

Hi @mathurin68, thanks for your question. @S3cur3Th1sSh1t is correct. I just want to add that PrivescCheck does contain a couple of different functions if you scroll down a bit in the source code. The stuff at the beginning of the file are the various declarations of native APIs the script is using. And just to add some background: you do not actually "need" a function for PSArmoury. If you run "cat -raw .\priv_armour.ps1 | iex" the loader will decrypt your content (PrivescCheck) and then itself just pipe everything into invoke-expression. Now everything that's inside a function block will be defined and you can use it later, meaning that you can decide when to execute that code. Everything that's not inside a function block will be executed right away and that might not be what you want.

I created a little gist for you to try here: https://gist.github.com/cfalta/afe271fca9bcbbdcc1925610237ab909

Try to run it with PSArmoury and check out the source to see the difference between function block and non function block :-)

[mathurin68]

@cfalta Everything that's not inside a function block will be executed right away and that might not be what you want. "not inside function block"

Got it...thank you!!