itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License
2.79k stars, 416 forks

A lot of errors when running with -Extended #17

Closed init5-SF closed 3 years ago

init5-SF commented 3 years ago

Hey, great tool!

I am testing on Windows 10 Enterprise (20H2), and it's spitting out a lot of errors. Actual script output is diverted to a text file, so only errors are showing in the PS console. I also have local admin privs but did not run PS as administrator.

Let me know if you need more details!

PS D:\Toolz\AVtest> Invoke-PrivescCheck -Extended > privescReport.txt
Get-ItemProperty : Specified cast is not valid.
At D:\Toolz\AVtest\PrivescCheck.ps1:1385 char:27
+ ... roperties = Get-ItemProperty -Path $RegService.PSPath -ErrorAction Si ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ItemProperty], InvalidCastException
    + FullyQualifiedErrorId : System.InvalidCastException,Microsoft.PowerShell.Commands.GetItemPropertyCommand

Get-Item : Could not find item C:\ProgramData\Tencent\QQPCMgr\QMConfig.hiv.LOG1.
At D:\Toolz\AVtest\PrivescCheck.ps1:1570 char:27
+                     if ($(Get-Item -Path $ResolvedPath) -is [System.I ...
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\ProgramData\...Config.hiv.LOG1:String) [Get-Item], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetItemCommand

Get-Item : Could not find item C:\ProgramData\Tencent\QQPCMgr\QMConfig.hiv.LOG2.
At D:\Toolz\AVtest\PrivescCheck.ps1:1570 char:27
+                     if ($(Get-Item -Path $ResolvedPath) -is [System.I ...
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\ProgramData\...Config.hiv.LOG2:String) [Get-Item], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetItemCommand

Get-Item : Could not find item C:\ProgramData\Tencent\QQPCMgr\QMConfig.hiv{f8fce59d-bade-11ea-b83e-d43d7e187ce5}.TM.blf.
At D:\Toolz\AVtest\PrivescCheck.ps1:1570 char:27
+                     if ($(Get-Item -Path $ResolvedPath) -is [System.I ...
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\ProgramData\...e187ce5}.TM.blf:String) [Get-Item], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetItemCommand

Get-Item : Could not find item C:\ProgramData\Tencent\QQPCMgr\QMConfig.hiv{f8fce59d-bade-11ea-b83e-d43d7e187ce5}.TMContainer00000000000000000001.regtrans-ms.
At D:\Toolz\AVtest\PrivescCheck.ps1:1570 char:27
+                     if ($(Get-Item -Path $ResolvedPath) -is [System.I ...
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\ProgramData\...001.regtrans-ms:String) [Get-Item], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetItemCommand

Get-Item : Could not find item C:\ProgramData\Tencent\QQPCMgr\QMConfig.hiv{f8fce59d-bade-11ea-b83e-d43d7e187ce5}.TMContainer00000000000000000002.regtrans-ms.
At D:\Toolz\AVtest\PrivescCheck.ps1:1570 char:27
+                     if ($(Get-Item -Path $ResolvedPath) -is [System.I ...
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\ProgramData\...002.regtrans-ms:String) [Get-Item], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetItemCommand

itm4n commented 3 years ago

Hello!

Thanks for reporting these issues. I'll have to take a closer look at those errors. 🧐

init5-SF commented 3 years ago

Sure, let me know if you need details or debug info from my end.

itm4n commented 3 years ago

Note to self

The second error can be reproduced on one of my lab machines with the following command:

PS C:\Users\Lab-User\Downloads> . .\PrivescCheck.ps1; Invoke-ProgramDataCheck
Get-Item : Could not find item C:\ProgramData\Chocolatey\.chocolatey.
At C:\Users\Lab-User\Downloads\PrivescCheck.ps1:1570 char:27
+                     if ($(Get-Item -Path $ResolvedPath) -is [System.I ...
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\ProgramData\Chocolatey\.chocolatey:String) [Get-Item], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetItemCommand

itm4n commented 3 years ago

My recent update should have fixed most of the errors you got. I simply forgot to add the -Force flag when calling Get-Item. This flag is required when opening hidden files.
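
The behaviour described in the comment above, as an added example that is not part of the thread or of PrivescCheck's code: it builds a constructed temp folder with one visible and one hidden file, then resolves each path with and without `-Force`. The helper name `Test-ItemResolution`, the file names, and the use of `Get-ChildItem -Force` to list the folder are assumptions made for the demo.

```powershell
# Constructed sandbox: a temp folder holding one normal and one hidden file.
$Root = Join-Path ([IO.Path]::GetTempPath()) ("hidden-demo-" + [Guid]::NewGuid())
New-Item -ItemType Directory -Path $Root | Out-Null
New-Item -ItemType File -Path (Join-Path $Root 'visible.txt') | Out-Null
$Hidden = New-Item -ItemType File -Path (Join-Path $Root '.hidden.cfg')
$Hidden.Attributes = $Hidden.Attributes -bor [IO.FileAttributes]::Hidden

# Hypothetical helper: try to open a path and report the outcome instead of
# letting a non-terminating error leak to the console mid-scan.
function Test-ItemResolution {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Force
    )
    try {
        $Item = Get-Item -Path $Path -Force:$Force -ErrorAction Stop
        [pscustomobject]@{
            Name     = Split-Path -Path $Path -Leaf
            Force    = [bool]$Force
            Resolved = $true
            IsFile   = ($Item -is [System.IO.FileInfo])
            ErrorId  = $null
        }
    } catch {
        [pscustomobject]@{
            Name     = Split-Path -Path $Path -Leaf
            Force    = [bool]$Force
            Resolved = $false
            IsFile   = $null
            ErrorId  = $_.FullyQualifiedErrorId
        }
    }
}

try {
    # The listing uses -Force so that hidden entries are enumerated at all;
    # each entry is then opened twice, without and with -Force on Get-Item.
    $Results = foreach ($Entry in Get-ChildItem -Path $Root -Force) {
        Test-ItemResolution -Path $Entry.FullName
        Test-ItemResolution -Path $Entry.FullName -Force
    }
    $Results | Format-Table -AutoSize
} finally {
    # Clean up the constructed sandbox (hidden files need -Force here too).
    Remove-Item -Path $Root -Recurse -Force
}
```

On Windows PowerShell, the row for the hidden file without `-Force` is the one that fails to resolve; wrapping the call in `try`/`catch` with `-ErrorAction Stop` keeps such failures in the results instead of on the console.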

itm4n commented 3 years ago

I'm closing this issue for now. Feel free to open a new one in case you find other errors. Thanks. :)

init5-SF commented 3 years ago

Hey there, the previous errors are now fixed, thanks! I'm getting a new one now (with and without -Extended):

Get-ItemProperty : Specified cast is not valid.
At line:626 char:26
+ ... roperties = Get-ItemProperty -Path "Registry::$ServiceRegPath" -Error ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ItemProperty], InvalidCastException
    + FullyQualifiedErrorId : System.InvalidCastException,Microsoft.PowerShell.Commands.GetItemPropertyCommand

It always displays the same line number, 626.