Scan Directory Permissions - PSP Assignment 0x3

Before we start, I would like to bring your attention to this PSP course from Pentester Academy -
https://www.pentesteracademy.com/course?id=21. The course focuses on PowerShell scripting that can be used in pentesting activities.


Description -
A PowerShell script that enumerates the directories inside a folder that are writable by non-admin users and prints them out for the user.

Script Code -

function Enum-DirPermission {
<#
.SYNOPSIS
Enumerate a directory and find writable directories for a non-admin user.
.DESCRIPTION
A PowerShell script that enumerates the directories inside a folder that are writable by non-admin users and prints them out for the user.
.PARAMETER User
Username whose permissions should be checked.
.PARAMETER Path
The path of the directory to be checked.
.EXAMPLE
PS C:\> . .\Enum-DirPermission.ps1
PS C:\> Enum-DirPermission -Username Anurag
.NOTES
Credit: https://sa1m0nz.wordpress.com/2018/01/26/enumerate-directories-inside-cwindowssystem32-which-are-writable-by-non-admin-users-powershell-for-pentesters-task-3/
This script has been created for completing the requirements of the SecurityTube PowerShell for Penetration Testers Certification Exam
http://www.securitytube-training.com/online-courses/powershell-for-pentesters/
Student ID: PSP-3250
#>
    [CmdletBinding()] Param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [Alias("Username")]
        [String]
        $User,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [Alias('Location', 'Directory')]
        [String]
        $Path = "C:\windows\system32"
    )
    # Set this first so access-denied errors from Get-ChildItem and icacls are suppressed too
    $ErrorActionPreference = 'SilentlyContinue'
    # Collect the full path of every sub-directory directly under $Path
    $fetchdir = Get-ChildItem $Path | foreach { If ($_.psiscontainer) { $_.fullname } }
    foreach ($dir in $fetchdir) {
        # icacls prints one line per ACL entry for the directory
        $res = icacls $dir
        # Escape the name so it is matched literally rather than as a regular expression
        if ($res -match [regex]::Escape($User)) {
            "`n[+] Woaah, Found Some ! `n"
            Write-Host ($dir.Split('\')[-1] + " directory may be writable for user [ " + $User + " ] in directory - " + $dir) -ForegroundColor Yellow
            " "
            "Confirming the write permission by creating a file.... `n "
            # Random file name, so an existing check.txt is never opened or deleted
            $check = Join-Path $dir ([IO.Path]::GetRandomFileName())
            Try {
                [io.file]::OpenWrite($check).Close()
                Write-Host "[+] Permission Confirmed ! You surely have write permission in: $dir" -ForegroundColor Green
                # Deleting the file
                [io.file]::Delete($check)
            }
            Catch {
                # OpenWrite threw, so the test file could not be created
                Write-Host "[-] Oops, you don't have write permission" -ForegroundColor Red
            }
        }
    }
}
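
An added example, not part of the original script or the author's repository: a read-only variant that reads each sub-directory's ACL with Get-Acl and reports entries granting create rights, instead of matching icacls text and creating a test file. The function name Get-WritableDirectoryAcl, its parameters and the default SID list (Everyone, Authenticated Users, BUILTIN\Users) are assumptions made for illustration.

```powershell
# Added example (not the author's code): list sub-directories whose ACL grants
# file or folder creation to low-privileged principals, without writing anything.
function Get-WritableDirectoryAcl {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\Windows\System32',
        # Assumption: audit these well-known SIDs
        # S-1-1-0 = Everyone, S-1-5-11 = Authenticated Users, S-1-5-32-545 = BUILTIN\Users
        [string[]]$Sid = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    )
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    # Only the bits that allow creating content in a directory; Modify/FullControl include them
    $writeMask   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    Get-ChildItem -LiteralPath $Path -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_.FullName
        try   { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop }
        catch { Write-Verbose "Cannot read ACL: $dir"; return }   # skip this directory

        # Explicit and inherited rules, with identities returned as SIDs (locale independent)
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries apply to children, not to the directory itself
            if (($rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($Sid -notcontains $rule.IdentityReference.Value) { continue }
            if (($rule.FileSystemRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir
                    Sid       = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Example call: table of candidate directories under the default path
Get-WritableDirectoryAcl -Verbose | Format-Table -AutoSize
```

It reports Allow entries only; Deny entries and the group memberships of a specific account are not evaluated, so each row is a candidate to verify rather than a confirmed write path.
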
Proof of Concept -


References -

The script can be found on my GitHub -
https://github.com/hexachordanu/PSP/blob/master/Enum-DirPermission.ps1

This blog post has been created for completing the requirements of the SecurityTube PowerShell for Penetration Testers Certification Exam
https://www.pentesteracademy.com/course?id=21
Student ID: PSP-3250
