From ef67012655218d6e1cbd7225afb1cc5eee21511e Mon Sep 17 00:00:00 2001
From: Bubbl3H3d <31154539+Bubbl3H3d@users.noreply.github.com>
Date: Sun, 1 Oct 2017 16:37:07 -0400
Subject: [PATCH 1/2] PowerUp.ps1:3158 - Check SystemPath only
The current instantiation of code calls the %PATH% environment variable. However, since PowerUp is normally run with the permissions of an unprivileged crappy user in order to privesc, the %PATH% variable is returned as a concatenation of the SystemPath and UserPath. Any exploitable services running as SYSTEM will not call DLLs from the UserPath. Thus, we need to focus on writable folders in the SystemPath only in order to privesc. The proposed change pulls the SystemPath value directly from the registry and places it in the same format as the original code.
---
 Privesc/PowerUp.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index 45edcecf..e93949cb 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -3155,7 +3155,7 @@ http://www.greyhathacker.net/?p=738
 Param()
 # use -Literal so the spaces in %PATH% folders are not tokenized
- Get-Item Env:Path | Select-Object -ExpandProperty Value | ForEach-Object { $_.split(';') } | Where-Object {$_ -and ($_ -ne '')} | ForEach-Object {
+ (get-itemproperty "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment").path.split(';') | ForEach-Object {
 $TargetPath = $_
 $ModifidablePaths = $TargetPath | Get-ModifiablePath -Literal | Where-Object {$_ -and ($Null -ne $_) -and ($Null -ne $_.ModifiablePath) -and ($_.ModifiablePath.Trim() -ne '')}
 ForEach ($ModifidablePath in $ModifidablePaths) {
From 2007000ff4da1e8f2df0d6a193e4c73cf395a285 Mon Sep 17 00:00:00 2001
From: Bubbl3H3d <31154539+Bubbl3H3d@users.noreply.github.com>
Date: Sun, 1 Oct 2017 16:42:56 -0400
Subject: [PATCH 2/2] Update PowerUp.ps1
---
 Privesc/PowerUp.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
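Review bot: The new line drops the `Where-Object {$_ -and ($_ -ne '')}` filter the removed pipeline applied, so a trailing or doubled `;` in the registry value hands an empty string to `Get-ModifiablePath -Literal`, and a missing value makes `.path.split` throw on a null. The enclosing function starts before this hunk and its body continues after it. I would split the read from the filter, `$SystemPath = (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Session Manager\Environment' -ErrorAction SilentlyContinue).Path` followed by `($SystemPath -split ';') | Where-Object { $_ -and ($_.Trim() -ne '') } | ForEach-Object {`, leaving the rest of the block as it is. The comment line above still speaks of `%PATH%` and should explain the new source, e.g. `# read the machine PATH from HKLM rather than $Env:Path: services running as SYSTEM resolve DLLs from the system path only, so user-path entries are not relevant to this check`.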
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index e93949cb..8f43b401 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -3155,7 +3155,7 @@ http://www.greyhathacker.net/?p=738
 Param()
 # use -Literal so the spaces in %PATH% folders are not tokenized
- (get-itemproperty "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment").path.split(';') | ForEach-Object {
+ (get-itemproperty "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment").path.split(';') | ForEach-Object {
 $TargetPath = $_
 $ModifidablePaths = $TargetPath | Get-ModifiablePath -Literal | Where-Object {$_ -and ($Null -ne $_) -and ($Null -ne $_.ModifiablePath) -and ($_.ModifiablePath.Trim() -ne '')}
 ForEach ($ModifidablePath in $ModifidablePaths) {