Flebbi Posted March 10, 2020

This was created by @PoSHMagiC0de. Can somebody tell me what I'm doing wrong?
PoSHMagiC0de Posted March 10, 2020

Welp, I mentioned a while back the correct way to create PowerShell payloads/scripts that are easily transportable. That method is to make them as functions. This is a function. When you ran that, it created the function and stored it in memory. To run it, you have to run the function name with the parameters. The file method needs the local location of the .ps1 file to be run. The encoded method needs the PowerShell commands you want to run encoded as base64 Unicode (like if you were going to run the encoded PowerShell commands with the "powershell /E" way). So, if you are trying to run Notepad with this, then either have a local .ps1 file created with:

Start-Process Notepad

or take that command above, encode it to base64 Unicode and use it with the encoded method. Welcome to PowerShell 101.

PS: Forgot to mention you have to be a local admin to begin with. The script will do nothing if you are not. There is no privesc from normal user to admin.
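As an added example (not from PoSHMagiC0de's post or the Invoke-TaskCleanerBypass project), here is how to produce and verify the base64 Unicode (UTF-16LE) form that powershell.exe -EncodedCommand and the Encoded method expect. The two strings quoted later in this thread make a useful test pair: "bgBvAHQAZQBwAGEAZAA=" is the UTF-16LE encoding of notepad, while "U3RhcnQtUHJvY2VzcyBub3RlcGFk" is the UTF-8 encoding of Start-Process notepad, which -EncodedCommand will not accept. The function names are my own.

```powershell
# Added example, not part of the original post or project.
# powershell.exe -EncodedCommand takes base64 of the UTF-16LE ("Unicode") bytes
# of the script text, not of its UTF-8/ASCII bytes.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # [Text.Encoding]::Unicode is UTF-16LE, the encoding -EncodedCommand expects
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

function Test-EncodedCommand {
    # Returns $true when the string decodes as UTF-16LE back to the expected text.
    param(
        [Parameter(Mandatory)][string]$Encoded,
        [Parameter(Mandatory)][string]$Expected
    )
    (ConvertFrom-EncodedCommand $Encoded) -eq $Expected
}

# The string from the project README decodes cleanly as UTF-16LE.
Test-EncodedCommand -Encoded 'bgBvAHQAZQBwAGEAZAA=' -Expected 'notepad'

# The UTF-8 base64 of the same text is a different string and fails the check,
# because decoding UTF-8 bytes as UTF-16LE produces mojibake, not the command.
$utf8 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('Start-Process notepad'))
Test-EncodedCommand -Encoded $utf8 -Expected 'Start-Process notepad'
ConvertFrom-EncodedCommand $utf8

# Build the correct form, round-trip it, then hand it to powershell.exe.
$enc = ConvertTo-EncodedCommand 'Start-Process notepad'
if (-not (Test-EncodedCommand -Encoded $enc -Expected 'Start-Process notepad')) {
    throw 'round trip failed'
}
powershell.exe -NoProfile -EncodedCommand $enc
```

Running ConvertFrom-EncodedCommand on a string before passing it to -EncodedCommand (or to the Encoded method of the script in this thread) is the quickest way to tell the two encodings apart: the UTF-16LE form decodes to the original text, the UTF-8 form decodes to unreadable characters.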
Flebbi Posted March 10, 2020 (Author)

> On 3/10/2020 at 4:56 PM, PoSHMagiC0de said:
> Start-Process Notepad
> Or take that command above, encode it to base64 Unicode and use it with the encoded method.

@PoSHMagiC0de But haven't I done this already? I took the exact command from your GitHub:

Invoke-TaskCleanerBypass -Method Encoded -EncodedCommand "bgBvAHQAZQBwAGEAZAA="

This is the encoded method, and the command "notepad" is encoded into base64. That should start Notepad as administrator, shouldn't it? And if I try the file method I also get nothing. I tried that:

Invoke-TaskCleanerBypass -Method File -Filename C:\users\\$env:username\Documents\myscript.ps1

while myscript.ps1 contained only that command: "Start-Process notepad". I also tried to write "U3RhcnQtUHJvY2VzcyBub3RlcGFk" (start-process notepad in base64) into the file instead of "start-process notepad", but that gave me the same "nothing happens" result.
PoSHMagiC0de Posted March 12, 2020

Just retested. It works. You have to be a local admin on the machine first before you run this. It will not warn you or do absolutely anything if you are not. This is not a priv escalation from an unprivileged user to admin. This is to bypass UAC. UAC is that prompt you get when you are on as an admin and need to run something that requires elevated rights, so it greys out the screen with that "are you sure" message. It is Windows' version of sudo. For automated tasks where keyboard access is not there, this is very helpful, since you will not be able to click "yes" via code.
Flebbi Posted March 12, 2020 (Author)

> 17 minutes ago, PoSHMagiC0de said:
> Just retested. It works. You have to be a local admin on the machine first before you run this.

Yes, I know all this, and I am a local admin. I tested it on my Win10 machine. I get what the function should do and how it could be used. I just don't get what I'm doing wrong. What exactly have you done that it worked on your machine? Here's what I did (you could also see it in the video, but I'll explain it here to clarify 100%):

First, I copy-pasted this text into PowerShell (not elevated PowerShell, just normal PowerShell) and hit enter. Second, I ran this command {Invoke-TaskCleanerBypass -Method Encoded -EncodedCommand "bgBvAHQAZQBwAGEAZAA="} (without the {} of course), which is also in your readme on GitHub, so that should definitely work. I also tried replacing the encoded "notepad" text with encoded cmd or powershell, same result. Nothing pops up.

I just did these two steps: copy-paste the function and run the command. Do I have to do anything else, or why does it not work🤔🤔
PoSHMagiC0de Posted March 12, 2020

Welp, it checks to make sure you are in the local Administrators group. Now, I can see an issue ensuing in the way I am checking this, since I am directly checking the local group. If you are added to the Administrators group via another group, it may not see you. You can remark out the check if you want to test for yourself; the code is commented. Anyway, if your name is not in the local Administrators group, it will just exit.

Also, it checks for a specific version number of Windows. It will run if Win10 or greater, or if version 8.1, specifically major version 6.3 it looks like. I was going off of user feedback on the 8.1 part as to whether it worked or not for that version.

If both are satisfied, it will create a PowerShell command to be added to the registry for the disk cleanup task with arguments, etc. It then schedules a schtask for disk cleanup, waits 5 seconds and then removes the registry entry. Similar to the Event Viewer bypass in some ways. Very noticeable, as the script will pause and then return once the 5 secs are up, and a black window will pop up briefly before Notepad comes up. That is all that encoded script does in the example. I pretty much took someone else's script and cleaned it up to be more portable.
kuyaya Posted March 12, 2020

I think I may have found the solution: PoSHMagiC0de mentioned the local Administrators group. The script also didn't work for me, then I went step by step through the script, and that is exactly what brought me the solution. I checked the groups by running this in PowerShell:

Get-LocalGroup

And then I checked which users are in the group "administrators" by running this:

Get-LocalGroupMember "administrators"

That's what brought me the solution. It gave me an error: the group 'administrators' doesn't exist. Then I ran Get-LocalGroup again and saw that the name wasn't "administrators", it was "administratoren", which is administrators in German. You probably are in the local Administrators group; it just doesn't work because it isn't "administrators" in your language. The rest is really easy. Go to line 42 of the script and change "administrators" to <administrators in your language>. That should fix it.

Posh, I would recommend you write that in your readme just to make sure nobody gets this issue again😉
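The localized group name is the root cause here, and editing line 42 per language is fragile. As an added example (not the project's code and not from any post above), the two prerequisite checks the thread describes, local Administrators membership and Windows 8.1 (6.3) or newer, can be done by the well-known SID S-1-5-32-544, which is the same on every language of Windows. Checking the token's group SIDs also covers the nested-group case PoSHMagiC0de mentions, since a domain group placed into local Administrators shows up in the token as the Administrators SID. The function names are my own.

```powershell
# Added example, not part of the original project.
# Resolve the local Administrators group by SID instead of by a localized name
# such as "Administrators" / "Administratoren".

function Test-LocalAdminMembership {
    # Well-known SID of BUILTIN\Administrators, identical on every Windows language.
    $adminSid = 'S-1-5-32-544'
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()

    # 1. Token groups. This covers membership inherited through another group
    #    (for example a domain group that was added to local Administrators).
    #    In a non-elevated process under UAC the SID is still listed in the token,
    #    only marked "deny only", so this check works before elevation.
    $inToken = [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid })

    # 2. Direct membership in the local group, looked up by SID rather than by name.
    #    Get-LocalGroup -SID returns the group's localized name for free.
    $group  = Get-LocalGroup -SID $adminSid
    $direct = [bool](Get-LocalGroupMember -SID $adminSid |
                     Where-Object { $_.SID.Value -eq $identity.User.Value })

    [pscustomobject]@{
        User          = $identity.Name
        LocalizedName = $group.Name
        DirectMember  = $direct
        TokenMember   = $inToken
        IsAdmin       = ($direct -or $inToken)
    }
}

function Test-SupportedWindowsVersion {
    # Win32_OperatingSystem reports the real OS version; it is not affected by
    # application manifests or compatibility shims.
    $v = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    # Windows 10 or later, or Windows 8.1 (major 6, minor 3), as the script expects.
    ($v.Major -ge 10) -or ($v.Major -eq 6 -and $v.Minor -eq 3)
}

$admin = Test-LocalAdminMembership
$admin
if (-not $admin.IsAdmin) {
    Write-Warning "Current user is not in '$($admin.LocalizedName)'; the script would exit silently."
}
if (-not (Test-SupportedWindowsVersion)) {
    Write-Warning 'Windows version is below 6.3; the script would exit silently.'
}
```

Running this first answers both "am I really in the group?" and "what is the group called on this box?" before touching the script, which is exactly the information that was missing in this thread. The same SID-based lookup can replace the string comparison on line 42 so the check no longer breaks on non-English installs.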
Flebbi Posted March 12, 2020 (Author)

> 2 hours ago, kuyaya said:
> I think I may have found the solution: PoSHMagiC0de mentioned the local Administrators group.

That actually worked for me. Thank you for your help, Posh and kuyaya.
kuyaya Posted March 13, 2020

I'm updating the lazassword payload based on that. Give me a few days and you'll have LaZagne running as admin without the UAC prompt.
This topic is now archived and is closed to further replies.