Scheduled tasks have been an exploitation vector for a very long time, as there has always been the need for automation, now more than ever. The following command can be used to make sure the Task Scheduler service is running: net start "Task Scheduler" Conclusion SCHTASKS /CREATE /SC MINUTE /TN "Task Name" /TR "path_to_shell" /ST HH:MMĪfter setting up the scheduled task, a Netcat listener can be setup to catch the reverse shell and gain remote access to the target system. #or the following, in newer versions of Windoows: #create a scheduled task to run after a minute This vulnerability exists because older versions of Windows used to run every scheduled task with system-level privileges, regardless of the owner of the task.Īfter generating a malicious shell using MSFvenom and placing it in an arbitrary folder, in the same way as the previous exploitation process, a new scheduled task can be created with one of the following commands: #check the system time with the "time" command This method only works on older versions of windows (Windows 2000, XP, or 2003), furthermore the current user must be a local administrator to be able to create new scheduled tasks. Once the scheduled task has run, the Powershell script was executed, connecting to the listener and therefore granting a remote shell: Creating a New Scheduled Task The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags: Since the current user has access to edit the Backup.ps1 script, the easiest way to exploit this is to simply add an extra line to it which will execute the reverse shell: echo path_to_shell > path_to_scheduled_script Transferring the shell.exe file to the Windows victim machine using the Python web server and the Windows Certutil utility. -f to specify the format, in this case exe.LPORT to specify the local port to connect to.LHOST to specify the local host IP address to connect to.-p to specify the payload type, in this case the Windows reverse TCP shell.This can be bypassed with an extra command line flag to automatically accept the EULA.\accesschk.exe /accepteula -quvw stef C:\Users\Administrator\Desktop\Backup.ps1Īs shown above, the current user has full access to the Backup.ps1 script, meaning additional code can be added to it, which will be executed when the scheduled task runs.įor this example, a reverse shell can be generated using MSFvenom, with the following flags: When executing any of the sysinternals tools for the first time the user will be presented with a GUI pop-up to accept the EULA. The tool can be downloaded from this GitHub repository. This tool will be helpful to identify whether the current user can modify the Backup.ps1 script which is run by the “Backup” scheduled task. The schtasks command will display all of the properties for a given scheduled task, such as the author, the task to run, the frequency etc.ĪccessChk is a command-line tool for viewing the effective permissions on files, registry keys, services, processes, kernel objects, and more. In the example below, the “Backup” scheduled task is running the Backup.ps1 Powershell script every day at 10:00am. Creating or modifying scheduled tasks (only works in older versions of Windows).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |