

title: Windows Privilege Escalation Walkthrough - Windows XP schedtask
categories: [cheatsheets]

tags: [security, windows]

Windows Privilege Escalation Example - Windows XP schtasks

Exploit found by: SandboxEscaper aka Polarbear

Windows Tasks

  • Managed by the Windows Task Scheduler service; schtasks.exe is its command-line client.
  • All tasks are stored as XML files in C:\Windows\System32\Tasks.
  • Legacy tasks are stored in C:\Windows\Tasks in the ".job" format (binary, not XML).

  • Existing task XML files cannot be edited in place: the Task Scheduler stores a hash of the registered task and rejects a file that no longer matches it.

  • Old tasks can be converted to the new format with the old (Windows XP) schtasks.exe and schtasks.dll using the command:

    schtasks.exe /change "OldTask" /RU <user> /RP <password>

This takes the task OldTask from C:\Windows\Tasks and imports it into the new task scheduler.

Basic Exploit Structure

  1) The legacy schtasks.exe uses the RPC call _SchRpcRegisterTask, which is exposed by the Task Scheduler service.

  2) The service impersonates the current user.

  3) In SetJobFileSecurityByName(..), the service impersonates NT AUTHORITY\SYSTEM instead.

  4) This is abused as follows:

     1) Copy the old job file into C:\Windows\Tasks.
     2) Run schtasks.exe /change old /RU /RP.
     3) Delete the newly created task XML file in C:\Windows\System32\Tasks.
     4) Create a hard link at that task's path pointing to the file you want write access to.
     5) Re-execute the schtasks command.
     6) Profit?!
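As an added defensive check (not part of the original note), the PowerShell script below inventories the two on-disk artifacts this technique leaves behind: legacy .job files in C:\Windows\Tasks and task files under C:\Windows\System32\Tasks that carry more than one hard link, which is never the case for a normally registered task. It assumes fsutil.exe is present (it ships with Windows) and that the script runs from an elevated prompt.

```powershell
# Added detection helper, not code from the original note.
# Two artifacts of the schtasks /change technique described above:
#   1. legacy .job files in C:\Windows\Tasks (the only input schtasks /change converts)
#   2. task files in C:\Windows\System32\Tasks that are hard-linked to another file
# Run from an elevated PowerShell prompt; 'fsutil hardlink list' needs admin rights.

$LegacyDir = 'C:\Windows\Tasks'
$TaskDir   = 'C:\Windows\System32\Tasks'

function Get-LegacyJobFiles {
    # .job is the legacy (non-XML) task format; any such file on a modern host deserves a look
    Get-ChildItem -Path $LegacyDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime, Length
}

function Get-HardLinkedTaskFiles {
    Get-ChildItem -Path $TaskDir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        # fsutil prints one volume-relative path per hard link that shares this file's data;
        # a normal task file has exactly one entry (itself)
        $links = @(& fsutil.exe hardlink list $task.FullName 2>$null | Where-Object { $_ -ne '' })
        if ($links.Count -gt 1) {
            [pscustomobject]@{
                Task      = $task.FullName
                LinkCount = $links.Count
                Links     = ($links -join '; ')
            }
        }
    }
}

Write-Host "Legacy .job files in ${LegacyDir}:"
Get-LegacyJobFiles | Format-Table -AutoSize

Write-Host "Task files in ${TaskDir} with more than one hard link:"
Get-HardLinkedTaskFiles | Format-Table -AutoSize
```

A task file reported with LinkCount greater than one should be compared against the other listed paths; a link into a protected system file is the condition the steps above depend on.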

Windows RPC

Get the Windows symbols by executing (symchk is a tool shipped with WinDbg):

    symchk /s srv*c:\symbols*https://msdl.microsoft.com/download/symbols c:\windows\system32\*.dll