Cleanup
I discovered that there is a scheduled task named Cleanup, periodically running in the background.
PS C:\Windows\SysWOW64\inetsrv> schtasks /QUERY /TN Cleanup /V /FO LIST

Folder: \
HostName:                             CONCEAL
TaskName:                             \Cleanup
Next Run Time:                        20/01/2023 11:54:12
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        20/01/2023 11:49:12
Last Result:                          0
Author:                               CONCEAL\Administrator
Task To Run:                          powershell.exe -exec bypass -file c:\admin_checks\checks.ps1
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Destitute
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        Daily
Start Time:                           17:24:12
Start Date:                           26/11/2018
End Date:                             N/A
Days:                                 Every 1 day(s)
Months:                               N/A
Repeat: Every:                        0 Hour(s), 5 Minute(s)
Repeat: Until: Time:                  None
Repeat: Until: Duration:              24 Hour(s), 0 Minute(s)
Repeat: Stop If Still Running:        Disabled

HostName:                             CONCEAL
TaskName:                             \Cleanup
Next Run Time:                        20/01/2023 11:54:12
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        20/01/2023 11:49:12
Last Result:                          0
Author:                               CONCEAL\Administrator
Task To Run:                          powershell.exe -exec bypass -file c:\admin_checks\checks.ps1
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Destitute
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A
The Cleanup scheduled task runs powershell.exe -exec bypass -file c:\admin_checks\checks.ps1 as the Destitute user (-exec bypass lifts the execution policy for that invocation). It has two triggers: once at system startup, and daily from 17:24:12 repeating every 5 minutes for a 24-hour window, which is why it fires roughly every five minutes around the clock.
PS C:\admin_checks> dir

    Directory: C:\admin_checks

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       27/11/2018     16:01                checks
-a----       27/11/2018     16:01            339 checks.ps1

There is a checks subdirectory here as well.

PS C:\admin_checks> cat checks.ps1
# run standard checks
get-childitem -path c:\inetpub\wwwroot\upload\* -ErrorAction SilentlyContinue | Remove-Item -Force -ErrorAction SilentlyContinue
# run one time checks
foreach($check in (get-childitem c:\admin_checks\checks\*.ps1 -File)){
. $check.fullname
$check | Remove-Item -Force -ErrorAction SilentlyContinue
}
The PowerShell script
- deletes everything under c:\inetpub\wwwroot\upload\, the FTP upload directory
- dot-sources (i.e. executes in the current session) every .ps1 file in c:\admin_checks\checks\, then deletes it
This explains why uploaded files were disappearing. But what is the other directory for?
PS C:\admin_checks> dir -Force C:\admin_checks\checks

The c:\admin_checks\checks\ directory is empty, which is consistent with the script deleting every .ps1 it finds there.
PS C:\admin_checks> icacls .\checks.ps1
.\checks.ps1 CONCEAL\Administrator:(I)(RX)
             CONCEAL\Destitute:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

It would appear that the Destitute user is unable to modify the script: both ACEs are inherited (I) from the parent directory and grant only read and execute (RX), with no write or modify rights.
PS C:\admin_checks> schtasks /RUN /TN Cleanup
SUCCESS: Attempted to run the scheduled task "Cleanup".
PS C:\admin_checks> schtasks /END /TN Cleanup
SUCCESS: The scheduled task "Cleanup" has been terminated successfully.

But apparently I can start and terminate the task.
Can I change the “Task To Run” attribute too?
C:\admin_checks>schtasks /CHANGE /TN Cleanup /TR "C:\tmp\pe.exe"
Please enter the run as password for Destitute:
Oh my gawd
The VPN password did not work: no password reuse. I also tried cracking the current user's NTLMv2 hash, but Hashcat failed to crack it.
It doesn't matter though, since this task runs with the privileges of the Destitute user. Even if I were to change the "Task To Run", I would never have been able to escalate privileges this way.
Dead end.
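The inspection above (task to run, run-as user, ACL on the script) is the check worth repeating for every task on a host, not just the one that happens to be noisy. The following is an added example written for this edit, not code from the original write-up: it walks every enabled scheduled task, extracts the binary or .ps1 the action executes plus its parent directory, tests whether the current token is granted write access to either, and flags whether the run-as principal differs from the current user. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and that a DACL inspection is sufficient; the function names Test-WriteAccess and Get-TaskWriteTargets are my own.

```powershell
# Added example for this write-up (not the original author's code): automates the manual
# inspection of the Cleanup task for every task on the host. For each enabled task it reports
# the run-as principal, the binary or .ps1 the action runs plus its parent directory, and
# whether the current token is granted write access to either. Escalation is only possible
# when a writable target belongs to a task that runs as someone other than the current user.
# Assumptions: the ScheduledTasks module (Windows 8 / Server 2012 or later) is available and a
# DACL inspection is good enough (owner rights, SACLs and share permissions are not modelled).

$currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# SIDs the current token carries: the user's own SID plus every group SID.
$mySids = @($currentIdentity.User.Value) + @($currentIdentity.Groups | ForEach-Object { $_.Value })
$currentUser = "$env:USERDOMAIN\$env:USERNAME"

# Rights that let a principal replace or alter what the task will execute.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, AppendData'

function Test-WriteAccess {
    param([string]$Path)
    # $true when an Allow ACE for one of our SIDs carries write bits and no Deny ACE revokes them.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $mine = $acl.Access | Where-Object {
        try { $mySids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $false }   # orphaned SID that cannot be resolved: ignore the ACE
    }
    $grantsWrite = { param($ace) ([int]($ace.FileSystemRights -band $writeMask)) -ne 0 }
    if ($mine | Where-Object { $_.AccessControlType -eq 'Deny'  -and (& $grantsWrite $_) }) { return $false }
    return [bool]($mine | Where-Object { $_.AccessControlType -eq 'Allow' -and (& $grantsWrite $_) })
}

function Get-TaskWriteTargets {
    # One record per (task, action, target path) for every enabled task with a file-based action.
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        $runAs = $task.Principal.UserId
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler action: nothing on disk to inspect
            $target = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            # For "powershell.exe -file <script>" the script, not powershell.exe, is what an attacker would replace.
            if ($action.Arguments -and $action.Arguments -match '-f(ile)?\s+"?([^"\s]+\.ps1)') {
                $target = $Matches[2]
            }
            $candidates = @($target, (Split-Path -Parent $target)) | Where-Object { $_ }
            foreach ($path in $candidates) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    RunAs     = $runAs
                    Target    = $path
                    Writable  = Test-WriteAccess -Path $path
                    # True only when a different principal runs the task; the same user as us gains nothing.
                    Escalates = [bool]$runAs -and ($runAs -ne $env:USERNAME) -and ($runAs -ne $currentUser)
                }
            }
        }
    }
}

# Only the interesting rows: targets we can write to. Escalates=False is exactly the Cleanup situation.
Get-TaskWriteTargets | Where-Object { $_.Writable } | Sort-Object Escalates -Descending | Format-Table -AutoSize
```

Run it from the foothold shell; as a non-administrator you will only see the tasks you are allowed to read. For the Cleanup task it reports checks.ps1 as not writable (the two (I)(RX) ACEs above) and Escalates = False, because RunAs is Destitute, the same user the shell runs as. Note that the action line alone understates the attack surface of this task: checks.ps1 dot-sources every .ps1 in c:\admin_checks\checks\, so that directory is a second target, and you can test it directly with Test-WriteAccess -Path 'C:\admin_checks\checks'. Even if it turns out to be writable, anything dropped there runs as Destitute, which is precisely why this path is a dead end here.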