Backup


Looking around the file system during manual enumeration:

PS C:\> ls
 
 
    Directory: C:\
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         7/20/2020   7:08 AM                Backup                                                               
d-----         12/7/2019   1:14 AM                PerfLogs                                                             
d-r---          5/4/2022   1:06 AM                Program Files                                                        
d-r---         12/3/2021   8:22 AM                Program Files (x86)                                                  
d-----          2/7/2025   3:14 PM                tmp                                                                  
d-r---         12/3/2021   8:29 AM                Users                                                                
d-----          5/4/2022   1:52 AM                Windows                                                              
d-----          2/7/2025   3:26 PM                xampp                                                                
-a----          2/7/2025  10:17 AM           2659 output.txt

There is an interesting directory: C:\Backup

PS C:\> cd Backup ; ls
 
 
    Directory: C:\Backup
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         6/12/2020   7:45 AM          11304 backup.txt                                                           
-a----         6/12/2020   7:45 AM             73 info.txt                                                             
-a----         6/23/2020   7:49 PM          73802 TFTP.EXE                                                             

There are 3 files:

backup.txt


PS C:\Backup> cat backup.txt
AudMig: Device Ids match - {2}.\\?\hdaudio#func_01&ven_15ad&dev_1975&subsys_15ad1975&rev_1001#5&217be3d6&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\elineouttopo/00010001 {2}.\\?\hdaudio#func_01&ven_15ad&dev_1975&subsys_15ad1975&rev_1001#5&217be3d6&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\elineouttopo/00010001
AudMig: Migrated {a45c254e-df1c-4efd-8020-67d146a850e0},2 property at 1
AudMig: Migrated {9637b4b9-11ee-4c35-b43c-7b2452c993cc},1 property at 7
AudMig: Migrated {259abffc-50a7-47ce-af08-68c9a7d73366},12 property at 12
AudMig: Migrated {24dbb0fc-9311-4b3d-9cf0-18ff155639d4},1 property at 31
AudMig: Migrated {f19f064d-082c-4e27-bc73-6882a1bb8e4c},0 property at 32
AudMig: Migrated {b3f8fa53-0004-438e-9003-51a46e139bfc},0 property at 33
AudMig: Migrated {6737016f-5360-48ee-af05-e616c8ff27a7},2 property at 44
AudMig: Migrated {fd8a7b27-0b18-4025-ab1c-bdd6b32e1604},2 property at 45
AudMig: Migrated {908dba32-edff-4c28-8e45-c918561f6748},2 property at 46
AudMig: Migrated {913bc9a7-624b-4a30-96ac-5064a9fc6589},2 property at 47
AudMig: Migrated {a45429a4-aa63-4480-b7f8-3f2552daee93},2 property at 48
AudMig: Migrated {a45429a4-aa63-4480-b7f8-3f2552daee93},3 property at 49
AudMig: Migrated {a45429a4-aa63-4480-b7f8-3f2552daee93},4 property at 50
AudMig: Migrated {a45429a4-aa63-4480-b7f8-3f2552daee93},5 property at 51
AudMig: Migrated {a45429a4-aa63-4480-b7f8-3f2552daee93},6 property at 52
AudMig: Migrating role and device state from SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{581858CA-F58C-4A6C-951D-175D8D8ABEF8} to SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{DE259CA3-E0C9-415C-9A3E-836FE64A064A}
AudMig: Device Ids match - {2}.\\?\hdaudio#func_01&ven_15ad&dev_1975&subsys_15ad1975&rev_1001#5&217be3d6&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\emicintopo/00010001 {2}.\\?\hdaudio#func_01&ven_15ad&dev_1975&subsys_15ad1975&rev_1001#5&217be3d6&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\emicintopo/00010001
AudMig: Migrated {a45c254e-df1c-4efd-8020-67d146a850e0},2 property at 1
AudMig: Migrated {9637b4b9-11ee-4c35-b43c-7b2452c993cc},1 property at 7
AudMig: Migrated {259abffc-50a7-47ce-af08-68c9a7d73366},12 property at 12
AudMig: Migrated {f19f064d-082c-4e27-bc73-6882a1bb8e4c},0 property at 33
AudMig: Migrated {b3f8fa53-0004-438e-9003-51a46e139bfc},0 property at 36
AudMig: Migrating role and device state from SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{131E1481-E5E4-439E-BECB-5C4D2CA746FF} to SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{B1597C56-9B62-4E71-A707-F9FB2E4C4FDB}
2020-06-11 07:22:46, Info                  MIG    MigHost started with command line: {5EFEA7CB-6DA7-42D7-9285-C9F14B94B937} /InitDoneEvent:MigHost.{5EFEA7CB-6DA7-42D7-9285-C9F14B94B937}.Event /ParentPID:9040
2020-06-11 07:22:46, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:22:46, Info                  MIG    MigHost: Initialized successfully with CLSID[{5EFEA7CB-6DA7-42D7-9285-C9F14B94B937}] and LogDir=[]
2020-06-11 07:22:46, Info                  MIG    MigHost: CMigPluginSurrogate::LoadDllServer in progress: BinaryPath=[C:\$WINDOWS.~BT\Sources\ReplacementManifests\Microsoft-Windows-RasServer-MigPlugin\RasMigPlugin.dll], CLSID=[{D26AA4A5-92AD-48DB-8D59-95EF0DCE6939}], ApartmentThreadingModel=[0].
2020-06-11 07:22:46, Info                  MIG    MigHost: CMigPluginSurrogate::COMGenericThreadingHostThreadProc: ThreadID=[0xbc], Server=[C:\$WINDOWS.~BT\Sources\ReplacementManifests\Microsoft-Windows-RasServer-MigPlugin\RasMigPlugin.dll], CLSID=[{D26AA4A5-92AD-48DB-8D59-95EF0DCE6939}], ApartmentThreadingModel=[0]
2020-06-11 07:22:46, Info                  MIG    MigHost: CMigPluginSurrogate::LoadAndRegisterServerInThreadContext: Loaded server(C:\$WINDOWS.~BT\Sources\ReplacementManifests\Microsoft-Windows-RasServer-MigPlugin\RasMigPlugin.dll)
2020-06-11 07:22:46, Info                  MIG    MigHost: CMigPluginSurrogate::LoadAndRegisterServerInThreadContext: Successfully loaded and registered server(C:\$WINDOWS.~BT\Sources\ReplacementManifests\Microsoft-Windows-RasServer-MigPlugin\RasMigPlugin.dll)
2020-06-11 07:22:46, Info                  MIG    MigHost: CMigPluginSurrogate::COMGenericThreadingHostThreadProc: LoadAndRegisterServerInThreadContext() succeeded.
2020-06-11 07:22:46, Info                  MIG    MigHost: CMigPluginSurrogate::LoadDllServer finished: Result=[0x0].
2020-06-11 07:22:46, Info                  MIG    MigHost: CMigPluginSurrogate::COMGenericThreadingHostThreadProc: Exiting ThreadID=[0xbc].
2020-06-11 07:22:46, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:37:00, Info                  MIG    MigHost started with command line: {E18CA047-3CAB-424D-A619-6908221CC4EF} /InitDoneEvent:MigHost.{E18CA047-3CAB-424D-A619-6908221CC4EF}.Event /ParentPID:9040
2020-06-11 07:37:00, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:37:00, Info                  MIG    MigHost: Initialized successfully with CLSID[{E18CA047-3CAB-424D-A619-6908221CC4EF}] and LogDir=[]
2020-06-11 07:37:05, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:37:05, Info                  MIG    MigHost started with command line: {677D78AB-57DF-4334-A17D-9CE0FF827824} /InitDoneEvent:MigHost.{677D78AB-57DF-4334-A17D-9CE0FF827824}.Event /ParentPID:9040
2020-06-11 07:37:05, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:37:05, Info                  MIG    MigHost: Initialized successfully with CLSID[{677D78AB-57DF-4334-A17D-9CE0FF827824}] and LogDir=[]
2020-06-11 07:37:05, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:37:07, Info                  MIG    MigHost started with command line: {782DCFA7-4D34-49D1-BA8C-9AFDCA518581} /InitDoneEvent:MigHost.{782DCFA7-4D34-49D1-BA8C-9AFDCA518581}.Event /ParentPID:9040
2020-06-11 07:37:07, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:37:07, Info                  MIG    MigHost: Initialized successfully with CLSID[{782DCFA7-4D34-49D1-BA8C-9AFDCA518581}] and LogDir=[]
2020-06-11 07:37:09, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:37:09, Info                  MIG    MigHost started with command line: {C48597B6-CCD1-40C5-8713-C2AC75ED834C} /InitDoneEvent:MigHost.{C48597B6-CCD1-40C5-8713-C2AC75ED834C}.Event /ParentPID:9040
2020-06-11 07:37:09, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:37:09, Info                  MIG    MigHost: Initialized successfully with CLSID[{C48597B6-CCD1-40C5-8713-C2AC75ED834C}] and LogDir=[]
2020-06-11 07:37:09, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:37:12, Info                  MIG    MigHost started with command line: {12A6A024-3D17-4D0C-BD70-4B4C6BDF7483} /InitDoneEvent:MigHost.{12A6A024-3D17-4D0C-BD70-4B4C6BDF7483}.Event /ParentPID:9040
2020-06-11 07:37:12, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:37:12, Info                  MIG    MigHost: Initialized successfully with CLSID[{12A6A024-3D17-4D0C-BD70-4B4C6BDF7483}] and LogDir=[]
2020-06-11 07:37:15, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:37:15, Info                  MIG    MigHost started with command line: {A1B4EC9A-EFF0-4A74-A121-CEAFA75DFC70} /InitDoneEvent:MigHost.{A1B4EC9A-EFF0-4A74-A121-CEAFA75DFC70}.Event /ParentPID:9040
2020-06-11 07:37:15, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:37:15, Info                  MIG    MigHost: Initialized successfully with CLSID[{A1B4EC9A-EFF0-4A74-A121-CEAFA75DFC70}] and LogDir=[]
2020-06-11 07:37:15, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:37:18, Info                  MIG    MigHost started with command line: {B09CB74E-6465-4D26-9962-5B4CFFAD352C} /InitDoneEvent:MigHost.{B09CB74E-6465-4D26-9962-5B4CFFAD352C}.Event /ParentPID:9040
2020-06-11 07:37:18, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:37:18, Info                  MIG    MigHost: Initialized successfully with CLSID[{B09CB74E-6465-4D26-9962-5B4CFFAD352C}] and LogDir=[]
2020-06-11 07:37:26, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:37:26, Info                  MIG    MigHost started with command line: {D818C1A1-E0FF-4744-B1F4-8E69AA4581A2} /InitDoneEvent:MigHost.{D818C1A1-E0FF-4744-B1F4-8E69AA4581A2}.Event /ParentPID:9040
2020-06-11 07:37:26, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:37:26, Info                  MIG    MigHost: Initialized successfully with CLSID[{D818C1A1-E0FF-4744-B1F4-8E69AA4581A2}] and LogDir=[]
2020-06-11 07:37:26, Info                  MIG    MigHost: Exiting process.
2020-06-11 07:43:50, Info                  MIG    MigHost started with command line: {348C9C1D-D6A5-42E2-87EE-5DF53E8FA05B} /InitDoneEvent:MigHost.{348C9C1D-D6A5-42E2-87EE-5DF53E8FA05B}.Event /ParentPID:8220
2020-06-11 07:43:50, Info                  MIG    MigHost: CMigPluginSurrogate::Init: Successfully initialized surrogate.
2020-06-11 07:43:50, Info                  MIG    MigHost: Initialized successfully with CLSID[{348C9C1D-D6A5-42E2-87EE-5DF53E8FA05B}] and LogDir=[]
2020-06-11 07:43:50, Info                  MIG    MigHost: CMigPluginSurrogate::LoadDllServer in progress: BinaryPath=[C:\$WINDOWS.~BT\Sources\ReplacementManifests\Microsoft-Windows-RasServer-MigPlugin\RasMigPlugin.dll], CLSID=[{D26AA4A5-92AD-48DB-8D59-95EF0DCE6939}], ApartmentThreadingModel=[0].
2020-06-11 07:43:50, Info                  MIG    MigHost: CMigPluginSurrogate::COMGenericThreadingHostThreadProc: ThreadID=[0x1df8], Server=[C:\$WINDOWS.~BT\Sources\ReplacementManifests\Microsoft-Windows-RasServer-MigPlugin\RasMigPlugin.dll], CLSID=[{D26AA4A5-92AD-48DB-8D59-95EF0DCE6939}], ApartmentThreadingModel=[0]
2020-06-11 07:43:50, Info                  MIG    MigHost: CMigPluginSurrogate::LoadAndRegisterServerInThreadContext: Loaded server(C:\$WINDOWS.~BT\Sources\ReplacementManifests\Microsoft-Windows-RasServer-MigPlugin\RasMigPlugin.dll)
2020-06-11 07:43:50, Info                  MIG    MigHost: CMigPluginSurrogate::LoadAndRegisterServerInThreadContext: Successfully loaded and registered server(C:\$WINDOWS.~BT\Sources\ReplacementManifests\Microsoft-Windows-RasServer-MigPlugin\RasMigPlugin.dll)
2020-06-11 07:43:50, Info                  MIG    MigHost: CMigPluginSurrogate::COMGenericThreadingHostThreadProc: LoadAndRegisterServerInThreadContext() succeeded.
2020-06-11 07:43:50, Info                  MIG    MigHost: CMigPluginSurrogate::LoadDllServer finished: Result=[0x0].
2020-06-11 07:43:50, Info                  MIG    MigHost: CMigPluginSurrogate::COMGenericThreadingHostThreadProc: Exiting ThreadID=[0x1df8].
2020-06-11 07:43:50, Info                  MIG    MigHost: Exiting process.

This appears to be a log captured during an in-place Windows upgrade or migration: the AudMig lines cover audio device settings migration and the MigHost lines record the migration plugin host loading RasMigPlugin.dll. No notable information found.

info.txt


PS C:\Backup> cat info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt

It seems there is a scheduled task that runs C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt every 5 minutes.

PS C:\Backup> icacls .
. BUILTIN\Users:(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)
  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
 
PS C:\Backup> icacls .\TFTP.EXE
.\TFTP.EXE BUILTIN\Users:(I)(F)
           BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           NT AUTHORITY\Authenticated Users:(I)(M)

The current user is able to modify the current directory as well as the TFTP.EXE file: BUILTIN\Users has an explicit (F) entry on C:\Backup, and Authenticated Users has (M) on both the directory and the binary. If there is indeed a scheduled task running with higher privileges, I can escalate privileges by hijacking the binary.
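Added example (not from the original writeup): a small Python audit that parses the two icacls listings above and flags ACEs that give low-privilege principals write rights on the scheduled task's directory and binary, which is the check a defender would want to automate across all scheduled-task targets. The icacls text is embedded as constructed sample input copied from the listings; the set of "low-privilege" principals and the write-capable right codes are my assumptions based on the abbreviations icacls documents.

```python
"""Audit icacls output for ACEs that let low-privilege principals modify a path."""
import re

# Constructed sample input: the icacls output for C:\Backup and TFTP.EXE from the listings above.
ICACLS_DIR = "\n".join([
    r". BUILTIN\Users:(OI)(CI)(F)",
    r"  BUILTIN\Administrators:(I)(OI)(CI)(F)",
    r"  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    r"  BUILTIN\Users:(I)(OI)(CI)(RX)",
    r"  NT AUTHORITY\Authenticated Users:(I)(M)",
    r"  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)",
])
ICACLS_EXE = "\n".join([
    r".\TFTP.EXE BUILTIN\Users:(I)(F)",
    r"           BUILTIN\Administrators:(I)(F)",
    r"           NT AUTHORITY\SYSTEM:(I)(F)",
    r"           NT AUTHORITY\Authenticated Users:(I)(M)",
])

# icacls inheritance/flag tokens that are not access rights.
INHERITANCE = {"OI", "CI", "IO", "NP", "I"}
# Rights that allow changing or replacing the object (assumption: icacls' documented codes).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Principals any local user is likely to belong to (assumption; extend per environment).
LOW_PRIV = {
    "builtin\\users", "nt authority\\authenticated users", "everyone",
    "nt authority\\interactive", "builtin\\guests",
}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_icacls(text):
    """Parse the icacls output for ONE path into a list of ACE dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    first = lines[0]
    # icacls indents continuation lines by len(path)+1 spaces; using that width recovers
    # the path boundary even when the path or the principal name contains spaces.
    if len(lines) > 1:
        indent = len(lines[1]) - len(lines[1].lstrip(" "))
        path, rest = first[:indent - 1], first[indent:]
    else:
        path, _, rest = first.partition(" ")
    entries = []
    for ace_text in [rest] + [ln.strip() for ln in lines[1:]]:
        m = ACE_RE.match(ace_text)
        if not m:
            continue  # skip trailers such as "Successfully processed 1 files"
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            tokens.extend(t.strip() for t in group.split(","))  # handles granular "(RX,W)"
        entries.append({
            "path": path,
            "principal": m.group("principal").strip(),
            "inherited": "I" in tokens,
            "inherit_only": "IO" in tokens,
            "rights": {t for t in tokens if t not in INHERITANCE},
        })
    return entries


def find_weak_aces(entries, principals=LOW_PRIV):
    """Return ACEs that grant a low-privilege principal write-capable rights on the object itself."""
    weak = []
    for e in entries:
        if e["principal"].lower() not in principals:
            continue
        if e["inherit_only"]:
            continue  # (IO) only propagates to children; it grants nothing on this object
        if e["rights"] & WRITE_RIGHTS:
            weak.append(e)
    return weak


def assess_hijack_risk(dir_output, exe_output):
    """Summarise whether a task's directory or binary can be replaced by a low-privilege user."""
    dir_weak = find_weak_aces(parse_icacls(dir_output))
    exe_weak = find_weak_aces(parse_icacls(exe_output))
    return {
        "directory_writable": bool(dir_weak),
        "binary_writable": bool(exe_weak),
        "principals": sorted({e["principal"] for e in dir_weak + exe_weak}),
    }


if __name__ == "__main__":
    report = assess_hijack_risk(ICACLS_DIR, ICACLS_EXE)
    for key, value in report.items():
        print(f"{key}: {value}")
    for e in find_weak_aces(parse_icacls(ICACLS_DIR)):
        origin = "inherited" if e["inherited"] else "explicit"
        print(f"  {e['path']}: {e['principal']} {sorted(e['rights'])} ({origin})")
```

Run against every path a scheduled task executes (Get-ScheduledTask | Select -Expand Actions gives the Execute paths) and either finding is a hardening item: the binary and its parent directory should be owned by Administrators with only read/execute for Users, and the explicit (OI)(CI)(F) grant to BUILTIN\Users on the directory is the entry that deserves removal first because it is not inherited from C:\.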