06_ScheduledTasks.ps1
function Invoke-ScheduledTasksImagePermissionsCheck {
    <#
    .SYNOPSIS
    Enumerates scheduled tasks whose command line references a modifiable path

    Author: @itm4n
    License: BSD 3-Clause

    .DESCRIPTION
    Takes the tasks returned by Get-ScheduledTaskList, keeps those whose CurrentUserIsOwner property is not set, and passes each task's 'Command' value to Get-ModifiablePath. Every result that carries a non-empty ModifiablePath is reported as a copy of the task object extended with the ModifiablePath, IdentityReference and Permissions properties. A task with several modifiable paths therefore yields several output objects.

    .EXAMPLE
    PS C:\> Invoke-ScheduledTasksImagePermissionsCheck

    TaskName           : DummyTask
    TaskPath           : \CustomTasks\DummyTask
    TaskFile           : C:\Windows\System32\Tasks\CustomTasks\DummyTask
    RunAs              : NT AUTHORITY\SYSTEM
    Command            : C:\APPS\MyTask.exe
    CurrentUserIsOwner : False
    ModifiablePath     : C:\APPS\
    IdentityReference  : NT AUTHORITY\Authenticated Users
    Permissions        : {Delete, WriteAttributes, Synchronize, ReadControl...}

    .NOTES
    A finding means that the identity shown in IdentityReference holds the listed permissions on a path used by a task that runs as the RunAs principal. The usual remediation is to tighten the ACL on the reported file or directory so that only administrative principals can write to it.
    How CurrentUserIsOwner is computed is decided by Get-ScheduledTaskList, which is defined outside this function.
    #>

    [CmdletBinding()] Param()

    # The three properties copied from each Get-ModifiablePath result onto the reported task.
    $FindingProperties = "ModifiablePath", "IdentityReference", "Permissions"

    Get-ScheduledTaskList | Where-Object { -not $_.CurrentUserIsOwner } | ForEach-Object {

        $Task = $_

        $Task.Command | Get-ModifiablePath | ForEach-Object {

            $Finding = $_

            # Skip null results and results that do not name a modifiable path.
            if (-not $Finding) { return }
            if ([String]::IsNullOrEmpty($Finding.ModifiablePath)) { return }

            # Work on a copy so that the task object itself is left untouched and
            # each finding gets its own output object.
            $Report = $Task.PsObject.Copy()
            foreach ($PropertyName in $FindingProperties) {
                $Report | Add-Member -MemberType "NoteProperty" -Name $PropertyName -Value $Finding.$PropertyName
            }
            $Report
        }
    }
}
function Invoke-ScheduledTasksUnquotedPathCheck {
    <#
    .SYNOPSIS
    Enumerates scheduled tasks with an exploitable unquoted path

    Author: @itm4n
    License: BSD 3-Clause

    .DESCRIPTION
    Takes the tasks returned by Get-ScheduledTaskList, keeps those whose CurrentUserIsOwner property equals $false, and passes each task's 'Command' value to Get-ExploitableUnquotedPath. Every result is reported as a copy of the task object extended with the ModifiablePath, IdentityReference and Permissions properties. Note that, as a low privileged user, not all the tasks are visible.

    .EXAMPLE
    PS C:\> Invoke-ScheduledTasksUnquotedPathCheck

    TaskName           : VulnTask
    TaskPath           : \CustomTasks\VulnTask
    TaskFile           : C:\WINDOWS\System32\Tasks\CustomTasks\VulnTask
    RunAs              : NT AUTHORITY\SYSTEM
    Command            : C:\APPS\Custom Tasks\task.exe
    CurrentUserIsOwner : False
    ModifiablePath     : C:\APPS
    IdentityReference  : NT AUTHORITY\Authenticated Users
    Permissions        : {Delete, WriteAttributes, Synchronize, ReadControl...}

    .NOTES
    A finding means that the task command is not quoted, contains a space, and has an intermediate directory on which the identity shown in IdentityReference holds the listed permissions. The usual remediation is to quote the executable path in the task action and to restrict write access on the reported directory to administrative principals.
    The unquoted-path analysis itself is done by Get-ExploitableUnquotedPath, which is defined outside this function.
    #>

    [CmdletBinding()] Param()

    # The three properties copied from each Get-ExploitableUnquotedPath result onto the reported task.
    $FindingProperties = "ModifiablePath", "IdentityReference", "Permissions"

    Get-ScheduledTaskList | Where-Object { $_.CurrentUserIsOwner -eq $false } | ForEach-Object {

        $Task = $_

        Get-ExploitableUnquotedPath -Path $Task.Command | ForEach-Object {

            $Finding = $_

            # Work on a copy so that the task object itself is left untouched and
            # each finding gets its own output object.
            $Report = $Task.PsObject.Copy()
            foreach ($PropertyName in $FindingProperties) {
                $Report | Add-Member -MemberType "NoteProperty" -Name $PropertyName -Value $Finding.$PropertyName
            }
            $Report
        }
    }
}