Sunday, May 27, 2012

Fun with Sticky Keys, Utilman and Powershell

Recently, carnal0wnage and mubix blogged about sticky keys. I have implemented this in Kautilya and found this usefult during many internal penetration tests.

I thought of playing more with this and using this is as something more useful and powerful. I started using powershell as debugger for sethc.exe and no points for guessing this is what I get when I pressed shift 5 times (or Left Alt + Left Shift + PrntScr for that matter).


So powershell is getting executed but there is no interactive prompt (I have not looked into the reason for this). I tried executing a simple script (which calls calc.exe) by setting it as a debuuger to sethc.exe. I have to call powershell from cmd as without cmd powershell was throwing some errors.


and the result was


Wow the legendary calc is here!! Keep in mind that if you use any environment variable for path of your powershell script, it would not be same for different user profile. For example, in the above if you use %temp%\calc.ps1 as path of the script, on an unlocked system that would be Temp directory of currently logged in user "C:\Users\\AppData\Local\Temp\calc.ps1". But when the machine is locked %temp% would be "C:\Windows\Temp", because of SYSTEM profile will access it. Keep that in mind while testing.

So, I was able to call the powershell script. This means if you are able to drop a script on victim and set powershell with proper arguments as a debugger to sethc.exe (or utilman.exe), you can execute the script with SYSTEM privilege.

What if I can somehow download and execute a meterpreter executable on the victim? Yes it is quite easy using this powershell one liner.



This looks good, a meterpreter executable downloaded and executed on a locked machine! But pulling a meterpreter executable on a machine is not a good idea for obvious reasons. Why not pulling a powershell script which can execute code in memory? Yes I am talking about Matt's work from his blog Exploit Monday.


So what we have now? A powershell command which executes meterpreter from memory, set as debugger to sethc.exe which gets executed with SYSTEM level privilege. Wow!!

But is this over yet? Let's play more :) How to maintain access to the machine? Using persistence and other methods available with meterpreter is one option. I would like to use a little more powershell here.

Let's do this. Our powershell one liner will download another script (let's say payload.ps1). Payload.ps1 will keep polling a tinypaste id in an interval of one hour (or less) and would download and execute whatever powershell script is present there. So let's set our sethc.exe or Utilman.exe Debugger to below.

using this


and now the result is


So what we have now is a payload which uses tinypaste as its C&C thingy and executes powershell scripts there with SYSTEM privilege :D

This is quite similar to my unpublished work called Maareech which is a sort of automated domain takeover tool in powershell.

payload.ps1 is the following powershell script. I know its ugly, I am still learning to write clean powershell scripts.


The payload, which polls tinypaste after given interval is very similar to "Time based execution" payload of Kautilya (just one line is different) but still for sake of usage, will be added as "Externally controlled payload" in some upcoming version of Kautilya.

Hope you enjoyed this. Feedback and suggestions are welcome.

11 comments:

  1. hi, i'm a student.
    In the past i've read about privilege escalation hacks using combo keys like win + u and now i want to try your funny game described in this post. So in my lock screen i've pressed five times the left shift key and i obtained only a popups that says me if i want to enable a "key filter". Then i've pressed left alt + left shift + print screen keys and another popups about contrast of color appears on the screen :(
    what have i wrong ? what it is that i have not understand ?
    thz !

    ReplyDelete
  2. Hi Break,

    Try using simple "cmd.exe" as debugger. If that works check if you have entered the Debugger string right. Just to check, also try setting the registry key manually using regedit. Hope this helps.

    ReplyDelete
  3. thanks, now it's works !
    same time ago i've used a similar hack to recover the domain administrator password of win2k3 pdc and it's worked fine !
    I love this kind of privilege escalation, it's funny and easy!

    best regards

    ReplyDelete
  4. Hi!
    First of all congratulations on your great project!
    I've a teensy 2.0 and for windows everything worked perfectly fine.

    However I've set up OS X Mountain Lion in vmware and when I connect the teensy to the machine it writes all its commands in the finder window (located upper right) without opening the terminal.
    Have you ever encountered a similar problem?

    I use the shell_reverse_tcp payload generated with kautilya 0.4.2.

    In Arduino my settings are:
    USB Type DiskInternal + Keyboard
    Keyboard Layout German(Mac)

    ReplyDelete
    Replies
    1. Thanks.

      Seems like a problem with German keyboard layout. Try using a US Keyboard on Mac and see if it works. Unfortunately, Kautilya is tested only on US keyboard layout. Please let me know if this helps.

      Delete
  5. Wow, I would love to see this as a single payload, downloading and executing a meterpreter with system level privileges. By locked, do you mean on the login page? If so, this would be extremely powerful. Please add it to Kautilya.

    ReplyDelete
  6. Wow, I would love to see this as a single payload, downloading and executing a meterpreter with system level privileges. By locked, do you mean on the login page? If so, this would be extremely powerful. Please add it to Kautilya. This time I this posted on my Google account so I can be notified of a reply.

    ReplyDelete
    Replies
    1. This is already available with Kauitlya.

      Delete
    2. Does it work on the sign in screen? Is that what you mean by locked? Also, what is the payloads name?

      Delete
    3. For the HID to be able to type the payload the machine must be unlocked. On a locked screen, the payload can be triggered.

      Delete
  7. I wanted to know, how to open a webpage on a default browser of the target machine and then keylog whatever they type like their username and password. Please help.

    ReplyDelete