
Windows Version

Open C9H13NO3 opened this issue 2 years ago • 3 comments

I have a need to test applocker bypass techniques but limited time to set up an environment and came across this. I know it's a few years old, do you know what version of Windows 10 you were using when running this? The link pulls down 1809 and whilst it seems to work, I got errors running the ps1 script.... they were too quick to capture, will rerun and look to update if I can capture them in a log file.

Users have been created, restricted1 and kiosk2 behave as expected by running scripts and logging off once done, just don't know if the errors in running the initial ps1 script will cause me issues further down the line?

C9H13NO3 avatar Jul 14 '22 14:07 C9H13NO3

PS C:\Windows\system32> C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1
[+] Disabling Notification Centre
[+] Disabling Windows Defender
[+] Disabling SmartScreen
[+] Disabling Windows Update
[+] Disabling AutoLogin for Admin
[+] Disabling Sign-in Animation
[+] Setting UI to Best Performance
[+] Creating NoApplocker group
[+] Fixing Applocker Services
[+] Starting AppIDSvc service
[+] Applying AppLocker Policy
[+] Adding restricted1 and restricted2 users to NoAppLocker group
[+] Invoking restricted2
[+] Applying restrictions to restricted2
reg : ERROR: The parameter is incorrect.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:399 char:1
reg add HKU$RestrictedSID\Software\Microsoft\Windows\CurrentVersion\ ...
CategoryInfo : NotSpecified: (ERROR: The parameter is incorrect.:String) [], RemoteException
FullyQualifiedErrorId : NativeCommandError
reg : ERROR: The parameter is incorrect.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:400 char:1
reg add HKU$RestrictedSID\Software\Microsoft\Windows\CurrentVersion\ ...
CategoryInfo : NotSpecified: (ERROR: The parameter is incorrect.:String) [], RemoteException
FullyQualifiedErrorId : NativeCommandError
[+] Adding Kiosk1 and Kiosk2 users to NoAppLocker group
[+] Invoking Kiosk1
[+] Applying kiosk lockdown to kiosk1
New-Item : The registry key at the specified path does not exist.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:420 char:1
New-Item -Path HKU:$KioskSID1\Software\Microsoft\Windows\CurrentVers ...
+ CategoryInfo : InvalidArgument: (HKEY_USERS\S-1-...ersion\Policies:String) [New-Item], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.NewItemCommand
Set-ItemProperty : Cannot find path 'HKU:\S-1-5-21-3461203602-4096304019-2269080069-1008\Software\Microsoft\Windows\CurrentVersion\Policies\System' because it does not exist.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:421 char:1
Set-ItemProperty -Path HKU:$KioskSID1\Software\Microsoft\Windows\Cur ...
+ CategoryInfo : ObjectNotFound: (HKU:\S-1-5-21-3...Policies\System:String) [Set-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetItemPropertyCommand
[+] Creating onlogon scheduled task for restricted1 and kiosk2
[+] Invoking lowpriv
[+] Adding lowpriv to NoAppLocker group
[+] Creating folder structures for vulnerable services
[+] Applying folder restrictions to 'Vuln Folder 1' and 'VulnFolder3'
[+] Creating vulnerable services
[+] Modifying permissions on vulnService3
[+] Inserting password in registry
[+] Creating Unattend folder and file
[+] Creating folder structure for vulnerable scheduled task
[+] Creating mock log files
[+] Creating sample FTP config file
[+] Creating vulnerable scheduled task
[+] Enabling AlwaysInstallElevated registry key
New-Item : The registry key at the specified path does not exist.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:680 char:1
New-Item -Path HKU:$LowprivSID\SOFTWARE\Policies\Microsoft\Windows\I ...
CategoryInfo : InvalidArgument: (HKEY_USERS\S-1-...crosoft\Windows:String) [New-Item], ArgumentException
FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.NewItemCommand
Set-ItemProperty : Cannot find path 'HKU:\S-1-5-21-3461203602-4096304019-2269080069-1010\SOFTWARE\Policies\Microsoft\Windows\Installer' because it does not exist.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:681 char:1
Set-ItemProperty -Path HKU:$LowprivSID\SOFTWARE\Policies\Microsoft\W ...
CategoryInfo : ObjectNotFound: (HKU:\S-1-5-21-3...ndows\Installer:String) [Set-ItemProperty], ItemNotFoundException
FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetItemPropertyCommand
[+] Renaming IEUser to Admin and changing password to '123'
[+] Done

C9H13NO3 avatar Jul 14 '22 14:07 C9H13NO3

Tried a Windows 10 Pro 1607 as that was released same time as script, downloaded an ISO and set up as a new install with the default user being IEUser so the script would work without updating, that actually has more issues; same registry ones plus some wmic ones, so VM looks best option.... just need to figure out the registry key issues

C9H13NO3 avatar Jul 14 '22 15:07 C9H13NO3

Fixed... sort of! The reg add/new-item lines don't work until the SID exists in HKU; which doesn't happen until a user logs on, so ran the setup script, logged on as every user and then reran the lines that failed.

C9H13NO3 avatar Jul 15 '22 17:07 C9H13NO3
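
The cause described in the last comment (a user's `HKU\<SID>` hive is only mounted while that user is logged on) can also be handled by mounting the hive from the profile's `NTUSER.DAT` before writing to it. The following is an added example, not part of the original thread or of the setup script; `Set-UserHiveValue` and its parameters are hypothetical names, and it assumes the account already has a profile on disk.

```powershell
#Requires -RunAsAdministrator
# Added example: Set-UserHiveValue is a hypothetical helper, not code from the setup script.
function Set-UserHiveValue {
    param(
        [Parameter(Mandatory)][string]$UserName,  # local account name, e.g. kiosk1
        [Parameter(Mandatory)][string]$SubKey,    # key path below HKU\<SID>
        [Parameter(Mandatory)][string]$Name,      # value name
        [Parameter(Mandatory)][int]$Value         # DWORD data
    )
    # Resolve the account name to its SID.
    $sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $hive = "Registry::HKEY_USERS\$sid"
    $mountedHere = $false

    if (-not (Test-Path $hive)) {
        # Hive not mounted, so the user is not logged on: locate the profile on disk.
        $profileKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
        $profilePath = (Get-ItemProperty -Path $profileKey -ErrorAction SilentlyContinue).ProfileImagePath
        $ntuser = if ($profilePath) { Join-Path $profilePath 'NTUSER.DAT' }
        if (-not $ntuser -or -not (Test-Path -LiteralPath $ntuser)) {
            throw "No profile on disk for $UserName ($sid); the account has to log on once first."
        }
        & reg.exe load "HKU\$sid" $ntuser | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed for $UserName ($sid)" }
        $mountedHere = $true
    }
    try {
        $key = "$hive\$SubKey"
        # -Force creates missing parent keys; skip it when the key already exists
        # so that values already stored there are left alone.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $Name -Value $Value -Type DWord
    }
    finally {
        if ($mountedHere) {
            # Release PowerShell's handles on the hive, otherwise the unload is refused.
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$sid" | Out-Null
        }
    }
}

# Illustrative call (the value name is an assumption, not taken from the script):
# Set-UserHiveValue -UserName kiosk1 -Name DisableTaskMgr -Value 1 `
#     -SubKey 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
```

An account that has never logged on has no `NTUSER.DAT` yet, so the helper stops with an error in that case rather than writing to a hive that does not exist.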