itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License

Exception during Registry Permissions check #25

exploide closed this issue 2 years ago

exploide commented 2 years ago

When running Invoke-PrivescCheck on my current target, I get the following exception.

+------+------------------------------------------------+------+
| TEST | SERVICES > Registry Permissions                | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
|      | can modify the configuration of any registered        |
|      | service.                                              |
+------+-------------------------------------------------------+
Get-Acl : Es wurde versucht, einen nicht autorisierten Vorgang auszuführen.
In Zeile:1189 Zeichen:19
+ ...   $KeyAcl = Get-Acl -Path $Path -ErrorAction SilentlyContinue -ErrorV ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand

The German line roughly says "An unauthorized task was attempted."

It is possible to run PrivescCheck with -ErrorAction SilentlyContinue, but maybe this can be fixed.

itm4n commented 2 years ago

Hi!

OK, I see. It seems Get-Acl does not handle all errors nicely with -ErrorAction.

Could you tell me which registry key is triggering the error, and what is the DACL of this registry key as well?

exploide commented 2 years ago

Hi, thank you for the reply.

Unfortunately, I no longer have access to the device after the engagement ended yesterday. I'm probably not of much help anymore. I'm sorry. I should have run that with verbose or debug options, I guess.

I see that the issue might be hard to reproduce and only happens under certain circumstances. If not reproducible at all, maybe close the issue until I or someone else encounters this special case again.

itm4n commented 2 years ago

Hi,

Don't worry, that's OK. This is indeed a corner case, but I know how to fix it. :)

itm4n commented 2 years ago

I took a look at my previous code and realized I already surrounded a Get-Acl call with a "try/catch" elsewhere, precisely because it doesn't handle -ErrorAction properly. Therefore, I applied the same fix to the two other locations where I call Get-Acl.

This was indeed a mistake. So, thank you for your feedback! 🙂

exploide commented 2 years ago

Great, thanks for the fix. I think we can close this then.
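
The try/catch pattern discussed in this thread, as an added example that is not PrivescCheck's own code: it reads the ACL of each service registry key and records which keys raised an exception instead of letting `Get-Acl` abort the run. The function name `Get-RegistryKeyAclSafe` and the output properties are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: function name and output shape are hypothetical, not PrivescCheck's.
function Get-RegistryKeyAclSafe {
    [CmdletBinding()]
    param(
        # Registry provider path whose direct subkeys are inspected.
        [string]$RootPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    # Enumeration errors here are non-terminating, so -ErrorAction is honoured.
    $SubKeys = Get-ChildItem -LiteralPath $RootPath -ErrorAction SilentlyContinue

    foreach ($Key in $SubKeys) {
        try {
            # -ErrorAction Stop turns non-terminating errors into terminating ones,
            # so every failure, including UnauthorizedAccessException, reaches catch.
            $Acl = Get-Acl -LiteralPath $Key.PSPath -ErrorAction Stop
            [PSCustomObject]@{
                Path      = $Key.Name
                Readable  = $true
                Owner     = $Acl.Owner
                Sddl      = $Acl.Sddl
                ErrorType = $null
            }
        }
        catch {
            # Keep the key name and exception type so the offending key can be
            # identified afterwards instead of the error being lost.
            [PSCustomObject]@{
                Path      = $Key.Name
                Readable  = $false
                Owner     = $null
                Sddl      = $null
                ErrorType = $_.Exception.GetType().FullName
            }
        }
    }
}

# List only the keys whose DACL could not be read.
Get-RegistryKeyAclSafe |
    Where-Object { -not $_.Readable } |
    Select-Object Path, ErrorType
```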