itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License

Specified cast is not valid #40

Closed. exploide closed this 1 year ago.

exploide commented 1 year ago

I got some of the following errors on a Microsoft Windows Server 2019 Datacenter.

Specified cast is not valid.
At line:1077 char:17
+             if (($ServiceItem.Type -band $TypeMask) -gt 0) {
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], InvalidCastException
    + FullyQualifiedErrorId : System.InvalidCastException

This happens during multiple checks:

Running as admin doesn't change this. I tried adding -Verbose but no interesting information was shown to narrow down the issue.

Does this make sense for you? I probably have access to this particular system for only one day. So if this isn't enough information, we may close this until it is clearly reproducible. But feel free to tell me which information might be helpful.

itm4n commented 1 year ago

Does the error occur only once (or just a couple of times) during each check, or do you get a long list of errors? In the first case, there is probably an issue with a specific service that has an unrecognized (or null) type. In the second case, well, this would be a bit more problematic... :/

exploide commented 1 year ago

Thanks for the fast reply. The error occurs exactly once per check listed above (when running Invoke-PrivescCheck with -ErrorAction Continue).

itm4n commented 1 year ago

Ok, so I think my guess was correct. Do you think you would have time for a simple debug? It's totally ok if not, of course.

Here is the procedure, just in case.

  1. In the file 02_Helpers.ps1, edit the code of Get-ServiceList as follows.
  2. From the project's folder, run the script Build.ps1 to generate an updated version of PrivescCheck.ps1.
  3. Run the cmdlet Get-ServiceList in verbose mode: Get-ServiceList -Verbose (no need to run the whole script).

```powershell
try {
    $TypeMask = $ServiceTypeEnum::Win32OwnProcess -bor $ServiceTypeEnum::Win32ShareProcess -bor $ServiceTypeEnum::InteractiveProcess
    if (($ServiceItem.Type -band $TypeMask) -gt 0) {

        # FilterLevel = 2 - Add the service to the list if it's not a driver
        if ($FilterLevel -le 2) { $ServiceItem; continue }

        if (-not (Test-IsKnownService -Service $ServiceItem)) {

            # FilterLevel = 3 - Add the service if it's not a built-in Windows service
            if ($FilterLevel -le 3) { $ServiceItem; continue }
        }
    }
}
catch {
    # Print the name of the service that triggered the cast error
    Write-Verbose $ServiceItem.Name
}
```
exploide commented 1 year ago

I needed to supply 3 as the filter level value, and now it hit something:

VERBOSE: WindowsAzureTelemetryService
itm4n commented 1 year ago

Nice, thank you. Yes, I forgot about the filter level, sorry.

Is it possible to get the service's detail from the registry? The path should be HKLM\SYSTEM\CurrentControlSet\Services\WindowsAzureTelemetryService.

exploide commented 1 year ago

My work day is over now, but I might get a chance to access the system on Monday again. I'll try to collect the information.

exploide commented 1 year ago

It seems there aren't many registry entries within that service. This is all:

[screenshot: telemetry-service-registry]

itm4n commented 1 year ago

Ok, I see.... All the usual service settings are missing, so the Type is null, hence the cast error. This was my initial guess. It's really weird, first time I see this. :thinking: Anyway, thank you very much for taking the time to check. :) The fix will be pretty simple.

itm4n commented 1 year ago

Services without an explicit type are now ignored.
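The thread above boils down to one edge case: a service key under HKLM\SYSTEM\CurrentControlSet\Services that has no Type value, which makes the bitmask test blow up. The following PowerShell is an added example written for this page, not PrivescCheck's own code (Get-ServiceList, $ServiceTypeEnum and Test-IsKnownService are not reused here). It enumerates service keys from the registry, filters user-mode services with a type mask, and skips any entry whose Type is missing, as the fix in this issue does. The SERVICE_* constants are the documented Win32 service type flags; the function names, the Select-UserModeService/Get-ServiceFromRegistry split, and the $SampleServices list (constructed, offline test data mimicking the registry, including a key with no Type) are my assumptions.

```powershell
# Added example, not PrivescCheck's own code.
# Service type flags as documented for CreateService / the registry Type value.
$SERVICE_KERNEL_DRIVER       = 0x00000001
$SERVICE_FILE_SYSTEM_DRIVER  = 0x00000002
$SERVICE_WIN32_OWN_PROCESS   = 0x00000010
$SERVICE_WIN32_SHARE_PROCESS = 0x00000020
$SERVICE_INTERACTIVE_PROCESS = 0x00000100

# Anything that is a user-mode process (own, shared, or interactive), i.e. not a driver.
$UserModeTypeMask = $SERVICE_WIN32_OWN_PROCESS -bor $SERVICE_WIN32_SHARE_PROCESS -bor $SERVICE_INTERACTIVE_PROCESS

function Select-UserModeService {
    # Keeps only services whose Type matches the user-mode mask.
    # Entries with no Type value (like WindowsAzureTelemetryService in this issue)
    # are reported in verbose output and dropped instead of being cast.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Service
    )
    process {
        $Type = $Service.Type
        if ($null -eq $Type) {
            Write-Verbose "Skipping '$($Service.Name)': registry key has no Type value"
            return
        }
        if (([UInt32]$Type -band $UserModeTypeMask) -ne 0) {
            $Service
        }
    }
}

function Get-ServiceFromRegistry {
    # Reads every service key from the live registry (Windows only) into a flat object.
    # Missing values come back as $null, which Select-UserModeService handles.
    [CmdletBinding()]
    param()
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $Props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Name      = $_.PSChildName
            Type      = $Props.Type
            Start     = $Props.Start
            ImagePath = $Props.ImagePath
        }
    }
}

# Constructed sample data (assumption: mimics registry keys; one key lacks Type entirely).
$SampleServices = @(
    [PSCustomObject]@{ Name = 'Spooler'; Type = 0x110; ImagePath = 'C:\Windows\System32\spoolsv.exe' }
    [PSCustomObject]@{ Name = 'ACPI';    Type = 0x1;   ImagePath = 'System32\drivers\ACPI.sys' }
    [PSCustomObject]@{ Name = 'WindowsAzureTelemetryService'; ImagePath = $null }
)

# Offline run: prints only 'Spooler'; the driver and the type-less key are skipped,
# the latter with a VERBOSE line naming it.
$SampleServices | Select-UserModeService -Verbose | ForEach-Object { $_.Name }

# On a Windows host, the same filter over the real registry:
# Get-ServiceFromRegistry | Select-UserModeService -Verbose
```

Running the filter with -Verbose is the quick way to reproduce the debugging step itm4n proposed: the verbose line names the offending key directly, without having to wrap the whole check in try/catch.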