Scheduled tasks
A scheduled task on a Windows machine may have lost the binary it points to, or may run a binary that we have write permissions on. The schtasks command can be used to view scheduled tasks.
C:\> schtasks
Folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
vulntask N/A Ready
...
...
Run the following command to view detailed information about a particular task:
C:\> schtasks /query /tn <taskname> /fo list /v
E.g., to view the detailed information about the vulntask task:
C:\> schtasks /query /tn vulntask /fo list /v
Folder: \
HostName: WPRIVESC1
TaskName: \vulntask
Next Run Time: N/A
Status: Ready
...
Task To Run: C:\tasks\schtask.bat
...
...
schtasks command flags:
a) /query: To list information
b) /tn: Task name
c) /fo: Output format (list in this case)
d) /v: Verbose
The important value to note is Task To Run. The icacls command can be used to find out if we are able to modify the contents of the C:\tasks\schtask.bat (Task To Run) file.
C:\> icacls c:\tasks\schtask.bat
c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
Explanation of the (I) and (F) permissions:
(I): Inherited permissions - from a parent folder
(F): Full control
As all the accounts and groups (SYSTEM, Administrators and Users) have (F) permissions, all of them can read, write and modify the file.
The BUILTIN\Users:(I)(F) entry means that every single user on the system (privileged or non-privileged) is able to modify the file. This can be exploited to insert malicious code into the schtask.bat file, such as a reverse shell.
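The same check as an audit, in an added example that is not part of the original page: a Python script that takes saved schtasks and icacls output, extracts Task To Run, and flags allow entries that let low-privileged groups change the file. The group list, the set of rights treated as writable, and the hardened sample ACL are assumptions made for illustration.

```python
import re

# Groups that ordinary, non-administrative accounts belong to (assumed list).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that let the holder change file contents:
# Full, Modify, Write, plus the specific rights write-data and append-data.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}
# Tokens icacls prints before the rights that describe inheritance only.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"([^:]+):((?:\([A-Z,]+\))+)")

def task_to_run(schtasks_output):
    """Extract 'Task To Run' from `schtasks /query /tn <name> /fo list /v`."""
    for line in schtasks_output.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and key.strip() == "Task To Run":
            return value.strip()
    return None

def risky_aces(icacls_output, path):
    """Return (principal, rights) for low-privileged ACEs that allow writes."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line is prefixed by the path
        m = ACE_RE.fullmatch(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = [t for grp in re.findall(r"\(([^)]+)\)", m.group(2))
                  for t in grp.split(",")]
        if "DENY" in tokens:
            continue  # deny entries do not grant access
        rights = sorted(set(tokens) - INHERIT_FLAGS)
        who = m.group(1).strip()
        if who.lower() in LOW_PRIV and WRITE_RIGHTS & set(rights):
            findings.append((who, rights))
    return findings

# Output copied from the page above.
SCHTASKS_OUT = "TaskName: \\vulntask\nTask To Run: C:\\tasks\\schtask.bat\n"
ICACLS_OUT = ("c:\\tasks\\schtask.bat NT AUTHORITY\\SYSTEM:(I)(F)\n"
              "                     BUILTIN\\Administrators:(I)(F)\n"
              "                     BUILTIN\\Users:(I)(F)\n")
# Constructed sample: the same file after Users is reduced to read and execute.
HARDENED_OUT = ("c:\\tasks\\schtask.bat NT AUTHORITY\\SYSTEM:(F)\n"
                "                     BUILTIN\\Administrators:(F)\n"
                "                     BUILTIN\\Users:(RX)\n")
```

For the page's output, risky_aces(ICACLS_OUT, task_to_run(SCHTASKS_OUT)) reports the BUILTIN\Users full-control entry, while the hardened sample produces no findings.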