Scheduled tasks

A scheduled task on a Windows machine may have lost the binary it points to, or may use one that we have write permissions on. The schtasks command can be used to view scheduled tasks.

C:\> schtasks

Folder: \                                                                                                               
TaskName                                 Next Run Time          Status                                                  
======================================== ====================== ===============                                         
vulntask                                 N/A                    Ready

...
...

Run the following command to view detailed information about a particular task:

C:\> schtasks /query /tn <taskname> /fo list /v

E.g., to view detailed information about the vulntask task:

C:\> schtasks /query /tn vulntask /fo list /v

Folder: \ 
HostName:                             WPRIVESC1                                                                         
TaskName:                             \vulntask                    
Next Run Time:                        N/A                                                                               
Status:                               Ready                                                                             
...                                                        
Task To Run:                          C:\tasks\schtask.bat   
...
...

schtasks command flags:

a) /query: To list information

b) /tn: Task name

c) /fo: Output format (list in this case)

d) /v: Verbose

The important value to note is Task To Run. The icacls command can be used to find out if we are able to modify the contents of the C:\tasks\schtask.bat (Task To Run) file.

C:\> icacls c:\tasks\schtask.bat
c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    BUILTIN\Users:(I)(F)

Explanation of the (I) and (F) permissions:

  1. (I): Inherited permissions - from a parent folder

  2. (F): Full control

As all of the accounts and groups (SYSTEM, Administrators and Users) have (F) permissions, all of them can read, write and modify the file.

The BUILTIN\Users:(I)(F) group permission means that every user on the system (privileged or non-privileged) is able to modify the file. This can be exploited to insert malicious code into the schtask.bat file, such as a reverse shell.
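For auditing, the same icacls reading can be automated. The following is an added example (not part of the original page) that parses icacls output and reports broad groups holding write-capable rights on a task's file. The function names, the list of broad principals and the FIXED_ACL sample are assumptions made for illustration.

```python
import re

# Principals that include ordinary, non-administrative accounts (assumed list).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls rights that permit changing the file or its ACL:
# F full, M modify, W write, WD write data, AD append data,
# GA/GW generic all/write, WDAC write DAC, WO write owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}

def parse_icacls(text, path):
    """Yield (principal, [flags]) for each ACE in `icacls <path>` output."""
    for line in text.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]          # first ACE shares a line with the path
        who, sep, flag_text = line.strip().rpartition(":")
        flags = re.findall(r"\(([^)]*)\)", flag_text)
        if sep and who and flags:            # skips blanks and the summary line
            yield who, [f.upper() for f in flags]

def broad_write_access(text, path):
    """Return [(principal, rights)] where a broad group can alter the file."""
    findings = []
    for who, flags in parse_icacls(text, path):
        if "DENY" in flags or "IO" in flags:  # deny or inherit-only: grants nothing here
            continue
        rights = {r.strip() for f in flags for r in f.split(",")}
        hit = sorted(rights & WRITE_RIGHTS)
        if who.lower() in BROAD and hit:
            findings.append((who, hit))
    return findings

TASK_FILE = r"c:\tasks\schtask.bat"
# Output shown on this page.
PAGE_ACL = r"""c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    BUILTIN\Users:(I)(F)
"""
# Constructed sample: the same file after Users is reduced to read/execute.
FIXED_ACL = r"""c:\tasks\schtask.bat NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    BUILTIN\Users:(I)(RX)
"""

if __name__ == "__main__":
    print(broad_write_access(PAGE_ACL, TASK_FILE))
    print(broad_write_access(FIXED_ACL, TASK_FILE))
```

An empty result for a task's file means none of the listed broad groups can change it; any finding on a file referenced by Task To Run should have its ACL tightened.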
