CeramicSkate0 Blog adventures

CeramicSkate0's Blog (yes, I finally made one) and it's not shiny

Looking Deeper into CVE-2022-24696 - LPE

Yes, I did contact the vendor first. Yes, they said it's still CVE-2022-24696. So that's out of the way.

I always say, when doing research, even on something old, dig deeper. So why? Let's see…

The Start

I was looking around a target machine on a test one day. I see this strange (to me) app I haven't seen before in the process list. I see it's a service. All cool, cool so far.

I then do what anyone who has taken OSCP does (and don't say you don't): I googled it. Boom! The TrustedSec article has a lot of detail I'm going to gloss over, because I'm assuming you read it, as it is kind of the basis for this continuation of the research. Great! But it says I need this 3rd-party app to do some super l33t LPE via RogueWinRM. Well, poop :( Defender flags it super fast. We don't have another machine on the network. What to do, since that's not an option?

Think about it……and think….and think….

Well what do we know?

(screenshot: service3)

  1. I can make this service, running as Local Service, run any local app I want.
  2. PowerShell stagers are taboo.
  3. EDR and AV flag a lot of the LOLBINs.
  4. I remember SECCDC, where old tricks work great.
  5. EDR and AV won't flag normal admin tasks.
  6. Our old tool dev Ralph M. once mentioned an old trick (that works on the CRTO lab) where I can use cmd to do stuff as a service this way >:)

Hmmm…

So idea 1: make the service run net dah dah dah… But how?

(screenshot: service2)

AND!!!… poop, didn't work… why?? Well, as mentioned in the article, the service ORIGINALLY runs as “Local Service”, meaning you can't do much of anything we want to do as that account. Permissions and all. :(

So we HAVE to use something like RogueWinRM, right? Some cool exploit kind of thing, remotely maybe, a Potato something…

NOPE!

What if you just click a button to run as system :D

(screenshot: service)

BOOM! Now you are running what you want at the same level as someone who can run Mimikatz logonpasswords.

Now you might say, what if I don't have GUI access? Fine, let me do everything for you… Well, something like sc dah dah dah obj=.\LocalSystem might help you. Yes, I know it's not exact. It's a free blog… I'm trying to only spend 1 hour per article here.
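What makes the run-as-SYSTEM button (or the sc config obj= route) possible at all is a service DACL that hands SERVICE_CHANGE_CONFIG, or the right to rewrite the DACL itself, to a low-privileged principal. Below is a small defender-side audit I'm adding to this post; it is not code from the vendor or from the TrustedSec write-up. It parses the SDDL string that `sc sdshow <service>` prints and lists every allow ACE that grants change-config (DC), WRITE_DAC (WD), WRITE_OWNER (WO) or the generic rights that include them to anyone other than SYSTEM (SY) and Builtin\Administrators (BA). The two SDDL strings in the block are constructed samples for illustration, not captures from the affected product; the rights letters and well-known SID abbreviations are the standard SDDL ones.

```python
"""Audit a Windows service DACL (as printed by `sc sdshow <service>`) for
principals that can change the service configuration or its security
descriptor. Added example; the sample SDDL strings below are constructed."""
import re

# Two-letter SDDL rights that, on a service object, allow rewriting its
# configuration (DC = SERVICE_CHANGE_CONFIG) or its security descriptor
# (WD = WRITE_DAC, WO = WRITE_OWNER), plus the generic rights containing them.
RISKY_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
# Same rights as a bit mask, for ACEs that carry a hex access mask instead.
RISKY_MASK = 0x0002 | 0x00040000 | 0x00080000 | 0x10000000 | 0x40000000
# Principals that are expected to hold these rights on any service.
TRUSTED_SIDS = {"SY", "BA"}

WELL_KNOWN = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "AU": "Authenticated Users", "IU": "Interactive users",
    "SU": "Service logon users", "BU": "BUILTIN\\Users", "WD": "Everyone",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def dacl_part(sddl):
    """Return the text between 'D:' and the optional 'S:' (SACL) marker."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    body = sddl[start + 2:]
    end = body.find("S:")
    return body if end < 0 else body[:end]


def parse_aces(sddl):
    """Return (ace_type, rights, sid) for each ACE in the DACL."""
    aces = []
    for ace in ACE_RE.findall(dacl_part(sddl)):
        fields = ace.split(";")
        if len(fields) != 6:          # malformed ACE: skip rather than guess
            continue
        ace_type, _flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append((ace_type, rights, sid))
    return aces


def rights_are_risky(rights):
    """True if the rights field grants any of RISKY_RIGHTS."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & RISKY_MASK != 0
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & RISKY_RIGHTS)


def find_weak_aces(sddl, trusted=TRUSTED_SIDS):
    """Allow ACEs handing risky rights to a principal outside `trusted`."""
    return [(rights, sid) for ace_type, rights, sid in parse_aces(sddl)
            if ace_type == "A" and sid not in trusted and rights_are_risky(rights)]


def report(name, sddl):
    """Human-readable summary for one service."""
    weak = find_weak_aces(sddl)
    if not weak:
        return f"{name}: OK, only SYSTEM/Administrators can change config"
    lines = [f"{name}: WEAK"]
    for rights, sid in weak:
        who = WELL_KNOWN.get(sid, sid)
        lines.append(f"  {who} holds {rights} (can change config / run-as account)")
    return "\n".join(lines)


# Constructed sample: the usual default-looking DACL for a service.
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(AU;OIIOFA;GA;;;WD)")
# Constructed sample: same, but Authenticated Users got full control.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    print(report("goodsvc", HARDENED))
    print(report("weaksvc", WEAK))
```

To run it against a real box, feed the output of `sc sdshow <service>` for each service name into `report`; any line reporting WEAK is a service whose run-as account a non-admin can rewrite, which is exactly the condition the "Fixes" section needs to remove (restrict the DACL to SYSTEM and Administrators).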

Detections

Fixes

Timeline
