Exception during Registry Permissions check

Question

Exception during Registry Permissions check

exploide opened this issue 3 years ago · comments

When running Invoke-PrivescCheck on my current target, I get the following exception.

+------+------------------------------------------------+------+
| TEST | SERVICES > Registry Permissions                | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
|      | can modify the configuration of any registered        |
|      | service.                                              |
+------+-------------------------------------------------------+
Get-Acl : Es wurde versucht, einen nicht autorisierten Vorgang auszuführen.
In Zeile:1189 Zeichen:19
+ ...   $KeyAcl = Get-Acl -Path $Path -ErrorAction SilentlyContinue -ErrorV ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand

The German line roughly says "An unauthorized task was attempted."

It is possible to run PrivescCheck with -ErrorAction SilentlyContinue but maybe this can be fixed.

Clément Labro · Answer 1 · Wed Sep 01 2021 21:06:44 GMT+0800 (China Standard Time)

Hi!

OK, I see. It seems Get-Acl does not handle all errors nicely with -ErrorAction.

Could you tell me which registry key is triggering the error, and what is the DACL of this registry key as well?

Jannik Vieten · Answer 2 · Fri Sep 03 2021 02:02:09 GMT+0800 (China Standard Time)

Hi, thank you for the reply.

Unfortunately, I no longer have access to the device after the engagement ended yesterday. I'm probably of not much help anymore. I'm sorry. I better had run that with verbose or debug options I guess.

I see that the issue might be hard to reproduce and only happens under certain circumstances.
If not reproducible at all, maybe close the issue until me or someone else encounters this special case again.

Clément Labro · Answer 3 · Fri Sep 03 2021 02:05:17 GMT+0800 (China Standard Time)

Hi,

Don't worry, that's OK.
This is indeed a corner case, but I know how to fix it. :)

Clément Labro · Answer 4 · Fri Sep 03 2021 22:45:02 GMT+0800 (China Standard Time)

I took a look at my previous code and realized I already surrounded a Get-Acl call with a "try/catch" elsewhere, precisely because it doesn't handle -ErrorAction properly. Therefore, I applied the same fix to the two other locations where I call Get-Acl.

This was indeed a mistake. So, thank you for your feedback! 🙂

Jannik Vieten · Answer 5 · Sat Sep 04 2021 00:30:46 GMT+0800 (China Standard Time)

Great, thanks for the fix. I think we can close this then.