itm4n/PrivescCheck

Exception during Registry Permissions check

exploide opened this issue · 5 comments

When running Invoke-PrivescCheck on my current target, I get the following exception.

+------+------------------------------------------------+------+
| TEST | SERVICES > Registry Permissions                | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
|      | can modify the configuration of any registered        |
|      | service.                                              |
+------+-------------------------------------------------------+
Get-Acl : Es wurde versucht, einen nicht autorisierten Vorgang auszuführen.
In Zeile:1189 Zeichen:19
+ ...   $KeyAcl = Get-Acl -Path $Path -ErrorAction SilentlyContinue -ErrorV ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand

The German line roughly says "An unauthorized task was attempted."

It is possible to run PrivescCheck with -ErrorAction SilentlyContinue but maybe this can be fixed.

itm4n commented

Hi!

OK, I see. It seems Get-Acl does not handle all errors nicely with -ErrorAction.

Could you tell me which registry key is triggering the error, and what is the DACL of this registry key as well?

Hi, thank you for the reply.

Unfortunately, I no longer have access to the device after the engagement ended yesterday. I'm probably of not much help anymore. I'm sorry. I better had run that with verbose or debug options I guess.

I see that the issue might be hard to reproduce and only happens under certain circumstances.
If not reproducible at all, maybe close the issue until me or someone else encounters this special case again.

itm4n commented

Hi,

Don't worry, that's OK.
This is indeed a corner case, but I know how to fix it. :)

itm4n commented

I took a look at my previous code and realized I already surrounded a Get-Acl call with a "try/catch" elsewhere, precisely because it doesn't handle -ErrorAction properly. Therefore, I applied the same fix to the two other locations where I call Get-Acl.

This was indeed a mistake. So, thank you for your feedback! 🙂

Great, thanks for the fix. I think we can close this then.