Exception during Registry Permissions check
exploide opened this issue · 5 comments
When running Invoke-PrivescCheck
on my current target, I get the following exception.
+------+------------------------------------------------+------+
| TEST | SERVICES > Registry Permissions | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
| | can modify the configuration of any registered |
| | service. |
+------+-------------------------------------------------------+
Get-Acl : Es wurde versucht, einen nicht autorisierten Vorgang auszuführen.
In Zeile:1189 Zeichen:19
+ ... $KeyAcl = Get-Acl -Path $Path -ErrorAction SilentlyContinue -ErrorV ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
The German line roughly says "An unauthorized task was attempted."
It is possible to run PrivescCheck with -ErrorAction SilentlyContinue
but maybe this can be fixed.
Hi!
OK, I see. It seems Get-Acl
does not handle all errors nicely with -ErrorAction
.
Could you tell me which registry key is triggering the error, and what is the DACL of this registry key as well?
Hi, thank you for the reply.
Unfortunately, I no longer have access to the device after the engagement ended yesterday. I'm probably of not much help anymore. I'm sorry. I better had run that with verbose or debug options I guess.
I see that the issue might be hard to reproduce and only happens under certain circumstances.
If not reproducible at all, maybe close the issue until me or someone else encounters this special case again.
Hi,
Don't worry, that's OK.
This is indeed a corner case, but I know how to fix it. :)
I took a look at my previous code and realized I already surrounded a Get-Acl
call with a "try/catch" elsewhere, precisely because it doesn't handle -ErrorAction
properly. Therefore, I applied the same fix to the two other locations where I call Get-Acl
.
This was indeed a mistake. So, thank you for your feedback! 🙂
Great, thanks for the fix. I think we can close this then.