Hello and welcome to this course in which we're talking about using Python for privilege escalation. In this video, we're going to talk about the use of logon scripts, and this applies to both privilege escalation and maintaining persistence on a system. With logon scripts, we are going to be talking about the Windows registry. We have talked about the Windows registry in the past and how it's a configuration database for the Windows operating system. In this video, we're going to talk about a particular registry key that allows certain scripts to be run when a user logs on to a system.

We're going to be using two files in this particular video. We've got a file called LogonScript.py that we see here, and then one called BuildExe.py. The BuildExe.py script isn't directly relevant to our use of logon scripts. Its goal is to create an executable from a Python file, and that way we have a Windows executable file to go with our logon script.

Up at the top of our LogonScript.py file, we have a few variables defined. We're specifying a particular directory that we're going to point our logon script key to, and we've got a file name. In this case, we're going to create a file called benign.exe. Then we've got a file path, which is the combination of those two. It'll be at our current working directory/temp/benign.exe. We then have a couple of lines of clean-up code here that just ensure that if this program's already been run, we delete the file that was created so the new one can be built. Here down at line 11, we're going to use our BuildExe.py script to create a Windows executable from a Python script. This particular file uses PyInstaller to create an executable file from a Python script. As you know with Python, you need to have Python installed on a system, and any dependencies or libraries that a particular script needs, in order for that particular script to work on the system.
PyInstaller removes this requirement by wrapping a script and all of its dependencies up inside of a Windows executable, which makes it possible to run it on any Windows system, whether or not Python is installed. Up here, we've got a few variables that we're defining. Our initial script is called malicious.py. We're going to be creating an executable called benign.exe, and we're going to assign it the Firefox icon, and then our present working directory is pulled in using os. Then again, that same clean-up, and then we're going to use PyInstaller to create a single executable file with the script and all of its dependencies bundled in. Then finally, down here at the bottom, is a bit of clean-up, moving our created executable to the present working directory and deleting all of the directories and files that PyInstaller creates in the process. At the end of running this BuildExe file, we have an executable file called benign.exe in the current working directory that contains the functionality of our Python malicious.py file.

Now let's switch over to taking a look at our logon script file. Here, after we've created our executable, we're going to move it to our desired directory, and we're ready to start working with the Windows registry. We're going to be using the winreg Python library to access and modify registry keys. For a logon script, we need to set environment variables. A logon script can exist at a user director [inaudible], so in the registry hive HKEY_CURRENT_USER, in the Environment key. We're going to have a variable called UserInitMprLogonScript. Whatever value is associated with that name within the environment is going to be run automatically on user logon. In order to access and modify the Windows registry, again, we're going to be using winreg. The first step in this process is connecting to the registry. We use ConnectRegistry, and we pass in a value of None to specify that we want to modify the local registry. Then we specify the hive that we want to connect to.
In this case, HKEY_CURRENT_USER, or HKCU for short. After that, we need to open a particular key, so we specify that registry connection, the path that we want to open, in this case Environment, a reserved value of 0, and then specify that we want write access to this particular key, allowing us to modify the values that it contains. Finally, we're going to perform that modification using the SetValueEx function. Again, we'll pass in that key that we opened up in the previous step, specify the name that's associated with Windows logon scripts, that reserved value of 0, and again the type of value that we want, in this case a REG_SZ. Then finally the file path, which specifies the program that we want to be run automatically. In this case, it's going to be the currentworkingdirectory/temp/benign.exe. When we run this, we're going to be modifying a key in the registry to add this logon script.

I'm going to minimize this and scroll over here, and run the program in the command prompt on the left. On the right here, we see that we're currently at the desired location within the Windows Registry. You can access this using regedit, which you can just type right over here. Run that, and it'll open up this Registry Editor view pane, and then we see the hive that we're working with, HKEY_CURRENT_USER, and then the particular key that we're accessing is Environment. There are some variables already specified here, and we're going to be adding another when we run this. I'm going to run python LogonScript.py, hit "Enter", and after giving it a moment to create that executable, put it in place, and create the registry key, we're going to be able to see it over here in Registry Editor. So we see that execution is complete. We click View here, then Refresh, and we've successfully created our desired registry key. It should be that the next time we log in to this particular account, we're able to have our program run automatically.
This particular modification that we've made so far is primarily focused on achieving persistence, because we haven't really changed the permissions or access that we have on the computer right now. We theoretically already had access to this user account to start with. All we've done is ensure that this program is going to be run again the next time we access the user account. However, we can use the registry and logon scripts for privilege escalation, or at least gaining access to other user accounts.

To do so, we need to understand the relationship between HKEY_CURRENT_USER and HKEY_USERS. If you're familiar with aliasing, and essentially pointers, that's essentially what HKEY_CURRENT_USER is: it provides easy access to the user hive for the particular user. As we see here, we don't have useful information here. We have a lot of user identifiers, but not much information about which ones are associated with a particular user. When we're interacting with the system, currently we are the current user, since we're the logged-in user. This makes it so we don't have to search through this set of potential usernames to identify which account actually belongs to us and modify the appropriate keys. However, we can take advantage of this HKEY_USERS hive to achieve privilege escalation, or at least access to other accounts.

The first thing that we need to do is to understand which user accounts are associated with which identifiers under HKEY_USERS. How we can do this is by using this command here on the Windows command prompt, wmic useraccount get name,sid. If I run this, we get a listing that translates some of the numbers that we see here on the system. Currently we're under the HEPOS user account, which has, if we move all the way over, the last value of 1001, meaning that this is our current user account. In fact, if we take a look inside of it, we can verify this at some level. Looking at our Environment up here, we see that we've created that logon script.
If we click Environment down here, that exact same logon script still exists. We see that it's pointing to our benign.exe file. This is really just a shortcut to our particular user account. However, we have seen that there's another user on the system called test user, that has a different key and set of keys inside the HKEY_USERS hive. If we look in here, we can see that they also have an Environment key. This provides us the opportunity to run things in the context of the other user account.

Returning to our Python file here, we see that I've already got it set up to take advantage of this. Instead of using the HKEY_CURRENT_USER hive and just the Environment path, we're going to be using HKEY_USERS, and we're going to specify the Environment path for that other user account, which you may have noticed ended with 1002. Saving this and running it over here in the command prompt, I need to point out something. Notice that we're running this as administrator. If you try to run this as a normal user, then you're not able to change the environment variables in the other user account. The primary value of this is for privilege expansion, or gaining access to other user accounts by causing programs to be run in their context. From there, you may be able to install a keylogger or take other action to observe their use of passwords, etc., to steal information that may provide direct access to their account.

If I run this Python file and give it a moment to again create that executable, place it in the desired directory, and finally create our logon script key within the registry, we'll see once it completes that if we refresh our registry view, our new logon key has been created. Notice that we have a slight problem here, in that this file is located within the HEPOS user's directory, and so this probably won't work.
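As an added example (not one of the course's LogonScript.py or BuildExe.py files), here are the same two steps from the defender's side: map SIDs to accounts with the wmic command shown above, then walk every HKEY_USERS\<SID>\Environment key with winreg and report any UserInitMprLogonScript value, which is how an audit or incident-response script finds this persistence across all loaded user hives rather than just HKCU. The sample wmic output and hive contents are constructed so the script also runs off Windows; the account names HEPOS and test user come from the lesson, the SIDs and paths are made up.

```python
import subprocess
import sys

VALUE_NAME = "UserInitMprLogonScript"   # value Windows runs at user logon

def parse_wmic_accounts(text):
    """Map SID -> account name from `wmic useraccount get name,sid` output."""
    mapping = {}
    for line in text.splitlines()[1:]:           # first line is the header
        parts = line.split()
        if len(parts) >= 2 and parts[-1].startswith("S-1-"):
            mapping[parts[-1]] = " ".join(parts[:-1])   # SID is last; names may contain spaces
    return mapping

def read_user_environments():
    """Yield (sid, {name: data}) for each HKEY_USERS\\<SID>\\Environment (Windows only)."""
    import winreg                                # imported lazily; the module is absent off Windows
    hive = winreg.ConnectRegistry(None, winreg.HKEY_USERS)
    for i in range(winreg.QueryInfoKey(hive)[0]):
        sid = winreg.EnumKey(hive, i)
        try:
            key = winreg.OpenKey(hive, sid + r"\Environment", 0, winreg.KEY_READ)
        except OSError:
            continue                             # e.g. *_Classes hives have no Environment key
        with key:                                # EnumValue returns (name, data, type)
            yield sid, dict(winreg.EnumValue(key, j)[:2] for j in range(winreg.QueryInfoKey(key)[1]))

def find_logon_scripts(environments, sid_to_name):
    """Return [(sid, account, script)] for every hive whose Environment sets the value."""
    hits = []
    for sid, values in environments:
        for name, data in values.items():
            if name.lower() == VALUE_NAME.lower():   # registry value names are case-insensitive
                hits.append((sid, sid_to_name.get(sid, "<unknown>"), data))
    return hits

# Constructed sample data standing in for a live system (account names from the lesson, SIDs made up).
SAMPLE_WMIC = "Name       SID\nHEPOS      S-1-5-21-111-222-333-1001\ntest user  S-1-5-21-111-222-333-1002\n"
SAMPLE_ENVS = [
    ("S-1-5-21-111-222-333-1001", {"TEMP": r"C:\Users\HEPOS\Temp"}),
    ("S-1-5-21-111-222-333-1002", {"TEMP": r"C:\Users\test\Temp", VALUE_NAME: r"C:\Users\HEPOS\temp\benign.exe"}),
]

if __name__ == "__main__":
    live = sys.platform == "win32"
    out = subprocess.run(["wmic", "useraccount", "get", "name,sid"], capture_output=True, text=True).stdout if live else SAMPLE_WMIC
    envs = read_user_environments() if live else SAMPLE_ENVS
    for sid, account, script in find_logon_scripts(envs, parse_wmic_accounts(out)):
        print(f"{account} ({sid}) runs at logon: {script}")
```

Reading HKEY_USERS only covers hives that are currently loaded, so run the check while the accounts of interest are logged on or load their ntuser.dat first. wmic is deprecated on current Windows releases; `Get-LocalUser | Select-Object Name, SID` in PowerShell yields the same mapping.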
However, with the right level of access, we probably could place an executable in there that would work, or we could take advantage of fileless malware and, instead of running a particular executable, run commands to, say, download malware to the system and execute it in the context of this other user account. This demonstration here, using this wmic useraccount command to identify the SID associated with another user and then writing to their registry, demonstrates how logon scripts can be used for privilege escalation or expansion by providing access to other user accounts on the system. Thank you.