2011-07-31 22:33:26
By Tim Brown
So recently I had a penetration test where the client had a requirement to allow normal users to execute a specific command as a local admin. Normally, when I hear such a requirement my eyes light up, as it can often be a quick way to get SYSTEM and then the domain. However, in this instance the client proudly told me about his underhanded method. Rather than use something like psexec, he'd discovered a nifty little utility called cpau which purported to encode the credentials to make it safe for use by normal users. Red rag to a bull: I decided to take a look; perhaps the encoding was weak and I could retrieve those all-important credentials.
I wasn't sure what I'd find, or whether I'd have time to fully reverse the encoding algorithm, but I started off my attack by loading cpau into OllyDbg. OllyDbg has a useful function where it will show you the functions a binary has imported, and I was hoping for a tell as to how the job file used by cpau was encrypted. I navigated to the list of imports and began scanning for functions I recognised and, lo and behold, spotted it was using CreateProcessWithLogonW:
Now, at this point I could have put a breakpoint on the function and extracted the username and password from the running memory, but I wanted to try a different trick. I'd recently downloaded API Monitor and wanted to give that a shot. I loaded it up and configured it to hook the process as follows:
This yielded the following results:
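The "tell" in the import list is the whole story: a utility that "encodes" a password but imports CreateProcessWithLogonW has to hand Windows the plaintext at some point, so the encoding is obfuscation rather than protection. The script below is an added example written for this post, not code from the original post or from cpau. It does, without a debugger, what the OllyDbg import view does: walks a PE's import directory and flags the credential-consuming APIs an auditor should look for before approving a tool like this. It also generalises beyond OllyDbg's 32-bit view by handling PE32+ and imports by ordinal. Because no real binary is embedded, `build_sample_pe` constructs a minimal PE32 image with only an import section as a self-contained fixture (the DLL and function names in it are chosen to mimic the post's finding, not copied from cpau); point it at a real file with `python pe_imports.py some.exe`.

```python
import struct
import sys

# APIs that must receive a plaintext password or a logon token. A binary importing
# one of these has to decode any "encoded" credential in-process before the call.
CREDENTIAL_APIS = {
    "CreateProcessWithLogonW", "CreateProcessWithTokenW",
    "LogonUserA", "LogonUserW", "CredReadA", "CredReadW",
}

def _headers(data):
    """Return (import directory RVA, is_pe32plus, [(vaddr, size, raw_off), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd = opt + (112 if is64 else 96)                       # first data directory
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]      # NumberOfRvaAndSizes
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0] if ndirs > 1 else 0
    sections = []
    for i in range(nsec):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raw))
    return imp_rva, is64, sections

def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, size, raw in sections:
        if vaddr <= rva < vaddr + size:
            return raw + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} falls outside every section")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Walk the import directory and return {dll_name: [imported function names]}."""
    imp_rva, is64, sections = _headers(data)
    imports = {}
    if imp_rva == 0:
        return imports
    width, fmt, ord_flag = (8, "<Q", 1 << 63) if is64 else (4, "<I", 1 << 31)
    off = rva_to_offset(sections, imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                  # null descriptor ends the table
            break
        funcs, thunk = [], rva_to_offset(sections, ilt or iat)  # lookup table, else the IAT
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"#{entry & 0xFFFF}")          # import by ordinal
            else:
                funcs.append(_cstr(data, rva_to_offset(sections, entry) + 2))  # skip 2-byte hint
            thunk += width
        imports[_cstr(data, rva_to_offset(sections, name_rva))] = funcs
        off += 20
    return imports

def credential_tells(imports):
    """Return (dll, function) pairs showing the binary hands credentials to Windows."""
    return sorted((d, f) for d, fs in imports.items() for f in fs if f in CREDENTIAL_APIS)

SECTION_RVA, SECTION_OFF = 0x1000, 0x200

def build_sample_pe(imports):
    """Construct a minimal PE32 image holding only an import section (test fixture, not cpau)."""
    body = bytearray()
    def add(blob):
        body.extend(blob)
        return SECTION_RVA + len(body) - len(blob)         # RVA of what was just appended
    def align(n):
        body.extend(b"\0" * (-len(body) % n))
    # hint/name entries (2-byte hint, name, NUL, padded to even length), then DLL names
    names = {(d, f): add(b"\0\0" + f.encode() + b"\0" * (2 - len(f) % 2))
             for d, fs in imports.items() for f in fs}
    dlls = {d: add(d.encode() + b"\0") for d in imports}
    align(4)
    thunks = {}
    for d, fs in imports.items():
        table = b"".join(struct.pack("<I", names[(d, f)]) for f in fs) + b"\0" * 4
        thunks[d] = (add(table), add(table))               # import lookup table, then IAT copy
    dir_rva = SECTION_RVA + len(body)
    for d in imports:
        add(struct.pack("<IIIII", thunks[d][0], 0, 0, dlls[d], thunks[d][1]))
    add(b"\0" * 20)                                        # null import descriptor
    dir_size = SECTION_RVA + len(body) - dir_rva
    align(0x200)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)         # ImageBase, section/file alignment
    struct.pack_into("<II", opt, 56, SECTION_RVA + len(body), SECTION_OFF)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, dir_rva, dir_size)               # DataDirectory[1] = imports
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), SECTION_RVA, len(body),
                                      SECTION_OFF, 0, 0, 0, 0, 0xC0000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sec).ljust(SECTION_OFF, b"\0") + body)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(
        {"advapi32.dll": ["CreateProcessWithLogonW"], "kernel32.dll": ["CreateProcessW", "ExitProcess"]})
    found = parse_imports(data)
    for dll, funcs in found.items():
        print(dll, funcs)
    print("credential tells:", credential_tells(found))
```

Run against the constructed sample it reports advapi32.dll as the source of CreateProcessWithLogonW, which is exactly the line the post spotted in OllyDbg. Run against a vendor tool during an assessment, a non-empty `credential_tells` result is the cue to treat the tool's "encoded" credential file as recoverable by anyone who can run the binary.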
Mood: Tired
Music: Dave - Mock The Week