Scheduled Tasks
Scheduled Tasks on Windows are the equivalent of cron jobs: they allow users to schedule the launch of programs or scripts at a specified time or on a repeating schedule. Scheduled Tasks can be listed using the schtasks command.
Task To Run: Indicates what gets executed by the Scheduled Task.
Run As User: Indicates the user that will be used to execute the task.
- SchTask
schtasks /query /tn VulnerableTask /fo list /v
- Output
Folder: \
HostName: ADOBE-PC1
TaskName: \VulnerableTask
Task To Run: C:\VulnerableTask\Path\VulnTask.bat
Run As User: "Username (Task Runs as this User)"
If our current user can modify or overwrite the Task To Run executable, we control what gets executed as the Run As User, resulting in privilege escalation.
In this case the group BUILTIN\Users has Full Access (F) on the binary. This means we can modify the .bat file and insert any payload of our preference.
- Command
:: Show File Permissions
icacls C:\VulnerableTask\Path\VulnTask.bat
- Output
C:\VulnerableTask\Path\VulnTask.bat NT AUTHORITY\SYSTEM:(I)(F)
                                    BUILTIN\Administrators:(I)(F)
                                    BUILTIN\Users:(I)(F)
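To audit a host for this misconfiguration, the two outputs above can be parsed and cross-checked. The following is an added example, not part of the original page: the function names, the set of principals treated as low-privileged, and the assumption that Task To Run is a bare path without arguments are choices of this example.

```python
import re

# Principals treated as low-privileged here (an assumption of this example).
LOW_PRIV = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}
WRITE_RIGHTS = {"F", "M", "W"}  # icacls: Full, Modify, Write
ACE = re.compile(r"^(.+?):((?:\([^)]+\))+)$")  # e.g. BUILTIN\Users:(I)(F)

def parse_schtasks(text):
    """Parse `schtasks /query /fo list /v` output into one dict per task."""
    tasks = []
    for line in text.splitlines():
        key, sep, val = (s.strip() for s in line.partition(":"))
        if key == "HostName":  # each task record starts with HostName
            tasks.append({})
        if sep and tasks:
            tasks[-1][key] = val
    return tasks

def weak_aces(path, icacls_text):
    """Return (principal, rights) pairs where a low-privileged principal can write."""
    hits = []
    for line in icacls_text.splitlines():
        line = line.replace(path, "", 1).strip()  # first line is prefixed by the path
        m = ACE.match(line)
        if not m or "(DENY)" in m.group(2):
            continue
        rights = set(re.findall(r"\(([^)]+)\)", m.group(2))[-1].split(","))  # last group = rights
        if m.group(1) in LOW_PRIV and rights & WRITE_RIGHTS:
            hits.append((m.group(1), sorted(rights & WRITE_RIGHTS)))
    return hits

def audit(schtasks_text, icacls_by_path):
    """Flag tasks whose Task To Run (assumed to be a bare path) is writable."""
    return [(t["TaskName"], t["Task To Run"], who, rights)
            for t in parse_schtasks(schtasks_text)
            for who, rights in weak_aces(t["Task To Run"],
                                         icacls_by_path.get(t["Task To Run"], ""))]

# Sample input: the two outputs shown on this page.
SCHTASKS = r"""Folder: \
HostName: ADOBE-PC1
TaskName: \VulnerableTask
Task To Run: C:\VulnerableTask\Path\VulnTask.bat
Run As User: "Username (Task Runs as this User)"
"""
ICACLS = {r"C:\VulnerableTask\Path\VulnTask.bat": r"""C:\VulnerableTask\Path\VulnTask.bat NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Users:(I)(F)
"""}
```

Calling audit(SCHTASKS, ICACLS) returns one finding per writable entry; any task it reports should have write access on its target file restricted to administrators.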
Starting the Task
Note: In a normal scenario we would likely have to wait for the task to trigger if we don't have the required permissions.
If we do have the required permissions to start the task, we can use the schtasks command:
schtasks /run /tn VulnerableTask