VB Script!

So,

Recently I have spent a lot of time on Local Lockdown testing and 98 times out of 100 they allow VBScript to be run. Very bad mistake.

With VBScript it is possible to do lots of wonderful things that a normal locked-down user wouldn’t otherwise be able to do, e.g.:

  • Access Registry
  • Execute Programs
  • Get File Permissions
  • Query LDAP

Here are a few cool ways I was able to leverage VBScript to get more information than I should have had access to.

LDAP Query that Returns Excel Doc:

' Runs as an Excel macro: Worksheets is Excel's object model, not part of Windows Script Host.
On Error Resume Next

Counter = 2
Worksheets("Sheet1").Cells(1, 1).Value = "Username"
Worksheets("Sheet1").Cells(1, 2).Value = "Group"

' ADSI error raised by GetEx when the attribute is not set on the object
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D
Set objOU = GetObject("LDAP://ou=users,dc=microsoft,dc=com")
objOU.Filter = Array("user")

For Each objUser In objOU
    Err.Clear
    arrMemberOf = objUser.GetEx("memberOf")

    If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
        ' One row per group the user is a member of
        For Each Group In arrMemberOf
            Worksheets("Sheet1").Cells(Counter, 1).Value = objUser.cn
            Worksheets("Sheet1").Cells(Counter, 2).Value = vbTab & Group
            Counter = Counter + 1
        Next
    Else
        ' memberOf is not set for this user
        Worksheets("Sheet1").Cells(Counter, 1).Value = objUser.cn
        Worksheets("Sheet1").Cells(Counter, 2).Value = vbTab & "attribnotset"
        Counter = Counter + 1
        Err.Clear
    End If
Next

Check Service Permissions: (still a work in progress)

On Error Resume Next

objFileName = "services.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(objFileName)
Set objShell = CreateObject("WScript.Shell")

' Collected service executable paths
Set services = CreateObject("System.Collections.ArrayList")
arrComputers = Array("localhost")

For Each strComputer In arrComputers
    WScript.Echo
    WScript.Echo "=========================================="
    WScript.Echo "Computer: " & strComputer
    WScript.Echo "=========================================="

    Set objWMIService = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & strComputer & "\root\CIMV2")
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Service")

    For Each objItem In colItems
        strFileName = objItem.PathName

        ' Keep everything up to and including ".exe", dropping any arguments after it
        Set myRegExp = New RegExp
        myRegExp.IgnoreCase = True
        myRegExp.Global = True
        myRegExp.Pattern = ".*\.exe"

        Set myMatches = myRegExp.Execute(strFileName)
        For Each myMatch In myMatches
            services.Add myMatch.Value
        Next
    Next
Next

For Each service In services
    ' Strip the double quotes that PathName may contain
    Set myRegExp = New RegExp
    myRegExp.IgnoreCase = True
    myRegExp.Global = True
    myRegExp.Pattern = Chr(34)

    serfor = myRegExp.Replace(service, "")

    ' Write the ACL that cacls reports for each service binary to services.txt
    Set oExec = objShell.Exec("cacls " & Chr(34) & serfor & Chr(34))
    Do While Not oExec.StdOut.AtEndOfStream
        str = oExec.StdOut.ReadAll
        objFile.WriteLine(str)
    Loop
    Set oExec = Nothing
Next

objFile.Close
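
To review services.txt offline, here is an added example in Python (not part of the original post) that parses the concatenated cacls output and lists service binaries on which a low-privilege principal holds a write-capable right, so those ACLs can be tightened. The principal list, the split after ".exe", the flag names and the sample text are assumptions constructed for illustration.

```python
import re

# Assumed set of principals that every ordinary logon holds.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
WRITE_RIGHTS = {"W", "C", "F"}  # cacls letters: Write, Change, Full control
# Entry line "<path>.exe <ACE>": both parts may hold spaces, so split after ".exe".
HEAD_RE = re.compile(r"(.*?\.exe)\s+(.*)$", re.I)
# One ACE: principal, optional parenthesised flags such as (ID) or (DENY), right.
ACE_RE = re.compile(r"^([^:(]+):((?:\([^)]*\))*)([NRWCF]?)\s*$")

def parse_cacls(text):
    """Return {path: [(principal, right, denied)]} from concatenated cacls output."""
    acls, path = {}, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if not line[0].isspace():       # new file entry, or a cacls error line
            head = HEAD_RE.match(line)
            if not head:
                path = None             # error text: ignore until the next entry
                continue
            path, line = head.group(1), head.group(2)
            acls[path] = []
        ace = ACE_RE.match(line.strip()) if path else None
        if ace:     # names of individual rights under "special access" do not match
            flags = ace.group(2).upper()
            right = "special" if "SPECIAL ACCESS" in flags else ace.group(3)
            acls[path].append((ace.group(1).strip(), right, "(DENY)" in flags))
    return acls

def writable_by_low_priv(acls):
    """List (path, principal, right) needing review: write-capable or special rights."""
    return [(path, who, right)
            for path, aces in acls.items()
            for who, right, denied in aces
            if not denied and who.lower() in LOW_PRIV
            and (right in WRITE_RIGHTS or right == "special")]

# Constructed sample of services.txt content (not real output).
SAMPLE = r"""C:\Windows\system32\svchost.exe NT SERVICE\TrustedInstaller:F
                                BUILTIN\Administrators:R
                                BUILTIN\Users:R

C:\Program Files\Acme Agent\agent.exe BUILTIN\Users:(ID)C
                                      BUILTIN\Administrators:(ID)F
C:\Tools\backup.exe Everyone:(special access:)
                             FILE_WRITE_DATA
                    BUILTIN\Administrators:F"""
if __name__ == "__main__":
    print(writable_by_low_priv(parse_cacls(SAMPLE)))
```

Entries reported with the right "special" carry granular rights that the parser does not decode, so they need a manual look.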

Reading Registry Keys:

Dim Shell, Reg, RegKey
'RegKey = "HKLM\Software\test\testkey"
' Prompt for the registry value to read (InputBox is built into VBScript)
RegKey = InputBox("Enter Registry Path:")
Set Shell = CreateObject("WScript.Shell")
Reg = Shell.RegRead(RegKey)
MsgBox Reg

Running an Application With Parameters (think of when no command prompt is available):

Set Shell = CreateObject("WScript.Shell")
Shell.Run("""C:\windows\system32\cmd.exe"" /c net users")

Nothing too great, but handy to have when you need them 🙂

 
