> The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”. The prototype looks like this:
> long _SchRpcSetSecurity(
>     [in][string] wchar_t* arg_1, // Task name
>     [in][string] wchar_t* arg_2, // Security Descriptor string
>     [in]long arg_3);
> Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks. This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating.
> However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL while not impersonating.
> Since a user, and even a user belonging to the guests group can create files in this folder, we can simply create a hardlink to another file (all we need is read access). Because of the hardlink, we can let the task scheduler write an arbitrary DACL (see second parameter of SchRpcSetSecurity) to a file of our choosing.
> So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.
If you find the default font size too small, I know at least Chrome and Firefox support a minimum font size in their settings.
I personally set my minimum font size to 9. While I can't easily read font that small, I can at least notice it is there and zoom or otherwise compensate if I care what it says while still mostly preserving the aesthetic of the web page (assuming the font is purposefully small for a reason).
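A defensive check for the condition the quoted write-up describes, as an added example that is not part of the original comment or write-up: it lists which principals may create files in the legacy tasks folder and flags `.job` entries that have more than one hard-link name. It assumes an elevated PowerShell session and the `c:\windows\tasks` path given in the quote; the variable names are illustrative.

```powershell
# Added example, not from the quoted write-up.
# Assumption: the legacy folder is %SystemRoot%\Tasks, as the quote states.
$tasksDir = Join-Path $env:SystemRoot 'Tasks'

# 1. Who is allowed to create files in the legacy folder?
#    Only specific rights are tested here; ACEs that carry generic rights
#    (shown by Get-Acl as raw numbers) need separate review.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
(Get-Acl -LiteralPath $tasksDir).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $createFiles) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 2. Which .job entries are additional names for a file stored elsewhere?
#    "fsutil hardlink list" prints one path per link, each starting with "\".
Get-ChildItem -LiteralPath $tasksDir -Filter '*.job' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $job   = $_
        $links = @(fsutil hardlink list $job.FullName 2>$null |
                   Where-Object { $_ -like '\*' })
        if ($links.Count -gt 1) {
            [pscustomobject]@{
                JobFile   = $job.FullName
                LinkCount = $links.Count
                AllNames  = $links -join '; '
            }
        }
    } |
    Format-List
```

Any `.job` entry reported by the second step shares its data and security descriptor with every other name listed, so a DACL written through the `.job` name applies to those files as well.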