Markup job.bat script not executing

Executing ps on the Markup machine doesn’t reveal any process resembling ‘wevtutil’. Because of this, I reason that the script doesn’t execute and make the call to my attacking machine listening on port XXXX. Below is the full output of ps on Markup.

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     74       5     2444       4140               628   1 cmd
     74       5     3300       4188              2776   1 cmd
     72       5     2240       3676              3192   1 cmd
    228      12     7424       8456              3808   1 cmd
     77       5     2344       3932       0.00   4952   0 cmd
    155      10     6312      12868              3184   1 conhost
    155      11     6364       4180              3232   1 conhost
    116       6     1204       4904       0.75   3796   0 conhost
    156      10     7036       5744              3920   1 conhost
    157      11     6352      12152              4368   1 conhost
    155      10     6908       2884       0.39   4484   1 conhost
    392      16     2260       5276               376   0 csrss
    304      15     2136       5248               488   1 csrss
    255      13     3936      13432              2732   0 dllhost
     49       6     1520       4932               784   1 fontdrvhost
     49       6     1264       4176               792   0 fontdrvhost
    179      28     9504       3452       0.53   4640   1 httpd
    499      49    18720       4180       1.30   4700   1 httpd
      0       0       56          8                 0   0 Idle
    829      20     4684      12424               640   0 lsass
    223      13     3104      10508              3048   0 msdtc
    585      72   164864     140060              1864   0 MsMpEng
    147      15   209940      41616              1676   0 mysqld
     74       6      876       3180              4996   1 PING
    753      34    73176      91492       2.73   3344   0 powershell
      0       9     3832       6840                88   0 Registry
    409      10     3700       7712               620   0 services
     53       3      492       1220               288   0 smss
    123      22     1948       7268              1588   0 sshd
    129       9     2480       7804              2708   0 sshd
    139       9     2480       7700       0.48   4948   0 sshd
    184       9     1760       7596               328   0 svchost
    427       9     2712       8896               340   0 svchost
    217      11     1968       9544               344   0 svchost
     85       5      876       3844               736   0 svchost
    278      12     2892       9476               756   0 svchost
    165      11     1736       7992               772   0 svchost
    532      16     3312       9556               868   0 svchost
    231      10     1692       6912               908   0 svchost
    115       7     1228       5348               992   0 svchost
    424      13    23684      27956              1004   0 svchost
    325      17     3964      13224              1028   0 svchost
    123      15     3164       7164              1052   0 svchost
    234      13     2832       8212              1084   0 svchost
    216       9     1960       7440              1092   0 svchost
    384      31     5840      13884              1196   0 svchost
    186      11     1844       7788              1288   0 svchost
    115       7     1164       5756              1340   0 svchost
    186      10     1772       8700              1416   0 svchost
    454      17     3072      10888              1480   0 svchost
    396      17     9032      21196              1500   0 svchost
    242      25     3416      12288              1508   0 svchost
    171       9     1956       7032              1516   0 svchost
    136       8     1424       6204              1544   0 svchost
    334      14     3856      10988              1564   0 svchost
    118       7     1164       5516              1608   0 svchost
    207      11     2260       8416              1660   0 svchost
    207      12     1800       7484              1756   0 svchost
    391      16    11448      20468              1764   0 svchost
    227      13     2916      10840              1892   0 svchost
    269      10     2228       8172              2200   0 svchost
    163      10     2100       7696              2316   0 svchost
    251      14     7276      11236              2756   0 svchost
    107       7     2476       5552              3064   0 svchost
    310      17    14104      26832              3648   0 svchost
    131       8     2932       9436              4064   0 svchost
    312      20     9328      14232              4144   0 svchost
    124       7     1212       5632              4256   0 svchost
   1206       0      192        144                 4   0 System
    210      12     1944       9692              3748   1 taskhostw
    167      11     2896      10924              1668   0 VGAuthService
    141       8     1684       6940              1652   0 vm3dservice
    138      10     2292       8040              1972   1 vm3dservice
    361      22     9440      21444              1692   0 vmtoolsd
    201      16     4712      13664              3320   1 vmtoolsd
    170      11     1472       6952               480   0 wininit
    259      12     2528      11432               544   1 winlogon
    311      15     7192      15848              2992   0 WmiPrvSE

I did try executing job.bat myself, but obviously this didn’t work since I don’t have admin privileges.

In addition, below is the output of schtasks:

Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows\.NET Framework
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319           N/A                    Ready
.NET Framework NGEN v4.0.30319 64        N/A                    Ready
.NET Framework NGEN v4.0.30319 64 Critic N/A                    Disabled
.NET Framework NGEN v4.0.30319 Critical  N/A                    Disabled

Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A                    Disabled
AD RMS Rights Policy Template Management N/A                    Ready

Folder: \Microsoft\Windows\AppID
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
PolicyConverter                          N/A                    Disabled
VerifiedPublisherCertStoreCheck          N/A                    Disabled

Folder: \Microsoft\Windows\Application Experience
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Microsoft Compatibility Appraiser        12/4/2023 3:56:05 AM   Ready

Folder: \Microsoft\Windows\Chkdsk
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ProactiveScan                            N/A                    Ready
SyspartRepair                            N/A                    Ready

Folder: \Microsoft\Windows\Customer Experience Improvement Program
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Consolidator                             12/3/2023 12:00:00 PM  Ready

Folder: \Microsoft\Windows\Data Integrity Scan
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Data Integrity Scan                      12/23/2023 1:24:14 AM  Ready
Data Integrity Scan for Crash Recovery   N/A                    Ready

Folder: \Microsoft\Windows\Defrag
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ScheduledDefrag                          N/A                    Ready

Folder: \Microsoft\Windows\Device Information
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Device                                   12/4/2023 3:36:19 AM   Ready

Folder: \Microsoft\Windows\Flighting
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows\Flighting\OneSettings
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
RefreshCache                             12/3/2023 4:03:05 PM   Ready

Folder: \Microsoft\Windows\MUI
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
LPRemove                                 N/A                    Ready

Folder: \Microsoft\Windows\NetTrace
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
GatherNetworkInfo                        N/A                    Ready

Folder: \Microsoft\Windows\PLA
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Server Manager Performance Monitor       N/A                    Disabled
 
Folder: \Microsoft\Windows\Plug and Play
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Device Install Group Policy              N/A                    Ready
Device Install Reboot Required           N/A                    Ready
Sysprep Generalize Drivers               N/A                    Ready

Folder: \Microsoft\Windows\PowerShell
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Windows\Server Manager
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CleanupOldPerfLogs                       N/A                    Ready

Folder: \Microsoft\Windows\Servicing
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
StartComponentCleanup                    N/A                    Ready

Folder: \Microsoft\Windows\Shell
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CreateObjectTask                         N/A                    Ready

Folder: \Microsoft\Windows\Software Inventory Logging
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Collection                               N/A                    Disabled
Configuration                            N/A                    Ready

Folder: \Microsoft\Windows\SpacePort
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SpaceAgentTask                           N/A                    Ready
SpaceManagerTask                         N/A                    Ready

Folder: \Microsoft\Windows\Storage Tiers Management
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Storage Tiers Management Initialization  N/A                    Ready
Storage Tiers Optimization               N/A                    Disabled

Folder: \Microsoft\Windows\TextServicesFramework
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MsCtfMonitor                             N/A                    Running

Folder: \Microsoft\Windows\Time Synchronization
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SynchronizeTime                          N/A                    Ready

Folder: \Microsoft\Windows\Time Zone
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SynchronizeTimeZone                      N/A                    Ready

Folder: \Microsoft\Windows\Windows Defender
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Windows Defender Cache Maintenance       N/A                    Ready
Windows Defender Cleanup                 N/A                    Ready
Windows Defender Scheduled Scan          12/4/2023 2:00:36 AM   Ready
Windows Defender Verification            N/A                    Ready

Folder: \Microsoft\Windows\Windows Error Reporting
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
QueueReporting                           12/3/2023 11:23:48 AM  Ready

Folder: \Microsoft\Windows\Windows Filtering Platform
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange              N/A                    Ready

Folder: \Microsoft\Windows\WindowsUpdate
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Scheduled Start                          12/4/2023 10:11:30 AM  Ready

Folder: \Microsoft\Windows\Wininet
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CacheTask                                N/A                    Running

Please advise or point me in the right direction. Thank you.

Can someone please help with this? Thanks!

Hey! I’m having the exact same issue! The wevtutil is not running.

PS C:\Log-Management> ps

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     77       5     2300       4184       0.06   1988   0 cmd
     72       5     2232       3872              3696   1 cmd
    228      12     7436       8388              3916   1 cmd
    116       6     1228       5240       0.08   2692   0 conhost
    155      10     6324      13376              3688   1 conhost
    156      11     7044       8136              3976   1 conhost
    157      11     6916       3096       0.30   4416   1 conhost
    390      16     2188       5252               376   0 csrss
    290      15     1944       5236               492   1 csrss
    255      13     3996      13544              2648   0 dllhost
     49       6     1504       4932               788   1 fontdrvhost
     49       6     1248       4180               796   0 fontdrvhost
    179      28     9516       2812       0.45   4476   1 httpd
    514      50    21916       3392       0.48   4868   1 httpd
      0       0       56          8                 0   0 Idle
    826      20     4536      12356               644   0 lsass
    223      13     3064      10472              2900   0 msdtc
    518      73   163836     158932              1784   0 MsMpEng
    153      15   210328      42940              1640   0 mysqld
     74       6      852       3172              2156   1 PING
    578      28    62692      69852       0.34   3148   0 powershell
      0       9     1132       8340                88   0 Registry
    412      11     3760       7772               624   0 services
     53       3      504       1248               292   0 smss
    123      11     1940       7232              1560   0 sshd
    139       9     2500       7716       0.08   1752   0 sshd
    129       9     2500       7716              4980   0 sshd
    184       9     1760       7568               344   0 svchost
    425       9     2812       9000               368   0 svchost
    217      11     2000       9552               400   0 svchost
     85       5      928       3900               744   0 svchost
    281      12     2896       9532               764   0 svchost
    534      15     3308       9552               876   0 svchost
    107       7     2500       5580               888   0 svchost
    231      10     1712       6924               920   0 svchost
    425      13    23508      27664              1012   0 svchost
    115       7     1220       5348              1020   0 svchost
    164      11     1712       7940              1028   0 svchost
    323      17     3776      13080              1052   0 svchost
    120      14     2936       7000              1064   0 svchost
    214       9     1996       7524              1104   0 svchost
    230      13     2692       8112              1112   0 svchost
    384      31     5868      13916              1180   0 svchost
    186      11     1872       7800              1248   0 svchost
    115       7     1260       5856              1340   0 svchost
    118       7     1176       5528              1412   0 svchost
    176      22     2476       9736              1420   0 svchost
    394      17     8600      21608              1432   0 svchost
    152       8     1700       6996              1468   0 svchost
    338      15     4040      11192              1500   0 svchost
    253      14     7568      11040              1540   0 svchost
    136       8     1468       6240              1552   0 svchost
    209      11     2324       8416              1584   0 svchost
    319      24     8468      15504              1592   0 svchost
    388      16    10420      19292              1596   0 svchost
    186      10     1792       8668              1608   0 svchost
    209      12     1804       7460              1720   0 svchost
    227      13     2808      10884              1816   0 svchost
    297      20    10764      14176              1840   0 svchost
    456      17     3056      11032              2028   0 svchost
    269      10     2220       8172              2204   0 svchost
    163      10     1820       7408              2484   0 svchost
    308      17    14104      26856              3424   0 svchost
    135       8     2880       9616              3560   0 svchost
    124       7     1220       5628              5112   0 svchost
   1180       0      192        148                 4   0 System
    208      12     1964       9688              3908   1 taskhostw
    167      11     2904      10944              1700   0 VGAuthService
    141       8     1672       6928              1712   0 vm3dservice
    138      10     2312       8136              2012   1 vm3dservice
    361      22     9296      21620              1688   0 vmtoolsd
    201      16     4760      13732              4020   1 vmtoolsd
    170      11     1464       6972               484   0 wininit
    259      12     2536      11404               548   1 winlogon
    313      15     7376      16440              2968   0 WmiPrvSE

Btw, the privilege escalation still worked.