Windows PrivEsc: Weak Service Permission

Presuming we have a low-privileged shell on the victim machine, the following content walks through how to find and exploit one insecure Windows configuration: weak permissions on a service.

Sometimes in Windows, we discover services that run with SYSTEM-level privileges but don't have proper permissions set by an administrator. These services mostly exist in third-party software, and they are the best victims for privilege escalation.

Let’s check how to find and exploit these services.

Find and exploit -

Note — IPs have been obfuscated in this blog post.

Suppose we have a meterpreter reverse shell from victim BOB as shown below.

Let's analyse what privileges the user has on services using the accesschk.exe tool from Sysinternals.

Windows Sysinternals is a website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

Download the accesschk.exe tool from the URL below.

https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

To upload the tool to the victim shell, use the upload command of meterpreter as shown in the exhibit.

The tool will be uploaded to the victim shell as shown.

Accept the terms and conditions as shown.

As we are authenticated with bob's shell access on the victim machine, let's find which services authenticated users have modify access to.

The command below lists all the services that an authenticated user can modify.

SERVICE_ALL_ACCESS means the user has full control over both of these services and can modify their properties.

Let's find out the status of these services, whether they run with high-level privileges, and what binary path name each has.

As observed, both of these services run with high-level privileges, but one is set to start on demand and the other is disabled. So we can only target the start-on-demand service.

What makes these services such easy victims of privilege escalation is their binary path, which is the Windows TEMP folder, where all users usually have write permissions.

In this case, we can either replace the binary egMligicpG.exe with our netcat bind or reverse shell or, as we also have full permissions on the service, change the binary path to our own commands, which can either add an administrator user or give a reverse shell with netcat. As the service executes as a high-privileged user, i.e. NT AUTHORITY\SYSTEM, our command will be executed as the SYSTEM user.

The thing to note here is that we need either modify permissions on the service configuration or write access to the folder where the service binary is stored, and in this case we have both.

Let's change the binary path configuration of the service to execute our commands on the system.

One way is to add the current user (bob) to the local administrators group and then restart the service. This escalates our privileges even when the service shows a "service not responding" message as shown below: the bob user will be added to the local administrators group. That can be confirmed using the net user bob command.

As we are already aware, the highest privilege is SYSTEM and not administrator. So let's see whether we can escalate to that.

And Yeah!!! … we can do that.

Let’s explore how…

To get the highest-level privilege, let's inject a command into the binary path that opens a reverse shell through nc.exe and escalates our privileges when the service is restarted.

Let's configure a netcat listener on port 6666 and start the service. The service will throw an error that it is not responding; however, we will get the reverse shell connected to our listener with the high-level SYSTEM privilege that the service executes with.

Remediation -

Privilege escalation through weak service permissions can be remediated by properly configuring the permissions on the service and on the folders where the service binary exists. Normal users should not be able to start or stop the service, and only administrators should have access to the folder where the binary is stored.
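
To check the service-permission half of this remediation, the following added example (not code from the original post) audits the SDDL string printed by `sc sdshow <service>` and reports allow ACEs that give broad low-privileged groups the rights needed to reconfigure a service. The function names, the list of low-privileged trustees and the sample descriptors are assumptions constructed for illustration.

```python
import re
# Rights that let a trustee take over a service (service-specific SDDL meanings).
DANGEROUS = {
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG: can rewrite the binary path
    "WD": 0x00040000,  # WRITE_DAC: can grant itself any other right
    "WO": 0x00080000,  # WRITE_OWNER: can take ownership, then rewrite the DACL
    "GA": 0x10000000,  # GENERIC_ALL: full control
    "GW": 0x40000000,  # GENERIC_WRITE: includes SERVICE_CHANGE_CONFIG
}
# Broad, low-privileged trustees (SDDL alias and SID string forms); assumed list.
LOW_PRIV = {
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE",
}

def dangerous_rights(rights):
    """Return the dangerous rights codes present in an ACE rights field."""
    if rights.lower().startswith("0x"):  # rights may be given as a hex mask
        mask = int(rights, 16)
        return sorted(c for c, bit in DANGEROUS.items() if mask & bit)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return sorted(codes & set(DANGEROUS))

def audit_service_sddl(sddl):
    """Return [(trustee, [rights])] for risky allow ACEs in the DACL."""
    # Only the DACL (D:) grants access; the SACL (S:) holds audit ACEs.
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":  # allow ACEs only
            continue
        risky = dangerous_rights(fields[2])
        if fields[5] in LOW_PRIV and risky:
            findings.append((LOW_PRIV[fields[5]], risky))
    return findings

# Constructed sample descriptors, not taken from the original post.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_service_sddl(sddl))
```

The audit ACE for Everyone in the SACL of both samples is deliberately ignored, since it records access rather than granting it. The folder half of the remediation still needs a separate check of the ACL on the directory holding the service binary.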
