Windows Privileged Escalation-Manual and using Metasploit framework-Ch.1

Harshaun Singh
Jul 29, 2018


Exploiting windows unquoted service paths for privileged escalation

During the initial phase of a pentest, or in an authenticated scan, you will likely have come across a finding called "Microsoft Windows Unquoted Service Path Enumeration" (Qualys ID 105484, Nessus Plugin ID 63155).

This weakness matters when the binary path of a service running with SYSTEM privileges is unquoted: if the path contains a space and is not enclosed in quotes, the file name is ambiguous, and Windows tries each possible interpretation in turn, starting from the root of the path, until it finds an executable. For example, consider the string "c:\program files\sub dir test\program name". The system tries to interpret it in the following order:
c:\program.exe files\sub dir test\program name
c:\program files\sub.exe dir test\program name
c:\program files\sub dir.exe test\program name
c:\program files\sub dir test\program.exe name
If an attacker is able to place a malicious executable at one of these unexpected paths, it will be started in place of the real binary, and if the service runs as SYSTEM this can be used to escalate privileges.

Manual exploitation - To identify unquoted service paths, run this command in a Windows command shell (it lists services, keeps the auto-start ones, drops those under C:\Windows, and drops any whose path already begins with a quote):

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

[Screenshots: output of the query above, and the matching ImagePath value for the service in the registry]

So, assuming the Photon Plus service runs as SYSTEM (which you can confirm in the Services panel) and its binary path is not enclosed in quotes, the final check is whether standard users have "Write" access to the directory where the service binary is located, or to any directory earlier in the path such as C:\ or C:\Program Files (x86)\. Folder permissions can be inspected with the Windows built-in tool icacls.
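The two checks above (expanding an unquoted path into the candidates Windows tries in order, and then deciding which directories need their permissions reviewed with icacls) can be scripted so that the wmic output is audited consistently instead of by eye. The script below is an added example and is not code from the original post; it parses a constructed sample of the query output (the "Photon Plus" service name is taken from the post, but the paths, the other service names and the column padding are invented for illustration), flags unquoted paths with spaces, lists the executables Windows' search order would try before the real one, and prints the icacls commands a reviewer would run for the directories involved. The parsing assumes columns are separated by at least two spaces, which holds for the padded sample but is not guaranteed for real wmic output.

```python
"""Audit helper for unquoted service paths (added example, not from the original post)."""
import ntpath
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode` output.
# wmic prints the requested columns in alphabetical order, padded to fixed widths.
# Only "Photon Plus" comes from the post; every path and other service is invented.
SAMPLE_WMIC_OUTPUT = r"""
DisplayName            Name            PathName                                                    StartMode
Print Spooler          Spooler         C:\Windows\System32\spoolsv.exe                             Auto
Photon Plus Service    PhotonPlus      C:\Program Files (x86)\Photon Plus\bin\photon service.exe   Auto
Good Vendor Service    GoodVendorSvc   "C:\Program Files\Good Vendor\svc.exe" -run                 Auto
Legacy Tool Agent      LegacyTool      C:\Legacy Tool\agent.exe                                    Manual
"""


def parse_wmic(text):
    """Turn padded wmic table output into a list of dicts keyed by column name.

    Assumption: columns are separated by two or more spaces (true for the sample;
    for real hosts `wmic ... /format:csv` is a more robust source).
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            continue  # skip lines that do not fit the column layout
        rows.append(dict(zip(header, fields)))
    return rows


def candidate_paths(pathname):
    """Return the executables CreateProcess would try, in order, before the real one.

    For an unquoted command line the prefix before each space is tried as a program
    name (with .exe appended when it has no extension). A quoted path is unambiguous
    and yields no candidates; tokens after the first .exe are treated as arguments.
    """
    if pathname.startswith('"'):
        return []
    parts = pathname.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the intended binary; the rest are its arguments
        candidates.append(prefix + ".exe")
    return candidates


def icacls_command(directory):
    """Build the icacls invocation for a directory; quote only when needed, since a
    trailing backslash before a closing quote (C:\\") confuses cmd argument parsing."""
    return f'icacls "{directory}"' if " " in directory else f"icacls {directory}"


def audit(wmic_output, only_auto=True, skip_prefix="c:\\windows\\"):
    """Apply the post's filters (Auto start, not under C:\\Windows, unquoted) and
    report, per affected service, the candidate hijack paths and the directories
    whose write permissions must be reviewed."""
    findings = []
    for row in parse_wmic(wmic_output):
        path = row["PathName"]
        if only_auto and row["StartMode"].lower() != "auto":
            continue
        if path.lower().startswith(skip_prefix):
            continue
        candidates = candidate_paths(path)
        if not candidates:
            continue
        check_dirs = sorted({ntpath.dirname(c) for c in candidates})
        findings.append({
            "name": row["Name"],
            "path": path,
            "candidates": candidates,
            "check_dirs": check_dirs,
            "icacls": [icacls_command(d) for d in check_dirs],
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WMIC_OUTPUT):
        print(f"Service {f['name']}: unquoted path {f['path']}")
        for c in f["candidates"]:
            print(f"  would be tried first: {c}")
        print("  review permissions with:")
        for cmd in f["icacls"]:
            print(f"    {cmd}")
```

In the icacls output, a `(W)`, `(M)` or `(F)` entry for BUILTIN\Users, Everyone or Authenticated Users on any of the listed directories is what turns the finding from "unquoted path" into a real escalation risk; the fix on the service side is simply to quote the ImagePath, and on the filesystem side to remove write access for standard users from those directories.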

Now we can use msfvenom in Kali Linux to generate our exe payload and plant it at one of the paths listed in the scan results. After that, a listener needs to be configured in Metasploit so that the payload can establish a connection back to the penetration tester's system:

Exploitation using Metasploit-

There is also a Metasploit module that handles all of these steps at once, from testing for a SYSTEM-level unquoted service path to generating and planting the payload and restarting the vulnerable service. The link below leads to the module. Once you have an initial foothold on the host, you can use this exploit module to obtain SYSTEM-level privileges.

https://www.exploit-db.com/exploits/20543/

Key points to be noted - During internal tests there is a good chance you will come across this vulnerability, because organizations run many custom-built applications to meet their needs. To be able to exploit this issue successfully for privilege escalation, the following requirements must hold:

  • The service executable runs with SYSTEM privileges.
  • The binary path of the service is not enclosed in quotes.
  • The user is able to restart the service, or can wait for the system/server to restart it automatically.
  • The user has Write access to one of the directories along the original executable's path, which can be checked using icacls (a native Windows built-in tool).



Harshaun Singh

#TURBANED SECUR!TY, C.E.H, Security+. I am a cyber security enthusiast. Love reading cyber sec articles and dwelling into new tools and technologies.