Windows privilege escalation via weak service permissions

When performing security testing on a Windows environment, or any environment for that matter, one of the things you'll need to check is whether you can escalate your privileges from a low-privilege user to a high-privilege user. No matter what environment you are testing there are going to be a range of roles with varying privileges. For the most part, on a local Windows environment there are going to be three roles:

1. System
2. Administrator
3. Regular user

Most people would think Administrator has the highest privilege, but actually it's the SYSTEM account. A regular user is typically the most limited role, which may be so limited that it can't even install software. In the previous paragraph I mentioned a local Windows environment; that's because when it comes to a network or Active Directory environment you have to take other things into consideration. The scenario I'll be going over involves a single install of a Windows operating system.

So let's say you're performing a security test on a system where all you're given is a low-privilege account, but you want to try and escalate those privileges so that you can get SYSTEM-level privileges. What do you do? There are a number of routes you can take. Scott Sutherland has written a nice article on Windows privilege escalation and some of the techniques that you can try. Also the guys over at insomniasec. Last but certainly not least, pentestmonkey has written a Python script that will search the system for potential areas of privilege escalation and report back. Obviously the technique I'm going to be discussing is leveraging Windows services that have low or weak permissions.

For those that aren't aware, a Windows service is a process that is run in the background, and a regular user would never know that this process is running unless they specifically checked for it, meaning there is no window or GUI associated with a service.
But a service is just like a process in the fact that it's an executable. You can determine all the services on your machine by using the wmic command. Your output should be similar to the below; I've snipped the output for brevity.

         WMPNetworkSvc  0    Manual  Stopped  OK
    1…   WPCSvc         0    Manual  Stopped  OK
    0    WPDBusEnum     0    Manual  Stopped  OK
    0    wscsvc         7…   Auto    Running  OK
    0    WSearch        2…   Auto    Running  OK
    0    wuauserv       8…   Auto    Running  OK

The first column is the exit code, the second column is the name of the service, the third column is the process ID (PID) of the service, the fourth column states how the service is to be started (start mode), the fifth column states if the process is running (state), and the last column gives the status of the service itself. You can also right click on your taskbar, the same bar as the Start menu, then select Task Manager. Within Task Manager you can select the Services tab to see this same information; keep in mind there is no Services tab within Task Manager on XP. For this scenario I'm using Windows 7.

So now that you know how to determine what services are available and running on a particular machine, how can we determine if they have weak permissions? By weak permissions I mean that the folder where the service EXE lives allows write access. Having write access allows me to replace that executable with my malicious executable, start the service and voila, I've got access. That's it in a nutshell, but let's walk through the steps to quickly determine which services are vulnerable and how to attack that vulnerable weak service permission.

On a Windows machine there can be a ton of services, and going through each folder where a service executable is located, right clicking and determining the permissions can be a pain in the butt. The first thing we'll need to do is run a couple of commands to easily pull the permissions for all the services. The first command uses wmic to list the services, pulls the full path of each executable, filters out anything under C:\Windows\System… and saves the result to a text file. The second command parses that text file, getting rid of some junk in the path name, then runs the icacls command on that path to determine the permissions on that service executable. A snippet of the output you'll see on the command line is below.

    C:\Users\homer>cmd … C:\Windows\Microsoft.NET\Framework\v4.…\SMSvcHost.exe
    C:\Windows\Microsoft.NET\Framework\v4.…\SMSvcHost.exe BUILTIN\IIS_IUSRS:(I)(RX)
                                                           NT AUTHORITY\SYSTEM:(I)(F)
                                                           BUILTIN\Administrators:(I)(F)
                                                           BUILTIN\Users:(I)(RX)
    Successfully processed 1 files; Failed processing 0 files

    C:\Users\homer>cmd … "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BUILTIN\Users:(I)(F)
                                                                         NT AUTHORITY\SYSTEM:(I)(F)
                                                                         BUILTIN\Administrators:(I)(F)
                                                                         WIN-B5JHUDECH2P\homer:(I)(F)
    Successfully processed 1 files; Failed processing 0 files

    C:\Users\homer>cmd … "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE NT AUTHORITY\SYSTEM:(I)(F)
                                                                                                BUILTIN\Administrators:(I)(F)
                                                                                                BUILTIN\Users:(I)(RX)
    Successfully processed 1 files; Failed processing 0 files

For my particular commands I've excluded service executables that live in C:\Windows\System…. The services I'm more interested in are third-party applications, because they get installed by a user and either the user improperly configures the folder permissions or, during the install, the application misconfigures the folder permissions. So this is the main reason why I filter out C:\Windows\System….

The output of the icacls command can be a little confusing, but what you want to look for is whether BUILTIN\Users have full access, which will be designated as (F). If you have full access to the folder where the service executable lives, then you can replace the service executable with your own malicious service executable. So when the service starts, either at boot automatically or manually, your malicious executable will run, hopefully giving you full access to the device. My snippet of output actually has a service with weak permissions, which you can see in the OSE.EXE entry above:

    C:\Users\homer>cmd … "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BUILTIN\Users:(I)(F)

The Source Engine folder is a standard folder for Windows 7 and out of the box has the proper permissions, meaning a regular user will not have write access to that folder. For this demonstration I've manually modified the permissions of the Source Engine folder to highlight the effect of improper permissions.

So now that you've found the folder of a service that allows the write permission, it's time to insert (upload) our malicious executable. The most convenient way I've found is using the msfpayload functionality within Metasploit. For the uninitiated and overwhelmed folks that try to deal with Metasploit and msfpayload, it might just be best to use BackTrack. Just grab BackTrack, which comes with everything installed and ready to go. I'm not going to go through all of the steps of getting Metasploit up and running, but if you have any troubles feel free to email me at travisaltmangmail.
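The wmic-plus-icacls check described above, written up as an added audit helper; this is example code, not the post's own commands or pentestmonkey's script. It reduces a service's PathName to the bare executable (the "junk in the path name" cleanup), parses icacls output, and reports low-privilege principals that hold a write-capable allow ACE on the binary. The LOW_PRIV group list, the (DENY) handling and the sample output (modelled on the OSE.EXE snippet, with a constructed LAB-PC\homer entry) are assumptions.

```python
import re

# Added audit helper, not the post's own code. LOW_PRIV is an assumption:
# the groups a standard (non-admin) user is a member of in your environment.
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}
# icacls rights that let the file be overwritten, deleted or have its ACL changed.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO"}

def exe_from_pathname(pathname):
    """Reduce a Win32_Service PathName (maybe quoted, maybe with arguments)
    to the executable path that icacls should be run against."""
    s = pathname.strip()
    if s.startswith('"'):                       # "C:\dir with spaces\svc.exe" -k x
        return s[1:s.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s

def parse_icacls(path, output):
    """Return [(principal, [flags...]), ...] from `icacls <path>` text output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):   # first line: path + first ACE
            line = line[len(path):].strip()
        if not line or line.startswith("Successfully processed"):
            continue
        who, _, flags = line.rpartition(":")        # e.g. (I)(RX) or (OI)(CI)(F)
        aces.append((who, re.findall(r"\(([^)]*)\)", flags)))
    return aces

def weak_aces(path, output):
    """Low-privilege principals holding a write-capable allow ACE on the binary."""
    findings = []
    for who, flags in parse_icacls(path, output):
        if "DENY" in flags or who not in LOW_PRIV:
            continue
        granted = {r for f in flags for r in f.split(",")} & WRITE_RIGHTS
        if granted:
            findings.append((who, sorted(granted)))
    return findings

# Constructed sample modelled on the post's OSE.EXE snippet; not captured output.
SAMPLE_PATH = r"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
SAMPLE_OUTPUT = r"""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BUILTIN\Users:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)
    LAB-PC\homer:(I)(F)
Successfully processed 1 files; Failed processing 0 files
"""
```

Running weak_aces(SAMPLE_PATH, SAMPLE_OUTPUT) reports only BUILTIN\Users with F; the SYSTEM, Administrators and per-user entries are not flagged because they are not in LOW_PRIV.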