Weak Permissions
Permissive File System ACLs
Sharpup
To check weak ACL
Checking permissions with icacls
Previously discovered application:
Replace service binary
Weak Service Permissions
Check sharpup again for misconfigured services:
Check permissions with accesschk
The flags we use, in order, are -q (omit banner), -u (suppress errors), -v (verbose), -c (specify name of a Windows service), and -w (show only objects that have write access).
Here we can see that all Authenticated Users have SERVICE_ALL_ACCESS rights over the service, which means full read/write control over it.
We are not currently in the local admin group
Change service binary path
Then restart service:
Now we are in local admin group:
Another notable example is the Windows Update Orchestrator Service (UsoSvc)
Unquoted Service Path
For example: C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
The following paths are searched, with .exe implied:
C:\Program
C:\Program Files
C:\Program Files (x86)\System
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64
So if we can create these files we can get admin privileges:
C:\Program.exe
C:\Program Files (x86)\System.exe
To find:
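An audit sketch for the unquoted-path case above, added here as an example and not taken from the original notes: it lists every service whose binary path is unquoted and contains a space, together with the candidate paths Windows would try first, so the path can be quoted and the parent directories reviewed. The function name Get-UnquotedPathCandidates is hypothetical.

```powershell
# Added example: audit for unquoted service paths (function name is hypothetical).
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    # A path that starts with a quote is parsed unambiguously.
    if ($p.StartsWith('"')) { return @() }

    # Keep only the executable part; text after the first ".exe" is arguments.
    if ($p -notmatch '^(.*?\.exe)(\s|$)') { return @() }
    $exe = $Matches[1]
    if (-not $exe.Contains(' ')) { return @() }

    # Windows tries the text before each space, with .exe implied, left to right.
    $candidates = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $candidates += $exe.Substring(0, $i) + '.exe' }
    }
    return $candidates
}

# The example path from this page, parsed without touching the system.
Get-UnquotedPathCandidates -PathName 'C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe'

# Run on the host being audited: one row per candidate path per affected service.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $svc = $_
        foreach ($c in (Get-UnquotedPathCandidates -PathName $svc.PathName)) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName
                Candidate = $c
                # True means a file already sits at a path Windows would try first.
                Exists    = Test-Path -LiteralPath $c
                # Directory whose ACL to review, e.g. with icacls.
                ParentDir = [System.IO.Path]::GetDirectoryName($c)
            }
        }
    } | Format-Table -AutoSize
```

Any service listed should have its binary path wrapped in double quotes in the service configuration; a row with Exists set to True deserves immediate inspection.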
Permissive Registry ACLs
It is also worth searching for weak service ACLs in the Windows Registry. We can do this using accesschk.
Checking for Weak Service ACLs in Registry
We can abuse this using the PowerShell cmdlet Set-ItemProperty to change the ImagePath value, using a command such as:
Modifiable Registry Autorun Binary
Check Startup Programs