- If you have no admin privs, do GodPotato (OS version and privs must check out, see documentation)
- Vulnerable Services
Services are one of the largest attack surfaces for privilege escalation on Windows because they frequently run as SYSTEM and can be misconfigured or vulnerable in a variety of ways.
Information about installed services can be gathered using built-in Windows utilities such as sc.exe and wmic.exe; the Get-Service and Get-WmiObject PowerShell cmdlets; or via custom tools that interact with APIs such as EnumServicesStatusEx.
- Path Interception
- PATH is constructed from two locations:
- User → read from HKEY_CURRENT_USER\Environment
- Machine → read from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
- Search Order Hijacking
- Unquoted Paths
- Weak Service Permissions
- Service File Permissions
- If we can edit/replace a file run by a service
- Service Registry Permissions
- When a new service is installed, an entry is written into the registry at HKLM\SYSTEM\CurrentControlSet\Services
- If a weak ACE is granted on the service's registry key during installation, an adversary may be able to modify the service's configuration to execute their malicious payload
- Get access details to registry key → Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\BadWindowsService | fl
- Change the binary path so that the service points to a completely different binary
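Added example covering the Path Interception and Weak Service Permissions points above (not part of the original notes): a read-only audit that reads PATH from the two registry locations, then walks every service looking for unquoted binary paths, service binaries and service registry keys that a low-privileged principal can write to. The list of "weak" principals and the rights treated as write access are assumptions of this script; run it from an elevated PowerShell on the host being reviewed. It reports findings and changes nothing.

```powershell
# Assumption: these principals should never hold write rights on PATH
# directories, service binaries or service registry keys.
$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                    'NT AUTHORITY\INTERACTIVE')

# Rights that let a caller replace content or reconfigure the object. Modify and
# FullControl contain these bits; GENERIC_WRITE (0x40000000) and GENERIC_ALL
# (0x10000000) cover ACEs stored with generic rights.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-WeakAce {
    # One object per Allow ACE that grants a weak principal a right in $WriteMask.
    param($Acl, [int]$WriteMask)
    if (-not $Acl) { return }
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($WeakPrincipals -notcontains $who) { continue }
        # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights.
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
        if (([int]$rights -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Principal = $who; Rights = $rights }
        }
    }
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Category, $Object, $Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Object = $Object; Detail = $Detail })
}

# 1. PATH: built from the user and machine Environment keys.
$PathKeys = @('HKCU:\Environment',
              'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment')
$PathDirs = foreach ($key in $PathKeys) {
    $raw = (Get-ItemProperty -Path $key -Name Path -ErrorAction SilentlyContinue).Path
    if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) -split ';' | Where-Object { $_ } }
}
foreach ($dir in $PathDirs | Sort-Object -Unique) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    foreach ($w in Get-WeakAce -Acl (Get-Acl -LiteralPath $dir) -WriteMask $FileWriteMask) {
        Add-Finding 'Writable PATH directory' $dir "$($w.Principal): $($w.Rights)"
    }
}

# 2. Services: binary path as the service control manager stores it, then the
#    ACLs on that binary and on the service's key under HKLM\SYSTEM\...\Services.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $cmd = $svc.PathName
    if (-not $cmd) { continue }
    # Quoted -> text inside the quotes; unquoted -> text up to the first ".exe".
    $exe = $null
    if ($cmd -match '^"([^"]+)"') { $exe = $matches[1] }
    elseif ($cmd -match '^([^"]*?\.exe)') { $exe = $matches[1] }
    if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }

    # An unquoted path with a space is ambiguous for CreateProcess (search order hijack).
    if ($exe -and $cmd -notmatch '^"' -and $exe -match ' ') {
        Add-Finding 'Unquoted service path' $svc.Name $cmd
    }
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        foreach ($w in Get-WeakAce -Acl (Get-Acl -LiteralPath $exe) -WriteMask $FileWriteMask) {
            Add-Finding 'Writable service binary' "$($svc.Name) ($exe)" "$($w.Principal): $($w.Rights)"
        }
    }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $acl = Get-Acl -LiteralPath $key -ErrorAction SilentlyContinue
    foreach ($w in Get-WeakAce -Acl $acl -WriteMask $RegWriteMask) {
        Add-Finding 'Writable service registry key' $key "$($w.Principal): $($w.Rights)"
    }
}

$Findings | Sort-Object Category, Object | Format-Table -AutoSize -Wrap
```

Each finding maps to one remediation: quote the ImagePath (sc config or the key's ImagePath value), tighten the file or directory ACL so only Administrators and SYSTEM can write, or remove the weak ACE from the service key. Anything the script flags under "Writable service registry key" is exactly the case the Get-Acl one-liner above inspects for BadWindowsService.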
- DLL Search Order Hijacking
- Software Vulnerabilities
- Example: deserialization with ysoserial
- User Account Control
- Mandatory Integrity Control (MIC) adds an extra layer of access control on top of ACLs, based on integrity levels
- low, medium, high, and system
- A user, even a local admin, has medium integrity level by default
- hence cmd.exe runs at medium integrity
- UAC pops up when a user wants to perform a higher-level action
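Added example for the MIC/UAC notes above (not part of the original notes): two small functions that show the integrity label of the current token and the UAC policy values that decide when the prompt appears. It assumes an English locale, since it parses the `whoami` column named Type; the registry value names are the documented UAC policy values.

```powershell
function Get-TokenIntegrityLevel {
    # whoami lists the mandatory label next to the group SIDs; its Type column is 'Label'.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $label = $rows | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    # BUILTIN\Administrators (S-1-5-32-544): in a non-elevated admin shell the token
    # is medium integrity and this group is "used for deny only"; after UAC
    # elevation the token is high integrity and the group is enabled.
    $admins = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $state  = if ($admins) { $admins.Attributes } else { 'not in token' }
    [pscustomobject]@{
        IntegrityLevel  = $label.'Group Name'   # e.g. Mandatory Label\Medium Mandatory Level
        LabelSid        = $label.SID            # S-1-16-8192 medium, S-1-16-12288 high, S-1-16-16384 system
        AdminGroupState = $state
    }
}

function Get-UacPolicy {
    # Documented policy values; a missing value means the Windows default applies.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on; 0 = off, admins always get the full token
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 0 = elevate silently, 2 = consent on secure desktop, 5 = default
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop
    }
}

Get-TokenIntegrityLevel
Get-UacPolicy
```

Running the first function from a normal shell and then from one started with "Run as administrator" shows the same account moving from the medium label with a deny-only Administrators group to the high label with the group enabled; an EnableLUA of 0 or a ConsentPromptBehaviorAdmin of 0 is the setting a hardening review should flag.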