Windows Privilege Escalation: Automatically Detecting Vulnerable Services

Standard

Hello People,

I know I know, it’s been a while, but who’s counting!

So, a very quick overview of Windows privilege escalation using misconfigured services: If a service’s executable DACLs allows any normal user (non-admin) to delete it, that means that any user can replace that executable with another one of his choosing, thus running any software as Admin! (Please ignore the plethora of  “Any”…)

Below is a mini/mildly-dirty script that I wrote to check all local services for any vulnerable services:

$vulnList=$NULL
foreach ($proc in (Get-WmiObject win32_service | select  @{Name="Path"; Expression={$_.PathName.split('"')[1]}})){
	if (($proc.Path).length -ne 0){
		[string]$resp = icacls $proc.Path
	}

	if ($resp.contains("Everyone:(F)") -or $resp.contains("Everyone:(I)(F)")){
		$vulnList = $vulnList+ $proc.Path
	}
}
$vulnList

This script will enumerate all the local services paths and check the DACLs of each one, searching for the following ACE: Everyone (F), which means “Everyone” has full control over this file.

While testing on a dummy machine, I found a sneaky service that comes by default with this specific computer model:

Continue reading

Advertisements