Windows Service Privilege Escalation
Windows Privilege Escalation - Exploiting Insecure Service Permissions
Udesh
Introduction
In today’s tutorial, we’ll walk through a Windows privilege escalation technique that leverages insecure service permissions. This method is particularly useful when you’ve already exploited a vulnerability on a Windows machine using a publicly available exploit and want to escalate your privileges to gain administrative rights.
Identifying Insecure Services
Before diving into the exploitation process, it’s essential to identify whether the target machine is running any services with insecure permissions. One of the best tools for this task is WinPEAS.exe, which can quickly scan a system and list potential privilege escalation vectors, including services whose configuration can be modified by the current user.
For this scenario, our victim machine has a running service named daclsvc with insecure permissions. Let’s explore how we can exploit this service to gain elevated privileges.
Step 1: Creating a Payload
The first step in this process is to create a payload that will give us an active session as a low-privileged user. We’ll use msfvenom to generate a Windows payload for this purpose.
Here’s the command to generate the payload:
Make sure to update the LHOST IP address to match your attack machine’s IP.
Once the payload file is generated, transfer it to the victim machine. In this example, we’ll place the payload in the C:\PrivEsc\ directory on the victim machine. One straightforward way to transfer the file is by starting an SMB server on your Kali machine and using the standard Windows copy command:
Now that the payload is on the victim machine, we’re ready to proceed with the privilege escalation attack.
Step 2: Analyzing the Insecure Service
Next, we need to check which permissions our current user account holds on the daclsvc service. We’ll use SharpUp.exe for this purpose. SharpUp is a C# tool that implements some of the privilege escalation checks found in PowerUp, making it a valuable resource for identifying this kind of misconfiguration.
You can download SharpUp from the following link: SharpUp
Run SharpUp.exe to identify any modifiable services on the victim machine. In this case, you’ll see that the daclsvc service is modifiable, meaning our current user has permission to change its configuration, including the path of the binary it runs.
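The weakness SharpUp reports here is a service DACL that grants a non-privileged principal SERVICE_CHANGE_CONFIG (or a right that leads to it, such as WRITE_DAC or WRITE_OWNER). The following audit script is an added example, not code from the original post or from the SharpUp project; it enumerates every installed service, reads its security descriptor with `sc.exe sdshow`, and reports any access-allowed entry that hands such a right to a principal other than SYSTEM, Administrators or TrustedInstaller. It assumes `sc.exe` is on the PATH and that it is run from an elevated PowerShell session so every descriptor can be read; the trusted SID list and the `Find-WeakServiceDacls` name are this example’s own choices.

```powershell
# Added example: audit service DACLs for configuration-write rights granted to
# untrusted principals. Not part of the original post or of SharpUp.

$ChangeConfig  = 0x00000002   # SERVICE_CHANGE_CONFIG: enough to rewrite binPath
$WriteDac      = 0x00040000   # WRITE_DAC: can grant oneself SERVICE_CHANGE_CONFIG
$WriteOwner    = 0x00080000   # WRITE_OWNER: take ownership, then WRITE_DAC
$GenericAll    = 0x10000000
$GenericWrite  = 0x40000000
$DangerousMask = $ChangeConfig -bor $WriteDac -bor $WriteOwner -bor $GenericAll -bor $GenericWrite

# Principals that are expected to hold these rights (assumed trusted set).
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Find-WeakServiceDacls {
    [CmdletBinding()]
    param([string[]]$TrustedSid = $TrustedSids)

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # sc.exe sdshow prints the service's security descriptor in SDDL form;
        # the line of interest starts with "D:" (the DACL).
        $sddl = (& sc.exe sdshow "$($svc.Name)" |
                 Where-Object { $_ -match '^\s*D:' } |
                 ForEach-Object { $_.Trim() }) -join ''
        if (-not $sddl) { continue }   # access denied or nothing returned

        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only allow-ACEs matter; deny-ACEs cannot grant anything.
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }

            $sid = $ace.SecurityIdentifier.Value
            if ($TrustedSid -contains $sid) { continue }

            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid }   # unresolvable SID (deleted account, foreign domain)

            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName      # LocalSystem is the worst case
                Principal  = $who
                AccessMask = '0x{0:X}' -f $ace.AccessMask
                BinPath    = $svc.PathName
            }
        }
    }
}

# A row with RunsAs = LocalSystem and Principal = Users/Authenticated Users/
# Everyone is exactly the daclsvc pattern described in this post.
Find-WeakServiceDacls | Sort-Object RunsAs -Descending | Format-Table -AutoSize
```

Remediation for a flagged service is to replace its DACL with `sc.exe sdset <name> "<SDDL>"`, keeping the write rights (`WP`, `DC`, `WD`, `WO`) for SYSTEM and Administrators only; a known-good reference is the descriptor `sc.exe sdshow` returns for a stock Windows service on the same host. Services whose ACE grants only read-style rights (`CC`, `LC`, `SW`, `LO`, `CR`, `RC`) to users are not reported, since those cannot change the binary path.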
Step 3: Exploiting the Service
Now that we know the service is modifiable, the next step is to query the service and check its configuration, specifically its SERVICE_START_NAME, which tells us the privilege level it runs with. We can do this using the following command:
As you can see, the daclsvc service is running as the NT AUTHORITY\SYSTEM account, which is the highest privilege level on Windows. This means that if we can modify the service and execute our payload, we’ll gain SYSTEM-level access.
Modify the service configuration to change the BINARY_PATH_NAME (binpath) to point to the reverse.exe executable we created earlier:
Step 4: Starting the Service
Now, start a Netcat listener on your Kali machine to catch the reverse shell. Once the listener is active, start the daclsvc service on the victim machine:
If everything has been set up correctly, the service will execute the reverse.exe payload, and you’ll receive a reverse shell running with SYSTEM privileges on your Netcat listener.
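From the defender’s side, the telling artifact of Steps 3 and 4 is a rewrite of the service’s ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services, which is what `sc config ... binpath=` changes on disk. The script below is an added example, not code from the original post: it pulls Sysmon registry value-set events (Event ID 13) and reports every one that targets a service ImagePath, together with the new value and the process that wrote it. It assumes Sysmon is installed with a configuration that logs value-set events for that registry subtree and that the caller can read the Sysmon operational log; the `Get-ServiceImagePathChanges` name and the "outside Windows or Program Files" heuristic are this example’s own choices.

```powershell
# Added example: surface service ImagePath rewrites from Sysmon Event ID 13.
# Not part of the original post. Requires a Sysmon config that records
# RegistryEvent (Value Set) for HKLM\SYSTEM\CurrentControlSet\Services.

function Get-ServiceImagePathChanges {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13                                   # RegistryEvent (Value Set)
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only writes to ...\Services\<name>\ImagePath, the value behind binPath.
        if (-not ($data['TargetObject'] -match '\\Services\\([^\\]+)\\ImagePath$')) { continue }
        $serviceName = $Matches[1]
        $newPath     = $data['Details']

        [pscustomobject]@{
            Time       = $event.TimeCreated
            Service    = $serviceName
            NewPath    = $newPath
            ByImage    = $data['Image']        # process that performed the write
            ByPid      = $data['ProcessId']
            # Heuristic (assumption): service binaries normally live under
            # Windows or Program Files; anything else deserves a look.
            Suspicious = -not ($newPath -match '^"?[A-Za-z]:\\(Windows|Program Files)')
        }
    }
}

# Most recent first; suspicious rows at the top.
Get-ServiceImagePathChanges -Hours 72 |
    Sort-Object Suspicious, Time -Descending |
    Format-Table -AutoSize
```

In the scenario above the row would show `daclsvc` with a new path under C:\PrivEsc\, written by sc.exe from a low-privileged user’s process, followed shortly by the service starting. Pairing this with the DACL audit from Step 2 closes both ends: the audit finds services that could be rewritten, and this query shows the ones that actually were.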
And that’s it! You’ve successfully escalated your privileges on a Windows machine by exploiting an insecure service. This technique is a powerful way to gain administrative access to a system once you’ve already compromised it.