Elevation of Privilege in Windows
Imagine this: you have a Meterpreter session on a machine and you are ready to run the getsystem command, but the attempt fails. Are you ready to admit defeat? Only a coward admits defeat. But you are not a coward, are you? You are a brave man!!!
In this article, I will introduce privilege escalation techniques in Windows and demonstrate how to escalate privileges manually, alongside the corresponding Metasploit module for each. Going from local administrator to SYSTEM makes some operations easier, but improper system configuration can also allow low-privileged users to escalate to high privileges.
Note: In this article we focus on privilege escalation that does not rely on kernel vulnerabilities such as KiTrap0d (one of the four techniques that Meterpreter's getsystem command tries).
Trusted Service Paths
This vulnerability lies in the file path to a service's binary. Services generally run with SYSTEM privileges, so if we can abuse such a service we may escalate to SYSTEM. Take the following file path as an example:
C:\Program Files\Some Folder\Service.exe
Because of the spaces in this path, Windows will try to find and execute a program named after the portion of the path that precedes each space, working through every possible match until one is found. For example, Windows will try to locate and execute the following programs, in this order:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe
Note: This behavior occurs when developers do not enclose the entire file path in quotation marks; quoting the path mitigates the vulnerability. For that reason this issue is also known as "Unquoted Service Paths".
If we place a specially crafted malicious file in one of these locations, it will run with SYSTEM privileges once the service is restarted. Before placing anything there, however, we must first make sure that we have write permission on the target folder. Let's look at how to discover and exploit this vulnerability.
First, we can use the following WMI query (credit: @Danial Compton) to list every auto-start service outside C:\Windows on the target machine whose binary path is not enclosed in quotation marks:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Bingo! The path of the PFNet service is unquoted and contains spaces. To exploit this we also need write permission on one of the folders in the path. Assuming we already have Administrator permission on the device, we can use the Windows built-in tool icacls to view the permissions on the affected folder in the path:
icacls "C:\Program Files (x86)\Privacyware"
Note the first line, BUILTIN\Users:(OI)(CI)(M), which lists the permissions of the Users group. (M) means modify permission, which is what we have: we can read, write, and delete files and subfolders in this folder. We are in luck! Now we can create a malicious program named Privatefirewall.exe in this folder. Let's get started!
Note: If we have the write permission for the Privacyware folder, we can do the same thing,
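As an added audit example (not code from the article), the Python below reproduces the discovery steps above in one place: it parses constructed wmic output of the same shape, flags auto-start services whose unquoted path contains spaces, lists the intermediate paths Windows would probe (whose parent folders are what the icacls check must cover), and builds the quoted path that fixes the service. Only the PFNet entry is taken from the article; the other service names and paths are made up.

```python
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode`
# output (columns separated by two or more spaces). The PFNet entry mirrors the
# article; the other services are made up.
SAMPLE_WMIC = r"""
Name      DisplayName        PathName                                                  StartMode
Spooler   Print Spooler      C:\Windows\System32\spoolsv.exe                           Auto
PFNet     Privatefirewall    C:\Program Files (x86)\Privacyware\Privatefirewall.exe    Auto
GoodSvc   Quoted Service     "C:\Program Files\Vendor\Good Service.exe" -run           Auto
OtherSvc  Other Service      C:\Program Files\Other\other.exe                          Manual
"""

def parse_wmic(text):
    """Split wmic's column output into dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", ln.strip()))) for ln in lines[1:]]

def executable_part(pathname):
    """Executable portion of an unquoted PathName (arguments stripped), or None
    when the path is already quoted and therefore not affected."""
    p = pathname.strip()
    if p.startswith('"'):
        return None
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p

def hijack_candidates(exe_path):
    """Locations Windows probes before the real binary: each prefix that ends at a
    space, with .exe appended (the search order described in the article)."""
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit(text, auto_only=True):
    """(service, exe, candidates) for every service that needs an ACL check."""
    findings = []
    for row in parse_wmic(text):
        if auto_only and row.get("StartMode", "").lower() != "auto":
            continue
        exe = executable_part(row["PathName"])
        if exe is None or " " not in exe or exe.lower().startswith("c:\\windows\\"):
            continue
        findings.append((row["Name"], exe, hijack_candidates(exe)))
    return findings

def quoted_fix(pathname):
    """The remediation: the same PathName with the executable enclosed in quotes."""
    exe = executable_part(pathname)
    return pathname.strip() if exe is None else f'"{exe}"' + pathname.strip()[len(exe):]
```

The parent folder of each candidate is what to check with icacls, as the article does; the value returned by quoted_fix is what an administrator would set as the service's binPath with sc config.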