It is known that running a windows service as local system it is a bad security practice as if this service is compromised in any way it would give the same level of privileges to an attacker as well. However it is also possible to escalate privileges from a service that is not running as SYSTEM but as a network service as well.

From Service Account to System

There are many occasions in penetration testing engagements that the penetration tester has managed to compromise a service like Apache, IIS, SQL, MySQL etc. but unfortunately this service is not running as local system or under a high privileged account but as network service.

Apache Service running as Network Service
Apache Service running as Network Service

The list of available tokens via Meterpeter in this case is limited only to the Network Service as the Apache is running under this account.

Network Service Available Tokens
Meterpreter – Available Tokens

However there is a technique which can be used that tries to trick the “NT Authority\System” account to negotiate and authenticate via NTLM locally so the token for the “NT Authority\System” account would become available and therefore privilege escalation possible. This technique is called Rotten Potato and it was introduced in DerbyCon 2016 by Stephen Breen and Chris Mallz.

Privilege Escalation - Rotten Potato
Privilege Escalation – Rotten Potato

Service Running as Administrator

Alternatively if the service is running as high privileged user like administrator or if the service allows users to connect via Windows authentication (i.e. SQL Server allows that) then it is possible to escalate privilege by impersonating the token of the administrator account.

Apache Service Running as Administrator
Apache Service Running as Administrator

This can be done through the Metasploit Framework incognito extension or directly through MWR Infosecurity tool incognito.

Metasploit - Token Impersonation
Metasploit – Token Impersonation
Incognito - Token Impersonation
Incognito – Listing the available tokens

PowerSploit

Manipulation of system tokens can be done also through PowerSploit as Joseph Bialek inspired by the tool incognito wrote a PowerShell script which can perform the same activities.

PowerSploit - Token Enumeration
PowerSploit -Token Enumeration

 

PowerSploit - Token Manipulation
PowerSploit – Token Manipulation

References

Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM

https://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/

https://labs.mwrinfosecurity.com/blog/incognito-v2-0-released/

https://www.trustedsec.com/january-2015/account-hunting-invoke-tokenmanipulation/

Leave a comment