weyne/pwnwiki.github.io
1
0
Fork 0
mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #82 from v-p-b/master

Browse Source 
Added Windows privesc tools and info about unquoted services
This commit is contained in:
tekwizz123 2014-06-07 19:48:46 +01:00
commit f97a9697ab
1 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
privesc/windows/index.md
View File

@ -14,3 +14,35 @@ Command that can be executed from the context of a shell prompt that help escala
* `net use \\[computername|IP] /user:DOMAIN\username password`
* `net time \\[computername|IP]`
* `at \\[computername|IP] 13:20 c:\temp\evil.bat`
# Service security
### Unquoted service names
Services with unquoted binary paths may allow privilege escalation.
* Assume ServiceA refers to the unquoted path C:\Program Files\Some Service\service.exe
* Service is started with desirable privileges (e.g. domain, SYSTEM)
* If attacker can create files as c:\Program.exe or ''c:\Program Files\Some.bat'' the next time the service starts the attacker controlled binary will execute
* This is because the system can not decide if a space in the command string indicates a space in the binary path or a separator between command line arguments. The system starts with the first substring before the first space and checks if there is a file with an executable extension there (in this case C:\Program.exe, C:\Program.bat, etc.). If there is not, it checks for the next substring (C:\Program Files\Some.exe, C:\Program Files\Some.bat, etc.) and so on. If you can create a file that is checked before the intended executable, you win.
* The scenario is typical when services are created from the command line with sc: `sc create PrivEsc binpath= "..."`
# Tools
* [Windows Privesc Check](https://code.google.com/p/windows-privesc-check/)
* Python + PyInstaller
* No unicode support ([attempt to fix this](https://github.com/silentsignal/wpc))
* Awful code base
* [Windows Privesc Check 2.0](https://github.com/silentsignal/wpc/tree/wpc-2.0)
* Python + PyInstaller
* Code is still very hard to maintain
* Still painful to use on non-English systems
* [PowerUp](https://github.com/HarmJ0y/PowerUp)
* Smart PowerShell cmdlets (you can run these at remote hosts also!)
* Offensive approach
* Checks only the privileges of the executing user
* [WPC-PS](https://github.com/silentsignal/wpc-ps)
* PowerShell
* Tends to check privileges for all accounts (thus identifying potential targets for privesc)
* Still experimental