windows privilege escalation by dhruv shah
Windows Privilege Escalation
Because gaining shell to the system is just not enough
C:\> type disclaimer.txt
• The opinions expressed in this presentation are mine and not those of my employer.
• Dhruv Shah
• @snypter
• http://security-geek.in
What are we here for?
• Different scenarios leading to privilege escalation
• Design issues, implementation flaws, untimely system updates, permission issues, etc.
• We ain’t talking about overflows here, just logic and techniques
Which flavours are we looking at?
• Windows XP
• Windows 7
• Windows 2003
Two Types of Escalation
• Admin to System – Easy, not much effort needed
• User to System – Here is where the real deal lies
Admin to System
( Piece of Cake )
• The famous “at” command
• “psexec” anyone ?
Demo
System Privilege using “at”
Pass the Hash
• Managed to get the user hash
• Password is complex, will take a long time to crack via rainbow tables
• Boom Boom Pow.
Abusing Scheduled Tasks
• Admin creates a scheduler task with System privileges
• Sadly the file to be executed is accessible by everyone
Demo
Creds in Files
• C:\users\victim\Desktop\password.xls
• C:\>dir /b /s web.config
• C:\>dir /b /s unattend.xml
• C:\>dir /b /s sysprep.inf
• C:\>dir /b /s sysprep.xml
• C:\>dir /b /s *pass*
• The registry is also a good place to have a look at
Weak Directory Permissions
Let’s have some fun
Demo
Abusing Service misconfigurations
• Possible attack vectors?
– Editing the service config
– Editing the binary path
Today’s Discussion – Unquoted Service Path Vulnerability
Unquoted Service Path
• c:\program*files\sub*dir\program*name (asterisks mark the spaces in the unquoted path)
• c:\program.exe files\sub dir\program name
• c:\program files\sub.exe dir\program name
• c:\program files\sub dir\program.exe name
Demo
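As an added example (not part of the presentation), a small Python audit that models the search order shown above for an unquoted service path with spaces, flags such entries, and produces the quoted fix; the service entries are constructed sample data and the argument-splitting rule is a simplifying assumption.

```python
import re

# Constructed sample ImagePath strings in the shape stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not from a live host).
SAMPLE_SERVICES = [
    ("GoodSvc", r'"C:\Program Files\Vendor App\svc.exe" -run'),
    ("BadSvc", r'C:\Program Files\Vendor App\sub dir\program name.exe -run'),
    ("SysSvc", r'C:\Windows\system32\svchost.exe -k netsvcs'),
    ("NoSpace", r'C:\Tools\agent.exe'),
]

def executable_part(image_path: str) -> str:
    """Executable portion of an unquoted ImagePath; arguments are assumed to
    start after the first token ending in .exe (simplifying assumption)."""
    m = re.match(r'(.*?\.exe)\b', image_path, re.IGNORECASE)
    return m.group(1) if m else image_path

def search_candidates(exe_path: str) -> list:
    """Files Windows tries, in order, for an unquoted path containing spaces:
    each space-delimited prefix (.exe appended when it has no extension),
    finishing with the full path."""
    tokens = exe_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        candidates.append(prefix)
    candidates.append(exe_path)
    return candidates

def is_unquoted_with_spaces(image_path: str) -> bool:
    """Risky: unquoted, a space in the executable part, and outside C:\\Windows
    (where standard users cannot normally create files)."""
    if image_path.startswith('"'):
        return False
    exe = executable_part(image_path)
    return " " in exe and not exe.lower().startswith("c:\\windows\\")

def quote_image_path(image_path: str) -> str:
    """The fix: wrap the executable part in double quotes, keeping arguments."""
    if image_path.startswith('"'):
        return image_path
    exe = executable_part(image_path)
    return f'"{exe}"{image_path[len(exe):]}'

def audit(services: list) -> list:
    """(service name, paths tried before the real binary) for each risky entry."""
    return [(name, search_candidates(executable_part(path))[:-1])
            for name, path in services if is_unquoted_with_spaces(path)]
```

Each path in an audit finding should be checked for directory write permissions; quoting the ImagePath removes the condition entirely.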
Editing Service Binaries
• What are service binaries?
• How do we exploit them?
• Let’s exploit upnphost, a default service that runs on the Windows system
Editing Service Binaries
Demo
Thank you
• Questions?