Windows Privilege Escalation

Because gaining shell to the system is just not enough

C:\> type disclaimer.txt

• The opinions expressed in this presentation are mine and not those of my employer.

• Dhruv Shah• @snypter• http://security-geek.in

What are we here for ?

• Different scenarios leading to privilege escalation

• Design issues , implementation flaws, untimely system updates , permission issues etc

• We ain’t talking about overflows here , just logics and techniques

Flavours are we looking at ?

• Windows XP• Windows 7 • Windows 2003

Two Types of Escalation

• Admin to System– Easy , not much effort needed

• User to System– Here is where the real deal lies in

Admin to System

( Piece of Cake )

• The famous “at” command

• “psexec” anyone ?

Demo

System Privilege using “at”

Pass the Hash

• Managed to get the user hash• Password is complex will take long time to

crack via rainbowtables• Boom Boom Pow.

Abusing Scheduled Tasks

• Admin creates a scheduler task with System privileges

Abusing Scheduled Tasks

• Sadly the file to be executed is accessible by everyone

Demo

Creds in Files

• C:\users\victim\Desktop\password.xls• C:\>dir /b /s web.config• C:\>dir /b /s unattend.xml• C:\>dir /b /s sysprep.inf• C:\>dir /b /s sysprep.xml• C:\>dir /b /s *pass*• Registries are also a good place to have a look

at

Weak Directory Permissions

Lets have some fun

Demo

Abusing Service misconfigurations

• Possible attack vectors ?– Editing the service config– Editing the binary path

Todays Discusssion – Unquoted Service path Vulnerability

Unquoted Service Path

Unquoted Service Path

• c:\program*files\sub*dir\program*name• c:\program.exe files\sub dir\program name• c:\program files\sub.exe dir\program name• c:\program files\sub dir\program.exe name

Unquoted Service Path

Unquoted Service Path

Demo

Editing Service Binaries

• What are service binaries ? • How do we exploit them ?

• Lets exploit upnphost of the Windows system a default servcice that runs

Editing Service Binaries

Editing Service Binaries

Editing Service Binaries

Demo

Thank you

• Questions ?