📁Executable Files
In the context of Windows Privilege Escalation, executable files play a crucial role. Specifically, the focus is often on unquoted service paths, which can lead to privilege escalation vulnerabilities.
An unquoted service path vulnerability occurs when the path to a service executable lacks quotes and contains spaces, for example C:\Program Files\SomeExecutable.exe. If the service path is unquoted and the user has permissions to manipulate objects in the specified path, it may be exploited for privilege escalation.
Overview
So first, go to your rdesktop window and open the PowerUp file:
Run a
Next we ran the command C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service" and it reveals a potential security risk related to unrestricted file permissions. Specifically, it highlights that the "Everyone" group possesses "FILE_ALL_ACCESS" permissions on the filepermservice.exe executable.
Accesschk64: Accesschk is a Windows utility used for checking effective permissions on files, directories, registry keys, etc. The command accesschk64.exe -wvu "C:\Program Files\File Permissions Service" is checking the permissions of the specified file.
-wvu options:
-w: Checks the effective permissions.
-v: Verbose mode, provides detailed output.
-u: Shows ownership information.
It was first seen in the powerUp output:
and then confirmed manually:
Observe the output for the filepermservice.exe file. If the "Everyone" group has "FILE_ALL_ACCESS" permissions, it indicates a potential security vulnerability.
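The two conditions described above (an unquoted ImagePath containing spaces, and a service binary whose ACL grants write-type rights to a broad group such as Everyone) can be audited across every service on a host in one pass. The script below is an added example written for this page; it is not part of the original writeup and is not PowerUp or Accesschk. It assumes a PowerShell 5.1 or newer session on the machine being audited and reads service definitions through the Win32_Service CIM class; the list of "broad" principals and the set of rights treated as write-capable are the author's assumptions and can be adjusted.

```powershell
# Added audit example (not from the original writeup): enumerate services and flag
# (a) unquoted ImagePath values whose executable path contains spaces, and
# (b) service binaries whose ACL grants write-type rights to broad groups.
# Assumes PowerShell 5.1+ on the audited host; principal list and rights mask are assumptions.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace, alter, or re-ACL the binary
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDAC -bor
             [System.Security.AccessControl.FileSystemRights]::WriteOwner -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # Expand %SystemRoot% etc., then pull the executable out of the command line.
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted: everything up to and including the first ".exe"
    $idx = $expanded.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $expanded.Substring(0, $idx + 4) }
    return $expanded.Split(' ')[0]
}

function Test-UnquotedServicePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    # Vulnerable pattern: no leading quote and the executable path itself contains a space
    if ($p.StartsWith('"')) { return $false }
    $exe = Get-ServiceBinaryPath -ImagePath $p
    return ($exe -match ' ')
}

function Get-WeakBinaryAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    } | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }   # skip kernel-style entries with no path
    $exe = Get-ServiceBinaryPath -ImagePath $svc.PathName
    $findings = @()
    if (Test-UnquotedServicePath -ImagePath $svc.PathName) {
        $findings += 'unquoted path with spaces'
    }
    $weak = @(Get-WeakBinaryAcl -Path $exe)
    if ($weak.Count -gt 0) {
        $findings += "writable by: $($weak -join '; ')"
    }
    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Service   = $svc.Name
            StartName = $svc.StartName   # account the service runs as
            Binary    = $exe
            Finding   = ($findings -join ' | ')
        }
    }
} | Format-Table -AutoSize
```

A service that shows up with "writable by: Everyone: FullControl" under an account such as LocalSystem is the same condition the accesschk output above reports as FILE_ALL_ACCESS for "Everyone". Remediation is to strip the broad write ACE from the binary and its directory (for example with icacls and /remove:g) and, for the unquoted case, to quote the ImagePath so the service control manager resolves exactly one executable.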
Escalation
Download the x.exe file from the previous room on your Windows machine again, but this time save it at this location and overwrite the already existing filepermservice file:
For the moment, we don't have any unusual people in our local Administrators group:
except if we do a
That's more than an easy win.
So basically, with the PowerUp tool we found an executable file called filepermsvc that was modifiable by anyone, so we overwrote it with a malicious C file that escalated us into the local Administrators group.
If needed, here is the malicious C file: