16 Win. Priv. esc. Leveraging Windows Services Flashcards
What is a Windows service ? What is similar in linux world ?
A Windows Service is a long-running background executable or application managed by the Service Control Manager and is similar to the concept of daemons on Unix systems.
How can be managed a windows service ? (3)
Windows services can be managed by the Services snap-in, PowerShell, or the sc.exe command line tool. Windows uses the LocalSystem (includes the SIDs of NT AUTHORITY\SYSTEM and BUILTIN\Administrators in its token), Network Service, and Local Service user accounts to run its own services. Users or programs creating a service can choose either one of those accounts, a domain user, or a local user.
What windows service are important for priv. esc. ?
Windows services are one of the main areas to analyze when searching for privilege escalation vectors. In this Learning Unit, we’ll review three different ways to elevate our privileges by abusing services.
What is Service Binary Hijacking ?
Each Windows service has an associated binary file.
A scenario in which a software developer creates a program and installs an application as a Windows service. During the installation, the developer does not secure the permissions of the program, allowing full Read and Write access to all members of the Users group. As a result, a lower-privileged user could replace the program with a malicious one. To execute the replaced binary, the user can restart the service or, in case the service is configured to start automatically, reboot the machine. Once the service is restarted, the malicious binary will be executed with the privileges of the service, such as LocalSystem.
How get a list of all installed Windows services ? What are the interesting information (3)
Get-Service
Get-CimInstance
Get-CimInstance -ClassName win32service | Select Name,State,PathName | Where-Object {$.State -like ‘Running’}
Two XAMPP services Apache2.4 and mysql stand out as the binaries are located in the C:\xampp\ directory instead of C:\Windows\System32. This means the service is user-installed and the software developer is in charge of the directory structure as well as permissions of the software. These circumstances make it potentially prone to service binary hijacking.
How enumerate the permissions on both service binaries ?
We can choose between the traditional icacls Windows utility or the PowerShell Cmdlet Get-ACL.
Listing permisions with icals, what are the most useful flag ?
Mask:
F => Full access
M => Modify access
RX => Read and execute access
R => Read-only access
W => Write-only access
How list permissions of binary file “C:\xampp\apache\bin\httpd.exe” ?
How interpret the results :
1.
C:\xampp\apache\bin\httpd.exe BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Users:(RX)
NT AUTHORITY\Authenticated Users:(RX)
Successfully processed 1 files; Failed processing 0 files
2.
XXXX> “C:\xampp\mysql\bin\mysqld.exe”
C:\xampp\mysql\bin\mysqld.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Users:(F)
icacls “C:\xampp\apache\bin\httpd.exe”
- As member of the built-in Users group, dave only has Read and Execute (RX) rights on httpd.exe, meaning we cannot replace the file with a malicious binary.
- The output of listing shows that members of the Users group have the Full Access (F) permission, allowing us to write to and modify the binary and therefore, replace it. Due to the missing indicator (I) preceding this permission, we know that it was set on purpose and not inherited by the parent directory.
Latest read paraph for next time
16.2.1 Service Binary Hijacking
The output of Listing 43 shows that members of the Users group have the Full Access (F) permission, allowing us to write to and modify the binary and therefore, replace it. Due to the missing indicator (I) preceding this permission, we know that it was set on purpose and not inherited by the parent directory. Administrators often set Full Access permissions when they configure a service and are not entirely sure about the required permissions. Setting it to Full Access avoids most permission problems, but creates a security risk as we’ll show in this example.
