- Hunting for Weak Startup Folder Permissions
- Manually Enumerating Startup Applications
- Enumerating Startup Applications Using Tools
- Exploiting Weak Startup Application Permissions

On Windows machines there are multiple ways to automatically start a program, which include: services, startup registry keys, and startup applications. In terms of Windows privilege escalation, most often we will find that vulnerabilities affecting programs that start automatically are due to weak file / folder permissions.

In this post, we will see how we can leverage loose permissions on the machine Startup folder to obtain an administrator shell. To start, we will see how we can enumerate the target's Startup folder permissions. From there, we will discover that our current user has the ability to write in the "machine" startup folder. With this discovery, we will see how we can craft a custom batch script right on the victim in the Startup folder. Then, we will see how we are able to elevate to an admin shell once the administrator account logs on.

## Hunting for Weak Startup Folder Permissions

When a user logs on to the system, there are two folders, called the Startup folders, from which programs automatically start (execute). The Startup folders can be found in the following locations:

- C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

The first folder is tied to the specific user logging on and only executes for that user. The second folder, however, is the machine startup folder, which means that any startup applications in that folder (executables or batch scripts) will execute when ANY user logs on to the system. Since we are interested in escalating our privileges, we will only be focusing on the machine startup folder for this exploit. We can enumerate the Startup folder permissions using built-in commands as well as tools.

## Manually Enumerating Startup Applications

For this example we have obtained a foothold on a Windows 10 target as a standard user, cmarko. With a foothold established on the victim, we can begin our enumeration using manual techniques. One of the things that should always be checked is the permissions on the machine Startup folder. To do this, we can use the icacls command, which is a built-in command used to check the permissions of folder and file ACLs.

The permissions we are looking for on the folder are any one of the following three permissions:

- F (full access)
- M (modify)
- W (write)

The users / groups we are looking for are the following:

- The user we are currently logged in as (%USERNAME%)

If we find that the folder shows any of the three permissions (F, M, W) assigned to any of the above users / groups, we can exploit this to get an admin shell!

```
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
```

From this output we can see that the user we currently have a foothold on the system as has (W) next to their name, which means that they have write permissions on this folder!

## Enumerating Startup Applications Using Tools

Tools we can use to find this misconfiguration are accesschk.exe from the Sysinternals Suite of Tools as well as any of the good privilege escalation scripts. For this example we will use winPEAS.exe. You can download Sysinternals here and a compiled version of winPEAS.exe here.

With both of the above tools on our attacker machine, we will see how we can use them to enumerate the machine Startup folder. However, before we transfer any tools onto the victim, we should determine the architecture of the operating system so that we transfer the correct versions of our tools.

```
systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"
```

Here we can see that the victim is running a Windows 10 Pro machine – Build 17134 (version 1803) with a 64-bit operating system.

### accesschk.exe

First we will use accesschk64.exe to enumerate the permissions on the folder. This tool works a lot like icacls except it has the ability to extract the permissions from more than just file and directory ACLs. Technically, using accesschk can be considered a manual technique; however, the tool is not built-in, so we need to label it as such. We can transfer a copy of accesschk64.exe to our victim using any of the techniques found in this post here. With accesschk64.exe on the system, we can use the following command to enumerate the machine Startup folder.

```
.\accesschk64.exe -wvud "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" -accepteula
```

Here we can see that our current user has write permissions (FILE_ADD and FILE_WRITE) on the Startup folder, just the same as we saw with icacls.
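The same check from the defender's side, as an added example that is not part of the original post: this PowerShell audits the machine Startup folder ACL and reports any write-capable ACE held by a principal other than SYSTEM, Administrators or TrustedInstaller, which is exactly the condition icacls and accesschk reveal above. The function name Get-WeakStartupAce, the expected-writer list and the write-bit mask are my own assumptions.

```powershell
# Added example, not from the original post: audit the machine Startup folder ACL
# for write-capable ACEs held by principals other than the ones expected to own it.
$StartupFolder = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'

# Bits that let a principal plant or alter an item in the folder. icacls W, M and F
# all include WriteData; GENERIC_WRITE / GENERIC_ALL cover ACEs written with generic rights.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData                   # 0x2: create/write files
$WriteBits = $WriteBits -bor [int][System.Security.AccessControl.FileSystemRights]::AppendData  # 0x4: create subfolders
$WriteBits = $WriteBits -bor 0x40000000 -bor 0x10000000                                         # GENERIC_WRITE, GENERIC_ALL

# Principals that hold write access on this folder by default (assumed baseline).
$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-WeakStartupAce {
    param([string]$Path = $StartupFolder)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. CREATOR OWNER) apply to children, not to the folder itself.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($ExpectedWriters -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$weak = @(Get-WeakStartupAce)
if ($weak.Count -eq 0) {
    "OK: no write-capable ACEs for non-administrative principals on $StartupFolder"
} else {
    "WARNING: the following principals can write to $StartupFolder (anything placed here runs at every user's logon):"
    $weak | Format-Table -AutoSize
    # Review what is already present; each entry executes in the context of every user who logs on.
    Get-ChildItem -Path $StartupFolder -Force | Select-Object Name, LastWriteTime, Length | Format-Table -AutoSize
}
```

Run it from a standard user session: reading the folder's ACL needs no elevation, so a finding here means the same thing the icacls (W) entry above means, and the fix is to remove the offending ACE with icacls /remove or Set-Acl.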