![]() Once nc.exe is uploaded to your victim, take note of its current path, because we will need it now we are going to edit the parameters from the upnphost service. You can download the Windows executables (32bit and 64bit) from Netcat here. Again, don't forget to put your FTP session in binary, or you won't be able to execute the executable via CLI. What we will do is upload the netcat binary (nc.exe) to our victim. One option is to generate our own binary with msfvenom, but that's out of scope for this article. There are multiple ways to approach this. ![]() We first need to edit its parameters so the service will execute a binary of our choice. If we run upnphost now though, it won't do much good for us. The SSDP Discovery Service service was started successfully.Īwesome! We now have our dependency running to start the upnphost service. The SSDP Discovery Service service is starting. SSDPSRV is successfully set to AUTOMATIC (AUTO_START)! Now let's try to start SSDPSRV again. # Double check if it's set to AUTOMATIC (or AUTO_START) This is important, else the command will fail. # NOTE: There is a space between = and auto. We can do this with the following commands. Once the service is set to AUTOMATIC we will be able to start it. In order to fix this, we will need to set the SSDPSRV from DISABLED to AUTOMATIC. The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) If we try to start this service, we will get an error, as shown below. If we take a look at the current status of SSDPSRV with the command sc query SSDPSRV we can see that the service is currently STOPPED. As you can see upnphost has a dependency, it requires SSDPSRV to run aswel. Upnphost is the service we are going to use to escalate our privileges. SERVICE_START_NAME : NT AUTHORITY\LocalService When we edit these services so they execute a binary of our choice, we can escalate our privileges to SYSTEM.īefore we exploit these services, let's check out how their parameters look at the moment.īINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalServiceĭISPLAY_NAME : Universal Plug and Play Device Host ![]() Let's take a closer look at both services.Ĭ:\> accesschk.exe /accepteula -ucqv SSDPSRVĬ:\> accesschk.exe /accepteula -ucqv upnphost The output implies that we have access to two services from which we can edit the service parameters, named upnphost and SSDPSRV. # If we are on a Windows XP SP0 or SP1 OS we will receive the following output We can do this with the following query:Ĭ:\> accesschk.exe /accepteula -uwcqv "Authenticated Users" * Once you have uploaded the older version of accesschk.exe to your victim, we can use it to look for vulnerable services we can exploit. With that issue out of the way, let's continue. You can download older versions with the /accepteula parameter from here and here. That being said, we will have to download an older version of accesschk.exe to fulfill our needs. In older versions of accesschk.exe there was a parameter /accepteula which did exactly that, but they removed the parameter in newer releases. ![]() Wouldn't they build in some kind of parameter in the accesschk.exe binary to accept the EULA via CLI? Yes, they actually did. If we run accesschk.exe via CLI it would freeze our shell. Why you ask? Well, when you run accesschk.exe for the first time in a GUI environment, it will give you a pop up window asking you to accept their EULA. When accesschk.exe is uploaded and we execute the latest version of accesschk.exe from SysInternals, we won't be able to execute this in our low level shell. You can do this by typing 'binary' in your FTP session. NOTE: Any binary you transfer via FTP requires you to set your FTP session to binary. In order to check if we have any vulnerable service(s) on our system, we need to download accesschk.exe from SysInternals, and transfer it to our victim's machine via the low privilege shell we have already established. Vulnerable in this case, means that we can edit the services' parameters. Most services in newer Windows versions (starting from Windows XP SP2) are no longer vulnerable. If you meet the requirements above, we can continue! This method of privilege escalation relies on vulnerable Microsoft Services. You have enumerated this machine and concluded that the operating system is Windows XP with SP0 or SP1 installed. REQUIREMENTS: This article assumes that you have already obtained a low privilege shell on your victim's computer.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |