
Remote Host Weak Services|Folders Path Permissions

pedro ubuntu edited this page Mar 19, 2020 · 62 revisions

Description

This module allows attackers to search a remote host for weak 'Service|Folder' path permissions [ Everyone:(F)(M) or unquoted service path vulnerabilities ] and also for 'Rotten Potato' vulnerable settings. This type of vulnerability in the Windows file system allows attackers to hijack the execution of an original binary in order to 'Elevate Privileges|Bypass UAC', or simply to run a malicious binary every time the service is started (achieving persistence). [url] File System Permissions Weakness - MITRE ATT&CK T1044

Remark

  • None of the modules used in this article require the client to be executed with admin privileges
  • Some modules use the 'icacls.exe' Windows native binary to retrieve 'Folder|Files' permissions
  • This module helps attackers identify 'Privilege Escalation or UAC bypass' vulnerabilities
  • None of the modules described in this article will 'exploit' any vulnerability found (they only report).



Retrieve User Selected Folder Permissions

1º - Select meterpeter 'AdvInfo' Module

2º - Select meterpeter 'ListPriv' Module

3º - Select meterpeter 'Check' Module
This module allows the attacker to manually input one directory to be scanned for 'Mitre T1044'.



Search for weak Folder Permissions recursively

1º - Select meterpeter 'AdvInfo' Module

2º - Select meterpeter 'ListPriv' Module

3º - Select meterpeter 'WeakDir' Module
This module starts scanning recursively from the user-input directory for 'Everyone (F) (M)' weak permissions in folder|file paths and presents a list of the directories found (if any). Those directories can then be used to 'Elevate Privileges' as described in the following article: 'greyhathacker.net', or to execute your binary|application with 'SYSTEM' privileges.
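The check that the 'Check' module (one directory) and the 'WeakDir' module (recursive) perform can be reproduced with PowerShell's Get-Acl, which reads the same ACEs that 'icacls.exe' prints as (F) and (M). The following audit function is an added example, not meterpeter's own code; it assumes a non-elevated PowerShell session on the host being audited, and the identity list and the `-Recurse` switch are choices made here, not module parameters.

```powershell
# Added audit example (not meterpeter code): report files and folders whose ACL
# grants Modify or FullControl to a broad, low-privileged identity.
# Assumption: run as a standard user; ACLs that cannot be read are skipped.

function Get-WeakPathPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # start directory, as the 'Check'/'WeakDir' modules ask for
        [switch] $Recurse,                       # descend into subfolders and files, like 'WeakDir'
        [string[]] $BroadIdentities = @(         # identities any local user is a member of (assumed list)
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE')
    )

    # icacls (F) == FullControl, (M) == Modify. Both are composite masks, so an ACE
    # "has" the right only when every bit of the mask is present.
    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify

    $items = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip rather than report

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadIdentities -notcontains $ace.IdentityReference.Value) { continue }

            # ACEs carrying only generic rights show up as raw numbers and are not
            # mapped by this test; review those by hand with icacls.
            $rights  = $ace.FileSystemRights
            $hasFull = (($rights -band $full)   -eq $full)
            $hasMod  = (($rights -band $modify) -eq $modify)
            if (-not ($hasFull -or $hasMod)) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = if ($hasFull) { 'FullControl (F)' } else { 'Modify (M)' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage, single directory (the 'Check' case):
#   Get-WeakPathPermission -Path 'C:\Program Files\SomeApp'
# Usage, recursive (the 'WeakDir' case):
#   Get-WeakPathPermission -Path 'C:\Program Files' -Recurse | Format-Table -AutoSize
```

A hit is only a finding when the path is used by something running with higher privileges (a service binary, a scheduled task, a DLL search directory); the remediation is to remove the Modify/FullControl ACE for the broad group with `icacls` and to re-check that the ACE is not re-inherited from the parent folder.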



Search for Unquoted Service Folder Paths

1º - Select meterpeter 'AdvInfo' Module

2º - Select meterpeter 'ListPriv' Module

3º - Select meterpeter 'Service' Module
This module searches the 'Services' for any binary paths that contain spaces in a folder name and are unquoted. These directories can then be used to 'Elevate Privileges' as described in the following article: 'ired.team', or to execute your binary|application with 'SYSTEM' privileges, or even to 'persist' your client at service start|startup.
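The condition the 'Service' module looks for is an unquoted ImagePath with a space somewhere before the executable name: when the Service Control Manager starts such a service, CreateProcess tries each shorter prefix ("C:\Program.exe", "C:\Program Files\My.exe", ...) before the real binary. The function below is an added example, not meterpeter's own code; it assumes a standard-user session (Win32_Service is readable without elevation) and the CandidatePaths field is a name chosen here.

```powershell
# Added audit example (not meterpeter code): list services whose binary path is
# unquoted and contains a space, together with the shorter paths Windows would
# try first. Assumption: any user may read Win32_Service; changing a service
# definition to fix it requires admin rights.

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if ([string]::IsNullOrWhiteSpace($cmd)) { return }
        if ($cmd.StartsWith('"')) { return }            # already quoted: not affected

        # Take everything up to the first ".exe" (arguments after it are irrelevant)
        if ($cmd -match '^(?<exe>.*?\.exe)') { $exe = $Matches['exe'] } else { return }
        if ($exe -notmatch '\s') { return }             # no space before the executable: not affected

        # Each prefix ending at a space is a path the loader may try before the real one.
        $parts = $exe -split '\s+'
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            (($parts[0..($i - 1)]) -join ' ') + '.exe'
        }

        [pscustomobject]@{
            Service        = $_.Name
            StartName      = $_.StartName    # account the service runs as; LocalSystem is the worst case
            StartMode      = $_.StartMode
            PathName       = $cmd
            CandidatePaths = @($candidates)  # directories a defender must confirm are not user-writable
        }
    }
}

# Usage:
#   Get-UnquotedServicePath | Format-List
```

An unquoted path is only exploitable when one of the candidate directories is writable by a standard user, so pair this with a folder-permission check on each parent directory. The fix is to quote the path in the service definition, for example `sc.exe config <service> binPath= "\"C:\Program Files\My App\svc.exe\""` from an elevated prompt, which leaves the binary and its arguments unchanged.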



Search for Rotten Potato Vulnerability

1º - Select meterpeter 'AdvInfo' Module

2º - Select meterpeter 'ListPriv' Module

  • Remark
The client must be executed without ADMINISTRATOR privileges for the report information to be correct.

3º - Select meterpeter 'RottenP' Module
In the 1º screenshot we executed the client with admin privileges: meterpeter reports that one vulnerable setting was found ('SeImpersonatePrivilege'), but this setting is normal under an elevated process (elevated console = elevated privileges = normal behaviour).

[screenshot 1: client executed with admin privileges]

In the 2º screenshot we executed the client without admin privileges: meterpeter reports that no vulnerable settings were found (normal behaviour for a 'NON VULN' target system; the presence of any of these settings under 'USER' privileges reveals that we are in fact dealing with a vulnerable system).

[screenshot 2: client executed without admin privileges]
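The two screenshots make one point: 'SeImpersonatePrivilege' on the token is only a finding when the process is not elevated, because an elevated administrator token holds it by design. The following function is an added example, not meterpeter's own code; it reads the current token with `whoami /priv`, records whether the session is elevated, and words its assessment accordingly. The second privilege it watches, 'SeAssignPrimaryTokenPrivilege', and the Assessment strings are choices made here, not module output.

```powershell
# Added audit example (not meterpeter code): report impersonation privileges on the
# current token and whether the session is elevated, so that an expected admin
# finding is not mistaken for a vulnerable setting.
# Assumption: whoami.exe is available (it ships with Windows).

function Test-ImpersonatePrivilege {
    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # 'whoami /priv' lists every privilege on the token, enabled or disabled.
    $privLines = whoami /priv 2>$null
    $watched   = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

    $found = foreach ($line in $privLines) {
        foreach ($p in $watched) {
            if ($line -match "^$p\s") {
                [pscustomobject]@{
                    Privilege = $p
                    State     = if ($line -match 'Enabled\s*$') { 'Enabled' } else { 'Disabled' }
                }
            }
        }
    }
    $found = @($found)

    # Same token, different meaning depending on elevation (the page's two screenshots).
    if ($isElevated -and $found.Count -gt 0) {
        $assessment = 'Expected: an elevated token normally holds these privileges'
    } elseif ($found.Count -gt 0) {
        $assessment = 'Review: a non-elevated token holds an impersonation privilege'
    } else {
        $assessment = 'Normal: no impersonation privilege on this token'
    }

    [pscustomobject]@{
        User       = $identity.Name
        Elevated   = $isElevated
        Privileges = $found
        Assessment = $assessment
    }
}

# Usage:
#   Test-ImpersonatePrivilege | Format-List
```

Run it twice, once from a normal console and once from an elevated one, to see the same distinction the screenshots show. On a hardened host the 'Review' result usually traces back to a service account (IIS application pools, SQL Server) whose token carries the privilege; the mitigation is to run such workloads under accounts that do not need it, or to remove it with the "Impersonate a client after authentication" user-right assignment in local security policy.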



Search in registry for Weak Services permissions

1º - Select meterpeter 'AdvInfo' Module

2º - Select meterpeter 'ListPriv' Module

3º - Select meterpeter 'RegACL' Module
This module asks the attacker to input the User\Group ('owner of the process') and lists all insecure HKLM registry service permissions that contain the 'FullControl' flag (if any are found).

Example searching the 'NT AUTHORITY\SYSTEM' User\Group

Example searching the 'BUILTIN\Users' User\Group
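The registry check behind the 'RegACL' module can be reproduced with Get-Acl on the service keys under HKLM\SYSTEM\CurrentControlSet\Services, whose ACEs carry RegistryRights instead of FileSystemRights. The function below is an added example, not meterpeter's own code; it assumes a standard-user session (keys whose ACL cannot be read are skipped), and the `-IncludeWriteRights` switch is an addition made here, not a module option.

```powershell
# Added audit example (not meterpeter code): list service registry keys where the
# given User\Group holds FullControl. With -IncludeWriteRights it also reports
# SetValue/CreateSubKey, which are enough to change a service's ImagePath.
# Assumption: run as a standard user; unreadable keys are skipped.

function Get-WeakServiceKeyAcl {
    param(
        [string] $Identity = 'BUILTIN\Users',   # the User\Group the RegACL module asks for
        [switch] $IncludeWriteRights            # also report partial write rights, not only FullControl
    )

    $root  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $full  = [System.Security.AccessControl.RegistryRights]::FullControl
    $write = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey

    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $Identity) { continue }   # case-insensitive in PowerShell

            $rights  = $ace.RegistryRights
            $isFull  = (($rights -band $full) -eq $full)
            $isWrite = (($rights -band $write) -ne 0)
            if ($isFull -or ($IncludeWriteRights -and $isWrite)) {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage, matching the two examples above:
#   Get-WeakServiceKeyAcl -Identity 'NT AUTHORITY\SYSTEM'   # expected: many hits, SYSTEM owns service keys
#   Get-WeakServiceKeyAcl -Identity 'BUILTIN\Users'         # expected: none on a healthy host
```

FullControl for 'NT AUTHORITY\SYSTEM' or 'BUILTIN\Administrators' is the normal state of every service key and is not a finding; a hit for 'BUILTIN\Users', 'Everyone' or 'Authenticated Users' is, because a standard user could then rewrite ImagePath for a service that starts as LocalSystem. The fix is to reset the key's ACL to the defaults inherited from the Services key, and to check whether the ACE was applied by an installer so that the product's updates do not reintroduce it.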


  • TODO:
    • Rotten Potato: ask the user if they want to downgrade the session { SYSTEM -> USERLAND } to scan for the vuln ????