Remote Host Weak Services|Folders Path Permissions
This module lets an attacker remotely search a host for weak 'Service|Folder' path permissions (ACEs granting Everyone:(F) or (M), or unquoted service paths) and for the settings that make 'Rotten Potato' viable. These file-system weaknesses let an attacker hijack the execution of a legitimate binary, either to 'Elevate Privileges|Bypass UAC' or simply to run a malicious binary every time the service is started (achieving persistence). Reference: File System Permissions Weakness - MITRE ATT&CK T1044.
Remark
- None of the modules used in this article require the client to be executed with admin privileges.
- Some modules use the native Windows binary 'icacls.exe' to retrieve 'Folder|File' permissions.
- These modules help attackers identify 'Privilege Escalation or UAC bypass' vulnerabilities.
- None of the modules described in this article will 'exploit' any vulnerability found (report only).
Article Quick Jump List
- meterpeter - Retrieve User Selected Folder Permissions
- meterpeter - Search for Weak Folder Permissions (recursive)
- meterpeter - Search for Unquoted Service Folder Paths
- meterpeter - Search for Rotten Potato Vulnerability
- meterpeter - Search in Registry for Weak Service Permissions
meterpeter - Retrieve User Selected Folder Permissions
1º - Select the meterpeter 'AdvInfo' Module
2º - Select the meterpeter 'ListPriv' Module
3º - Select the meterpeter 'Check' Module
This module lets the attacker manually input one directory, whose permissions are then retrieved and checked for 'Mitre T1044' weaknesses.
meterpeter - Search for Weak Folder Permissions (recursive)
1º - Select the meterpeter 'AdvInfo' Module
2º - Select the meterpeter 'ListPriv' Module
3º - Select the meterpeter 'WeakDir' Module
This module starts at the directory the user inputs and scans recursively for 'Everyone (F) (M)' weak permissions on Folder|File paths, then presents the list of directories found (if any). Those directories can then be used to 'Elevate Privileges', as described in the 'greyhathacker.net' article, or to execute your Binary|Application with 'SYSTEM' privileges, provided a privileged process (typically a service) loads or runs something from that location.
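The following is an added example, not meterpeter's own code, of what the 'Check' (one directory) and 'WeakDir' (recursive) modules look for. The function name Find-WeakAcl, the list of low-privileged principals and the example start directories are assumptions; the Everyone (F)/(M) criterion comes from the page. It uses Get-Acl rather than icacls so the result is an object you can filter:

```powershell
# Added example (not meterpeter's own code). Find-WeakAcl, $StartDir and the
# principal list are assumptions; the Everyone:(F)/(M) criterion is the page's.
function Find-WeakAcl {
    param(
        [Parameter(Mandatory)][string]$StartDir,
        [switch]$Recurse      # omit for the 'Check' behaviour, add for 'WeakDir'
    )
    # Low-privileged principals: write access granted to any of these is a finding.
    $principals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    # Bit mask that catches FullControl (F), Modify (M) and Write (W), plus the
    # generic rights GENERIC_ALL / GENERIC_WRITE that some ACEs carry instead.
    $weakMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x10000000 -bor 0x40000000

    $targets  = @(Get-Item -LiteralPath $StartDir -Force -ErrorAction Stop)
    $targets += @(Get-ChildItem -LiteralPath $StartDir -Force -Recurse:$Recurse -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($principals -notcontains $ace.IdentityReference.Value) { continue }
            # Read-only ACEs (ReadAndExecute etc.) share no bits with the mask.
            if (([int]$ace.FileSystemRights -band $weakMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 'Check' equivalent: the directory the user selected and its direct children.
Find-WeakAcl -StartDir 'C:\Program Files\Example App' | Format-Table -AutoSize
# 'WeakDir' equivalent: recurse from the start directory.
Find-WeakAcl -StartDir 'C:\Program Files' -Recurse | Format-Table -AutoSize
```

The icacls equivalent the page's modules rely on is `icacls "C:\Program Files" /t 2>$null | findstr /i "everyone:(f) everyone:(m)"`; the Get-Acl version additionally catches BUILTIN\Users and Authenticated Users, which are just as exploitable from a standard user. A writable path is only useful when a privileged process actually executes or loads something from it, so cross-check each hit against the service and scheduled-task binaries on the host.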
meterpeter - Search for Unquoted Service Folder Paths
1º - Select the meterpeter 'AdvInfo' Module
2º - Select the meterpeter 'ListPriv' Module
3º - Select the meterpeter 'Service' Module
This module searches 'Services' for binary paths that contain spaces in a folder name and are not quoted. Those directories can then be used to 'Elevate Privileges', as described in the 'ired.team' article, to execute your Binary|Application with 'SYSTEM' privileges, or even to 'persist' your client at service Start|StartUp. The hijack only works when the current user can write to one of the intermediate directories along the path (for example C:\ or C:\Program Files\ for a binary under C:\Program Files\My App\), so an unquoted path alone is a lead, not a confirmed vulnerability.
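Added example, not meterpeter's own code, of the unquoted-service-path search described above. It goes one step further than the page's module: for every unquoted path with a space it lists the intermediate directories the Service Control Manager would probe first and flags those the current token can write to. Function names are assumptions:

```powershell
# Added example (not meterpeter's own code). Function names are assumptions;
# the unquoted-path criterion is the page's.
function Test-WritableDir {
    # $true when an Allow ACE on $Dir grants the current token CreateFiles
    # (or GENERIC_WRITE / GENERIC_ALL). Deny ACEs are ignored, so treat
    # $true as "worth trying", not as proof.
    param([Parameter(Mandatory)][string]$Dir)
    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })
    $mask   = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor 0x10000000 -bor 0x40000000
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -contains $sid -and ([int]$ace.FileSystemRights -band $mask) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePath {
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue)) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path) -or $path.TrimStart().StartsWith('"')) { continue }
        # Drop the arguments: keep everything up to the first '.exe'.
        $i = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        $binary = if ($i -ge 0) { $path.Substring(0, $i + 4) } else { $path }
        # Only a space inside the unquoted binary path is ambiguous to CreateProcess.
        if ($binary -notmatch ' ') { continue }
        if ($binary -like "$env:SystemRoot\*") { continue }   # %SystemRoot% is not user-writable

        # CreateProcess tries each space-delimited prefix first: for
        # C:\Program Files\My App\svc.exe it looks for C:\Program.exe, then
        # C:\Program Files\My.exe. The hijack needs write access to the parent
        # directory of one of those prefixes.
        $words    = $binary -split ' '
        $writable = @()
        for ($n = 1; $n -lt $words.Count; $n++) {
            $parent = Split-Path -Path ($words[0..($n - 1)] -join ' ') -Parent
            if ($parent -and (Test-WritableDir -Dir $parent)) { $writable += $parent }
        }
        [pscustomobject]@{
            Service      = $svc.Name
            StartMode    = $svc.StartMode
            RunsAs       = $svc.StartName
            PathName     = $path
            WritableDirs = ($writable | Select-Object -Unique) -join '; '
        }
    }
}

Find-UnquotedServicePath | Format-Table -AutoSize
```

A row with an empty WritableDirs column is not exploitable from this account. A row with a writable directory, StartMode Auto and RunsAs LocalSystem is the case the page describes: drop a binary named after the prefix (C:\Program.exe in the example) and it runs as SYSTEM on the next service start, which also gives the persistence mentioned above. Restarting the service usually needs a reboot unless the account holds the service's start/stop rights.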
meterpeter - Search for Rotten Potato Vulnerability
1º - Select the meterpeter 'AdvInfo' Module
2º - Select the meterpeter 'ListPriv' Module
-
Remark
The client must be executed without ADMINISTRATOR privileges for the report to be meaningful.
3º - Select the meterpeter 'RottenP' Module
In the 1º screenshot the client was executed with admin privileges: meterpeter reports that one vulnerable setting was found ('SeImpersonatePrivilege'), but this setting is normal in an elevated process (elevated console = elevated privileges = normal behaviour), so the report is a false positive.
In the 2º screenshot the client was executed without admin privileges: meterpeter reports that no vulnerable settings were found (normal behaviour for a 'NON VULN' target system). The presence of any of these settings under 'USER' privileges reveals that we are in fact on a vulnerable system.
-
Remark:
The vuln is only relevant under 'USER-Level' privileges (that is what lets the attacker elevate the session).
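Added example, not meterpeter's own code, of the check behind the 'RottenP' module and the elevated/non-elevated distinction made above: it reads the token privileges the Potato family needs and reports them as a finding only when the process is not elevated. Test-PotatoPrivilege is an assumed name; the state words assume an English Windows, because whoami output is localized:

```powershell
# Added example (not meterpeter's own code). Test-PotatoPrivilege is an assumed
# name; the Enabled/Disabled words assume an English-language whoami output.
function Test-PotatoPrivilege {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    # True only for an elevated token (a UAC-split admin shell that is not
    # elevated reports $false): the "elevated console" case on the page.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # The Potato family abuses a token holding either of these privileges. The
    # state does not matter: a process can enable a privilege it already holds.
    $wanted = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')
    $held = foreach ($line in (whoami /priv 2>$null)) {
        foreach ($p in $wanted) {
            if ($line -match "^\s*$p\s+(.*?)\s+(Enabled|Disabled)\s*$") {
                [pscustomobject]@{ Privilege = $p; State = $Matches[2] }
            }
        }
    }
    [pscustomobject]@{
        User       = $id.Name
        IsElevated = $isElevated
        Privileges = @($held)
        # Only a non-elevated token holding the privilege is a finding; an
        # elevated admin or SYSTEM always has it and needs no escalation.
        Vulnerable = (-not $isElevated) -and (@($held).Count -gt 0)
    }
}

Test-PotatoPrivilege | Format-List
```

Standard interactive users never hold SeImpersonatePrivilege; the accounts that do without being administrators are service accounts such as IIS application pools, SQL Server and other 'NT SERVICE\' identities, which is why this check matters most from a shell obtained through a web application or database. Whether the privilege can actually be turned into SYSTEM depends on the Windows build: the original Rotten/Juicy Potato DCOM trick is blocked on newer builds, where successors such as PrintSpoofer or RoguePotato are used instead.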
meterpeter - Search in Registry for Weak Service Permissions
1º - Select the meterpeter 'AdvInfo' Module
2º - Select the meterpeter 'ListPriv' Module
3º - Select the meterpeter 'RegACL' Module
This module asks the attacker to input a User\Group ('owner of the process') and lists all HKLM service registry keys with insecure permissions, that is, keys on which that User\Group holds the 'FullControl' flag (if any are found). FullControl for 'NT AUTHORITY\SYSTEM' is expected; the finding is a low-privileged group such as 'BUILTIN\Users' holding it, because whoever can write a service's ImagePath value chooses the binary that the service runs.
Example searching for the 'NT AUTHORITY\SYSTEM' User\Group
Example searching for the 'BUILTIN\Users' User\Group
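Added example, not meterpeter's own code, of the 'RegACL' search: it walks HKLM\SYSTEM\CurrentControlSet\Services and reports the keys on which the given User\Group holds FullControl, and additionally flags SetValue, since that right alone is enough to rewrite ImagePath. Find-WeakServiceKeyAcl is an assumed name:

```powershell
# Added example (not meterpeter's own code). Find-WeakServiceKeyAcl is an assumed name.
function Find-WeakServiceKeyAcl {
    param([Parameter(Mandatory)][string]$Identity)   # e.g. 'BUILTIN\Users'
    $full     = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
    $services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $services) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $Identity) { continue }   # case-insensitive
            $rights  = [int]$ace.RegistryRights
            # FullControl, or the generic GENERIC_ALL bit that maps to it.
            $hasFull = (($rights -band $full) -eq $full) -or (($rights -band 0x10000000) -ne 0)
            # SetValue (or GENERIC_WRITE) is enough to point ImagePath at another binary.
            $hasSet  = (($rights -band $setValue) -ne 0) -or (($rights -band 0x40000000) -ne 0)
            if (-not ($hasFull -or $hasSet)) { continue }
            $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            [pscustomobject]@{
                Service     = $key.PSChildName
                Identity    = $ace.IdentityReference.Value
                FullControl = $hasFull
                SetValue    = $hasSet
                Inherited   = $ace.IsInherited
                ImagePath   = $imagePath
            }
        }
    }
}

# Expected to return nothing on a healthy host; every row is a finding.
Find-WeakServiceKeyAcl -Identity 'BUILTIN\Users' | Format-Table -AutoSize
# Expected to return most keys; listed here only to show what "normal" looks like.
Find-WeakServiceKeyAcl -Identity 'NT AUTHORITY\SYSTEM' | Measure-Object
```

The ImagePath column tells you what the service currently runs; a weak key whose service runs as LocalSystem with StartMode Auto is the one to look at first, since the new ImagePath takes effect on the next service start.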
- TODO:
- Rotten Potato: ask the user whether to downgrade the session { SYSTEM -> USERLAND } in order to scan for the vuln?