Windows privilege escalation by Dhruv Shah

OWASP Delhi
Security Researcher at Adobe, Chapter Leader at OWASP & null
Aug. 31, 2016
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
1 of 28

Windows privilege escalation by Dhruv Shah

Aug. 31, 2016
Download to read offline
Internet

Different scenarios leading to privilege escalation Design issues , implementation flaws, untimely system updates , permission issues etc We ain’t talking about overflows here , just logics and techniques

OWASP Delhi
Security Researcher at Adobe, Chapter Leader at OWASP & null

Recommended

Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed988 views60 slides
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_3.5K views51 slides
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash670 views25 slides
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi1.2K views14 slides
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava2.1K views27 slides
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland7.5K views54 slides

More Related Content

Slideshows for you

System hackingSystem hacking
System hackingCAS2.4K views28 slides
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker16.6K views26 slides
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP6K views25 slides
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP3.9K views123 slides
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov1.7K views76 slides
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi26.5K views31 slides

Slideshows for you(20)

System hackingSystem hacking
System hacking
CAS2.4K views
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker16.6K views
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP6K views
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP3.9K views
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov1.7K views
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi26.5K views
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company3.1K views
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions2.7K views
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
SouvikRoy114738413 views
Dom based xssDom based xss
Dom based xss
Lê Giáp3K views
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash4.1K views
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community634 views
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion1.6K views
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran17.5K views
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman2.7K views
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody39.5K views
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan7K views
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain788 views
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder12.3K views
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth1.9K views

Viewers also liked

Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat13.1K views44 slides
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi2.8K views33 slides
Privilege Escalation And Misconfigurations Part2Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2Caleb Sima1.3K views28 slides
How to own the world, one desktop at a timeHow to own the world, one desktop at a time
How to own the world, one desktop at a timeSaumil Shah1.3K views22 slides
The Mysteries Of JavaScript-Fu (@media Europe Edition)The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)danwrong2.3K views86 slides
Raspberry piRaspberry pi
Raspberry piDhruv Shah1.4K views17 slides

Viewers also liked(20)

Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
nullthreat13.1K views
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
OWASP Delhi2.8K views
Privilege Escalation And Misconfigurations Part2Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2
Caleb Sima1.3K views
How to own the world, one desktop at a timeHow to own the world, one desktop at a time
How to own the world, one desktop at a time
Saumil Shah1.3K views
The Mysteries Of JavaScript-Fu (@media Europe Edition)The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)
danwrong2.3K views
Raspberry piRaspberry pi
Raspberry pi
Dhruv Shah1.4K views
An Introduction to SysinternalsAn Introduction to Sysinternals
An Introduction to Sysinternals
Riyaz Walikar503 views
Hostile Subdomain Takeover by Ankit PrateekHostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit Prateek
OWASP Delhi826 views
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
Sunny Neo2.2K views
Attack on SonyAttack on Sony
Attack on Sony
Nick Bilogorskiy3.4K views
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows system
Nabeel Ahmed9K views
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi429 views
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec Crossroads
Saumil Shah2.8K views
Intro To Privilege ElevationIntro To Privilege Elevation
Intro To Privilege Elevation
Michael Shalyt738 views
Prepare Yourself to Become Infosec ProfessionalPrepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec Professional
M.Syarifudin, ST, OSCP, OSWP 14.3K views
Quadrant holdings issa asadQuadrant holdings issa asad
Quadrant holdings issa asad
issa asad361 views
Técnicas de redimension Técnicas de redimension
Técnicas de redimension
LUISALAMADRID156 views
GDES 5341 Presentation - App.LyGDES 5341 Presentation - App.Ly
GDES 5341 Presentation - App.Ly
Rachit Gupta333 views
How To Stop SmokingHow To Stop Smoking
How To Stop Smoking
NewSourceMarket426 views
Voicing our elasticity Voicing our elasticity
Voicing our elasticity
Umar Basim251 views

Similar to Windows privilege escalation by Dhruv Shah

Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar15.1K views47 slides
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis2.4K views23 slides
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C342 views56 slides
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis3.5K views23 slides
So you want to be a security expertSo you want to be a security expert
So you want to be a security expertRoyce Davis1.9K views24 slides
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam26112794 views37 slides

Similar to Windows privilege escalation by Dhruv Shah(20)

Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
Riyaz Walikar15.1K views
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis2.4K views
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
Lee C342 views
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis3.5K views
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
Royce Davis1.9K views
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
RohitGautam26112794 views
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
Salesforce Engineering1.7K views
1000 to 01000 to 0
1000 to 0
Sunny Neo385 views
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder2.3K views
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Scott Sutherland16.7K views
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
Salesforce Engineering333 views
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum471 views
Technical track-afterimaging Progress DatabaseTechnical track-afterimaging Progress Database
Technical track-afterimaging Progress Database
Vinh Nguyen1.4K views
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty374 views
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI4.7K views
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
Positive Hack Days473 views
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
Docker, Inc.5.5K views
Scientific Computing - HardwareScientific Computing - Hardware
Scientific Computing - Hardware
jalle61.3K views
Ultimate pen test compromising a highly secure environment (nikhil)Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)
ClubHack1.1K views
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...
gree_tech3.3K views

More from OWASP Delhi

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi649 views17 slides
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeoverOWASP Delhi277 views22 slides
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report WritingOWASP Delhi623 views20 slides
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air GapOWASP Delhi311 views29 slides
UDP HunterUDP Hunter
UDP HunterOWASP Delhi102 views14 slides
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container EscapesOWASP Delhi337 views12 slides

More from OWASP Delhi(20)

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi649 views
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
OWASP Delhi277 views
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
OWASP Delhi623 views
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
OWASP Delhi311 views
UDP HunterUDP Hunter
UDP Hunter
OWASP Delhi102 views
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
OWASP Delhi337 views
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
OWASP Delhi388 views
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
OWASP Delhi260 views
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi1.2K views
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi4.4K views
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi1.7K views
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
OWASP Delhi211 views
DMARC OverviewDMARC Overview
DMARC Overview
OWASP Delhi1.3K views
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi305 views
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi5.9K views
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi148 views
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
OWASP Delhi516 views
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
OWASP Delhi507 views
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi1.5K views
DFIR using Docker Containers by Deep Shankar YadavDFIR using Docker Containers by Deep Shankar Yadav
DFIR using Docker Containers by Deep Shankar Yadav
OWASP Delhi343 views

Recently uploaded

巴塞罗那自治大学文凭认证真实留信网认证巴塞罗那自治大学文凭认证真实留信网认证
巴塞罗那自治大学文凭认证真实留信网认证dadot23 views1 slide
办美国本科毕业证实拍图毕业证本科硕士文凭哪家好办美国本科毕业证实拍图毕业证本科硕士文凭哪家好
办美国本科毕业证实拍图毕业证本科硕士文凭哪家好sovcyuv3 views1 slide
购买杨百翰大学毕业证成绩单杨百翰大学毕业文凭证书购买杨百翰大学毕业证成绩单杨百翰大学毕业文凭证书
购买杨百翰大学毕业证成绩单杨百翰大学毕业文凭证书yovuyhp3 views1 slide
美国罗德岛大学毕业证文凭认证 - 购买国外文凭证书美国罗德岛大学毕业证文凭认证 - 购买国外文凭证书
美国罗德岛大学毕业证文凭认证 - 购买国外文凭证书dadot24 views1 slide
如何办理温切斯特大学毕业证成绩单改成绩如何办理温切斯特大学毕业证成绩单改成绩
如何办理温切斯特大学毕业证成绩单改成绩uywmmd3 views1 slide
买毕业证靠谱吗罗切斯特大学毕业证成绩单买毕业证靠谱吗罗切斯特大学毕业证成绩单
买毕业证靠谱吗罗切斯特大学毕业证成绩单uncesxy3 views1 slide

Recently uploaded(20)

巴塞罗那自治大学文凭认证真实留信网认证巴塞罗那自治大学文凭认证真实留信网认证
巴塞罗那自治大学文凭认证真实留信网认证
dadot23 views
办美国本科毕业证实拍图毕业证本科硕士文凭哪家好办美国本科毕业证实拍图毕业证本科硕士文凭哪家好
办美国本科毕业证实拍图毕业证本科硕士文凭哪家好
sovcyuv3 views
购买杨百翰大学毕业证成绩单杨百翰大学毕业文凭证书购买杨百翰大学毕业证成绩单杨百翰大学毕业文凭证书
购买杨百翰大学毕业证成绩单杨百翰大学毕业文凭证书
yovuyhp3 views
美国罗德岛大学毕业证文凭认证 - 购买国外文凭证书美国罗德岛大学毕业证文凭认证 - 购买国外文凭证书
美国罗德岛大学毕业证文凭认证 - 购买国外文凭证书
dadot24 views
如何办理温切斯特大学毕业证成绩单改成绩如何办理温切斯特大学毕业证成绩单改成绩
如何办理温切斯特大学毕业证成绩单改成绩
uywmmd3 views
买毕业证靠谱吗罗切斯特大学毕业证成绩单买毕业证靠谱吗罗切斯特大学毕业证成绩单
买毕业证靠谱吗罗切斯特大学毕业证成绩单
uncesxy3 views
格拉斯哥大学假文凭英国假文凭回国找工作格拉斯哥大学假文凭英国假文凭回国找工作
格拉斯哥大学假文凭英国假文凭回国找工作
uncesxy3 views
Bioinformatics2015.pdfBioinformatics2015.pdf
Bioinformatics2015.pdf
AbdetaImi5 views
英国杜伦大学毕业证的制作流程英国杜伦大学毕业证的制作流程
英国杜伦大学毕业证的制作流程
sovcyuv3 views
制作澳洲文凭证书实拍图墨尔本大学毕业证原版一模一样制作澳洲文凭证书实拍图墨尔本大学毕业证原版一模一样
制作澳洲文凭证书实拍图墨尔本大学毕业证原版一模一样
dadot23 views
Richard - IEEE CSCN 2022 - Panel.pdfRichard - IEEE CSCN 2022 - Panel.pdf
Richard - IEEE CSCN 2022 - Panel.pdf
Richard Renwei Li4 views
德比大学文凭认证真实留信网认证德比大学文凭认证真实留信网认证
德比大学文凭认证真实留信网认证
uywmmd8 views
办美国大学毕业证学位证圣约翰大学毕业证制作|办美国大学毕业证学位证圣约翰大学毕业证制作|
办美国大学毕业证学位证圣约翰大学毕业证制作|
vweuwx3 views
Automation Suite PPT (2).pptxAutomation Suite PPT (2).pptx
Automation Suite PPT (2).pptx
RohitRadhakrishnan850 views
毕业证靠谱[办理莱斯利大学毕业证文凭学历认证]毕业证靠谱[办理莱斯利大学毕业证文凭学历认证]
毕业证靠谱[办理莱斯利大学毕业证文凭学历认证]
yovuyhp3 views
UiPath Community_Process Mining.pdfUiPath Community_Process Mining.pdf
UiPath Community_Process Mining.pdf
RohitRadhakrishnan849 views
internet architecture.pdfinternet architecture.pdf
internet architecture.pdf
qhawengcongo4 views
PPTx Infographics-Dark.pptxPPTx Infographics-Dark.pptx
PPTx Infographics-Dark.pptx
LinaMMoralesBernal4 views
Richard - MedComNet Panel - Final Version.pdfRichard - MedComNet Panel - Final Version.pdf
Richard - MedComNet Panel - Final Version.pdf
Richard Renwei Li4 views
IDNOG 8: APNIC MeasurementsIDNOG 8: APNIC Measurements
IDNOG 8: APNIC Measurements
APNIC124 views

Windows privilege escalation by Dhruv Shah

  1. Windows Privilege Escalation Because gaining shell to the system is just not enough
  2. C:> type disclaimer.txt • The opinions expressed in this presentation are mine and not those of my employer.
  3. • Dhruv Shah • @snypter • http://security-geek.in
  4. What are we here for ? • Different scenarios leading to privilege escalation • Design issues , implementation flaws, untimely system updates , permission issues etc • We ain’t talking about overflows here , just logics and techniques 
  5. Flavours are we looking at ? • Windows XP • Windows 7 • Windows 2003
  6. Two Types of Escalation • Admin to System – Easy , not much effort needed • User to System – Here is where the real deal lies in 
  7. Admin to System ( Piece of Cake ) • The famous “at” command • “psexec” anyone ?
  8. Demo
  9. System Privilege using “at”
  10. Pass the Hash • Managed to get the user hash • Password is complex will take long time to crack via rainbowtables • Boom Boom Pow.
  11. Abusing Scheduled Tasks • Admin creates a scheduler task with System privileges
  12. Abusing Scheduled Tasks • Sadly the file to be executed is accessible by everyone
  13. Demo
  14. Creds in Files • C:usersvictimDesktoppassword.xls • C:>dir /b /s web.config • C:>dir /b /s unattend.xml • C:>dir /b /s sysprep.inf • C:>dir /b /s sysprep.xml • C:>dir /b /s *pass* • Registries are also a good place to have a look at
  15. Weak Directory Permissions Lets have some fun
  16. Demo
  17. Abusing Service misconfigurations • Possible attack vectors ? – Editing the service config – Editing the binary path Todays Discusssion – Unquoted Service path Vulnerability
  18. Unquoted Service Path
  19. Unquoted Service Path • c:program*filessub*dirprogram*name • c:program.exe filessub dirprogram name • c:program filessub.exe dirprogram name • c:program filessub dirprogram.exe name
  20. Unquoted Service Path
  21. Unquoted Service Path
  22. Demo
  23. Editing Service Binaries • What are service binaries ? • How do we exploit them ? • Lets exploit upnphost of the Windows system a default servcice that runs
  24. Editing Service Binaries
  25. Editing Service Binaries
  26. Editing Service Binaries
  27. Demo
  28. Thank you • Questions ?