Windows privilege escalation by Dhruv Shah

Different scenarios leading to privilege escalation
Design issues, implementation flaws, untimely system updates, permission issues etc.

We ain’t talking about overflows here, just logic and techniques

Published in: Internet

  1. Windows Privilege Escalation • Because gaining shell to the system is just not enough
  2. C:\> type disclaimer.txt • The opinions expressed in this presentation are mine and not those of my employer.
  3. • Dhruv Shah • @snypter • http://security-geek.in
  4. What are we here for? • Different scenarios leading to privilege escalation • Design issues, implementation flaws, untimely system updates, permission issues etc. • We ain’t talking about overflows here, just logic and techniques
  5. Flavours we are looking at • Windows XP • Windows 7 • Windows 2003
  6. Two Types of Escalation • Admin to System – Easy, not much effort needed • User to System – Here is where the real deal lies
  7. Admin to System (Piece of Cake) • The famous “at” command • “psexec” anyone?
  8. Demo
  9. System Privilege using “at”
  10. Pass the Hash • Managed to get the user hash • Password is complex and will take a long time to crack via rainbow tables • Boom Boom Pow.
  11. Abusing Scheduled Tasks • Admin creates a scheduled task with System privileges
  12. Abusing Scheduled Tasks • Sadly the file to be executed is accessible by everyone
  13. Demo
  14. Creds in Files • C:\users\victim\Desktop\password.xls • C:\>dir /b /s web.config • C:\>dir /b /s unattend.xml • C:\>dir /b /s sysprep.inf • C:\>dir /b /s sysprep.xml • C:\>dir /b /s *pass* • Registries are also a good place to have a look at
  15. Weak Directory Permissions • Let's have some fun
  16. Demo
  17. Abusing Service Misconfigurations • Possible attack vectors? – Editing the service config – Editing the binary path • Today's discussion – Unquoted Service Path vulnerability
  18. Unquoted Service Path
  19. Unquoted Service Path • c:\program*files\sub*dir\program*name • c:\program.exe files\sub dir\program name • c:\program files\sub.exe dir\program name • c:\program files\sub dir\program.exe name
  20. Unquoted Service Path
  21. Unquoted Service Path
  22. Demo
  23. Editing Service Binaries • What are service binaries? • How do we exploit them? • Let's exploit upnphost, a default service that runs on the Windows system
  24. Editing Service Binaries
  25. Editing Service Binaries
  26. Editing Service Binaries
  27. Demo
  28. Thank you • Questions?
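
An audit-side illustration of the path resolution listed on slide 19, as an added example that is not part of the original slides: given a service's ImagePath string, it reports the locations Windows would try before the intended binary when the path is unquoted and contains spaces. The service names and ImagePath values are constructed, and the rule for finding the end of the executable (first `.exe` followed by whitespace) is an assumption of this sketch.

```python
import re

# Constructed sample ImagePath values, as they would appear in a service's config.
SAMPLE_SERVICES = {
    "GoodQuoted": r'"C:\Program Files\Sub Dir\Program Name.exe" -k run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Unquoted": r"C:\Program Files\Sub Dir\Program Name.exe -k run",
}

_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return (exe_path, was_quoted) for a service command line."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    # Assumption: the binary ends at the first ".exe" followed by whitespace
    # or end of string; without a match only the first token is considered.
    m = _EXE_END.search(s)
    return (s[: m.end()] if m else s.split(" ", 1)[0]), False


def earlier_candidates(image_path):
    """Paths tried before the intended binary; empty list means not affected."""
    exe, quoted = executable_part(image_path)
    if quoted or " " not in exe:
        return []
    found = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            leaf = prefix.rsplit("\\", 1)[-1]
            # ".exe" is appended when the truncated name has no extension.
            found.append(prefix if "." in leaf else prefix + ".exe")
    return found


def audit(services):
    """Map each affected service name to the locations that need review."""
    return {n: c for n, p in services.items() if (c := earlier_candidates(p))}


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(name, "->", paths)
```

For each reported service, quote the ImagePath and confirm that none of the listed locations is writable by non-administrative users.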
