Unquoted Service Path exploitation
By Dhruv Sharma
Introduction
• This technique performs privilege escalation from a non-admin (non-root) user to SYSTEM / Administrator by exploiting an unquoted service path.
• It applies to the Windows operating system.
• The executable path of a service running on the server can be either:
• Unquoted
• Quoted
Are all unquoted service paths vulnerable?
• A: No. If there are no spaces in the directory names, the path is not exploitable, i.e.
ProgramFiles [non vulnerable] || Program Files [vulnerable]
Service Path: C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
In order to run SomeExecutable.exe, the system will interpret this path in the following order, from 1 to 5:
Step 1: C:\Program.exe
Step 2: C:\Program Files\A.exe
Step 3: C:\Program Files\A Subfolder\B.exe
Step 4: C:\Program Files\A Subfolder\B Subfolder\C.exe
Step 5: C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
If C:\Program.exe is not found, then C:\Program Files\A.exe would be executed. If C:\Program Files\A.exe is not found, then C:\Program Files\A Subfolder\B.exe would be executed, and so on.
Tips
• Use the command below to search for vulnerable services (auto-start services whose path is unquoted and lies outside C:\Windows, whose directories are not writable by standard users):
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows" | findstr /i /v """
• A hit looks like this:
• Service name = Some Vulnerable Service
• Path name = C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
• Display name = Some Vulnerable Service
• Start mode = Auto
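The resolution order from the Introduction and the wmic filter above can both be expressed in a few lines of code. The Python script below is an added example and not part of the deck: it lists the candidate executables Windows tries for a given path (the deck's model, with .exe appended to each fragment), derives the directories whose ACLs a defender has to check, flags vulnerable entries in the output of `wmic service get ... /format:csv` (the CSV switch is used here instead of the deck's table layout because it parses reliably), and produces the `sc config <service> binPath=` command that writes the path back in quotes. The wmic output, host name and service names are constructed.

```python
"""
Model of the path-resolution order above, plus a checker for the output of
  wmic service get name,pathname,displayname,startmode /format:csv
Added example for this page, not the deck's code; SAMPLE_WMIC_CSV is
constructed to look like that command's CSV output (LAB-PC is a made-up host).
"""
import csv
import io
import ntpath
from typing import Dict, List

# The deck's example service path.
PAGE_PATH = r"C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe"
# The deck's one-liner drops services under C:\Windows, whose directories are
# not writable by standard users; this checker applies the same filter.
WINDOWS_DIR = "c:\\windows"

SAMPLE_WMIC_CSV = r"""Node,DisplayName,Name,PathName,StartMode
LAB-PC,Some Vulnerable Service,SomeVulnerableService,C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe,Auto
LAB-PC,Windows Update,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs -p,Auto
LAB-PC,Quoted Service,QuotedSvc,"C:\Program Files\Quoted App\app.exe" -service,Auto
LAB-PC,Manual Unquoted,ManualSvc,C:\Program Files\Manual App\manual.exe,Manual
LAB-PC,No Spaces,NoSpacesSvc,C:\ProgramFiles\Tool\tool.exe,Auto
"""


def candidate_paths(image_path: str) -> List[str]:
    """Executables Windows would try, in order, for a service path (the deck's
    model: each space may end the executable name and .exe is appended; the
    search stops at the first fragment that already names an .exe)."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)  # quoted path: the exe ends at the closing quote
        return [path[1:end] if end > 0 else path[1:]]
    tokens = path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        fragment = " ".join(tokens[:i])
        if fragment.lower().endswith(".exe"):
            candidates.append(fragment)  # the intended executable
            break
        candidates.append(fragment + ".exe")
    return candidates


def hijack_dirs(image_path: str) -> List[str]:
    """Directories where a same-named .exe would be found before the intended
    one; their ACLs are what a defender has to check."""
    dirs: List[str] = []
    for cand in candidate_paths(image_path)[:-1]:
        d = ntpath.dirname(cand)
        if d not in dirs:
            dirs.append(d)
    return dirs


def is_vulnerable(image_path: str) -> bool:
    """Unquoted, a space before the executable name, and outside C:\\Windows."""
    cands = candidate_paths(image_path)
    if len(cands) < 2:
        return False  # quoted, or no space anywhere in the executable's path
    return not cands[-1].lower().startswith(WINDOWS_DIR)


def quoted_image_path(image_path: str) -> str:
    """The remediated value: executable in quotes, arguments left untouched."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe = candidate_paths(path)[-1]
    if not path.lower().startswith(exe.lower()):
        exe = path  # no .exe suffix anywhere: quote the whole value
    args = path[len(exe):].strip()
    return f'"{exe}" {args}'.strip()


def fix_command(name: str, image_path: str) -> str:
    """sc config command that writes the quoted path back; the inner quotes
    are escaped as \\" on the sc command line."""
    value = quoted_image_path(image_path).replace('"', '\\"')
    return f'sc config "{name}" binPath= "{value}"'


def find_vulnerable(wmic_csv: str, auto_only: bool = True) -> List[Dict[str, object]]:
    """Parse wmic CSV output and describe every service with an exploitable path."""
    # wmic does not quote CSV fields, so QUOTE_NONE keeps a path's own double
    # quotes, which are exactly what distinguishes a quoted path.
    reader = csv.DictReader(io.StringIO(wmic_csv), quoting=csv.QUOTE_NONE)
    findings: List[Dict[str, object]] = []
    for row in reader:
        if auto_only and row["StartMode"].strip().lower() != "auto":
            continue  # mirrors the deck's `findstr /i auto`
        if is_vulnerable(row["PathName"]):
            findings.append({"name": row["Name"], "path": row["PathName"],
                             "check_acls_on": hijack_dirs(row["PathName"]),
                             "fix": fix_command(row["Name"], row["PathName"])})
    return findings


if __name__ == "__main__":
    for step, cand in enumerate(candidate_paths(PAGE_PATH), 1):
        print(f"Step {step}: {cand}")
    for f in find_vulnerable(SAMPLE_WMIC_CSV):
        print(f"[!] {f['name']}: {f['path']}")
        print("    check ACLs on:", "; ".join(f["check_acls_on"]))
        print("    fix:", f["fix"])
```

Run on a real host, the CSV would come from the wmic command in the module docstring; the `check_acls_on` list is the set of directories to inspect with `icacls`, and the `fix` string is the quoting remediation (the registry `ImagePath` value or `Set-Service` reach the same result).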
Lab Demo
• Step 1: We ran the command above to find any possibly vulnerable services. Only the last three services in the output are unquoted – Some Vulnerable Service, Babi Service & myBabi Service.
• Check the services. This service is configured for Auto Start, which means it will try to start automatically after a reboot.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7
• Step 2: In this case we will try to exploit it. Let's check what privileges our user has. The folder has Write privileges, inherited from the parent folder.
• Step 3: We analyzed the directory and placed babi.exe (reverse shell payload) as shown below.
• Finally we start the application. It is not important for us that the service itself runs; what matters is that the service manager walks the path.
Create your own vulnerable Service
• Create your own service for dhruv.exe
• Provide write access to the Dhruv Sharma directory:
icacls "C:\Program Files\A Subfolder" /grant "BUILTIN\Users":(F) /t [full access]
icacls "C:\Program Files\A Subfolder" /grant "BUILTIN\Users":W [write access]
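The grant above creates the precondition the whole technique depends on: a low-privilege principal that can create files in a directory on the service path. A defender checks for that condition by reading the directory's ACL with `icacls`. The script below is an added example, not the deck's code: it parses the text that `icacls "<dir>"` prints and reports which low-privilege principals can write into each directory, skipping inherit-only and deny entries. The two `icacls` outputs are constructed; the first mirrors the lab directory after `/grant "BUILTIN\Users":W`, the second is a shortened version of a directory left at Windows defaults.

```python
"""
Checks icacls output for the condition the lab sets up: a low-privilege
principal that can create files in a directory on an unquoted service path.
Added example, not the deck's code; ICACLS_OUTPUT is constructed to mirror
what `icacls "<dir>"` prints (one directory after the deck's grant, one at a
shortened version of the Windows defaults).
"""
import re
from typing import Dict, List

LOW_PRIV_PRINCIPALS = {
    "builtin\\users",
    "everyone",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls simple rights (F, M, W) and specific rights (GW, WD, AD) that let a
# principal add a file to a directory.
WRITE_RIGHTS = {"F", "M", "W", "GW", "WD", "AD"}

ICACLS_OUTPUT = {
    r"C:\Program Files\A Subfolder": r"""
C:\Program Files\A Subfolder BUILTIN\Users:(OI)(CI)(W)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\Program Files": r"""
C:\Program Files NT SERVICE\TrustedInstaller:(F)
                 NT AUTHORITY\SYSTEM:(M)
                 BUILTIN\Administrators:(M)
                 BUILTIN\Users:(RX)
                 BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                 CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
""",
}


def parse_icacls(output: str, path: str) -> List[Dict[str, object]]:
    """ACEs of `path` from the output of `icacls "<path>"`: the first line is
    '<path> <principal>:<flags>', every later ACE sits on an indented line."""
    aces: List[Dict[str, object]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower() + " "):
            line = line[len(path) + 1:].strip()  # drop the path from line one
        who, sep, flags = line.partition(":")
        if sep:
            aces.append({"who": who, "flags": re.findall(r"\(([^)]*)\)", flags)})
    return aces


def low_priv_writers(aces: List[Dict[str, object]]) -> List[str]:
    """Low-privilege principals whose ACEs allow creating a file here.
    Inherit-only (IO) entries apply to children, not to this directory, and
    deny entries grant nothing, so both are skipped (deny-overrides-allow
    across separate entries is not modelled)."""
    writers: List[str] = []
    for ace in aces:
        who, flags = str(ace["who"]), list(ace["flags"])
        if who.lower() not in LOW_PRIV_PRINCIPALS or "DENY" in flags or "IO" in flags:
            continue
        rights = {r.strip() for flag in flags for r in flag.split(",")}
        if rights & WRITE_RIGHTS and who not in writers:
            writers.append(who)
    return writers


def audit(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Directory -> low-privilege principals that can drop a file into it."""
    return {d: low_priv_writers(parse_icacls(out, d)) for d, out in outputs.items()}


if __name__ == "__main__":
    for d, writers in audit(ICACLS_OUTPUT).items():
        print(f"{d}: " + ("WRITABLE by " + ", ".join(writers) if writers else "ok"))
```

Feed it the directories a path walk produces (every parent of a candidate executable) and any entry that comes back non-empty is the one to tighten; at Windows defaults `C:\` and `C:\Program Files` only give standard users read and execute, so the finding normally points at an application's own directory.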
References
• https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae