itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License

Get-ServiceManagerDacl: handle NULL DACL case #16

Closed cnotin closed 3 years ago

cnotin commented 3 years ago

As discussed on Twitter, a NULL DACL is a very rare case which gives all access to everyone! I confirmed it by being able to remotely run sc \\dc.lab.lan query with an unprivileged user (which wasn't possible before).

Here's how to create this case:

sc.exe sdset scmanager "D:NO_ACCESS_CONTROL"

And this is what it returns:

PS > Invoke-SCMPermissionsCheck

AceType           AccessRights       IdentitySid     IdentityName
-------           ------------       -----------     ------------
AccessAllowed     AllAccess          S-1-1-0         Everyone
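The following is an added PowerShell example, not PrivescCheck's own code and not part of this PR: it decodes the SCM security descriptor from its SDDL form, emits the single synthetic Everyone/AllAccess ACE for the NULL DACL case exactly as the output above shows, and keeps the distinct empty DACL case ("D:" with no ACEs, which grants nobody anything) from being confused with it. The Get-ScmDacl* function names are illustrative assumptions; the access-right values come from winsvc.h.

```powershell
# Added example (not PrivescCheck code): decode the Service Control Manager's
# security descriptor and treat a NULL DACL as "Everyone: AllAccess".
# Function names are illustrative; they are not the project's own functions.

# SCM-specific access rights (winsvc.h) plus the standard rights that appear
# in real descriptors. Generic rights (bits 28-31) are left out for brevity;
# GENERIC_READ is bit 31, the sign bit of the Int32 access mask.
$script:ScmRights = [ordered]@{
    Connect          = 0x00000001   # SC_MANAGER_CONNECT
    CreateService    = 0x00000002   # SC_MANAGER_CREATE_SERVICE
    EnumerateService = 0x00000004   # SC_MANAGER_ENUMERATE_SERVICE
    Lock             = 0x00000008   # SC_MANAGER_LOCK
    QueryLockStatus  = 0x00000010   # SC_MANAGER_QUERY_LOCK_STATUS
    ModifyBootConfig = 0x00000020   # SC_MANAGER_MODIFY_BOOT_CONFIG
    Delete           = 0x00010000   # DELETE
    ReadControl      = 0x00020000   # READ_CONTROL
    WriteDac         = 0x00040000   # WRITE_DAC
    WriteOwner       = 0x00080000   # WRITE_OWNER
}
$script:ScmAllAccess = 0x000F003F   # SC_MANAGER_ALL_ACCESS

function ConvertTo-ScmRightsString {
    # Turn a raw access mask into the readable form used in the output above.
    param([Parameter(Mandatory)][int]$AccessMask)
    if (($AccessMask -band $script:ScmAllAccess) -eq $script:ScmAllAccess) { return 'AllAccess' }
    $names = @(foreach ($name in $script:ScmRights.Keys) {
        if (($AccessMask -band $script:ScmRights[$name]) -ne 0) { $name }
    })
    if ($names.Count -eq 0) { return ('0x{0:X8}' -f $AccessMask) }
    return ($names -join ', ')
}

function Get-ScmDaclFromSddl {
    # Parse an SDDL string and return one object per DACL entry.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        # NULL DACL ("D:NO_ACCESS_CONTROL", or no D: part at all): the object has
        # no access control, so report it as one allow ACE granting full access
        # to Everyone (S-1-1-0). This is the case the PR adds to the check.
        $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
        return [PSCustomObject]@{
            AceType      = 'AccessAllowed'
            AccessRights = 'AllAccess'
            IdentitySid  = $everyone.Value
            IdentityName = 'Everyone'
        }
    }
    # An empty DACL ("D:" with no ACEs) is the opposite case: nobody is granted
    # anything. The loop below then simply yields no entries.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: keep the raw value
        [PSCustomObject]@{
            AceType      = $ace.AceType.ToString()
            AccessRights = ConvertTo-ScmRightsString -AccessMask $ace.AccessMask
            IdentitySid  = $sid.Value
            IdentityName = $name
        }
    }
}

function Get-ScmDacl {
    # Read the live SCM descriptor with sc.exe sdshow (locally, or on a remote
    # host via the \\server form, as in the sc \\dc.lab.lan query test above).
    param([string]$ComputerName)
    $scArgs = @()
    if ($ComputerName) { $scArgs += "\\$ComputerName" }
    $line = & sc.exe @scArgs sdshow scmanager |
        Where-Object { $_ -match '^\s*[OGDS]:' } | Select-Object -First 1
    if (-not $line) { throw 'sc.exe sdshow scmanager did not return an SDDL string' }
    Get-ScmDaclFromSddl -Sddl $line.Trim()
}

# Constructed inputs: the NULL DACL from the PR, an empty DACL, and a DACL that
# resembles a default SCM descriptor (KA = 0xF003F = SC_MANAGER_ALL_ACCESS).
Get-ScmDaclFromSddl -Sddl 'D:NO_ACCESS_CONTROL' | Format-Table -AutoSize
Get-ScmDaclFromSddl -Sddl 'D:' | Format-Table -AutoSize
Get-ScmDaclFromSddl -Sddl 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;KA;;;BA)' | Format-Table -AutoSize
# Live check on a Windows host: Get-ScmDacl | Format-Table -AutoSize
```

The point worth keeping in mind when porting this to the other DACL checks mentioned later in the thread: the .NET parser returns $null for DiscretionaryAcl only when the DACL is absent, so the null test is what distinguishes "no access control" from "an ACL with zero entries", and only the former should be reported as Everyone/AllAccess.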
itm4n commented 3 years ago

Wow! Thank you for your PR!

I initially wondered how I should report something that does not exist. But yeah, FullAccess for Everyone is exactly what a NULL DACL yields. So creating a list with a single ACE that represents such permission was a smart idea! 🙂

I'll just make some minor changes in the code you submitted so that I won't have to refactor it afterwards.

Thanks again! 🙏

itm4n commented 3 years ago

Done!

Thanks again for your help! It is very much appreciated. It saved me a lot of time. 🙂

Now, I'll just have to implement the same thing in every other DACL check. :/

cnotin commented 3 years ago

Ahah good luck!