search

itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License
2.79k stars 416 forks source link

SERVICES > Unquoted Path not work as expected #48

Closed Malayke closed 1 year ago

Malayke commented 1 year ago

I'm running the TryHackMe Windows PrivEsc machine,

image

and there is a service binary path is unquoted path:

C:\Users\user>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\user>C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
C:\Program Files\Unquoted Path Service
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Users
  RW NT SERVICE\TrustedInstaller
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators

C:\Users\user>whoami /all

USER INFORMATION
----------------

User Name            SID
==================== ==============================================
win-qba94kb3iof\user S-1-5-21-3025105784-3259396213-1915610826-1000

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Users\user>

but PrivescCheck said:

C:\PrivEsc>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

...

+------+------------------------------------------------+------+
| TEST | SERVICES > Unquoted Path                       | VULN |
+------+------------------------------------------------+------+
| DESC | List registered services and check whether any of     |
|      | them is configured with an unquoted path that can be  |
|      | exploited.                                            |
+------+-------------------------------------------------------+
[!] Not vulnerable.

...

I'm not sure if there is a bug or if I run it in the wrong way. I think this project is cool and powerful, and I would like to contribute to its improvement. However, I am not very familiar with PowerShell.

itm4n commented 1 year ago

Hi!

Your analysis is correct, you did not do anything wrong. I think I might have introduced a regression in the code at some point. :grimacing:

No worries, you don't need to write code or submit a PR to contribute. Opening an issue with this level of detail is largely enough to help. :slightly_smiling_face:

Thanks for reporting this bug. I'll have a look at this. :+1:

itm4n commented 1 year ago

Thanks to the information you reported, I was able to reproduce the issue on my lab machine.

There were two problems:

  1. I was checking whether the permission WriteData/AddFile was granted. That was valid before I implemented a helper function that makes the difference between files and folders. This helper just returns WriteData if it's a file, and AddFile if it's a folder. I forgot to update the code to reflect this change, hence the first regression.
  2. At some point, I modified the helper function Get-ModifiablePath so that it returns the permission as a string (joined array) rather than an array. Since I had a test like $PermissionSet -contains $Permission, this did no longer work. This was the second regression.

Now, it should report exploitable unquoted paths correctly.

+------+------------------------------------------------+------+
| TEST | SERVICES > Unquoted Path                       | VULN |
+------+------------------------------------------------+------+
| DESC | List registered services and check whether any of     |
|      | them is configured with an unquoted path that can be  |
|      | exploited.                                            |
+------+-------------------------------------------------------+
[*] Found 1 result(s).

Name              : unquotedsvc
ImagePath         : c:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
User              : LocalSystem
ModifiablePath    : C:\Program Files\Unquoted Path Service
IdentityReference : BUILTIN\Users
Permissions       : Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory,
                    WriteExtendedAttributes, ReadAttributes, AddFile, ReadExtendedAttributes, Traverse
Status            : Stopped
UserCanStart      : False
UserCanStop       : False

The moral of the story is "I should have implemented unit tests"... :/

Anyways, thank you very much for reporting this. This is much appreciated. :pray:

Malayke commented 1 year ago

🙏 Thank you for providing a detailed description of the issue and quickly resolving it. I will now close this issue. 🌟