search

peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz
Other
16.19k stars 3.11k forks source link

WinPEAS missing writeable service #11

Closed IppSec closed 4 years ago

IppSec commented 4 years ago

I noticed this doing a machine on HackTheBox - Before November 2019, the UsoSvc was writable by the Network Service group (CVE-2019-1322). A user commonly has this permission when exploiting a web server.

AccessChk.exe Output:

UsoSvc                                                                                                                                  
  Medium Mandatory Level (Default) [No-Write-Up]                                                                                        
  RW NT AUTHORITY\SYSTEM                                                                                                                
        SERVICE_ALL_ACCESS                                                                                                              
  RW NT AUTHORITY\SERVICE                                                                                                               
        SERVICE_ALL_ACCESS

Identified by PowerUp:

[*] Checking service permissions...                                                                                                     

ServiceName   : UsoSvc                                                                                                                  
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p                                                                           
StartName     : LocalSystem                                                                                                             
AbuseFunction : Invoke-ServiceAbuse -ServiceName 'UsoSvc'

I've checked the entire output of winpeas cmd and winpeas cmd fast and did not see this service listed.

carlospolop commented 4 years ago

Hey @IppSec, Thank you very much for letting me know.

Have you tried the new version of WinPEAS I uploaded some days ago? I made some changes regarding the access to the registry. However, the error could be happening even with the latest version, so as soon as I have some minutes I will test it. Also, I think I know in which machine you found the issue, but feel free to contact me via telegram in @pcnick to confirm the machine (I'm SirBroccoli in HTB, you can check there that I have already done every current active Windows machine).

IppSec commented 4 years ago

I sent a PM via the HackTheBox site, I'm not on Telegram. I had pulled it yesterday and compiled it myself to verify it was the latest.

carlospolop commented 4 years ago

Check the last commit commit I've made, the bug should be fixed. Let me know if it doesn't please!

IppSec commented 4 years ago

It's catching it now, however I think there is a bug in the next section. It's showing every service as writable. If you intend to show CREATOR_OWNER GenericAll, it should be done in a verbose flag or something or at minimum not red print.

  [+] Modifiable Services(T1007)                                                                                                        
   [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services              
    LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:                                                                                               
    UsoSvc: AllAccess                                                                                                                   

  [+] Looking if you can modify any service registry()                                                                                  
   [?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions                                                                                                                   
    HKLM\system\currentcontrolset\services\.NET CLR Data (CREATOR OWNER [GenericAll])                                                   
    HKLM\system\currentcontrolset\services\.NET CLR Networking (CREATOR OWNER [GenericAll])                                             
    HKLM\system\currentcontrolset\services\.NET CLR Networking 4.0.0.0 (CREATOR OWNER [GenericAll])                                     
    HKLM\system\currentcontrolset\services\.NET Data Provider for Oracle (CREATOR OWNER [GenericAll])                                   
    HKLM\system\currentcontrolset\services\.NET Data Provider for SqlServer (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\.NET Memory Cache 4.0 (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\.NETFramework (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\1394ohci (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\3ware (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\ACPI (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\AcpiDev (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\acpiex (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\acpipagr (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\AcpiPmi (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\acpitime (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\ADOVMPPackage (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\ADP80XX (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\adsi (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\AFD (CREATOR OWNER [GenericAll])
    HKLM\system\currentcontrolset\services\afunix (CREATOR OWNER [GenericAll])
...
carlospolop commented 4 years ago

Hi @IppSec,

I'm glad to hear that the initial bug was fixed. Anyway, that output is weird. When I execute the latest winpeas version on the HTB machine I find that I can modify the vulnerable service, but I don't have special permissions on any service registry: image

Also, if you have GenericAll on every registry, that means (I think) that you can modify any registry, which is very weird if you are a non-privileged user.

Are you executing winpeas with any special privileges? Notice that the output of the image is the one I'm getting executing winpeas right after compromising the service (I'm using exactly the winpeas binary compiled located at https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/winPEAS/bin/Release/winPEAS.exe)

carlospolop commented 4 years ago

Hey, I found what was happening and have fixed it. There was a problem deep inside the code on how permissions were being checked. Feel free to check it again if you want.

Thank you again for letting me know the issue, and please, let me know if you find any new bug or if you have any suggestion.