peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz

Modifiable service no longer detected #203

Closed AlanFoster closed 2 years ago

AlanFoster commented 3 years ago

Issue description

Before

An older version of winpeasany.exe correctly detects a modifiable service running on the host machine:

[+] Modifiable Services(T1007) [?] Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s: daclsvc: WriteData/CreateFiles


After

The latest compiled binaries no longer detect this vulnerable service correctly:

╔══════════╣ Modifiable Services ╚ Check if you can modify any service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services You cannot modify any service


Steps to reproduce the issue

I am following this guide: https://www.udemy.com/course/windows-privilege-escalation

I set up a Windows 10 environment and ran this script: https://github.com/Tib3rius/Windows-PrivEsc-Setup/blob/master/setup.bat

I'm not sure what version of winPEAS was provided with the course, or how it was compiled.

Which parameters did you use for executing the script and how did you execute it?

Running directly on the host via PowerShell:

.\winpeas.exe servicesinfo

If winpeas, did you use a clean or obfuscated winpeas, and for which architecture?

This version of the precompiled binary: https://github.com/carlospolop/PEASS-ng/tree/c5d9569437ee5ec4238e661c8a1af93c111db881/winPEAS/winPEASexe/binaries/Release

Is there any AV / Threat protection in the system?

It is disabled

Please, indicate the OS, the OS version, and the kernel version (build number in case of Windows)

systeminfo:

PS C:\Users\admin\AppData\Local\Temp\tools> systeminfo

Host Name:                 DESKTOP-N3MAG5R
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.18363 N/A Build 18363
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User

Vulnerable service:

PS C:\Users\admin\AppData\Local\Temp\tools> ./accesschk.exe /accepteula -uwcqv user daclsvc
RW daclsvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL

How did you expect it to work?

The service is detected, as in the older version of winPEAS.
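The accesschk output above shows what the "Modifiable Services" check looks for: an access-allowed ACE on the service DACL that grants a write right such as SERVICE_CHANGE_CONFIG to a principal other than SYSTEM, Administrators or a service account. The following PowerShell script is an added example (not code from the PEASS-ng project or from the issue) that audits service security descriptors for exactly that condition, so an administrator can confirm a report like the one for daclsvc. It assumes Windows PowerShell 5.1 or later, sc.exe on the PATH, and that the trusted-principal list and the S-1-5-80-* (NT SERVICE\*) exclusion are an assumption to adjust per environment.

```powershell
# Added example, not code from the PEASS-ng project: audit Windows service
# DACLs for write access held by principals other than SYSTEM, Administrators
# or service accounts, the condition winPEAS reports under "Modifiable
# Services". Assumes Windows PowerShell 5.1+ and sc.exe on the PATH.

# Service access rights (winsvc.h) and standard/generic rights (winnt.h) that
# let a principal alter a service's configuration or its security descriptor.
$SERVICE_CHANGE_CONFIG = 0x00000002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$WriteMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Principals for which write access is expected (assumption: every other
# principal holding a write right is reported for review).
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')   # Local System, BUILTIN\Administrators

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints the service security descriptor in SDDL form,
    # preceded by a blank line; keep only the descriptor itself.
    $out = & sc.exe sdshow $Name 2>$null
    return ($out | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'D:*' } | Select-Object -First 1)
}

function Get-ModifiableService {
    # Audits the named services (default: all installed services) and emits
    # one object per write-capable ACE held by an untrusted principal.
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))
    foreach ($svc in $Name) {
        $sddl = Get-ServiceSddl -Name $svc
        if (-not $sddl) { continue }   # service vanished or sdshow denied
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if (($ace.AccessMask -band $WriteMask) -eq 0) { continue }
            $sid = $ace.SecurityIdentifier.Value
            # Assumption: S-1-5-80-* are NT SERVICE\* accounts and are not reported.
            if ($TrustedSids -contains $sid -or $sid -like 'S-1-5-80-*') { continue }
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid }   # unresolvable SID: report it raw
            [pscustomobject]@{
                Service    = $svc
                Principal  = $who
                AccessMask = '0x{0:X8}' -f $ace.AccessMask
                Sddl       = $sddl
            }
        }
    }
}

# Usage: audit every service, or only the service from the report above.
#   Get-ModifiableService | Format-Table Service, Principal, AccessMask
#   Get-ModifiableService -Name daclsvc
```

For the daclsvc service in the issue, the ACE granting SERVICE_CHANGE_CONFIG to the "user" account would be reported, matching the older winPEAS output. The script reads the DACL as the current user sees it (sc.exe sdshow needs READ_CONTROL, which services normally grant to everyone), so it can be run from a standard account to reproduce the check without any third-party tool.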

makikvues commented 2 years ago

Hello @AlanFoster, and thanks for reporting the issue. Please check the latest release once the PR with the fix is merged.

AlanFoster commented 2 years ago

Looks like it's working again now with the latest version, thanks! :+1:
