Friday, November 23, 2012

Windows Privilege Escalation



I am one week into the OSCP labs and it's brutal. Before signing up for the lab I had studied quite a bit on Linux privilege escalation and was quite confident about it, but you are never too prepared for the OSCP lab. Right at the start I was tasked to learn Windows Privilege Escalation... YES! NO! It cannot be ignored. After some searching on the Interwebs, I came across this awesome post on Windows privilege escalation via weak service permissions, but the author had mostly shown examples in PowerShell and AFAIK WMIC does not work on older Windows versions for limited users. But to my surprise someone had actually posted the solution in the comments... it just needed some refinement. So off I was learning the cmd.exe command line; many times during this course I wondered if Microsoft engineers had held a contest to come up with the world's ugliest syntax. *shudder*
Anyway, I survived and managed to make a working, albeit crude, script. This batch script outputs a text file which lists permissions on all user-installed services. The rest of the procedure for exploiting this is explained in the original post mentioned above. Have fun!



@echo off
REM Enumerate every service, running or stopped, and record the BINARY_PATH_NAME of each
REM one whose binary lives outside system32, i.e. third-party software rather than Windows components.
for /F "tokens=2" %%i in ('"sc query state= all | findstr SERVICE_NAME"') do @sc qc %%i | findstr BINARY_PATH_NAME | find /I /V "system32" >> usrsrvcs.txt
REM Token 3 of each line is the path. Paths with spaces or quotes get truncated here, so review those by hand.
REM Windows XP has no icacls; use cacls there.
for /F "tokens=3" %%b in (usrsrvcs.txt) do @icacls %%b >> srvperms.txt
del usrsrvcs.txt
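As an added example, not the author's script, here is the evaluation step the batch file leaves to the original post, written in Python so it can be run against saved output: it parses constructed `sc qc` and `icacls` text (sample data, not from a real host), extracts the binary path correctly even when it is quoted, contains spaces or carries arguments, and reports ACL entries where Everyone, Users or Authenticated Users can modify the service binary.

```python
import re

# Constructed sample output (not from a real host): what `sc qc VendorAgent` and
# `icacls "<binary>"` print for a service whose binary is modifiable by all users.
SC_QC_SAMPLE = r"""
SERVICE_NAME: VendorAgent
        BINARY_PATH_NAME   : "C:\Program Files\Vendor Agent\agent.exe" -service
        SERVICE_START_NAME : LocalSystem
"""
ICACLS_SAMPLE = r"""C:\Program Files\Vendor Agent\agent.exe BUILTIN\Users:(I)(M)
                                         NT AUTHORITY\SYSTEM:(I)(F)
                                         BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Principals every logged-on user belongs to; write rights for them on a service binary are the finding.
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
# icacls simple and specific rights that allow replacing or altering the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "DC"}

def binary_path(sc_qc_output):
    """Image path from BINARY_PATH_NAME, handling quotes, spaces and arguments."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_output)
    if not m:
        return None
    value = m.group(1).strip()
    if value.startswith('"'):                  # quoted: path ends at the closing quote
        return value[1:value.index('"', 1)]
    m = re.match(r"(.+?\.exe)", value, re.IGNORECASE)  # unquoted: up to the first .exe
    return m.group(1) if m else value.split()[0]

def weak_entries(icacls_output, path):
    """(account, rights) pairs that give a low-privileged principal write access."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if path and line.startswith(path):     # first output line is prefixed with the path
            line = line[len(path):].strip()
        m = re.match(r"(.+?):((?:\([^)]*\))+)$", line)
        if not m:
            continue
        account = m.group(1)
        rights = {r for grp in re.findall(r"\(([^)]*)\)", m.group(2)) for r in grp.split(",")}
        if "DENY" in rights or account.lower() not in LOW_PRIV:
            continue
        if rights & WRITE_RIGHTS:
            findings.append((account, ",".join(sorted(rights & WRITE_RIGHTS))))
    return findings
```

Feed it the saved `sc qc` and `icacls` output for each service from the batch run; an empty result means no low-privileged principal can alter that binary.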