National Cyber Warfare Foundation (NCWF)

Windows Privilege Escalation with Russian Software


2025-06-16 17:39:14
milo
Red Team (CNA)





Welcome back, my aspiring cyberwarriors.





Since the beginning of the Russian invasion of Ukraine many American companies have pulled out of Russia, forcing local developers to build replacement tools. The number of these companies is growing, but their software often lacks proper security design. Some of these tools get flagged by antivirus, which leaves the system exposed. Other tools allow modifications that can lead to privilege escalation.





In this article, we will be going over a simple Windows privilege escalation method. We’ll walk through a real case where Russian-developed software allowed any user to modify files in the installation directory, which gave us a way to move from a regular domain user to Domain Admin. This kind of misconfiguration is common and can be hard for a normal sysadmin to catch. It’s something to look for during Windows pentests. Since we’re using built-in Windows binaries, antivirus won’t pick it up; that’s what makes this method powerful and dangerous.





Listing Services





The first step is listing services. Once installed, third-party software often runs as a service managed by Windows. Most of these services run with SYSTEM privileges. If you hijack one, you have full access.





Use this command to list running services:





PS > Get-CimInstance -ClassName Win32_Service | Select-Object Name,State,PathName,StartName | Where-Object {$_.State -like 'Running'}

This gives a long list including native Windows services. Focus on services that look foreign or don’t match the system’s language. These are usually third-party and often misconfigured.





Binary Enumeration





Next, you check the permissions on those binaries. Some systems will have dozens of services, others just a few, but you need to check them all.





Run this to see who can access the binary:





PS > icacls "C:\Program Files\RusService\service.exe"

In our example, everyone had full access (F). That means any user can replace the file and run arbitrary code as SYSTEM.





Boot





After finding a vulnerable binary, check if the service is set to run on boot. If it’s set to Auto, your payload will trigger automatically after a reboot.





To check boot settings:





PS > Get-CimInstance -ClassName Win32_Service -Filter "Name='service'" | Select-Object Name,StartMode


Even if the rest of the output is in Russian, the StartMode value (Auto, Manual, Disabled) is easy to pick out.





Permissions





Now go to the directory where the service binary is stored. In our case the directory ACL was just as loose as the file ACL: we were allowed to create and replace files there freely.
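An added defender-side audit script, not from the original article, that automates the checks described in the Listing Services, Binary Enumeration, Boot and Permissions sections in one pass: it reads every service's executable path, inspects the ACL of the binary and of its folder, and reports any that broad principals can modify, together with the start mode and the account the service runs as. It assumes an elevated PowerShell 5.1+ session and compares principals by well-known SID rather than by name, so it also works on a Russian-language Windows where group names are localised.

```powershell
# Added audit script (not from the article). Flags Windows services whose executable
# or its parent folder is writable by Everyone, Users, Authenticated Users or INTERACTIVE.
# Assumes an elevated PowerShell 5.1+ session so every service path can be read.

# Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE (constructed list).
$weakSids  = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
# Any of these rights lets a principal swap or alter the binary. Generic-right bits are not decoded.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceExecutablePath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Quoted form: "C:\Program Files\X\svc.exe" -arg ; unquoted form: C:\Program Files\X\svc.exe -arg
    if ($PathName -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WeakAcl {
    param([string]$Path)
    # Returns a description of the first risky Allow ACE, or $null when the ACL looks sane.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                       # unresolvable/orphaned SID, skip
        if ($weakSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            return "$($ace.IdentityReference) : $($ace.FileSystemRights)"
        }
    }
    return $null
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ServiceExecutablePath $_.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
    try {
        $binFinding = Test-WeakAcl $exe
        $dirFinding = Test-WeakAcl (Split-Path -Path $exe -Parent)
    } catch { return }                           # access denied on the path, skip
    if ($binFinding -or $dirFinding) {
        [pscustomobject]@{
            Service   = $_.Name
            StartMode = $_.StartMode             # Auto: a replaced binary runs at next boot
            RunsAs    = $_.StartName             # LocalSystem means full SYSTEM rights
            Binary    = $exe
            BinaryAce = $binFinding
            FolderAce = $dirFinding
        }
    }
} | Format-Table -AutoSize
```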

Crafting an Exploit





Now it’s time to write the payload. This step might look tricky but it’s simple. Start by writing a small C program that creates a new admin user. Later, you’ll compile this on Linux.

The first two lines in main handle privilege escalation. The last two remove your payload and restore the original binary. The first reboot might cause the service to fail, but once the original binary is restored, it will work normally again. You can also add a line to execute the renamed original software, but we kept it basic for clarity.





We’re not showing the file path in this example for security reasons. Note that file paths in Windows use double backslashes.





This method works even outside of Active Directory. But if you’re in a domain, some setups let you create users from any machine, not just the domain controller. Other times, you just use stolen domain user creds to escalate from there.





Compiling the Exploit





Once your code is ready, compile it into an executable on Linux using:





kali > x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Copy it into the vulnerable software's folder and rename it to match the original binary name. If the names don't match, the Service Control Manager won't find the executable and the service won't start.





In our test, the binary didn’t raise any alerts. Even if it gets flagged as suspicious, it probably won’t be noticed for a while. Many foreign software vendors have devs with full access, but response time varies. If you take your time and plan each step, you can avoid detection and clean up afterward.
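As an added defensive counterpart to the steps above (not part of the original post): the loose folder and file permissions are tightened with icacls, an audit SACL is placed on the service binary, and Security event 4663 is queried so that a swapped binary is recorded even when antivirus stays silent. It assumes an elevated session; the path is the placeholder from the article's icacls example and must be replaced with the real install folder.

```powershell
# Added hardening and audit-trail example (not from the article). Assumes an elevated session.
$dir = 'C:\Program Files\RusService'                 # placeholder path from the article's icacls example
$exe = Join-Path -Path $dir -ChildPath 'service.exe'

# 1. Hardening: drop inherited/weak entries on the folder. SIDs are used instead of names so the
#    command also works on a Russian-language Windows where 'SYSTEM' and 'Users' are localised.
#    S-1-5-18 = SYSTEM, S-1-5-32-544 = Administrators, S-1-5-32-545 = Users (read + execute only).
icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX'
icacls "$dir\*" /reset /t /c                         # children now inherit the tightened ACL

# 2. Audit trail: enable "File System" object-access auditing (addressed by its subcategory
#    GUID so the command is language-independent), then put a SACL on the binary so any
#    write, delete/rename, permission change or ownership change produces Security event 4663.
auditpol /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
$sacl = Get-Acl -LiteralPath $exe -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',                                           # Everyone
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$sacl.AddAuditRule($rule)
Set-Acl -LiteralPath $exe -AclObject $sacl

# 3. Detection: list 4663 events that touched the binary. EventData order for 4663:
#    index 1 = SubjectUserName, 6 = ObjectName, 11 = ProcessName.
function Get-BinaryTamperEvents {
    param([string]$Path, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -eq $Path } |
        Select-Object TimeCreated,
            @{ n = 'User';    e = { $_.Properties[1].Value } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } }
}
Get-BinaryTamperEvents -Path $exe
```

Forward the 4663 events for service install folders to your SIEM; a write to a service binary by an interactive user account, rather than by an installer or update process, is the signal this article's technique leaves behind.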





Conclusion





Privilege escalation on Windows can come from many angles. In this case, Russian software with weak folder and file permissions let us go from domain user to domain admin without triggering any alarms. It worked even in a locked-down environment where regular users had limited access. Creativity, patience, and a close eye on poor third-party integrations pave the way to success.







Source: HackersArise
Source Link: https://hackers-arise.com/windows-privilege-escalation-with-russian-software/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.