Utilizing PowerUp.ps1 to Escalate Privileges on Windows 7 using an Unquoted Path Vulnerability

I found a great write-up by the Veris Group on how to use PowerUp.ps1 @ http://www.verisgroup.com/2014/06/17/powerup-usage/.  I thought I would take some time and walk through this tutorial on a Windows 7 box with a non-privileged user.

Following the Veris groups instructions:

1. I downloaded the PowerUp.ps1 script from their github repo at https://github.com/HarmJ0y/PowerUp.  Notice as of Dec 2014 this repo is no longer supported.

2. Drop the file PowerUp.ps1 into a location you can write to.  I have a folder I created called c:\PowerUp.

3. Then execute “powershell.exe -nop -exec bypass” to enable the execution bypass.

4. Then execute “import-module c:\PowerUp\powerup.ps1” of the full path plus the filename of the powershell script.

5. To setup the stage of having a vulnerable service to demonstrate with, I modified the following registry key to allow for an unquoted path vulnerability.

6. I removed the quotes around the path listed in the ImagePath of the registry.  Sometimes this is as easy as checking to see if your user can modify these paths on any service that has started.
7. Then I modified the permissions to the VMWare folder to where the user can read/write to the directory.
8.  With that the service normally it does not start automatically so I changed it to start automatically.
9. Now with this setup we can utilize the PowerUp.ps1 script to create a user account using this service.
10. Using powerup.ps1 we now execute “Invoke-AllChecks”.  The first check that it runs is for an unquoted path vulnerability and it finds the one that we setup.
11. Then we create the file that will create the backdoor account by the following command:
12.  The service.exe file was created now we copy that file into the directory of “C:\Program Files\VMWare” and call it VMWare.exe.  It will execute instead of going into the directory of “VMWare Tools”.  However we do not have access to restart this service so we need to wait for the user to reboot the machine.  However, with limited access you could generate some errors for the user which would give them an indication that it needed to be rebooted.
13.  After the workstation restarted then the service loads as the local service account and  creates the account “backdoor” as an administrator on the workstation.
This is only one method of exploiting the unquoted path vulnerability on a workstation or server to gain administrative privileges on the computer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s