The output implies that we have access to two services from which we can edit the service parameters, named upnphost and SSDPSRV. # If we are on a Windows XP SP0 or SP1 OS we will receive the following output We can do this with the following query:Ĭ:\> accesschk.exe /accepteula -uwcqv "Authenticated Users" * Once you have uploaded the older version of accesschk.exe to your victim, we can use it to look for vulnerable services we can exploit. With that issue out of the way, let's continue. You can download older versions with the /accepteula parameter from here and here. That being said, we will have to download an older version of accesschk.exe to fulfill our needs. In older versions of accesschk.exe there was a parameter /accepteula which did exactly that, but they removed the parameter in newer releases. Wouldn't they build in some kind of parameter in the accesschk.exe binary to accept the EULA via CLI? Yes, they actually did. If we run accesschk.exe via CLI it would freeze our shell. Why you ask? Well, when you run accesschk.exe for the first time in a GUI environment, it will give you a pop up window asking you to accept their EULA. When accesschk.exe is uploaded and we execute the latest version of accesschk.exe from SysInternals, we won't be able to execute this in our low level shell. You can do this by typing 'binary' in your FTP session. NOTE: Any binary you transfer via FTP requires you to set your FTP session to binary. In order to check if we have any vulnerable service(s) on our system, we need to download accesschk.exe from SysInternals, and transfer it to our victim's machine via the low privilege shell we have already established.
Vulnerable in this case, means that we can edit the services' parameters.
Most services in newer Windows versions (starting from Windows XP SP2) are no longer vulnerable. If you meet the requirements above, we can continue! This method of privilege escalation relies on vulnerable Microsoft Services. You have enumerated this machine and concluded that the operating system is Windows XP with SP0 or SP1 installed. REQUIREMENTS: This article assumes that you have already obtained a low privilege shell on your victim's computer.
0 kommentar(er)
