修改apache的注册表值提高系统权限

In Windows environments when a service is registered with the system a new key is created in the registry which contains the binary path. Even though that this escalation vector is not very common due to the fact that write access to the services registry key is granted only to Administrators by default however it should not be omitted by the penetration tester as another possible check.

The process of privilege escalation via insecure registry permissions is very simple. Registry keys for the services that are running on the system can be found in the following registry path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

If a standard user has permissions to modify the registry key “ImagePath” which contains the path to the application binary then he could escalate privileges to system as the Apache service is running under these privileges.

ImagePath Registry Key

The only thing that is required is to add a registry key that will change the ImagePath to the location of where the malicious payload is stored.

meterpreter > shell
Process 1812 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\pentestlab\Desktop>reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Apache"
/t REG_EXPAND_SZ /v ImagePath /d "C:\xampp\pentestlab2.exe" /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Apache"
/t REG_EXPAND_SZ /v ImagePath /d "C:\xampp\pentestlab2.exe" /f

The operation completed successfully

Registry ImagePath Modification

The next time that the service will restart, the custom payload will be executed instead of the service binary and it will return back a Meterpreter session as SYSTEM.

Privilege Escalation via Insecure Registry Permissions