I was working on one of the currently live machines and was able to get root, but only because someone made a comment that led me to the right service. The way in is through the service permissions, but to me everything looks perfectly fine. I have been told that with experience something should stand out. I know how to manipulate the service, but can anyone give me some pointers on how to identify it in the first place? Here are the privileges I have in the shell and the permissions of the two vulnerable services. I was able to change the binPath on service 1 to get it to run my shellcode, but everyone insists service 2 is the obvious choice (even though I cannot modify it).
Can anyone give me some pointers as to 1) why I am able to modify service 1, 2) what the approach to service 2 might be, and 3) how I would identify these as vulnerable?
I think I see what stands out in service 2, but how would I exploit it?
c:\Users\Public>whoami
iis apppool\defaultapppool
PRIVILEGES INFORMATION

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
The service paths are either quoted or have no spaces.
Service 1 permissions:
  Medium Mandatory Level (Default) [No-Write-Up]
  R  NT AUTHORITY\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_USER_DEFINED_CONTROL
  R  BUILTIN\Administrators
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  R  S-1-5-21-3799463084-4290437372-2261193466-500
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\SERVICE
        SERVICE_ALL_ACCESS

D:(A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)
Service 2 permissions:
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  R  NT AUTHORITY\INTERACTIVE
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  R  NT AUTHORITY\SERVICE
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
Any and all pointers would be appreciated
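As an added example that is not part of the original post: a Python script that parses the two service DACLs shown above (the SDDL form `sc sdshow <service>` prints) and reports, for a given set of token group SIDs, which rights would let that token take the service over: SERVICE_CHANGE_CONFIG (the DC code, which is what lets binPath be rewritten), WRITE_DAC (WD) and WRITE_OWNER (WO). The SDDL strings are the ones posted, with the `D:` prefix restored and extraction spaces removed. The group set used for the `iis apppool\defaultapppool` shell is an assumption: it models a service-account token that carries Everyone (S-1-1-0), Authenticated Users (S-1-5-11) and NT AUTHORITY\SERVICE (S-1-5-6). Under that assumption the script flags service 1 through the SU entry, which holds SERVICE_ALL_ACCESS, and flags nothing on service 2, where SU holds only query rights. The check reads the DACL only; it does not model ACE ordering beyond canonical deny-before-allow, implied owner rights, or what the SeImpersonatePrivilege line in the token might allow independently of service permissions.

```python
"""Report service-takeover rights a token holds, from `sc sdshow` output.

Added example: parses SDDL service DACLs and checks, for a set of token
group SIDs, whether they grant rights that let the holder reconfigure the
service (DC), rewrite its DACL (WD) or take ownership of it (WO).
"""

import re

# Two-letter SDDL access codes, the SERVICE_* / standard-right names that
# accesschk prints for them, and their bit values (used when the rights
# field is a hex mask instead of letter codes).
RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}

# Rights that hand the service over: change binPath (DC), rewrite the DACL
# (WD), or take ownership and then rewrite the DACL (WO).
TAKEOVER = {"DC", "WD", "WO"}

# SID aliases that commonly appear in service DACLs.
SID_ALIASES = {
    "AU": "S-1-5-11",      # NT AUTHORITY\Authenticated Users
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "SU": "S-1-5-6",       # NT AUTHORITY\SERVICE
    "IU": "S-1-5-4",       # NT AUTHORITY\INTERACTIVE
    "WD": "S-1-1-0",       # Everyone
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_rights(field):
    """Turn an ACE rights field (letter codes or hex mask) into a set of codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, (_, bit) in RIGHTS.items() if mask & bit}
    codes = {field[i:i + 2] for i in range(0, len(field), 2)}
    if "GA" in codes:                 # GENERIC_ALL: every service right
        codes |= set(RIGHTS)
    if "GW" in codes:                 # GENERIC_WRITE on a service: DC + RC
        codes |= {"DC", "RC"}
    return codes


def parse_dacl(sddl):
    """Return [(ace_type, rights_codes, sid), ...] from the D: section of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]     # drop a trailing SACL if one is present
    aces = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")       # type;flags;rights;object;inherit_object;sid
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        aces.append((ace_type, decode_rights(rights), SID_ALIASES.get(sid, sid)))
    return aces


def effective_rights(aces, token_sids):
    """Rights granted to the token: allowed minus denied (canonical DACL order assumed)."""
    allowed, denied = set(), set()
    for ace_type, codes, sid in aces:
        if sid not in token_sids:
            continue
        if ace_type == "A":
            allowed |= codes
        elif ace_type == "D":
            denied |= codes
    return allowed - denied


def takeover_rights(sddl, token_sids):
    """Sorted names of takeover rights the token holds; empty means not modifiable."""
    held = effective_rights(parse_dacl(sddl), token_sids) & TAKEOVER
    return sorted(RIGHTS[code][0] for code in held)


# The two DACLs from the question, D: prefix restored and extraction spaces removed.
SERVICE_1 = ("D:(A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)"
             "(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)")
SERVICE_2 = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

# Assumed group SIDs for the iis apppool\defaultapppool shell: Everyone,
# Authenticated Users and NT AUTHORITY\SERVICE (constructed, not from the post).
APPPOOL_TOKEN = {"S-1-1-0", "S-1-5-11", "S-1-5-6"}

if __name__ == "__main__":
    for name, sddl in (("service 1", SERVICE_1), ("service 2", SERVICE_2)):
        print(name, takeover_rights(sddl, APPPOOL_TOKEN) or "no takeover rights")
```

To apply this to a live box, feed it the output of `sc sdshow <name>` for each service and the group SIDs from `whoami /groups`; any service that comes back with a non-empty list is one whose binPath (DC) or security descriptor (WD, WO) the current token can rewrite.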