REQUIREMENTS: This article assumes that you have already obtained a low privilege shell on your victim's computer. You have enumerated this machine and concluded that the operating system is Windows XP with SP0 or SP1 installed.

This method of privilege escalation relies on vulnerable Microsoft Services. If you meet the requirements above, we can continue! Most services in newer Windows versions (starting from Windows XP SP2) are no longer vulnerable. Vulnerable, in this case, means that we can edit the services' parameters.

In order to check if we have any vulnerable service(s) on our system, we need to download accesschk.exe from SysInternals and transfer it to our victim's machine via the low privilege shell we have already established.

NOTE: Any binary you transfer via FTP requires you to set your FTP session to binary. You can do this by typing 'binary' in your FTP session.

Once accesschk.exe is uploaded, we won't be able to execute the latest version of accesschk.exe from SysInternals in our low level shell. Why, you ask? Well, when you run accesschk.exe for the first time in a GUI environment, it will give you a pop up window asking you to accept their EULA. If we run accesschk.exe via CLI, that prompt would freeze our shell.
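From the defender's side, the condition described above (a service whose parameters can be edited by ordinary users) can be audited from the security descriptor that `sc sdshow <service>` prints. The following is an added example, not code from the original article; the service names and SDDL strings are constructed, and `risky_grants` and `audit` are hypothetical helper names.

```python
import re

# SDDL codes (and access-mask bits) that let a trustee reconfigure a service.
RISKY_RIGHTS = {
    "DC": ("SERVICE_CHANGE_CONFIG", 0x00000002),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GA": ("GENERIC_ALL", 0x10000000),
}
# SDDL aliases for groups that include ordinary, non-administrative users.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
                  "BU": "Builtin Users", "IU": "Interactive", "PU": "Power Users"}

def risky_grants(sddl):
    """Return (group, right) pairs where a DACL allow ACE lets a broad group edit the service.
    Deny ACEs and raw S-1-... SIDs are not evaluated here."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)  # DACL only, stops before S: (SACL)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) != 6 or fields[0] != "A" or fields[5] not in BROAD_TRUSTEES:
            continue
        rights = fields[2]
        if rights.lower().startswith("0x"):  # rights given as a hex access mask
            mask = int(rights, 16)
            held = [name for name, bit in RISKY_RIGHTS.values() if mask & bit]
        else:  # rights given as a run of two-letter codes
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            held = [name for code, (name, _) in RISKY_RIGHTS.items() if code in codes]
        findings += [(BROAD_TRUSTEES[fields[5]], name) for name in held]
    return findings

# Constructed sample descriptors with hypothetical service names (not from a real host).
SAMPLES = {
    "ExampleLooseSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                       "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
    "ExampleTightSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                       "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
}

def audit(samples):
    """Map each service name to its risky grants, omitting services with none."""
    results = {name: risky_grants(sddl) for name, sddl in samples.items()}
    return {name: grants for name, grants in results.items() if grants}

if __name__ == "__main__":
    for name, grants in audit(SAMPLES).items():
        print(name, grants)
```

Any service this flags should have the broad group's ACE reduced to query and start/stop rights, which is the state SP2 and later ship with for most services.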