Wednesday, May 20, 2015

Privilege escalation and the authenticated users group

While studying for OSCP I learned that while the "Program Files" and "Program Files (x86)" directories are protected from tampering by non-administrators (the "Authenticated Users" group has no write rights there), any directory created directly under the root of the C drive can be tampered with. The reason is the default ACL on C:\ itself: it carries an inheritable entry granting the "Authenticated Users" group Modify on subfolders and files, so a folder created under the root, by anyone, including an administrator, is born with inherited permissions that let every authenticated user write to it, and the same inherited entry flows down to everything placed inside it.

I, as well as other admins I know, like to put admin scripts and programs in C:\temp, and all a coworker or attacker has to do is edit a script or backdoor/replace a binary to get malicious code to run the next time I execute it with my privileges. For example, a help desk tech could have themselves added to the Domain Admins group by appending "net group "Domain Admins" username /add /domain" to one of my scripts.

Any time you create a directory under the root of the C drive, make sure that you disable inherited permissions (keeping the SYSTEM and Administrators entries) and remove the "Authenticated Users" group from the permissions. Check the existing ones too: if you have XAMPP, Python, etc. installed directly under C:\, think about what I just said. The XAMPP control panel has options to run Apache and MySQL as services with SYSTEM privileges, and if the install folder inherited the root's permissions, any authenticated user can replace its binaries or scripts and have them run as SYSTEM.
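Here is a PowerShell script, added as an example and not part of the original post, that does the audit and the fix described above. Get-WeakFolderAce lists every top-level folder under C:\ (or any path you give it) that grants a low-privileged group write access, and Protect-AdminFolder disables inheritance on a folder, keeps the copied SYSTEM/Administrators entries, and strips the write-capable entries for those groups. The list of principals treated as "weak" and the C:\temp path used in the usage line are my assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): find and fix folders that
# inherited "Authenticated Users: Modify" from the root of C:\.

# Principals a non-admin user is a member of. Assumed list; extend as needed.
$WeakPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the principal change, replace or delete content.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::Write -bor $R::Modify -bor $R::FullControl -bor $R::Delete -bor
             $R::WriteData -bor $R::AppendData -bor $R::ChangePermissions -bor
             $R::TakeOwnership

function Get-WeakFolderAce {
    # Lists Allow ACEs on $Path (and its immediate subfolders when -Recurse)
    # that give a weak principal some write right.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $targets = @($Path)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.FullName }
    }
    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Protect-AdminFolder {
    # Break inheritance (copying the inherited entries so SYSTEM and
    # Administrators keep Full Control), then remove write ACEs for weak groups.
    # Equivalent icacls: icacls <path> /inheritance:d /remove:g "Authenticated Users"
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)   # protect = $true, preserve = $true
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read so the former inherited entries now show up as explicit and removable.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $WeakPrincipals -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (assumed paths): audit everything directly under C:\, then fix C:\temp.
Get-WeakFolderAce -Path 'C:\' -Recurse | Format-Table -AutoSize
Protect-AdminFolder -Path 'C:\temp'
Get-WeakFolderAce -Path 'C:\temp'   # should return nothing afterwards
```

Run it from an elevated prompt. The audit will also flag C:\ itself, because the inheritable "Authenticated Users" entry lives on the root; do not remove it there, since other software expects to be able to create folders under C:\. Fix the folders that hold your scripts and binaries instead, and re-run the audit after installing anything new to the root of the drive.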