Windows Privilege Escalation - Unquoted Service Path

15,659 views

Conda

Comments: 60
@celeretaudaxx 4 years ago
Another banger, well explained, well presented, well exploited, thank you!
@c0nd4 4 years ago
Thank you for the kind words 😁
@programmingcheatsheet 3 years ago
Stumbled on this video looking for details on a homework assignment, and as someone with no previous experience doing anything security related this was well done and coherent enough for me to follow. Liked, subbed, & bookmarked. Don't stop making videos like this
@dawnsix 4 years ago
Your content is really good man, much appreciated.
@c0nd4 4 years ago
No problem! I appreciate the support!
@bex3911 3 years ago
Great explained, really helped me out 😁 ... can't wait for more WindowsPrivesc Vids.
@c0nd4 3 years ago
Thank you! Glad I could help. If all goes as planned, there could be a new windows priv esc video out tomorrow 😉
@kallikantzaros 1 year ago
Born to be an educator :) Well put my friend, explained it very well like in your other videos.
@c0nd4 1 year ago
Thank you!
@will227inyoface2 1 year ago
Are you still making videos? I just found this while studying for my PenTest+ and this content is fantastic! Subscribed!
@waltzofthestars2078 4 years ago
Wonderfully explained, makes it seem simple af while also noting every little detail. Thanks!
@c0nd4 4 years ago
No problem! Thank you for the feedback, I appreciate it 🙂
@travispatt907 8 months ago
You are awesome, thank you. This helped me so much with understanding some material for Pentest+.
@HK-sw3vi 3 years ago
Had to log in to say how good this video is. Thanks a bunch man
@c0nd4 3 years ago
Thank you!
@tomyates5346 2 years ago
Good stuff. Clear and concise explanation. Thanks!
@wolfgang-lj2hp 2 years ago
Very well explained and demonstrated. Thanks
@aahringer 1 year ago
It would be great to talk about how Windows Defender/AV/EDR and AMSI react to well known tools like PowerSploit and default payloads from msfvenom as they would likely cause an alert to the blue team or be blocked entirely in many situations.
@8080VB 2 months ago
God tier explanation. Thank you!
@madhavnakar9396 4 years ago
Another great video, thank you. Any tips about how to use this when powershell is not available on a box? I frequently come across boxes that when I run powershell commands, the reverse shell drops, which can be frustrating.
@c0nd4 4 years ago
Thank you! If you don't have powershell available, you can find services that have unquoted paths with a wmic command. I don't remember the syntax off the top of my head, but I'm sure you can find out online. Good luck!
@slythx5231 4 years ago
Hi @c0nd4, that must be "wmic service get pathname,startname", right? But this is manual checking. How can we automate this or at least lessen the output for the unquoted path services only?
@c0nd4 4 years ago
Try this command: wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
@slythx5231 4 years ago
I think this will work: wmic service get pathname,startmode | findstr /V "C:\Windows\\" | findstr /i /v "c:\" | findstr /i /v """
@c0nd4 4 years ago
Great minds think alike 😉
@volodymyrgorbachov 3 years ago
That was perfect! Thank you!
@c0nd4 3 years ago
Thanks!
@ajaykumark107 4 years ago
Keep them coming!
@bernietamberg8581 2 years ago
Excellent video.
@scout17s17 4 years ago
Thank you very much!
@c0nd4 4 years ago
No problem!
@aryavrata4542 4 years ago
I don't have vulnservice running in my services.
@c0nd4 4 years ago
Sorry if that wasn't clear. Windows does not come with a service called "VulnService". I created that for the video. You can create this service using the "sc create" command if you'd like to try it. Good luck!
@ytg6663 2 years ago
How can I automate it using C++ programmatically?
@skyredfive 2 years ago
Very nicely explained! Came across this video while researching for my assignment. Can I confirm what is the CVE for this vulnerability and which Microsoft patch remediates this vulnerability? This information would be useful for my assignment and my own try out on my VM. Thanks!
@Saw-o3h 8 months ago
Why didn't you do the last part in the terminal? We don't have access to the RDP. This part wasn't good actually. I know how to do that but many people don't and come here to learn mate. I wish you did the last part in the terminal too. Thanks
@koushiksuthar95 4 years ago
Very helpful 👍
@c0nd4 4 years ago
Glad to hear. Thanks!
@MrJingy08 4 years ago
Excellent stuff
@c0nd4 4 years ago
Thank you!
@taiquangong9912 2 years ago
Done this on THM and was missing a step.
@jamalnasir5648 2 years ago
So how do you fix this? Should have explained that as well
@c0nd4 2 years ago
Put quotes around the service path
@jamalnasir5648 2 years ago
@c0nd4 Thanks. I found the settings in the registry to change to quotes
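A defender-side check for the two points raised in the comments above (narrowing service paths down to the unquoted ones, and the fix of quoting the path), added here as an example and not taken from the video or its author. The sample rows are constructed (only the name VulnService comes from the thread) and the function names are hypothetical; it also compares a parse of the executable path with an approximation of the thread's findstr quote filter.

```python
import re

# Constructed (name, PathName) rows, shaped like "wmic service get name,pathname" output.
# Only the name VulnService comes from the thread; every path is made up.
SAMPLE = [
    ("VulnService", r"C:\Program Files\Vuln Service\service.exe"),
    ("QuotedSvc", r'"C:\Program Files\Good App\svc.exe" --run'),
    ("ArgQuotes", r'C:\Program Files\Other App\agent.exe -c "C:\cfg dir\a.ini"'),
    ("NoSpaces", r"C:\Tools\svc.exe -k netsvcs"),
    ("SysSvc", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

# Executable = shortest prefix ending in ".exe" that is followed by whitespace or end.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)

def split_unquoted(pathname):
    """Return (exe_path, args) for an unquoted command line, None if it starts quoted."""
    p = pathname.strip()
    if p.startswith('"'):
        return None
    m = EXE_RE.match(p)
    return (m.group(1), m.group(2)) if m else (p, "")

def is_unquoted_with_space(pathname):
    """True when the executable part is unquoted and contains a space."""
    parts = split_unquoted(pathname)
    return parts is not None and " " in parts[0]

def quoted_fix(pathname):
    """Corrected value: executable wrapped in quotes, arguments kept as they were."""
    exe, args = split_unquoted(pathname)
    return f'"{exe}"{args}'

def findstr_filter(pathname):
    """Approximates the thread's last two findstr stages on one path string:
    keep it unless it is under the Windows directory or contains any quote."""
    low = pathname.lower()
    return "c:\\windows\\" not in low and '"' not in low

def audit(rows):
    """Map service name -> quoted replacement path for every finding."""
    return {name: quoted_fix(p) for name, p in rows if is_unquoted_with_space(p)}

if __name__ == "__main__":
    for name, path in SAMPLE:
        print(f"{name:12} parse={is_unquoted_with_space(path)!s:5} findstr={findstr_filter(path)}")
    for name, fixed in audit(SAMPLE).items():
        print("fix", name, "->", fixed)
```

On the sample rows, ArgQuotes is reported by the parse but dropped by the quote filter because its arguments contain quotes, and NoSpaces is kept by the filter although its path has no space.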
@Waseemakram-eb9ws 4 years ago
Awesome man
@c0nd4 4 years ago
Thanks!
@roya2045 3 years ago
Hi, if I have the domain admin password I can access the local systems in my domain using the password. But if I want to access a system that is connected to the local LAN but without being in the domain, how can I gain access to that system? I tried using my domain admin password on that system but it seems like that does not work. Please reply
@c0nd4 3 years ago
A domain administrator password will only work on domain joined machines
@icarus1656 4 years ago
Good video
@c0nd4 4 years ago
Thanks!
@anntakamaki1960 1 year ago
Why does Windows look for the file like that? Seems kind of dumb for Windows to do that.
@aulisarinili7297 2 years ago
Windows part seemed so hard to me.
@xcets. 4 years ago
I just played you in Modern Warfare. gg
@c0nd4 4 years ago
GG
@syd824 2 years ago
duuuuuuuude.......leker content. Well explained.