A little gift to all the pentesters out there...
All versions of Windows Server from 2008 R2 to 2019 are prone to a DLL hijacking in the %PATH% directories.
Run as SYSTEM
No reboot required
Can be triggered by a normal user on demand
https://itm4n.github.io/windows-server-netman-dll-hijacking/
What we need is a list of apps that add a non-admin-writable folder to system PATH, and get these fixed. I agree this isn't a vuln in Windows. So we all know Python is such an app, what are some others?
I think Ruby and cygwin are also good examples...
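One way to check a given server for the condition discussed in these replies, as an added example that is not part of the original thread: it walks the machine-level PATH and reports every directory where an Allow ACE gives a principal other than SYSTEM, Administrators or TrustedInstaller the right to create files. The trusted-SID list is an assumption of this sketch, and Deny ACEs and directory ownership are not evaluated.

```powershell
# Added example: list machine-PATH directories that a non-admin principal can write into.
# SIDs treated as trusted (assumption of this sketch): SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# Right needed to drop a file into a directory, plus generic bits that can appear raw in an ACE.
$createBits  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$genericBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$findings = foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist yet may be creatable by a normal user.
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Issue = 'Missing: check who can create it' }
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the directory itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if ((($rights -band $createBits) -ne 0) -or (($rights -band $genericBits) -ne 0)) {
            # Show a friendly account name when the SID can be resolved.
            $name = $rule.IdentityReference.Value
            try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ Directory = $dir; Principal = $name; Issue = 'Can create files' }
        }
    }
}
$findings | Sort-Object Directory, Principal -Unique | Format-Table -AutoSize
```

An empty result means no machine-PATH directory matched; any row naming Users, Authenticated Users or Everyone identifies a folder whose installer should be fixed or whose ACL should be tightened.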
Anyway... Nice one.
I've spent countless hours looking for this kind of "vuln" in services running as SYSTEM on a default installation and I only found a handful of them, and none on the latest Windows 10.
I must be really dumb. 
