If you can write to any SYSTEM PATH as a non-privileged user, you win. I've written a PowerShell script to check for this: https://gist.github.com/wdormann/eb714d1d935bf454eb419a34be266f6f …
Cool! I’ll check this out.
I found this bug not too long ago. However, a quick Google search shows it was already discovered/published by @markus_pieton earlier this year https://www.a12d404.net/windows/2019/01/13/persistance-via-path-directories.html …. Nice find nonetheless!
I didn’t know it was there! Cool stuff ;)
Wait so... if I can write to any path as low priv. It means I can privesc to Admin?
If you can write to any folder in the system PATH on Windows 10. Drop a DLL named wptsextensions.dll and reboot. Will execute as SYSTEM under the task scheduler.
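
A read-only audit for the condition this thread describes, as an added example that is not part of the thread and is not the script linked in the first tweet. It lists machine PATH directories whose ACL lets a low-privileged principal create files; the SID list and the rights mask are assumptions about what counts as "writable by a non-privileged user", and Deny entries and nested group membership are not evaluated.

```powershell
# Added example: flag machine-wide PATH directories that low-privileged
# principals can create files in. Makes no changes to the system.

# Assumption: these well-known SIDs stand in for "non-privileged user".
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# CreateFiles/WriteData (0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$writeMask = 0x2 -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]
$inherit   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Machine scope only: the per-user PATH is not part of the system search path.
$entries = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
    Select-Object -Unique

foreach ($dir in $entries) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist may be creatable by someone else.
        [pscustomobject]@{ Path = $dir; Principal = ''; Finding = 'Missing directory: check who can create it' }
        continue
    }

    # Ask for SIDs directly so unresolvable account names do not break the check.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        # Inherit-only entries apply to children, not to the directory itself.
        if ($rule.AccessControlType -ne 'Allow' -or $rule.PropagationFlags.HasFlag($inherit)) { continue }

        $sid = $rule.IdentityReference.Value
        if ($lowPrivSids.ContainsKey($sid) -and ([int]$rule.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Path      = $dir
                Principal = $lowPrivSids[$sid]
                Finding   = "Write access: $($rule.FileSystemRights)"
            }
        }
    }
}
```

An empty result means none of the listed principals has an explicit or inherited file-create right on any machine PATH directory; any row returned is a directory to remove from PATH or re-ACL.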
So you must be admin first to be able to change PATH? Then any non-admin can elevate itself to LOCAL SERVICE? Is it good practice to have only non-writeable folders on PATH?
this only works for programming language or put POC in any folder and spawn ADMIN like hilarious potato?
Dunno what am I doing wrong. I created a DLL x64 which runs a program on load, like the example code in your post. I placed it in C:\test folder and added C:\test to the global PATH env var. Then I ran the svchost command you mentioned, also I stopped CDPSvc and started again ->
The DLL won't be loaded by svchost.exe. Am I missing something?