Offensive Security Notes

Remote Desktop (RDP) (3389)

PrivEsc

Utilman.exe Abuse with RDP

If we have write access to the C:\Windows\System32 folder, we can abuse that privilege to obtain a SYSTEM shell through the RDP logon screen.

utilman.exe is a built-in Windows application that lets users configure accessibility options such as the Magnifier, the High Contrast theme, Narrator, and the On-Screen Keyboard before they log in to the system.

This application is triggered by pressing the WIN + U key combination on the Windows logon screen. It is important to note that it runs with SYSTEM privileges.

We can leverage our write access in the system directory C:\Windows\System32 to replace utilman.exe with cmd.exe.

*Evil-WinRM* PS C:\Users\svc_apache$\Documents> move C:\Windows\System32\utilman.exe C:\Windows\System32\utilman.old
*Evil-WinRM* PS C:\Users\svc_apache$\Documents> move C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
*Evil-WinRM* PS C:\Users\svc_apache$\Documents>

If we can now trigger the application, it should grant us a SYSTEM shell. Let's try this over the Remote Desktop Protocol with rdesktop.

rdesktop -u enox -p california -g 1920x1080 -z heist.offsec

We'll press WIN + U (CMD + U on Mac keyboards) on the logon screen to trigger the execution of utilman.exe. Alternatively, we can click the support tools icon in the lower right. If all went well, the application should run cmd.exe with system-level integrity.
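From the defender's side, the swap above is easy to spot with a file-integrity check over the logon-screen accessibility binaries. The following is an added example, not code from these notes; it is written in Python for portability, assumes a baseline of SHA-256 hashes recorded from a clean image, and generalizes from utilman.exe to the other accessibility helpers (sethc.exe, osk.exe, narrator.exe, magnify.exe) that winlogon.exe launches the same way. The demo() function replays the two `move` commands from the session above inside a constructed System32 directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Logon-screen accessibility helpers that winlogon.exe runs as SYSTEM; utilman.exe
# is the one swapped above, the others are the same class of target (assumption).
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe", "osk.exe", "narrator.exe", "magnify.exe")

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_accessibility_binaries(system32: Path, baseline: dict) -> list:
    """Report accessibility binaries that are missing, byte-identical to cmd.exe, or
    no longer match `baseline` (file name -> SHA-256 recorded from a clean image)."""
    findings = []
    cmd = system32 / "cmd.exe"
    cmd_hash = sha256_of(cmd) if cmd.exists() else None
    if cmd_hash is None:
        findings.append("cmd.exe: missing from System32")  # the move above leaves it gone
    for name in ACCESSIBILITY_BINARIES:
        target = system32 / name
        if not target.exists():
            findings.append(f"{name}: missing (moved or deleted)")
            continue
        current = sha256_of(target)
        if current == cmd_hash:
            findings.append(f"{name}: identical to cmd.exe (binary swap)")
        elif name in baseline and baseline[name] != current:
            findings.append(f"{name}: hash differs from baseline")
    # A renamed original such as utilman.old is itself worth reporting.
    for leftover in sorted(system32.glob("*.old")):
        findings.append(f"{leftover.name}: stray backup in System32")
    return findings

def demo() -> list:
    """Replay the two `move` commands above in a constructed temp System32, then check."""
    system32 = Path(tempfile.mkdtemp())
    for name in ACCESSIBILITY_BINARIES:
        (system32 / name).write_bytes(f"CONSTRUCTED {name}".encode())  # stand-in binaries
    baseline = {name: sha256_of(system32 / name) for name in ACCESSIBILITY_BINARIES}
    (system32 / "cmd.exe").write_bytes(b"CONSTRUCTED cmd.exe")
    (system32 / "utilman.exe").rename(system32 / "utilman.old")  # move utilman.exe utilman.old
    (system32 / "cmd.exe").rename(system32 / "utilman.exe")      # move cmd.exe utilman.exe
    return check_accessibility_binaries(system32, baseline)
```

On a real host, point check_accessibility_binaries at C:\Windows\System32 with a baseline taken before deployment; a scheduled run that alerts on any finding catches this technique regardless of how the file was written.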


Last updated 3 years ago