Why AppReadiness can be exploited

The Privilege Escalation Via Services lab is all about privilege escalation by abusing services, in this case AppReadiness. Why can AppReadiness be abused by a malicious hacker?

Your current user has configuration-modification rights on the service; PowerUp detects that and then executes commands, starting and stopping the service as needed.

1 Like
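The reply above points at the root cause: a service whose DACL grants an ordinary user SERVICE_CHANGE_CONFIG (or WRITE_DAC/WRITE_OWNER, which lead to the same place). The following audit script is an added example for checking that condition on your own systems; it is not from the thread, the PTP lab or PowerUp. It assumes `sc.exe sdshow` is available (it ships with Windows) and that the well-known group SIDs listed are the ones you consider "every user".

```powershell
# Added example: flag services whose DACL lets broad, low-privilege groups
# reconfigure the service or rewrite its ACL. Access-mask bits are the
# service-specific rights from the Windows SDK (winsvc.h) plus generic rights.
$SERVICE_CHANGE_CONFIG = 0x0002
$WRITE_DAC             = 0x40000
$WRITE_OWNER           = 0x80000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

# Well-known SIDs that every interactive, non-admin user belongs to (assumed set; extend as needed).
$BroadSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

function Get-WeakServiceAces {
    param([Parameter(Mandatory)][string]$ServiceName)

    # sc.exe sdshow prints the service security descriptor as an SDDL string (the line starting with "D:").
    $sddl = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1)
    if (-not $sddl) { Write-Warning "No SDDL returned for service '$ServiceName'"; return }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }          # only grants matter here
        $sid = $ace.SecurityIdentifier.Value
        if ($BroadSids -notcontains $sid) { continue }                   # skip SYSTEM, Administrators, etc.
        if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }   # read/start/stop alone is not a takeover
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid }
        [pscustomobject]@{
            Service         = $ServiceName
            Trustee         = $who
            AccessMask      = ('0x{0:X}' -f $ace.AccessMask)
            ChangeConfig    = [bool]($ace.AccessMask -band ($SERVICE_CHANGE_CONFIG -bor $GENERIC_WRITE -bor $GENERIC_ALL))
            WriteDacOrOwner = [bool]($ace.AccessMask -band ($WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL))
        }
    }
}

# Check the service discussed in the lab, then sweep every installed service.
Get-WeakServiceAces -ServiceName 'AppReadiness'
Get-Service | ForEach-Object { Get-WeakServiceAces -ServiceName $_.Name } | Format-Table -AutoSize
```

Any row returned is a finding to fix (tighten the DACL with `sc.exe sdset` or via Group Policy) and a good candidate for a detection rule on service-configuration changes (Event ID 7040 in the System log).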

FuzzySecurity | Anatomy of UAC Attacks

This is a link from the PTP course. I always start labs and go through the modules at the same time. I found this post EXTREMELY revealing, having similar questions of my own. In “Finding and Exploiting DLL Hijacking Vulnerabilities” you’re walked through using Sysmon to identify vulnerable DLLs. I suggest reading this post and then going back to the AppReadiness lab and checking for “NAME NOT FOUND” and other vulnerable properties in AppReadiness’ DLLs in Sysmon, and the auto-elevate flag in the AppReadiness manifest with sigcheck.exe -m. Other vulnerable properties are outlined in the post too, and if you dig a little bit and maybe hit “edit” on the Metasploit exploit and read the code, the answer will reveal itself… Or maybe it’s NOT the only vulnerable service?? I’m pretty sure I got another privesc via service abuse before using the writeup.

1 Like