SentryHD 02.01.12e Privilege Escalation

Homepage:

http://www.minutemanups.com/

Description:

Every user can read the file c:\Program Files (x86)\SentryHD\config.ini:

C:\Program Files (x86)\SentryHD>cacls config.ini
C:\Program Files (x86)\SentryHD\config.ini NT AUTHORITY\SYSTEM:(ID)F
                                           BUILTIN\Administrators:(ID)F
                                           BUILTIN\Users:(ID)R

This ini file contains the login and password for the web panel.

UPSMan starts automatically and runs as SYSTEM:

wmic service where name="UPSMan" get StartName
StartName
LocalSystem

Using Execute Command File, we can have commands executed on a scheduled system shutdown, and because UPSMan runs as SYSTEM, they execute as a privileged user.
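
A defender-side check for the two conditions described above (config.ini readable by ordinary users, UPSMan running as LocalSystem). This PowerShell audit is an added example, not part of the original advisory; the set of SIDs treated as "any local user" is an assumption.

```powershell
# Added audit example. Path and service name come from the advisory text.
$ConfigPath  = 'C:\Program Files (x86)\SentryHD\config.ini'
$ServiceName = 'UPSMan'

# Assumption: these well-known SIDs are the "any local user" principals to flag.
# SIDs are used instead of names so the check works on localized Windows.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    # Explicit and inherited ACEs (cacls marks inherited ones "(ID)").
    # Simplification: Deny ACEs are not evaluated, only Allow entries are listed.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        $canRead = ([int]$ace.FileSystemRights -band $readBit) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canRead -and $BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @()
if (Test-Path -LiteralPath $ConfigPath) {
    $findings += @(Get-BroadReadAce -Path $ConfigPath)
}
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"

if ($findings) {
    Write-Warning "$ConfigPath is readable by unprivileged principals:"
    $findings | Format-Table -AutoSize | Out-String | Write-Host
}
if ($svc -and $svc.StartName -eq 'LocalSystem') {
    Write-Warning "$ServiceName runs as LocalSystem (StartMode: $($svc.StartMode))."
}
if ($findings -and $svc -and $svc.StartName -eq 'LocalSystem') {
    Write-Warning 'Both conditions from the advisory are present on this host.'
}
```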

Proof of Concept:

This exploit opens the config.ini file, then tries to find the Administrator credentials.

Next, it tries to add a create-new-user command using Execute Command File.

Then it schedules a system shutdown in order to execute this command.

After successful admin creation, it cancels the shutdown.

Timeline: