DLL Hijacking
Overview
Dynamic Link Libraries (DLLs) resemble executables but cannot be run directly. They are shared libraries that contain functions, classes, resources, variables etc., and they are loaded by executables at run time.
When a Windows application or service starts up, it looks for the DLLs it needs. If a DLL it looks for does not exist or is missing AND the directory it is being loaded from is writable, then we can get malicious with it.
Escalation via DLL Hijacking
Simulation Steps:
List running services and find one that sticks out
Spin up Procmon
Filter menu > Filter > Process Name > is > <service binary>
Add a filter of "Result is NAME NOT FOUND then Include"
Add a filter of "Path ends with .dll then Include"
Restart the service
This will show all of the NAME NOT FOUND results for DLLs
We can exploit this if the location of the non-existent DLL is writable
C:\Program Files is usually writable
Start the service and see if it's looking for a DLL in a writable path
After one has been found, put a fake DLL there, make it call a malicious executable and pop a shell
In this case we can compile a malicious DLL payload from a C program and make the DLL add the user we're using to the local admin group or pop a shell
Save it to the writable location and restart the service
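The Procmon filtering described in the steps above can be repeated offline against a Procmon CSV export (File > Save > CSV) when auditing which services resolve DLLs from insecure locations. The script below is an added example written for this page, not part of the original notes or of any tool; the CSV rows, the process name exampleservice.exe and the directory names are constructed. The writable-directory list is an input: it comes from an ACL check done separately (icacls or Get-Acl), because the script never touches the filesystem.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample in the column layout of a Procmon CSV export.
# Process names and paths are made up for illustration only.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","exampleservice.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:01:02.2","exampleservice.exe","1234","CreateFile","C:\\Program Files\\ExampleApp\\helper.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.3","exampleservice.exe","1234","CreateFile","C:\\Windows\\System32\\helper.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.4","exampleservice.exe","1234","CreateFile","C:\\Program Files\\ExampleApp\\config.ini","NAME NOT FOUND","Desired Access: Read"
"10:01:02.5","exampleservice.exe","1234","RegOpenKey","HKLM\\Software\\ExampleApp","NAME NOT FOUND",""
"10:01:02.6","otherproc.exe","99","CreateFile","C:\\Temp\\missing.dll","NAME NOT FOUND","Desired Access: Read"
"""


def missing_dll_loads(csv_text, process_name):
    """Apply the three Procmon filters from the notes to a CSV export:
    Process Name is <process>, Result is NAME NOT FOUND, Path ends with .dll.
    Only CreateFile operations count; registry lookups are ignored.
    Returns the matching paths in the order the service probed them."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile":
            continue
        if row["Result"] != "NAME NOT FOUND":
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        hits.append(row["Path"])
    return hits


def triage(paths, writable_dirs):
    """Group the missing-DLL paths by DLL name and record which of the
    probed directories appear in writable_dirs (supplied by the caller
    from an ACL check; this function does not inspect the filesystem).
    A DLL name with a non-empty 'writable' list is the finding to fix."""
    writable = {str(PureWindowsPath(d)).lower() for d in writable_dirs}
    report = {}
    for p in paths:
        wp = PureWindowsPath(p)
        entry = report.setdefault(wp.name.lower(), {"probed": [], "writable": []})
        directory = str(wp.parent)
        entry["probed"].append(directory)
        if directory.lower() in writable:
            entry["writable"].append(directory)
    return report


if __name__ == "__main__":
    hits = missing_dll_loads(SAMPLE_PROCMON_CSV, "exampleservice.exe")
    # Hypothetical result of an icacls check: the app directory is writable.
    report = triage(hits, ["C:\\Program Files\\ExampleApp\\"])
    for dll, info in report.items():
        status = "WRITABLE" if info["writable"] else "ok"
        print(f"{dll}: probed {info['probed']} -> {status}")
```

The report lists every directory the service probed for each missing DLL, so the fix is visible directly: either ship the DLL in the application directory, load it by full path, or tighten the ACL on the writable directory so that only administrators can create files there.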
OR