$ ./rce.sh
[+] Checking credentials: Anders Kusk
[+] OSCP Cert loaded
[+] OSCE Cert loaded
[+] Parsing cv.bin
0x00002007: 4461 6e69 7368 2050 6f6c 6963 652c 204f 6666 6963 6572 2020 2020 2020 2020 200a Danish Police, Officer .
0x00002018: 5444 432c 2049 6e74 6572 6e61 6c20 5065 6e74 6573 7465 7220 2020 2020 2020 200a TDC, Internal Pentester .
0x00002019: 496d 7072 6f73 6563 2c20 5365 6375 7269 7479 2041 6476 6973 6f72 2020 2020 200a Improsec, Security Advisor .
[=] Loading externals
-> mutt -s "Hello" a@rce.sh < /dev/null
-> curl -v https://www.linkedin.com/in/anders-kusk
-> curl -v https://github.com/kusk/
-> curl -v https://www.hackthebox.eu/profile/9409
-> curl -v https://twitter.com/anderskusk
$ echo return to root
$ cat ./blog/brlapi/brltty and a pretty far-out privileged escalation path to NT Authority\Local Service.md

brlapi/brltty and a pretty far-out privileged escalation path to NT Authority\Local Service

While being bored and poking around various functions in Windows settings I saw that in the "Ease of Access" -> "Narrator" page a function to install a third-party braille software called brltty, including the brlapi. While this is in no way worthy a CVE or could even be called a real vulnerability, I just wanted to document it for the sake of documentation. ¯\_(ツ)_/¯

So after clicking the "Download and install braille" button(requires admin access), Windows installs brltty(and brlapi) to the directory C:\Windows\brltty. It furthermore installs the service "brlapi", which all members of the group INTERACTIVE can start and stop. The service runs as "NT Authority/Local Service".

When starting/restarting the service various files will be loaded, and like alot of other Linux-ported-to-Windows applications, the path loading order is pretty messed up. The service will try to read/create files/devices in c:\dev\null and c:\etc\xdg\brltty. If the c:\etc\xdg\brltty directory exists, the configuration file "brltty.conf" will be loaded. While the configuration files had a few interesting settings, none provided other (malicious)functionality other than creating a directory anywhere as "NT Authority\Local Service".

However further into the start process, the service will try to load the DLL-file "libusbK.DLL" from directories in the system environment paths.

If an low privileged user have access to any of these, a privileged escalation to "NT Authority\Local Service" would be possible.

Since this privileged escalation requires so many factors to align, it can't really be called a vulnerability.

Oh, and for some reason Windows by default installs brltty 5.5 while brltty 6.1 is currently the latest version.