search

Service Privilege Escalation

hashtag
Service Privilege Escalationarrow-up-right

Each service has an ACL which defines certain service-specific permissions. Some permissions are innocuous (e.g. SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS). Some may be useful (e.g. SERVICE_STOP, SERVICE_START). Some are dangerous (e.g. SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS)

If our user has permission to change the configuration of a service which runs with SYSTEM privileges, we can change the executable the service uses to one of our own. Potential Rabbit Hole: If you can change a service configuration but cannot stop/start the service, you may not be able to escalate privileges!

hashtag
Rewrite Service BinPatharrow-up-right

#Check the permissions on any Service, given to BOB

accesschk.exe /accepteula –uwcqv yourusername servicename 
accesschk.exe /accepteula -uwcqv IWAM_BOB *    

# -u: Suppress errors
# -w: Show only objects that have write access
# -c: Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.
# -q: Omit Banner
# -v: Verbose (includes Windows Vista Integrity Level) 

# Check Service configuration
sc qc SSDPSRV

# Check Service status
sc query SSDPSRV
Spooler example
Wauaserv example

hashtag
Rewrite Unquoted Service Patharrow-up-right

When a Service has an unquoted path that also contains spaces under the Service Path such as 'Common Files' in C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe, you can create a Common.exe and rewrite the Service path as C:\Program Files\Unquoted Path Service\Common.exe

hashtag
Insecure Service Executablesarrow-up-right

If the original service executable is modifiable by our user, we can simply replace it with our reverse shell executable.

hashtag
Change ImagePath in Registryarrow-up-right

PreviousOther quick winsNextScheduled Tasks

Last updated