Service Privilege Escalation

Each service has an ACL which defines certain service-specific permissions. Some permissions are innocuous (e.g. SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS), some may be useful (e.g. SERVICE_STOP, SERVICE_START), and some are dangerous (e.g. SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS).

If our user has permission to change the configuration of a service that runs with SYSTEM privileges, we can change the executable the service uses to one of our own. Potential Rabbit Hole: if you can change a service's configuration but cannot stop/start the service, you may not be able to escalate privileges!

# Check the permissions a given user (here yourusername / IWAM_BOB) has on a service; "*" checks all services

accesschk.exe /accepteula -uwcqv yourusername servicename
accesschk.exe /accepteula -uwcqv IWAM_BOB *

# -u: Suppress errors
# -w: Show only objects that have write access
# -c: Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.
# -q: Omit Banner
# -v: Verbose (includes Windows Vista Integrity Level)

# Check Service configuration
sc qc SSDPSRV

# Check Service status
sc query SSDPSRV

Examples (screenshots not reproduced here): Spooler, wuauserv

When a service's binary path is unquoted and contains spaces, such as C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe, Windows resolves the path ambiguously: creating a Common.exe in C:\Program Files\Unquoted Path Service\ effectively makes the service path C:\Program Files\Unquoted Path Service\Common.exe, so the service runs that binary instead of the intended one.

If the original service executable is modifiable by our user, we can simply replace it with our reverse shell executable.
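As an added defender-side check that is not part of the original cheat sheet, the PowerShell audit below covers the three exposures described above in one pass: unquoted service paths with spaces, service binaries writable by broad principals, and binary directories writable by broad principals. It assumes an elevated prompt so every ACL can be read; Test-BroadWrite and Get-ServiceBinaryExposure are names chosen here, not tooling from the page.

```powershell
# Added audit script, not from the original page: reports services whose binary path is
# unquoted with spaces, or whose executable / directory is writable by broad principals.
# Run from an elevated prompt so every ACL can be read.

# Well-known principals that should never hold write rights on a service binary
# (English names; adjust on localized systems).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE')

# Write-type rights only (so a ReadAndExecute ACE does not match), plus the unmapped
# GENERIC_WRITE / GENERIC_ALL bits that some ACEs still carry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Test-BroadWrite {
    # $true if any Allow ACE grants a broad principal a write-type right on $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-ServiceBinaryExposure {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $pathName = $svc.PathName
        if (-not $pathName) { continue }
        # Executable portion: up to the first .exe, quotes stripped, arguments discarded.
        $exe = $pathName.Trim('"')
        if ($pathName -match '^\s*"?(?<exe>[^"]*?\.exe)') { $exe = $Matches['exe'] }
        $issues = @()
        if ((-not $pathName.TrimStart().StartsWith('"')) -and ($exe -match ' ')) {
            $issues += 'unquoted path with spaces'
        }
        if (Test-BroadWrite $exe) { $issues += 'binary writable by broad principal' }
        $dir = Split-Path -Parent $exe
        if ($dir -and (Test-BroadWrite $dir)) { $issues += 'binary directory writable by broad principal' }
        if ($issues.Count -gt 0) {
            # Emit one finding object per affected service (pipeline output).
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                               Path = $pathName; Issues = ($issues -join '; ') }
        }
    }
}

Get-ServiceBinaryExposure | Format-Table -AutoSize
```

Findings are remediated by quoting the binary path (sc config with a quoted binPath=) and removing write rights for the broad principals on the binary and its directory with icacls.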
