// notes/ PrivEsc — Windows
🪟

Executable Files

Sometimes there will be services that have executables attached to them. If we have the permissions to manipulate it (FILE\ALL\ACCESS) then we can replace it with a malicious exec…

#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/executable-files

Executable Files

Overview

Sometimes there will be services that have executables attached to them. If we have the permissions to manipulate it (FILE_ALL_ACCESS) then we can replace it with a malicious executable and get it to do what we want as system.

Escalation via Service Executables

Run PowerUp and check for ModifileableFileIdentityReference within Service executables.

<figure><img src="/files/ARCO1WFcIGdfrSHgHwBu" alt=""><figcaption></figcaption></figure>

Manually check the permissions on the service using accesschk64

code
01accesschk64.exe -wvu "C:\Program Files\File Permissions Service"

Compile, upload the malicious exe, replacing the old executable and start the service

code
01svc start filepermsvc