// notes/ PrivEsc — Windows
🪟
Executable Files
Sometimes there will be services that have executables attached to them. If we have the permissions to manipulate it (FILE\ALL\ACCESS) then we can replace it with a malicious exec…
#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/executable-files ↗Executable Files
Overview
Sometimes there will be services that have executables attached to them. If we have the permissions to manipulate it (FILE_ALL_ACCESS) then we can replace it with a malicious executable and get it to do what we want as system.
Escalation via Service Executables
Run PowerUp and check for ModifileableFileIdentityReference within Service executables.
<figure><img src="/files/ARCO1WFcIGdfrSHgHwBu" alt=""><figcaption></figcaption></figure>Manually check the permissions on the service using accesschk64
code
01accesschk64.exe -wvu "C:\Program Files\File Permissions Service"Compile, upload the malicious exe, replacing the old executable and start the service
code
01svc start filepermsvc