accesschk from SysInternals and look for SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG as these privileges allow attackers to modify service configuration:

mantvydas has full access to the service:

program.exe that the vulnerable service VulnSvc kicked off is not a compatible service binary. To save the session, migrate it to another process:

SERVICE_ALL_ACCESS for the service evilsvc. Let's check the service binary path:

icacls and look for (M)odify or (F)ull permissions for Authenticated Users or the user you currently have a shell with:

sc start evilsvc is executed. Note that the shell will die if we do not migrate the process the same way as mentioned earlier:

NT AUTHORITY\SYSTEM, our malicious binary gets executed with SYSTEM privileges: