search
Personal BlogTwitterGitHubContact

Service Exploitation

Basic commands when abusing services to elevate privileges after being identified with a tool such as WinPEAS.

hashtag
Basic Commands

# Query the configuration of a service
sc.exe qc $service_name

# Query the current status of a service
sc.exe query $service_name

# Modify an option on a service
sc.exe config $service_name $option= $value

# Start and stop a service
net start/stop $service_name

hashtag
Accesschk.exe

hashtag
Use Accesschk.exearrow-up-right to validate service permissions:

.\accesschk.exe /accepteula -uwcqv user $service_name

  • What we are looking for in the output is the SERVICE_START and SERVICE_STOP permissions.

  • We also want to confirm that it is running under a user with higher privileges (e.g., LocalSystem)

hashtag
Notes

  • Validate if you can start/stop the service or the machine. If you cannot then you may not be able to use it to escalate your privileges.

  • Check if we can reboot the system with whoami /priv

  • An easy way to escalate privileges utilizing a service is to modify the binaries path. The following demonstrates an example of this:

PreviousSeLoadDriverPrivilegeNextInitial Access

Last updated