Insecure Service Permissions
If we can change the configuration of a service and, at the same time, stop and start that service, then we can achieve privilege escalation whenever the service runs with SYSTEM privileges: we modify the path of the service executable (its binpath) to point to an executable of our own.
Enumeration
We are going to exploit an insecurely configured service to escalate our privileges to SYSTEM. Let’s check our current user.
Now we will use the powerup.ps1 script to enumerate the available services. Let’s import powerup.ps1 and execute Get-ServicePermission to get the list of services that have permission issues.
As you can see, daclsvc is vulnerable to insecure service permissions, which means we are able to change the configuration of the service.
To be able to exploit a service and escalate our privileges, we need to:
1. be able to start/stop the service
2. have the service run with higher privileges
We are going to check the above conditions using accesschk.exe and sc.exe. If all the conditions are satisfied, we can achieve privilege escalation.
Let’s execute accesschk /accepteula -cqv user daclsvc.
Well… As you can see, we have permission to start/stop the service.
We will execute sc qc daclsvc to check whether or not the service runs with SYSTEM privilege.
Nice!! It runs with SYSTEM privilege. All conditions are satisfied, so we are going to exploit the service.
Exploitation
We are going to change the BINARY_PATH_NAME of the service to point to our own executable. To do that, we will execute sc config daclsvc binpath="C:\path_to_our_executable".
Now we will set up our reverse shell listener and start the service by executing net start daclsvc.
Well… As you can see, we have obtained a shell with SYSTEM privilege.
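The conditions checked above (a low-privileged principal holding change-config rights on a service that runs as SYSTEM) can be audited host-wide from the defender's side. The following script is an added example, not part of the original walkthrough or of PowerUp; it assumes PowerShell 5.1+ and sc.exe on the audited host, and the set of "low-privilege" SIDs it checks is an assumption you may want to extend.

```powershell
# Added audit script (not from the walkthrough). Flags services whose DACL grants
# change-config or ownership rights to low-privilege principals; combined with a
# LocalSystem account this is exactly the misconfiguration exploited above.

# Service-specific and standard rights that allow repointing binPath or rewriting
# the DACL itself (values from the Win32 service security access-rights table).
$SERVICE_CHANGE_CONFIG = 0x00000002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$dangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Principals every interactive/domain user belongs to (assumed list: Everyone,
# Authenticated Users, BUILTIN\Users, INTERACTIVE).
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-WeakServiceDacl {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # "sc.exe sdshow <name>" prints the service security descriptor as SDDL.
        $sddl = sc.exe sdshow $svc.Name | Where-Object { $_.Trim() -ne '' } | Select-Object -First 1
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($sddl.Trim())
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if (($ace.AccessMask -band $dangerousMask) -eq 0) { continue }
            if ($lowPrivSids -notcontains $ace.SecurityIdentifier.Value) { continue }
            [PSCustomObject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName        # 'LocalSystem' is the SYSTEM case
                BinaryPath = $svc.PathName
                Principal  = $ace.SecurityIdentifier.Value
                Mask       = ('0x{0:X8}' -f $ace.AccessMask)
            }
        }
    }
}

# Report only the SYSTEM-escalation cases. Remediation is to remove the offending
# ACE (e.g. rewrite the descriptor with "sc.exe sdset <name> <sddl>") so that only
# administrators keep SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER.
Get-WeakServiceDacl | Where-Object { $_.RunsAs -eq 'LocalSystem' } | Format-Table -AutoSize
```

Run it from an elevated prompt so sdshow succeeds for every service; a service such as daclsvc from the walkthrough would appear in the output with its offending principal and access mask.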