# Insecure Services

## Manually enumerate insecure services

View user service permissions:

```powershell title="View user service permissions"
$acl = Get-Acl HKLM:\System\CurrentControlSet\Services
ConvertFrom-SddlString -Sddl $acl.Sddl -Type RegistryRights | ForEach-Object { $_.DiscretionaryAcl }
```

List services running as SYSTEM with a manual start type (`Start` = 3), then find the ones Authenticated Users (`AU`) may start (`RP` right in the service SDDL):

```powershell title="SYSTEM services with manual start that Authenticated Users can start"
$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*
$services | Where-Object { ($_.ObjectName -match 'LocalSystem') -and ($_.Start -match '3') }
$names = $services.PSChildName
$canStart = foreach ($service in $names) {
    $sddl = (cmd /c sc sdshow $service)
    if ($sddl -match "RP[A-Z]*?;;;AU") { $service }
}
```
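As an added example (not part of the original cheat sheet), the following PowerShell script generalises the `sc sdshow` regex above: it parses every Allow ACE in each service's SDDL and reports any right that a low-privileged principal (Authenticated Users, Users, Everyone, Interactive, ...) holds, ranking change-config, delete and write-DAC rights above plain start/stop. Function and variable names (`Get-ServiceDaclFinding`, `$LowPrivTrustees`, ...) and the trustee list are this example's own assumptions.

```powershell
# Added example, not from the original page: audit service-object DACLs for rights granted to
# low-privileged principals. Uses sc.exe sdshow and parses the SDDL ACE strings directly,
# because ConvertFrom-SddlString does not know the service-specific right letters (DC, RP, WP, ...).
# PowerShell 5.1+. Function and variable names below are this example's own.

# Service-specific SDDL right letters and what they allow (per the SDDL specification).
$RightMeaning = @{
    'CC' = 'QueryConfig';  'DC' = 'ChangeConfig'; 'LC' = 'QueryStatus';   'SW' = 'EnumerateDependents'
    'RP' = 'Start';        'WP' = 'Stop';         'DT' = 'PauseContinue'; 'LO' = 'Interrogate'
    'CR' = 'UserDefinedControl'; 'SD' = 'Delete'; 'RC' = 'ReadControl';   'WD' = 'WriteDac'
    'WO' = 'WriteOwner';   'GA' = 'GenericAll';   'GW' = 'GenericWrite';  'GR' = 'GenericRead'; 'GX' = 'GenericExecute'
}
# Rights that let the holder redefine or replace the service (High) versus merely control it (Medium).
$HighRights   = 'DC', 'SD', 'WD', 'WO', 'GA', 'GW'
$MediumRights = 'RP', 'WP', 'DT'
# Well-known SDDL trustee aliases that any logged-on user typically satisfies (assumed list).
$LowPrivTrustees = @{
    'AU' = 'Authenticated Users'; 'BU' = 'Users';  'WD' = 'Everyone';     'IU' = 'Interactive'
    'AN' = 'Anonymous';           'BG' = 'Guests'; 'DU' = 'Domain Users'; 'NU' = 'Network'
}

function Get-ServiceDaclFinding {
    # Emits one object per (service, Allow ACE) pair in which a low-privileged trustee holds a
    # High or Medium right. Hex rights masks (e.g. 0x1200a9) are reported as 'NumericMask' and
    # rated High so they get reviewed by hand instead of being silently skipped.
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))

    $aceRegex = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($svc in $Name) {
        # sc.exe sdshow prints a blank line, then "D:(...)S:(...)"; error lines never match '^D:'.
        $sddl = (& sc.exe sdshow $svc 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }
        $dacl = ($sddl -split 'S:')[0]   # ignore the SACL portion
        foreach ($m in [regex]::Matches($dacl, $aceRegex)) {
            if ($m.Groups['type'].Value -ne 'A') { continue }   # only Allow ACEs grant anything
            $sid = $m.Groups['sid'].Value
            if (-not $LowPrivTrustees.ContainsKey($sid)) { continue }

            $rightsField = $m.Groups['rights'].Value
            if ($rightsField -match '^0x') {
                $letters = @('NumericMask')
            } else {
                $letters = @([regex]::Matches($rightsField, '..') | ForEach-Object { $_.Value })
            }
            $high = @($letters | Where-Object { $HighRights -contains $_ -or $_ -eq 'NumericMask' })
            $med  = @($letters | Where-Object { $MediumRights -contains $_ })
            if ($high.Count -gt 0) { $severity = 'High' } elseif ($med.Count -gt 0) { $severity = 'Medium' } else { continue }

            [pscustomobject]@{
                Service  = $svc
                Trustee  = $LowPrivTrustees[$sid]
                Rights   = ($letters | ForEach-Object { if ($RightMeaning.ContainsKey($_)) { $RightMeaning[$_] } else { $_ } }) -join ','
                Severity = $severity
            }
        }
    }
}

# Usage: every service a standard user could reconfigure or start/stop, worst first.
Get-ServiceDaclFinding | Sort-Object Severity, Service | Format-Table -AutoSize
```

Anything rated High here is a service whose configuration a standard user can rewrite, which is the precondition for the `binpath=` change described later on this page; Medium findings only matter once a separate file or path weakness exists.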
| Tool | Task | Command |
|---|---|---|
| winPEAS | Check for service vulnerabilities | winPEASany.exe quiet servicesinfo |
| sc.exe | Start/Stop a service | sc.exe start/stop <service name> |
| sc.exe | Query the configuration of a service | sc.exe qc <name> |
| sc.exe | Query the current status of a service | sc.exe query <name> |
| sc.exe | Modify a configuration option of a service | sc.exe config <name> <option>= <value> |
| sc.exe | Change service start type | sc config <Service Name> start= auto |
| sc.exe | Change binary path (example) | sc config <name> binpath= "\"C:\path\to\service_binary.exe\"" |
| accesschk.exe | Check for services we have rights/privileges to | accesschk.exe /accepteula -uwcqv "Authenticated Users" * |
| accesschk.exe | More details on user groups rights/privileges to a service | accesschk.exe /accepteula -ucqv <Service Name> |
| accesschk.exe | Verify user permissions to a service | accesschk.exe /accepteula -ucqv <username> <service> |
| accesschk.exe | Check for permissions to write in a directory | accesschk.exe /accepteula -uwdq C:\directory |
| accesschk.exe | Check for access to insecure executables | accesschk.exe /accepteula -quvw <Executable> |
| net | Start/Stop a service | net start/stop <name> |
| wmic | Check service start options | wmic service where caption="<ServiceName>" get name, caption, state, startmode |
| wmic | Check running services | wmic service get name,displayname,pathname,startmode |
| powershell | Start service | Start-Service <service> |
| cmd | List running services | tasklist |
| icacls | Check directory permissions | icacls "C:\<Directory>" |
| icacls | Check for access to insecure executable | icacls "<Executable>" |
Get running services that are auto-start and not standard Windows services:

```cmd title="Non-standard auto-start services"
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
```

List running services:

```powershell title="List running services"
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object { $_.State -like 'Running' }
```
## Insecure Service Properties

Change binary path (example; note that `sc.exe` requires the space after `binpath=`):

```cmd title="Change binary path"
sc.exe config usosvc binpath= "cmd.exe /c powershell.exe -EncodedCommand <base64>"
```
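A defender's counterpart to the `sc config ... binpath=` change above, added here as an example and not taken from the original page: snapshot `ImagePath`, `ObjectName` and `Start` for every service, store the baseline as JSON, and diff later runs against it so a rewritten binary path, a changed service account or a changed start type surfaces as a change record. The baseline file path is a placeholder and the function names are this example's own.

```powershell
# Added example, not from the original page: detect drift in the service configuration values
# that "sc config" rewrites (ImagePath, ObjectName, Start). First run stores a baseline; later
# runs report what changed. The baseline path below is a placeholder for this example.

function Get-ServiceConfigSnapshot {
    # One record per service key that has an ImagePath (drivers without one are skipped).
    Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\*' |
        Where-Object { $_.ImagePath } |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.PSChildName
                ImagePath  = [string]$_.ImagePath
                ObjectName = [string]$_.ObjectName
                Start      = [int]$_.Start
            }
        }
}

function Compare-ServiceConfigSnapshot {
    # Reports services that were added or removed, and any ImagePath/ObjectName/Start change.
    param([object[]]$Baseline, [object[]]$Current)
    $old = @{}; foreach ($s in $Baseline) { $old[$s.Name] = $s }
    $new = @{}; foreach ($s in $Current)  { $new[$s.Name] = $s }
    $allNames = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($name in $allNames) {
        if (-not $new.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Change = 'Removed'; Old = $old[$name].ImagePath; New = $null }
            continue
        }
        if (-not $old.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Change = 'Added'; Old = $null; New = $new[$name].ImagePath }
            continue
        }
        foreach ($prop in 'ImagePath', 'ObjectName', 'Start') {
            if ($old[$name].$prop -ne $new[$name].$prop) {
                [pscustomobject]@{ Service = $name; Change = $prop; Old = $old[$name].$prop; New = $new[$name].$prop }
            }
        }
    }
}

# Usage: the first run writes the baseline; subsequent runs print the drift (placeholder path).
$BaselineFile = 'C:\ProgramData\svc-baseline.json'
if (-not (Test-Path $BaselineFile)) {
    Get-ServiceConfigSnapshot | ConvertTo-Json | Set-Content -Path $BaselineFile
    "Baseline written to $BaselineFile"
} else {
    $baseline = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
    Compare-ServiceConfigSnapshot -Baseline $baseline -Current (Get-ServiceConfigSnapshot) | Format-Table -AutoSize
}
```

Store the baseline somewhere standard users cannot write (the placeholder above is under `C:\ProgramData`, which is not sufficient on its own), otherwise the same rights that let someone rewrite a service's `binpath` let them rewrite the baseline to hide it.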
## Unquoted Service Path

Place a reverse shell executable at one of the locations Windows tries before the real binary path.

```title="Unquoted Service Path Example"
C:\Program Files\Unquoted Path Service\Common Files\originalservice.exe
```

> Windows would try to execute `C:\Program.exe` first, then `C:\Program Files\Unquoted.exe`, then `C:\Program Files\Unquoted Path Service\Common.exe`, and finally the full path to `originalservice.exe`.
>
> If we can create a reverse shell named `Program.exe`, `Unquoted.exe`, etc. in the corresponding directory, we get a reverse shell when the service starts.
## Insecure Service Executables
Replace a service executable with our own.
```cmd title="Check for access with accesschk.exe"
accesschk.exe /accepteula -quvw "C:\<executable>"
```
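An added example covering both this section and the unquoted-path section above (not code from the original page): a PowerShell audit that, for every service, extracts the binary path, enumerates the intermediate paths Windows would try when the path is unquoted (the general rule of which the example above shows one instance; it also yields paths such as `C:\Program Files\Unquoted Path.exe` that the list above omits), and checks with `Get-Acl` whether the binary, its directory, or any of those intermediate directories is writable by a low-privileged identity. Each finding carries the remediation command (quote the path with `sc.exe config ... binPath=`, or strip the write grant with `icacls /remove:g`) rather than executing anything. The identity list and the function names are this example's assumptions.

```powershell
# Added example, not from the original page: audit service binaries for unquoted paths and for
# binaries/directories writable by low-privileged identities. PowerShell 5.1+. Names are this
# example's own; the identity list is an assumption and can be extended.

$LowPrivIdentities = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests'
# Any of these rights on a service binary or its directory is enough to swap the executable.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, FullControl'

function Get-LowPrivWriters {
    # Returns the low-privileged identities holding a write-class Allow right on $Path.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $LowPrivIdentities -contains $_.IdentityReference.Value -and
                       (($_.FileSystemRights -band $WriteMask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-ServiceBinaryPath {
    # Extracts the executable from an ImagePath value and records whether it was quoted.
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1); if ($end -lt 0) { $end = $p.Length }
        return [pscustomobject]@{ Path = $p.Substring(1, $end - 1); Quoted = $true }
    }
    # Unquoted: the binary ends at the first ".exe" token; anything after it is arguments.
    if ($p -match '^(.*?\.exe)') { return [pscustomobject]@{ Path = $Matches[1]; Quoted = $false } }
    [pscustomobject]@{ Path = ($p -split ' ')[0]; Quoted = $false }
}

function Get-UnquotedPathCandidates {
    # For an unquoted path containing spaces, lists every path Windows tries before the real one:
    # C:\Program.exe, C:\Program Files\Unquoted.exe, C:\Program Files\Unquoted Path.exe, ...
    param([string]$Path)
    $parts = $Path -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-ServiceFileFinding {
    $keys = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\*' | Where-Object { $_.ImagePath -match '\.exe' }
    foreach ($svc in $keys) {
        $name = $svc.PSChildName
        $bin  = Get-ServiceBinaryPath -ImagePath ([string]$svc.ImagePath)
        $path = [Environment]::ExpandEnvironmentVariables($bin.Path) -replace '^\\\?\?\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') { continue }   # skip \SystemRoot\... style entries

        # Finding 1: unquoted path with spaces; each candidate's directory is checked for write access.
        if (-not $bin.Quoted -and $path.Contains(' ')) {
            foreach ($cand in Get-UnquotedPathCandidates -Path $path) {
                $writers = @(Get-LowPrivWriters -Path (Split-Path -Path $cand -Parent))
                [pscustomobject]@{
                    Service = $name; Finding = 'UnquotedPath'; Target = $cand
                    WritableBy = ($writers -join ','); Exploitable = ($writers.Count -gt 0)
                    Remediation = "sc.exe config $name binPath= `"\`"$path\`"`""
                }
            }
        }
        # Finding 2: the binary itself or its parent directory is writable by a low-privileged identity.
        foreach ($target in $path, (Split-Path -Path $path -Parent)) {
            $writers = @(Get-LowPrivWriters -Path $target)
            if ($writers.Count -gt 0) {
                [pscustomobject]@{
                    Service = $name; Finding = 'WritableBinaryOrDir'; Target = $target
                    WritableBy = ($writers -join ','); Exploitable = $true
                    Remediation = "icacls `"$target`" /remove:g `"$($writers[0])`""
                }
            }
        }
    }
}

# Usage: list findings; UnquotedPath rows with Exploitable = False are hygiene issues, True rows are actionable.
Get-ServiceFileFinding | Sort-Object Exploitable -Descending | Format-Table -AutoSize
```

An unquoted path is only exploitable when one of the candidate directories is writable, which is why the script reports the two conditions separately; the `accesschk.exe -quvw` check in this section answers the same question for a single executable, and the script reproduces it with `Get-Acl` for every service at once.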