{"id":4141,"date":"2024-08-31T14:16:00","date_gmt":"2024-08-31T12:16:00","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4141"},"modified":"2024-09-01T13:56:59","modified_gmt":"2024-09-01T11:56:59","slug":"windows-service-exploitation","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4141","title":{"rendered":"Windows Service Exploitation"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Enumeration<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">In PowerShell<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Cau\u00adtion<\/strong>: This com\u00admand works via <span class=\"caps\">RDP<\/span> in an inter\u00adac\u00adtive ses\u00adsion, but <span class=\"caps\">NOT<\/span> in a non-priv\u00adi\u00adleged bind\/winrm shell.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">All ser\u00advices:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt; Get-CimInstance -ClassName win32_service | Select Name,State,PathName<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">All run\u00adning services:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt; Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}<br><br>PS&gt; Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} | Where-Object { -not ($_.PathName -like '*indows*') }<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">All autostart <em>pro\u00adgrams<\/em> (not ser\u00advices, but it fits here anyway\u2026):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | Format-List<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check if a ser\u00advice will start auto\u00admat\u00adi\u00adcal\u00adly on boot&nbsp;time:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt; Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysq*'} \/\/ This is not grep! Add * here!<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">In Windows command line<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">schtasks \/query \/fo LIST \/v<br>net start<br>tasklist \/v<br>tasklist \/SVC \/\/ Shows all running processes only<br>accesschk.exe \/accepteula -ucqv $servicename \/\/ Show which users have permissions for a service<br><code>accesschk64.exe \/accepteula -wvucq $currentUserName $serviceexe<\/code> \/\/ Shows the permissions you have<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading lists all ser\u00advice names and the bina\u00adries for them. After this, check inter\u00adest\u00ading files with cacls \/ icacls.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sc query state= all | findstr \"SERVICE_NAME:\" &gt;&gt; Servicenames.txt<br>FOR \/F \"tokens=2 delims= \" %i in (Servicenames.txt) DO @echo %i &gt;&gt; services.txt<br>FOR \/F %i in (services.txt) DO @sc qc %i | findstr \"BINARY_PATH_NAME\" &gt;&gt; path.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show all path of exe\u00adcute\u00adable files which are used by Win\u00addows services<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sc query state= all | findstr \"SERVICE_NAME:\" &gt;&gt; a &amp; FOR \/F \"tokens=2 delims= \" %i in (a) DO @echo %i &gt;&gt; b &amp; FOR \/F %i in (b) DO @(@echo %i &amp; @echo --------- &amp; @sc qc %i | findstr \"BINARY_PATH_NAME\" &amp; @echo.) &amp; del a 2&gt;nul &amp; del b 2&gt;nul<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">With escalation scripts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exe\u00adcute <code>winPEASany.exe quiet servicesinfo<\/code> and see if there are inter\u00adest\u00ading services.<\/li>\n\n\n\n<li>Use <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1284\">PowerUp<\/a> with AllChecks to see also ser\u00advices and their exe\u00adcuta\u00adbles. Note if there is a ser\u00advice with <em>Can\u00adRestart: True<\/em>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Handling services with&nbsp;sc<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">sc query state= all \/\/ shows all services<br>sc qc $service \/\/ shows one service<br>sc start $service<br>sc stop $service<br>sc config $service start= demand \/\/ only needed to manually activate a service which is disabled. Remember to disable it afterwards again.<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Handling services with&nbsp;wmic<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Show process\u00ades:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wmic \/node:$victim \/user:$user \/password:$password process list brief<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Kill process\u00ades by <span class=\"caps\">PID<\/span> or&nbsp;name:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wmic \/node:$victim \/user:$user \/password:$password process where processid=\"$pid\" delete\nwmic \/node:$victim \/user:$user \/password:$password process where name=\"$name\" delete<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Note<\/strong>: Check file per\u00admis\u00adsions for each ser\u00advice file \u2014 if we can write to one, we can change the file or inject own code with shelter!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Exploitation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you need to restart a service:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt; Restart-Service BetaService<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Binary hijacking<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">There is a bina\u00adry write\u00adable you can exe\u00adcute? <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4119\" data-type=\"post\" data-id=\"4119\">See bina\u00adry hijacking.<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">DLL<\/span> injection + hijacking<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Does the tar\u00adget run a (priv\u00adi\u00adleged) soft\u00adware you can install on an own <span class=\"caps\">VM<\/span>? Try to inves\u00adti\u00adgate with Proc\u00admon, if it loads DLLs you could over\u00adwrite. <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4123\" data-type=\"post\" data-id=\"4123\">See the <span class=\"caps\">DLL<\/span> injec\u00adtion article.<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Unquoted Service Paths<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Check if a (priv\u00adi\u00adleged) ser\u00advice is run\u00adning in a direc\u00adto\u00adry with spaces in which we could write a bina\u00adry. <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4137\" data-type=\"post\" data-id=\"4137\">See the Unquot\u00aded Ser\u00advice Path article.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enu\u00admer\u00ada\u00adtion In Pow\u00ader\u00adShell Cau\u00adtion: This com\u00admand works via <span class=\"caps\">RDP<\/span> in an inter\u00adac\u00adtive ses\u00adsion, but <span class=\"caps\">NOT<\/span> in a non-priv\u00adi\u00adleged bind\/winrm shell. All ser\u00advices: <span class=\"caps\">PS<\/span>&gt; Get-CimIn\u00adstance \u2011Class\u00adName win32_service | Select Name,State,PathName All run\u00adning ser\u00advices: <span class=\"caps\">PS<\/span>&gt; Get-CimIn\u00adstance \u2011Class\u00adName win32_service | Select Name,State,PathName | Where-Object {$_.State \u2011like \u2018Running\u2019}<span class=\"caps\">PS<\/span>&gt; Get-CimIn\u00adstance \u2011Class\u00adName win32_service | Select Name,State,PathName | Where-Object {$_.State \u2011like \u2018Run\u00adning\u2019} [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471],"tags":[504],"class_list":["post-4141","post","type-post","status-publish","format-standard","hentry","category-privesc","tag-windows-service"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4141"}],"version-history":[{"count":4,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4141\/revisions"}],"predecessor-version":[{"id":4173,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4141\/revisions\/4173"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}