Service Binary Hijacking
Hijacking the service binaries of Windows machines to escalate our privileges: if a low-privileged user can overwrite the executable that a service runs, the replacement runs with the service's account (often LocalSystem) the next time the service starts.
How to list the running services and their binaries
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Check Permissions on the suspected Binary
icacls "C:\program\location\in\machine\program.exe"
Look for the permissions as given in the table below (icacls prints them in brackets after the principal, e.g. BUILTIN\Users:(I)(F)):

| Mask | Permissions |
|---|---|
| R | Read-only access |
| W | Write-only access |
| RX | Read and execute access |
| F | Full access |
| M | Modify access |
If a low-privileged principal such as BUILTIN\Users has (F) or (M) on program.exe, the file can be overwritten: back up the original, replace it with a malicious binary (one that adds a user to the local Administrators group, changes a password, etc.) and let the service start it. The replacement runs with the service account, so it should do its work and exit; because it is not a real service, the Service Control Manager reports a start error (1053), but the code has already executed by then.
Checking further
Having BUILTIN\Users:(F) on the binary is not enough on its own. You also need a way to make the service execute the replaced binary, which means one of the following:
- Service restart permission: can you stop and start this service yourself?
- System restart permission: if the service starts automatically at boot, can you reboot the machine?
You can use this command to check how the service is started (StartMode is Auto, Manual or Disabled; Auto is what you want if you can only reboot):
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'BinaryName'}
You can use this command to check if you have permission to restart the system; look for the line "SeShutdownPrivilege  Shut down the system  Enabled". If it is listed as Disabled the privilege is still held by your token, it is just not enabled yet, and shutdown /r /t 0 enables it itself:
whoami /priv
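The whole check above in one script, as an added example that is not part of the original page: it lists running services, keeps only those whose binary grants (F) or (M) to a low-privileged group, and then reports the start mode, the service DACL (via sc.exe sdshow) and whether SeShutdownPrivilege is present. The group names in $weakGroups and the SDDL rights mapping are my assumptions; the script resolves no nested group membership, so a clean result does not prove the binary is safe.

```powershell
# Added example (not the original page's code). Run from an ordinary user's
# PowerShell on the target; it only reads ACLs and never modifies anything.
# Assumptions: icacls.exe and sc.exe are on PATH (both ship with Windows),
# and these groups are the ones a low-privileged user is a member of.
$weakGroups = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'

# Turn a Win32_Service PathName such as '"C:\App\svc.exe" -k foo' into the
# bare file path icacls expects. Unquoted paths with spaces are a different
# bug (unquoted service path) and are not handled here.
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

# icacls prints one ACE per line, e.g. 'BUILTIN\Users:(I)(F)'.
# Return the lines where a weak group holds (F) or (M).
function Get-WeakBinaryAces([string]$Path) {
    $lines = icacls $Path 2>$null
    foreach ($line in $lines) {
        $weak = $weakGroups | Where-Object { $line -match [regex]::Escape($_) }
        if ($weak -and $line -match '\((F|M)\)') { $line.Trim() }
    }
}

# Service DACL from 'sc.exe sdshow <name>'. In a service SDDL string
# RP = SERVICE_START and WP = SERVICE_STOP; BU/AU/WD/IU are the well-known
# SID aliases for Users, Authenticated Users, Everyone and Interactive.
# Returns the ACE strings that give one of those groups start or stop rights.
function Get-WeakServiceAces([string]$Name) {
    $sddl = (sc.exe sdshow $Name 2>$null) -join ''
    [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]+);;;(BU|AU|WD|IU)\)') |
        Where-Object { $_.Groups[1].Value -match 'RP|WP|GA' } |
        ForEach-Object { $_.Value }
}

function Test-ShutdownPrivilege {
    # Disabled still counts: shutdown.exe enables the privilege itself.
    [bool]((whoami /priv) -match 'SeShutdownPrivilege')
}

$results = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if (-not (Test-Path -LiteralPath $bin)) { return }
        $aces = @(Get-WeakBinaryAces $bin)
        if ($aces.Count -eq 0) { return }
        [pscustomobject]@{
            Service    = $_.Name
            RunsAs     = $_.StartName
            StartMode  = $_.StartMode       # Auto => a reboot will trigger it
            Binary     = $bin
            BinaryAces = $aces -join '; '
            CanRestart = (@(Get-WeakServiceAces $_.Name) -join '; ')
        }
    }

$results | Format-List
"SeShutdownPrivilege held: $(Test-ShutdownPrivilege)"
```

A service that shows up with StartMode Auto and CanRestart empty is still exploitable when SeShutdownPrivilege is held: replace the binary, reboot with shutdown /r /t 0, and the Service Control Manager starts the replacement at boot.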