CVE-2017-1000475: Freesshd Unquoted Service Path

Proof of concept

Windows 10 with freeSSHd 1.3.1, installed with the default options and with the "run as a system service" option enabled.

[Figure 1]

Command used to check for unquoted service paths. The freeSSHd service path is unquoted by default.

[Figure 2]

The process is running as SYSTEM by default.

[Figure 3]
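The check above is usually done by eye on `wmic service get` output. The following script is an added example (not part of the original advisory) that automates the same audit offline: it parses a constructed sample of `wmic service get name,pathname,startmode` output, flags services whose binary path is unquoted and contains a space, and prints the quoted form an administrator should set. The service names and paths in the sample are invented for the example; the page does not state freeSSHd's actual service name or install path.

```python
import re

# Constructed sample output, in the column layout that
# `wmic service get name,pathname,startmode` prints. Service names and
# paths are invented for this example and are not taken from the advisory.
SAMPLE_WMIC_OUTPUT = r"""Name             PathName                                             StartMode
FreeSSHDService  C:\Program Files\freeSSHd\FreeSSHDService.exe        Auto
QuotedSvc        "C:\Program Files\Vendor\svc.exe" -run               Auto
Spooler          C:\Windows\System32\spoolsv.exe                      Auto
NoSpaces         C:\Tools\agent.exe                                   Manual
"""

# Binaries under the Windows directory are skipped, mirroring the usual
# `findstr /i /v "C:\Windows\\"` filter. This is a heuristic: a service
# there with an unquoted path and a writable parent directory would still
# be a finding, so drop the exclusion if you want a full listing.
WINDOWS_DIR_PREFIX = "c:\\windows\\"


def parse_wmic(text):
    """Turn wmic's space-aligned table into a list of dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    records = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        records.append(dict(zip(header, fields)))
    return records


def split_exe_and_args(pathname):
    """Return (executable path, remaining arguments) for an unquoted PathName.

    The executable is taken as everything up to the first '.exe'; the service
    control manager resolves an unquoted path with spaces by trying each
    space-delimited prefix, which is exactly the ambiguity being audited.
    """
    m = re.match(r"(.*?\.exe)(.*)", pathname.strip(), re.IGNORECASE)
    if not m:
        head, _, rest = pathname.strip().partition(" ")
        return head, (" " + rest if rest else "")
    return m.group(1), m.group(2)


def is_unquoted_with_spaces(pathname):
    """True when the binary path is not quoted and has a space in it."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_exe_and_args(p)
    if " " not in exe:
        return False
    if exe.lower().startswith(WINDOWS_DIR_PREFIX):
        return False
    return True


def quoted_pathname(pathname):
    """The remediated PathName: executable wrapped in quotes, arguments kept."""
    exe, args = split_exe_and_args(pathname)
    return f'"{exe}"{args}'


def find_unquoted(text, auto_only=True):
    """Return (name, current PathName, fixed PathName) for each vulnerable service."""
    findings = []
    for rec in parse_wmic(text):
        if auto_only and rec.get("StartMode", "").lower() != "auto":
            continue
        path = rec.get("PathName", "")
        if is_unquoted_with_spaces(path):
            findings.append((rec["Name"], path, quoted_pathname(path)))
    return findings


if __name__ == "__main__":
    for name, current, fixed in find_unquoted(SAMPLE_WMIC_OUTPUT):
        print(f"{name}: unquoted path {current!r}")
        print(f"  remediate with: sc config {name} binPath= \"{fixed.replace(chr(34), chr(92) + chr(34))}\"")
```

Against live output (`wmic service get name,pathname,startmode` redirected to a file), the script lists each auto-start service whose path needs quoting. The remediation it prints uses `sc config <service> binPath=` with the inner quotes escaped, which is how the Windows service manager accepts a quoted path on the command line; after the change, the service restarts with an unambiguous binary path and the behaviour shown in the rest of this advisory no longer applies.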

Create a reverse shell with MSFVenom to test the connection back to the attacker machine, rename the executable to Program.exe, and configure it to connect to the attacker IP (192.168.158.133:4444):

[Figure 4]

And configure the listener to handle the connection:

[Figure 5]

Windows Network configuration:

[Figure 6]

When the service is restarted, it executes Program.exe with SYSTEM privileges, returning an "NT AUTHORITY\SYSTEM" shell:

[Figure 7]