for demonstrating privilege escalation via weak service executable permissions.
If a service's binary is writable by a low-privileged user (check its ACL with the Windows icacls command or with AccessChk from Sysinternals), and the service runs with high privileges (e.g. as LocalSystem; check this with sc qc <service name>), replacing the binary with your malicious service binary should elevate you to SYSTEM rights.
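As an added example (not part of this project's service.c), the following PowerShell audit automates the ACL check described above from the defender's side: it enumerates every service, extracts the executable from its command line, and reports binaries that grant write-class rights to broad low-privilege groups, together with the account the service runs as. The list of principals and the rights mask are assumptions made for this example.

```powershell
# Added audit script (not from the service.c project): flags service binaries that
# broad, low-privilege groups can modify or replace. Run from an elevated PowerShell.

# Assumed set of low-privilege identities that must never hold write rights on a
# service executable; extend it for local naming conventions.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Users')

# Any of these rights lets the holder overwrite, delete-and-replace, or re-ACL the
# file; Modify and FullControl contain these bits, so they match as well.
$WriteClassRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Extract the executable from a service command line, which may be quoted
# ("C:\Program Files\x\svc.exe" -arg) or bare (C:\x\svc.exe -k group).
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}
# Walk every installed service and report ACEs that grant write-class rights
# on its binary to one of the broad principals; RunsAs shows the impact
# (LocalSystem means a replaced binary would run as SYSTEM).
function Find-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $bin).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteClassRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
Find-WritableServiceBinary | Format-Table -AutoSize
```

Every row is a finding to remediate, for example by removing the offending grant with icacls "<binary>" /remove:g "BUILTIN\Users" and re-running the audit. Generic rights such as GENERIC_WRITE are not mapped by this mask, so review any ACE whose Rights column shows a raw number by hand.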
Here is a sample service source template with a customizable payload: service.c. The example payload adds a custom admin user to the system. The payload is implemented with direct Windows API calls (instead of spawning external net commands) so that it is much quieter, which makes AV bypass easier.
Cross-compiling works using MinGW on Linux:
x86_64-w64-mingw32-gcc service.c -DINCLUDE_PAYLOAD -lnetapi32 -s -o service.exe
For alternative usage (without payload, specifying custom service name):
x86_64-w64-mingw32-gcc service.c -DSERVICE_NAME=\"InfobloxBloxOne\" -lnetapi32 -s -o infoblox_rc_service.exe
Compiling was tested on Arch Linux with the BlackArch repos (for MinGW); the service was tested on Windows 10 Pro (Build 18363).