4

Context:

Doing a lab pentest on a Windows VM, I got a shell as LocalService. I modified the binPath to execute a Meterpreter. Then I changed the SERVICE_START_NAME to "LocalSystem" by doing:

sc config upnphost obj= "LocalSystem" password= ""

I got a reverse shell as NT AUTHORITY\SYSTEM

I understand that this works only because LocalSystem has no password set. If I were to run this service as "John", I would need to type John's password.

So, does this mean that I can own any system just by having write access to one service (and the ability to start it)? <=> Being LocalService implies easy SYSTEM?

bolachas
  • 41
  • 1

1 Answer

1

I understand that this works only because Localsystem has no password set.

Not correct. The misconfiguration here is the missing write protection for the service object. It has nothing to do with the password.

So, does this mean that I can own any system just by having write access to one service

Yes. This is a classical privilege escalation vector on Windows. Services must be write protected for non-admin users.

kaidentity
  • 2,634
  • 13
  • 30
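The answer's point is that the service object's DACL, not the account's password, is what decides who can rewrite binPath and obj=. The following PowerShell audit script is an added example (not part of the question or the answer above): it walks every installed service, reads its security descriptor with sc.exe sdshow, and reports any service whose DACL grants a low-privileged principal (Everyone, Authenticated Users, BUILTIN\Users, LOCAL SERVICE, NETWORK SERVICE, INTERACTIVE) a right that allows changing the configuration or the DACL itself. The list of "low-privileged" SIDs and the set of rights treated as dangerous are the script's own assumptions; the access-mask constants are the documented Windows service-rights values.

```powershell
# Added audit example (not from the thread): find services that a non-admin
# principal can reconfigure, i.e. the misconfiguration described in the answer.

# Rights that let a caller rewrite binPath/obj (SERVICE_CHANGE_CONFIG) or rewrite
# the DACL/owner, plus the generic bits that map onto those rights.
$SERVICE_CHANGE_CONFIG = 0x0002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_WRITE         = 0x40000000
$GENERIC_ALL           = 0x10000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

# Well-known SIDs that ordinary, non-admin code on the machine runs as (assumed list).
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-19'     = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20'     = 'NT AUTHORITY\NETWORK SERVICE'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
}

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe sdshow prints the SDDL string on a line starting with "D:";
    # if the descriptor cannot be read, no such line is printed and we return $null.
    $out = & sc.exe sdshow $Name 2>$null
    return ($out | Where-Object { $_ -match '^D:' } | Select-Object -First 1)
}

function Test-WeakServiceDacl {
    param([string]$Name, [string]$Sddl)
    # Parse the SDDL with the .NET security-descriptor class so abbreviations
    # such as BU/AU/WD are resolved to concrete SIDs.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $findings = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow-ACEs grant anything; deny-ACEs are not a weakness.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if (($ace.AccessMask -band $DangerousMask) -ne 0) {
            $findings += [pscustomobject]@{
                Service    = $Name
                Principal  = $LowPrivSids[$sid]
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
    return $findings
}

# Walk every installed service and collect the findings in one table.
$results = foreach ($svc in Get-Service) {
    $sddl = Get-ServiceSddl -Name $svc.Name
    if ($sddl) { Test-WeakServiceDacl -Name $svc.Name -Sddl $sddl }
}
$results | Format-Table -AutoSize
```

On a correctly configured host the table is empty: the default service DACL grants change-config and write-DAC rights only to SYSTEM and Administrators. Any row in the output names a service whose configuration a non-admin caller could rewrite, which is exactly the condition the answer describes as the real misconfiguration; the fix is to restore that service's DACL to the default (or the vendor's documented descriptor) rather than to change the account the service runs as.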