Context:
Doing a lab pentest on a Windows VM, I got a shell as LocalService. I modified the binpath to execute a Meterpreter. Then I changed the SERVICE_START_NAME to "LocalSystem" by doing:
sc config upnphost obj= "LocalSystem" password= ""
I got a reverse shell as NT AUTHORITY\SYSTEM
I understand that this works only because LocalSystem has no password set. If I were to run this service as "John", I would need to type John's pass.
So, does this mean that I can own any system just by having write access to one service (and the ability to start it)? <=> Being LocalService implies easy SYSTEM?
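The reconfiguration described in the post leaves two traces a defender can watch: the service's registry key changes (binpath= writes ImagePath, obj= writes ObjectName) and the sc.exe command line appears in process-creation logs. The Python below is an added detection example, not code from the original post; it runs over constructed Sysmon-style records (event ID 13 = registry value set, event ID 1 = process create) and rates a write coming from a service identity such as LocalService as high severity, since those accounts never reconfigure services legitimately.

```python
import re

# Constructed Sysmon-style records (not taken from the post). Event ID 13 is
# "registry value set", Event ID 1 is "process create"; real events carry more fields.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": r"NT AUTHORITY\LOCAL SERVICE",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\upnphost\ImagePath",
     "Details": r"C:\Users\Public\payload.exe"},
    {"EventID": 13, "User": r"NT AUTHORITY\LOCAL SERVICE",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\upnphost\ObjectName",
     "Details": "LocalSystem"},
    {"EventID": 1, "User": r"NT AUTHORITY\LOCAL SERVICE",
     "CommandLine": 'sc config upnphost obj= "LocalSystem" password= ""'},
    # Benign: SYSTEM changing a start type is routine and is not flagged.
    {"EventID": 13, "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Dhcp\Start",
     "Details": "DWORD (0x00000002)"},
]

# ImagePath is what 'binpath=' writes; ObjectName is what 'obj=' writes.
SERVICE_VALUE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\(?P<val>ImagePath|ObjectName)$", re.I)
SC_CONFIG = re.compile(r"\bsc(?:\.exe)?\s+config\s+(?P<svc>\S+).*?\b(?:binpath|obj)\s*=", re.I)
# Service identities never legitimately reconfigure services; a write from one of them
# is exactly the pattern in the post (LocalService rewriting upnphost).
SERVICE_ACCOUNTS = {r"nt authority\local service", r"nt authority\network service"}

def severity(user):
    return "high" if user.lower() in SERVICE_ACCOUNTS else "medium"

def detect_service_tampering(events):
    """Return (service, reason, severity) for each rewrite of a service's binary path or run-as account."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13:
            m = SERVICE_VALUE.search(ev["TargetObject"])
            if m:
                reason = f"{m['val']} set to {ev['Details']!r}"
                if m["val"].lower() == "objectname" and ev["Details"].lower() == "localsystem":
                    reason += " (service now runs as SYSTEM, no password required)"
                alerts.append((m["svc"], reason, severity(ev["User"])))
        elif ev["EventID"] == 1:
            m = SC_CONFIG.search(ev.get("CommandLine", ""))
            if m:
                alerts.append((m["svc"], f"sc config: {ev['CommandLine']}", severity(ev["User"])))
    return alerts

if __name__ == "__main__":
    for svc, reason, sev in detect_service_tampering(SAMPLE_EVENTS):
        print(f"[{sev}] {svc}: {reason}")
```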