Hi guys, sorry if this is a dumb issue, but I think there's a security check missing in PowerUp.

One way of escalating privileges with services is to modify the registry key associated with the service in HKLM\System\CurrentControlSet\Services. I see a check against the DACL associated with the service, but I can't seem to find any check against the registry key.

In https://book.hacktricks.xyz/windows/windows-local-privilege-escalation, under Services registry permissions, they test this by attempting to modify every service registry key and checking the result:

```bat
rem Try to write every service key back with its current content (to check if you have write permissions).
rem Interactive cmd syntax: use %%a instead of %a if you put this in a .bat file.
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
```

Shouldn't PowerUp include a check such as this? Or is this functionality included in Test-ServiceDaclPermission and I'm missing something?
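For reference, here is what a registry-side check could look like. This is an added example, not PowerUp's own code. It enumerates every key under HKLM\SYSTEM\CurrentControlSet\Services, reads its DACL with Get-Acl, and reports keys where an Allow ACE matching the current token's user SID or any of its group SIDs carries rights that let the caller change the key (SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, WriteKey, FullControl, or a GENERIC_WRITE / GENERIC_ALL bit). The function name Get-ModifiableServiceRegistryKey and the rights mask are my choices and assumptions for the example, not anything from PowerUp. One caveat on the reg save / reg restore loop quoted above: RegSaveKey and RegRestoreKey require SeBackupPrivilege and SeRestorePrivilege, which an unprivileged user normally does not hold, so that loop can stay silent even when a key's DACL is writable by the user; inspecting the DACL directly avoids that.

```powershell
# Added example (not PowerUp's own code): list service registry keys whose DACL grants the
# current user, or any group in its token, rights that allow rewriting the service definition
# (e.g. ImagePath). Runs from an unprivileged PowerShell session; no backup/restore privilege needed.

function Get-ModifiableServiceRegistryKey {
    [CmdletBinding()]
    param()

    # Rights that let a principal change values or subkeys, or rewrite the DACL itself.
    $WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                   [System.Security.AccessControl.RegistryRights]::FullControl

    # Generic access bits (GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000) sometimes appear
    # on ACEs un-mapped; treat either as a write grant.
    $GenericWriteMask = 0x50000000

    # The token's own SID plus every group SID it carries: an ACE for any of these applies to us.
    $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $MySids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })

    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $Key = $_
        try {
            $Acl = Get-Acl -Path $Key.PSPath -ErrorAction Stop
        } catch {
            return   # no READ_CONTROL on this key: its DACL cannot be inspected from here
        }

        foreach ($Ace in $Acl.Access) {
            if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

            $RightsValue = [int]$Ace.RegistryRights
            $HasWrite = (($RightsValue -band [int]$WriteRights) -ne 0) -or (($RightsValue -band $GenericWriteMask) -ne 0)
            if (-not $HasWrite) { continue }

            # Compare SIDs rather than names so the check does not depend on account name resolution.
            try {
                $AceSid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue
            }

            if ($MySids -contains $AceSid) {
                [PSCustomObject]@{
                    ServiceName = $Key.PSChildName
                    ImagePath   = (Get-ItemProperty -Path $Key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                    Principal   = $Ace.IdentityReference.Value
                    Rights      = $Ace.RegistryRights
                }
                break   # one matching ACE is enough to report this key
            }
        }
    }
}

# Usage:
# Get-ModifiableServiceRegistryKey | Format-Table -AutoSize
```

A key reported here is only useful for escalation if the service actually restarts (or the machine reboots) under a higher-privileged account, so pair the output with the service's Start type and the account in ObjectName before treating it as a finding.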