Misconfigured Registry Hives

We may have over-privileged access to some registry keys that we can abuse for privilege escalation.

accesschk.exe -accepteula -kvuqsw hklm\System\CurrentControlSet\services > file.txt

In this file, we want to look at "Authenticated Users", and see if we have any interesting privileges to any interesting keys. For example, if we have "KEY_ALL_ACCESS" to a service, we can abuse this for privilege escalation.

To abuse this, we can issue the following command:

reg add HKLM\SYSTEM\CurrentControlSet\services\service /v ImagePath /t REG_EXPAND_SZ /d C:\executable /f  

We now have to wait for the service to restart, or somehow trigger it to restart.
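The same misconfiguration can be audited from the defensive side. The PowerShell below is an added example (not part of the original note or of accesschk): it walks the service keys the accesschk command above targets and reports ACEs that grant broad principals ("Authenticated Users", "Users", "Everyone") rights sufficient to change ImagePath, so they can be reviewed and tightened. It assumes an elevated session; the principal list and the mask of write-capable bits are the example's own choices.

```powershell
# Added audit example: find service registry keys where broad principals can
# modify values (e.g. ImagePath) or take the key over. Not part of the original note.
# Assumes an elevated PowerShell session so every service key's ACL is readable.

# Principals whose write access to a service key is almost never intended.
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Access-mask bits that allow tampering with the key. Read-only rights such as
# KEY_READ (0x20019) share no bit with this mask, so they are not reported.
# SetValue 0x2 | CreateSubKey 0x4 | Delete 0x10000 | WriteDAC 0x40000
# | WriteOwner 0x80000 | GENERIC_ALL 0x10000000 | GENERIC_WRITE 0x40000000
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Find-WritableServiceKeys {
    param([string]$ServicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    Get-ChildItem -Path $ServicesPath -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            # Inherit-only ACEs apply to subkeys, not to the key holding ImagePath.
            $inheritOnly = $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
            $canWrite = ([int]$ace.RegistryRights -band $WriteMask) -ne 0
            if ($isAllow -and $isBroad -and $canWrite -and -not $inheritOnly) {
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                    ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                }
            }
        }
    }
}

Find-WritableServiceKeys | Format-Table -AutoSize
```

Any service listed should have its key ACL restored to Administrators/SYSTEM only, and the current ImagePath value compared against the vendor's expected binary.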
