# Weak Registry Permissions

As previously mentioned, each service is associated with a registry entry in the Windows Registry located at HKLM\SYSTEM\CurrentControlSet\Services\<service>. This entry is essentially the configuration of the service: the ImagePath value holds the path to the service binary, and ObjectName holds the account it runs as. If the key is writable by a low-privileged principal, an adversary can overwrite ImagePath with the path to a malicious executable, which then runs with the service's privileges the next time the service starts. Two conditions make an entry worth reporting: the service runs under a privileged account (typically LocalSystem) and the key grants write access (SetValue, CreateSubKey, WriteKey, FullControl, or the generic write bits) to a principal such as Users, Authenticated Users, INTERACTIVE, or Everyone. The fix is to restrict write access on the key to SYSTEM and Administrators; the write itself is a registry value-set on ImagePath, which a SACL on the key (Security event 4657) or Sysmon Event ID 13 will record.
![[res/Modifiable Registry Service Entry.png]]
Querying regsvc reveals that it is running with SYSTEM privileges and that its registry entry is writable by NT AUTHORITY\INTERACTIVE, i.e. by every interactively logged-on user.
![[res/Query regsvc.png]]
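The check behind that screenshot can be automated. The following PowerShell is an added example and not part of the original note or any tool it references: it walks every key under HKLM:\SYSTEM\CurrentControlSet\Services, reports ACEs that grant write rights to low-privileged principals alongside the service's run-as account and ImagePath, and offers a remediation function that strips those ACEs. The principal list and the name `regsvc` in the usage call are assumptions taken from this page; adjust them for your environment.

```powershell
# Added example (not from the original note). Audits service registry keys for
# write access granted to low-privileged principals and optionally removes it.
# Run in an elevated session: Set-Acl on HKLM keys requires administrator rights.

# Principals that should never be able to write a service key (assumed list).
$LowPrivPrincipals = @(
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

# Specific rights that let a principal change ImagePath or the key itself.
# FullControl and WriteKey are supersets of these bits, so they match too.
$WriteRights = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                     [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                     [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                     [System.Security.AccessControl.RegistryRights]::TakeOwnership)

# Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) appear as raw
# integers in an ACE and are not covered by the specific RegistryRights bits above.
$GenericWriteMask = 0x50000000

function Test-WriteAce {
    param([System.Security.AccessControl.RegistryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($LowPrivPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    $raw = [int]$Ace.RegistryRights
    return (($raw -band $WriteRights) -ne 0) -or (($raw -band $GenericWriteMask) -ne 0)
}

function Get-WeakServiceKeyAce {
    [CmdletBinding()]
    param()
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # some keys are unreadable even when elevated
        foreach ($ace in $acl.Access) {
            if (-not (Test-WriteAce -Ace $ace)) { continue }
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                RunsAs    = $props.ObjectName   # LocalSystem means SYSTEM privileges
                ImagePath = $props.ImagePath
                KeyPath   = $key.PSPath
            }
        }
      }
}

function Remove-WeakServiceKeyAce {
    # Removes explicit (non-inherited) weak ACEs from one service key.
    # Inherited ACEs must be fixed on the parent key instead; they are skipped here.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Service)
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $acl = Get-Acl -Path $path
    $removed = 0
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }
        if (-not (Test-WriteAce -Ace $ace)) { continue }
        $what = "remove $($ace.RegistryRights) for $($ace.IdentityReference.Value)"
        if ($PSCmdlet.ShouldProcess($path, $what)) {
            [void]$acl.RemoveAccessRule($ace)
            $removed++
        }
    }
    if ($removed -gt 0) { Set-Acl -Path $path -AclObject $acl }
    return $removed
}

# Usage: list offenders, then preview the fix for the service from this page.
Get-WeakServiceKeyAce | Format-Table Service, Principal, Rights, RunsAs, ImagePath -AutoSize
Remove-WeakServiceKeyAce -Service 'regsvc' -WhatIf
```

Prioritise rows whose RunsAs is LocalSystem (or another privileged account) and whose ImagePath is under a directory the same principals can also write to; those are the entries an attacker would use in the way this page describes. Rows with Inherited set to True mean the weakness comes from the parent key's ACL and should be corrected there rather than per service.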
All we need to do now is overwrite the ImagePath value in the service's key to point to our malicious executable:

```cmd
reg add HKLM\SYSTEM\CurrentControlSet\services\<service> /v ImagePath /t REG_EXPAND_SZ /d <path> /f
```
![[res/Overwritten ImagePath Key.png]]
Restart the service and catch the shell:

```cmd
net start regsvc
```
![[res/Shell.png]]