Introduction There are many service which have spaces in them and that is unquoted. First we have to find out how many services are running in our system , that we can process in runtime. $tasklist /svc Let’s take “AnyDesk” as an example, query the service . $sc qc AnyDesk As…

Service directory write based privesc — 2nd Method Before exploiting the service, we will create the vulnerable machine ourselves and perform the exploit. Copy the Lab Setup and Initial Access steps from previous blog: Windows Privilege Escalation — Service directory write based privesc Service directory write based privesc Let’s perform the window privilege escalation attack (Service directory write based privesc )

Service directory write based privesc Before exploiting the service, we will create the vulnerable machine ourselves and perform the exploit. Let’s Start Install any Remote desktop application, We will install “RustDesk” application, run the application once and close it. Lets check for any normal user account. $net user Then checking if the “test” user is…

Service binary path write-based privesc with Service Full Access Before exploiting the service, we will create the vulnerable machine ourselves and perform the exploit. Let’s Start Install any Remote desktop application, We will install “Anydesk” , run the application once and close it. To check services in running condition in our system $tasklist /svc $sc qc <service-name> “AnyDesk” is…