domain1 Service


An interesting service has been identified. It runs with SYSTEM privileges.

PS C:\Users\arthur> sc.exe qc domain1
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: domain1
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : domain1 GlassFish Server
        DEPENDENCIES       : tcpip
        SERVICE_START_NAME : LocalSystem

The BINARY_PATH_NAME attribute is set to C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe

PS C:\Users\arthur> icacls C:\glassfish4\glassfish\domains\domain1\bin
C:\glassfish4\glassfish\domains\domain1\bin BUILTIN\Administrators:(I)(OI)(CI)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                            BUILTIN\Users:(I)(OI)(CI)(RX)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
 
Successfully processed 1 files; Failed processing 0 files

Checking the permissions on the parent directory, C:\glassfish4\glassfish\domains\domain1\bin, reveals that it is writable by any authenticated user: NT AUTHORITY\Authenticated Users holds inherited (I) Modify (M) rights on the directory and, via (OI)(CI)(IO), on everything created inside it. This was also flagged by PEAS. Since the service runs as SYSTEM, privilege escalation is achievable by replacing the binary.
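The same check, generalised to every service on the host, as an added PowerShell audit script (not part of the original write-up): it reads each service's binary path from Win32_Service, takes the containing directory, and reports any directory where a low-privilege group such as Authenticated Users holds Modify or Write rights, which is exactly the condition shown for domain1 above. The group list and the set of rights treated as "write" are my own assumptions.

```powershell
# Added audit script (not from the original write-up): flags services whose
# binary directory grants write/modify rights to low-privilege groups.
$lowPrivGroups = @(
    'NT AUTHORITY\Authenticated Users',   # the principal seen in the domain1 ACL
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets a member add or replace files in the directory (assumed set).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryDirectory {
    param([string]$PathName)
    # Handles both quoted paths with arguments ("C:\x\y.exe" -a) and bare paths.
    if ($PathName -match '^\s*"?([^"]+?\.exe)') { return Split-Path -Parent $Matches[1] }
    return $null
}

function Test-LowPrivWriteAccess {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights bits sit high in the mask, so they never match the low write bits.
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $dir = Get-ServiceBinaryDirectory $_.PathName
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
    $ace = Test-LowPrivWriteAccess $dir
    if ($ace) {
        [pscustomobject]@{
            Service   = $_.Name        # e.g. domain1
            RunsAs    = $_.StartName   # e.g. LocalSystem
            Directory = $dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
} | Format-Table -AutoSize
```

Because the domain1 grant is inherited (I), the remediation is to remove the Modify entry for Authenticated Users at the parent where it originates and re-check with icacls, rather than editing only the bin directory.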