VeyonService


The VeyonService service runs with SYSTEM privileges. PEAS revealed that the current user, Ela Arwel, has full control over the service binary: C:\Users\Ela Arwel\Veyon\veyon-service.exe

PS C:\Users\Ela Arwel\Veyon> cmd /c sc qc VeyonService
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: VeyonService
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Ela Arwel\Veyon\veyon-service.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Veyon Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem
 
PS C:\Users\Ela Arwel\Veyon> cmd /c sc stop VeyonService
[SC] OpenService FAILED 5:
 
Access is denied.
 
PS C:\Users\Ela Arwel\Veyon> cmd /c sc start VeyonService
[SC] StartService: OpenService FAILED 5:
 
Access is denied.
 
PS C:\Users\Ela Arwel\Veyon> icacls .\veyon-service.exe
.\veyon-service.exe NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    HEPET\Ela Arwel:(I)(F)
 
Successfully processed 1 files; Failed processing 0 files

This can be confirmed manually.

  • The current user is unable to restart the service
  • The START_TYPE parameter is set to AUTO_START
  • The current user has full access to the C:\Users\Ela Arwel\Veyon\veyon-service.exe file
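
The same three conditions can be audited across every service on a host. The script below is an added example, not part of the original notes; the $trusted allow-list and the output column names are assumptions to adjust per environment.

```powershell
# Added example (not from the original notes): list services whose executable
# can be modified by a principal outside the trusted set below.
# Assumption: $trusted is a hypothetical allow-list; adjust per environment.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

# Bits that allow changing or replacing the file, plus GENERIC_ALL / GENERIC_WRITE.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x10000000 -bor 0x40000000

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    # PathName may be quoted, unquoted with spaces, and may carry arguments.
    if     ($svc.PathName -match '^\s*"([^"]+)"')    { $path = $Matches[1] }
    elseif ($svc.PathName -match '^\s*(.+?\.exe)\b') { $path = $Matches[1] }
    else   { return }   # no recognisable executable path: skip this service
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return }

    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        # One row per risky ACE: who can modify which service binary.
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            StartMode = $svc.StartMode
            Path      = $path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
} | Sort-Object Service | Format-Table -AutoSize -Wrap
```

On the host in these notes, this check would report VeyonService with HEPET\Ela Arwel holding FullControl. The ACEs shown by icacls are inherited (I) from the user profile, so the fix is to install the service binary in a directory that standard users cannot write to.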

Moving on to the Privilege Escalation phase.