Weak Registry Permissions
The Windows registry stores entries for each service. Since registry entries can have ACLs, if the ACL is misconfigured, it may be possible to modify a service’s configuration even if we cannot modify the service directly.
Run winPEAS to check for service misconfigurations:
Note that the “regsvc” service has a weak registry entry. We can confirm this with PowerShell:
Alternatively, accesschk.exe can be used to confirm:
Verify that we can start the service:
Now let's check the current value of the service registry entry:
Overwrite the ImagePath registry key to point to our reverse shell executable:
Start a listener on Kali, and then start the service to trigger the exploit:
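As an added defensive check (my own code, not part of the original notes), the following PowerShell audits every key under HKLM:\SYSTEM\CurrentControlSet\Services and reports ACL rules that grant write rights (SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership or FullControl) to broad low-privilege principals, which is exactly the misconfiguration winPEAS and accesschk flag above. It assumes an elevated prompt so that every key can be read, and that the principal names match the English SIDs shown below.

```powershell
# Added audit example: find service registry keys whose ACL lets ordinary
# users rewrite ImagePath. Run elevated; keys that deny read are skipped.

# Principals that should never hold write access on a service key (assumption:
# English principal names; adjust for localized systems).
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Any of these rights is enough to change ImagePath or add a subkey.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'

function Test-WeakServiceKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    foreach ($rule in $acl.Access) {
        # Only Allow rules for the broad principals matter here.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.RegistryRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Service   = Split-Path $KeyPath -Leaf
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
                ImagePath = (Get-ItemProperty -Path $KeyPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

$findings = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Keys the current token cannot read throw; skip them rather than abort.
        try { Test-WeakServiceKey -KeyPath $_.PSPath } catch { }
    }

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No service keys grant write access to broad principals.' }
```

Any row returned is a key whose ImagePath a standard user can redirect; the fix is to remove the offending rule (or the inherited rule on its parent) so that only SYSTEM and Administrators hold write rights, then confirm with accesschk.exe as above.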