Control write-up by limbernie

From taking baby steps to uncover SQLi, to the discovery of a privileged user who can modify Windows service.

Interesting to see you chose the SecLogon service rather than Wuauserv (windows update) like a lot of us. I have an issue with both of these though, and that is that we only had permission to start the services, not stop them.

So if you (or anyone else) had already started the service, either with the legit binary path or with your own binary that didn’t timeout/crash, then now you and everyone ekse on the box is screwed right?

I wrote a script to find all services that we had permission to start and that weren’t disabled (and weren’t per-user services or templates) and the only results it found were:


I only tried two of those, so not sure if all of them work. But even if they do, that’s still not a lot of chances for people to mess up the box for themselves and everyone else. I know I screwed myself out of one service by starting it just to see if I had permission, and then couldn’t stop it so had to move on to another one. So yeah I’d be really interested to see if anyone else found a better way of doing it