Questions about exploiting Windows service permissions

I was working on one of the currently live machines and was able to get root, but only because someone made a comment that lead me to the right service . The way in is through the service permissions, but to me everything looks perfectly fine. I have been told that with experience something should stand out. I know how to manipulate the service, but can anyone give me some pointers on how to identify it in the first place? Here are the privileges I have in the shell and the permissions of the two vulnerable services. I was able to change the binpath on service 1 to get it to run my shell code but everyone insists service 2 is the obvious choice ( even though I can not modify it).

Can anyone give me some pointers as to 1) why am I able to modify service 1. 2) what might the approach to service 2 be. 3) how would I identify these as vulnerable?

I think I see what stands out in service 2, but how would I exploit it?

c:\Users\Public>whoami
iis apppool\defaultapppool

PRIVILEGES INFORMATION

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

The service paths are either quoted or have no spaces

Service 1 permissions:

Medium Mandatory Level (Default) [No-Write-Up]
R NT AUTHORITY\Authenticated Users
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_USER_DEFINED_CONTROL
R BUILTIN\Administrators
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
R S-1-5-21-3799463084-4290437372-2261193466-500
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW NT AUTHORITY\SERVICE
SERVICE_ALL_ACCESS

DA;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)(A; ;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLC SWRPWPDTLOCRSDRCWDWO;;;SU)

Service 2 Permissions

Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
R NT AUTHORITY\INTERACTIVE
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
R NT AUTHORITY\SERVICE
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL

DA;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRS DRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRR C;;;SU)

Any and all pointers would be appreciated

Depends how you changed the binpath. There’s a few ways to do it - one of which is via the registry (which means all those permissions you just listed are irrelevant as they only apply to requests made through the Service Control Manager API)

Send me a PM with which services and which machine you’re talking about and I’ll try explain in more detail.

Actually looking at the permissions again, I’d guess its because in the first service there’s this entry:

(A;;CCDCLC SWRPWPDTLOCRSDRCWDWO;;;SU)

The last part of this specifies the account/group being granted permissions. In this case it is “SU” and if we look that up here: SID Strings - Win32 apps | Microsoft Docs

We see that SU means “Service logon user. This is a group identifier added to the token of a process when it was logged as a service.”

So basically, any process that is running as a windows service. In this case, you’re running as the IIS user account presumably from a web reverse shell, and IIS runs as a service. So your user account is included in this “SU” permission. What permissions is being granted on the first service? Everything. From your nicer format of the SDDL you can see that:

RW NT AUTHORITY\SERVICE
SERVICE_ALL_ACCESS

So that means you have permission to do anything you want, including modify the service config and its binpath.

On service 2 you don’t have that permissions because SU (other services) only has these permissions:

R NT AUTHORITY\SERVICE
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL