CQURE 5-Day Challenge – Day 1: Changing Service Rights
I recently signed up for CQURE’s 5-day Challenge and in this post I will do a write-up of the first day practical challenge. For those of you not familiar with CQURE, it’s a security company founded in Poland in 2008 and offers a wide range of services like security audits, penetration testing and security training. Their main focus is Windows Internals and Security and they are great at that. The company is led by Paula Januszkiewicz and Greg Tworek and it’s a pleasure learning from them.
During CQURE’s 5-day Challenge they provide a tutorial video and also a challenge for each day from May 8th to May 12th. Now that the challenges are officially over, I feel comfortable writing about them. The first day challenge is about service rights and you can find the link here. I don’t know how long they are going to keep these up, but hopefully it will be a while.
Let’s dive in …
After the tutorial video I realized I need to learn more about permissions and SDDL. Hearing Paula talk about permissions and SDDL like it was grade 3 math should be enough of an incentive to study this topic further.
The first step of the challenge is to download a zip file that contains an executable, ‘StopMeIfYouCan.exe’. Turns out the executable is actually a service. Open cmd.exe (or powershell.exe) as administrator and install the service using the command ‘StopMeIfYouCan.exe /install’. Now, there are multiple ways to complete the rest of the steps. My first choice is PowerShell and that’s what I’ll describe first, but I’ll also go through a similar process using legacy tools under cmd.exe.
After installing the service, we have to start it.
Start-Service -DisplayName StopMeIfYouCan
Ok, now let’s stop it.
Stop-Service -DisplayName StopMeIfYouCan
Hmmm … this is interesting. Let’s try the ‘-Force’ flag. Same thing. Let’s use PsExec from Sysinternals to start PowerShell as local system and stop the service.
PsExec.exe -s -i -d powershell.exe
Now this is frustrating. Let’s check the permissions for this service. Usually you would use the ‘Get-Acl’ cmdlet for ACLs, but unfortunately it does not work with services. I found an excellent PowerShell module written to work with ACLs for services. You can find it here. After a few minutes familiarizing myself with the module, I figured out how to use it to accomplish what I needed.
Get-Service -DisplayName StopMeIfYouCan | Get-AccessControlEntry
At first glance, it should not be a permissions issue. Let’s find more about ‘Administrators’ and ‘SYSTEM’ permissions for this service.
Get-Service -DisplayName StopMeIfYouCan | Get-AccessControlEntry -Principal Administrators, SYSTEM | Format-List *
We got confirmation that permissions are not an issue: ‘Administrators’ have FullControl over this service and the ‘SYSTEM’ account certainly has the right to stop it.
What to do next? Well, let’s find out more about the service.
Get-Service -DisplayName StopMeIfYouCan | Format-List *
Interestingly enough, the service cannot be paused or stopped, but accepts a shutdown. Using WMI we can find out the ProcessId of the service in question.
Get-WmiObject -Class Win32_Service -Filter "DisplayName='StopMeIfYouCan'" | Format-List *
ProcessId is 6428. Let’s try and stop the process.
Stop-Process -Id 6428 -Force
No errors. That’s always a good sign. Let’s verify the service status.
Success! The service is in the Stopped status.
So what exactly happened? Apparently, when a service is developed, you can set different flags for it. One such flag is ‘NOT_STOPPABLE’, which effectively removes the ability to stop the service, regardless of your permissions. Now, since this service is set to start automatically, it will start again at the next reboot. But of course, that can be changed 🙂
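As an added example (not part of the original post or the CQURE challenge), the following PowerShell generalises the steps above: it audits every running service that rejects the stop control, and a second function applies the same process-termination workaround and then disables the service so it does not come back at reboot. It assumes an elevated PowerShell 5.1 or newer session and uses Get-CimInstance in place of Get-WmiObject.

```powershell
# Added example, not the post's own code. Audits services whose accepted-control bits
# exclude SERVICE_ACCEPT_STOP (what the post calls 'NOT_STOPPABLE'): Stop-Service and
# sc stop fail for them no matter how the service ACL looks.
# Assumes an elevated session; service names are whatever is installed on the host.

function Get-UnstoppableService {
    # Get-Service exposes the accepted-control bits as CanStop / CanPauseAndContinue /
    # CanShutdown; Win32_Service supplies the PID, start mode and binary path.
    Get-Service | Where-Object { $_.Status -eq 'Running' -and -not $_.CanStop } |
        ForEach-Object {
            $svc = $_
            $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                CanShutdown = $svc.CanShutdown
                ProcessId   = $wmi.ProcessId
                StartMode   = $wmi.StartMode
                PathName    = $wmi.PathName
            }
        }
}

function Stop-UnstoppableService {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.CanStop) {
        # Normal path: the Service Control Manager delivers SERVICE_CONTROL_STOP.
        Stop-Service -Name $Name -Force
    } else {
        # The SCM refuses the stop control, so terminate the hosting process instead,
        # exactly as the post does with Stop-Process / taskkill.
        $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
        if ($wmi.ProcessId -eq 0) { throw "Service '$Name' has no running process" }
        # Refuse to kill a shared svchost instance: other services would die with it.
        if ($wmi.PathName -match 'svchost\.exe') { throw "Service '$Name' is hosted in svchost; not terminating" }
        Stop-Process -Id $wmi.ProcessId -Force
    }
    # Keep the service from starting again at the next reboot (the post's "that can be changed").
    Set-Service -Name $Name -StartupType Disabled
    (Get-Service -Name $Name).Status
}

# Usage: list the candidates first, then stop one by service name (not display name).
Get-UnstoppableService | Format-Table -AutoSize
# Stop-UnstoppableService -Name 'StopMeIfYouCan'
```

Stop-UnstoppableService takes the short service name (what sc.exe uses), not the DisplayName used by the Start-Service calls above.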
Enough PowerShell, let’s turn to our usual suspects, net.exe and sc.exe. Below is a brief description of the commands that accomplish the same thing I did with PowerShell.
- Start the service: net start StopMe
- Try to stop the service: net stop StopMe
- Try to stop the service: sc stop StopMe
- Check permissions for the service: sc sdshow StopMe
- Get information about the service: sc queryex StopMe (using ‘queryex’ instead of ‘query’ reveals the PID as well)
- Stop the process associated with the service: taskkill /PID 4260 /F (4260 was the PID on my computer when I wrote this; replace it with the value from the previous command)
- Confirm the service is stopped: sc queryex StopMe
Now, just uninstall the service with the command ‘StopMeIfYouCan.exe /uninstall’.
This is the end of the Day 1 Challenge. Tomorrow I’ll write about the Day 2 Challenge. Stay tuned!