CQURE is running an online challenge contest this week (May 8-12, 2017). I am participating and I will blog about the assessment challenge the day after the challenge. These are my notes and lessons learned from the first day challenge.
The first day challenged my knowledge of security settings of Windows Services. You too might have banged your head against a wall about this before, for example trying to stop a service. Of course you knew you had to have admin rights. The service wouldn’t stop anyway. Maybe you thought of elevating a command prompt to Local System using psexec. And still the service wouldn’t stop. Do you know how to check the access control list for a service? Do you know how to change the permissions? That’s what this first day’s challenge was all about.
Some key command lines are:
sc sdshow stopme to show the security descriptor of the service with name “stopme.” This is in Security Descriptor Definition Language. A few key points to remember are that “D:” begins the DACL and “S:” the SALC section. Each descriptor is contained in parentheses. The first character is A or D and stands for Allow or Deny respectively. Then there are the permissions, where RP (“Read Property”) means “start” and WP (“Write Property”) means “stop” as it relates to a service.
sc sdset stopme <SDDL string> is the command to set a new security descriptor.
The assessment challenge had me install a service with display name StopMeIfYouCan. This service was developed by CQURE for demo purposes; it doesn’t actually do anything while it’s running. You can start it, but you can’t stop it. It turns out that unlike in the video demonstration, the service’s permissions do allow Builtin Administrator and Local System to stop the service (A;;...WP...;;;BA|SY). Yet, the service could not be stopped from services.msc or from the command line with net stop stopme. I had to think a little bit and some searching led me to this excellent blog post by Scott Sutherland. The post describes that services can have an attribute called NOT_STOPPABLE (among others). The attribute means that regardless of permissions or privileges, the service cannot be stopped using traditional means. Read Scott’s blog post for the low down on how to get rid of such a service. Key commands include sc query stopme and sc qc stopme (where “stopme” is the service name).
CQURE Academy’s blog has a post on the topic of this challenge as well, which you can find here.
A little background on how I came to follow Paula and CQURE: I first met Paula at TechEd 2011 in Atlanta, GA. She had won the previous year’s Speaker Idol competition and was judging the competition in 2011 where I participated. (I must have done something right, as I was the finalist and had the privilege of speaking at TechEd 2012.)
Sven Aelterman 
2 thoughts on “CQURE Academy 5-Day Challenge: Day 1”