This is a technique which leverages misconfigurations in the service permissions for a specific user. If permissions for a specific user differ from the ones described in the table here, then they may manifest as a possible vulnerability.
To identify such services, it is useful to use WinPEAS.
It appears that user
has write access to the service daclsvc
and can also start the service. We can query the service to see what user account is actually executing it:
sc qc <service>
It appears that the service is running as LocalSystem
which is an account with more privileges than our user
account. If we can write to the service, then we can alter its configuration and change the path to the executable which is supposed to be run:
sc config <service> binpath="\"<path>\""
All we now need to do is setup a listener and run the service:
net start <service>
And we get a system shell back: