It is known that running a windows service as local system it is a bad security practice as if this service is compromised in any way it would give the same level of privileges to an attacker as well. However it is also possible to escalate privileges from a service that is not running as SYSTEM but as a network service as well.
From Service Account to System
There are many occasions in penetration testing engagements that the penetration tester has managed to compromise a service like Apache, IIS, SQL, MySQL etc. but unfortunately this service is not running as local system or under a high privileged account but as network service.
The list of available tokens via Meterpeter in this case is limited only to the Network Service as the Apache is running under this account.
However there is a technique which can be used that tries to trick the “NT Authority\System” account to negotiate and authenticate via NTLM locally so the token for the “NT Authority\System” account would become available and therefore privilege escalation possible. This technique is called Rotten Potato and it was introduced in DerbyCon 2016 by Stephen Breen and Chris Mallz.
Service Running as Administrator
Alternatively if the service is running as high privileged user like administrator or if the service allows users to connect via Windows authentication (i.e. SQL Server allows that) then it is possible to escalate privilege by impersonating the token of the administrator account.
This can be done through the Metasploit Framework incognito extension or directly through MWR Infosecurity tool incognito.
Manipulation of system tokens can be done also through PowerSploit as Joseph Bialek inspired by the tool incognito wrote a PowerShell script which can perform the same activities.
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM