DLL hijacking
Windows DLLs are libraries that are loaded when an application or service starts. If the application or service cannot locate a required DLL, we can force it to load a DLL of our own that runs arbitrary commands in order to elevate our privileges.
For this to work, we must first locate an application that runs with SYSTEM privileges and whose search path includes a directory with permissions that allow us to upload our custom DLL.
Applications can load DLLs from various paths on Windows and will typically follow this order:
- Application path or directory
- C:\Windows\System32
- C:\Windows\System
- C:\Windows
- C:\Program Files
- The PATH environment variable
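As an added illustration from the detection side (not code from the original text), the following Python applies the search order listed above to constructed Sysmon Event ID 7 image-load records and flags a DLL that resolved from a directory earlier in that order than its legitimate copy, or an unsigned DLL pulled in through a PATH directory. The baseline of expected DLL locations, the sample records and the PATH entries are all constructed for the example.

```python
import ntpath

# Search order exactly as listed in the text above: application directory first
# (position 0), these fixed directories next, PATH entries last.
SEARCH_ORDER = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows", r"C:\Program Files"]
# Constructed baseline (assumption): where each OS-shipped DLL should load from;
# in practice this comes from a known-good image of the host.
EXPECTED_HOME = {"example.dll": r"C:\Windows\System32", "sample_lib.dll": r"C:\Windows\System"}

def _norm(d):
    return d.lower().rstrip("\\")

def rank(directory, app_dir, path_dirs):
    """Position of `directory` in the search order, or None if it is not on it."""
    d = _norm(directory)
    if d == _norm(app_dir):
        return 0
    fixed = [_norm(s) for s in SEARCH_ORDER]
    if d in fixed:
        return 1 + fixed.index(d)
    path = [_norm(p) for p in path_dirs]
    return 1 + len(fixed) + path.index(d) if d in path else None

def analyse(events, path_dirs):
    """Flag image-load records (Sysmon Event ID 7 fields) where a DLL was resolved
    ahead of its legitimate copy, or an unsigned DLL came in via PATH."""
    findings = []
    for ev in events:
        app_dir, load_dir = ntpath.dirname(ev["Image"]), ntpath.dirname(ev["ImageLoaded"])
        name = ntpath.basename(ev["ImageLoaded"]).lower()
        r_load = rank(load_dir, app_dir, path_dirs)
        home = EXPECTED_HOME.get(name)
        if home and _norm(load_dir) != _norm(home):
            if r_load is not None and r_load < rank(home, app_dir, path_dirs):
                findings.append((ev["ImageLoaded"], f"shadows {home}\\{name} earlier in the search order"))
            else:
                findings.append((ev["ImageLoaded"], "known DLL loaded from an unexpected directory"))
        elif ev["Signed"] == "false" and r_load is not None and r_load > len(SEARCH_ORDER):
            findings.append((ev["ImageLoaded"], "unsigned DLL resolved via a PATH directory"))
    return findings

# Constructed sample records (assumption: field names follow Sysmon Event ID 7).
PATH_DIRS = [r"C:\Windows\System32", r"C:\Users\Public\tools"]
EVENTS = [
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Windows\System32\example.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Program Files\App\example.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Users\Public\tools\helper.dll", "Signed": "false"},
]
```

Running analyse(EVENTS, PATH_DIRS) reports the second and third records; the first, a signed load from the DLL's expected home, is left alone.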
We can also perform DLL hijacking on application or service DLLs that do not have a defined path. The following code snippet is an example of an absolute path:
PATH = C:\Windows\System32\example.dll
As you can see in the preceding code snippet, the path...