Unquoted Service Path

One of my favorite

-> If there is a space in the path and the path is not enclosed in double quotes, it can be exploited. Example: C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

-> How the system tries to execute an unquoted service path (in this order, stopping at the first file that exists):

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe

Detection

# PowerUp (Get-UnquotedService and Invoke-AllChecks live in PowerUp.ps1; PowerView.ps1 is the AD enumeration script and has no service checks)
Import-Module ./PowerUp.ps1
Invoke-AllChecks       # runs every PowerUp check
Get-UnquotedService    # only the unquoted service path check

OR

wmic service get displayname,pathname

OR

# Best one
Get-CimInstance -ClassName win32_service | Select Name,State,PathName # PowerShell

OR

# Best one
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\"
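
Added example, not from the original notes: a PowerShell audit that lists unquoted service paths, shows the intermediate files Windows would probe before the real binary (the order given above), and prints the sc.exe command that quotes the executable. It only assumes the built-in Get-CimInstance and sc.exe; the function names are my own.

```powershell
# Added example, not from the original notes: audit a host for unquoted service
# paths, show which files Windows would probe before the real binary, and print
# the sc.exe command that fixes each one. Run from an elevated PowerShell prompt.

function Split-ServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Separate the executable from its arguments: the executable ends at ".exe".
    if ($PathName -match '^(?<exe>.*?\.exe)(?<args>.*)$') {
        return [PSCustomObject]@{ Exe = $Matches.exe; Args = $Matches.args }
    }
    [PSCustomObject]@{ Exe = $PathName; Args = '' }
}

function Get-ProbedPaths {
    param([Parameter(Mandatory)][string]$Exe)
    # CreateProcess tries every space-delimited prefix with ".exe" appended,
    # e.g. C:\Program.exe, then C:\Program Files\My.exe, before the real file.
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }            # some services have no path
        $p = Split-ServicePath $_.PathName
        # Flag only paths that are unquoted, have a space inside the executable
        # portion (not just in the arguments), and sit outside C:\Windows.
        if ($p.Exe -notmatch '^"' -and $p.Exe -match '\s' -and
            $p.Exe -notmatch '^[A-Za-z]:\\Windows\\') {
            [PSCustomObject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                PathName  = $_.PathName
                Probed    = (Get-ProbedPaths $p.Exe) -join '; '
                # Remediation: quote only the executable, keep arguments as they were.
                Fix       = "sc.exe config `"$($_.Name)`" binPath= `"\`"$($p.Exe)\`"$($p.Args)`""
            }
        }
    }
}

Find-UnquotedServicePath | Format-List
```

The Probed column is the list of locations to check (and to monitor for unexpected file creation); applying the Fix line removes the condition entirely.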


Found an unquoted service path? # i.e. a service whose binary path contains spaces and no quotes
Write the path and the service name in your notes first # the service name also shows up in winPEAS and PowerView output

icacls "<path of the file>"
Example: C:\Program Files\yolo Apps\Current Version\yolo.exe

# TRY IN THIS FASHION ONLY
-> icacls "C:\Program Files", then icacls "C:\Program Files\yolo Apps", and so on, one folder deeper each time.
-> Once we see W (or a broader right that includes it) on a folder, the next path component is the file name that gets placed there.
WE WANT W for BUILTIN\Users, NT AUTHORITY\Authenticated Users, or the current user

# Example
C:\Program Files\yolo Apps\Current Version\yolo.exe
icacls "C:\Program Files\yolo Apps" # gives W to Users
Put the malicious Current.exe in the "yolo Apps" folder: the service launches C:\Program Files\yolo Apps\Current.exe before it ever reaches Current Version\yolo.exe

Exploitation

My go-to resource for literally everything: