Unquoted Service Path
Unquoted Service Paths β Windows Privilege Escalation
Last updated
Unquoted Service Paths β Windows Privilege Escalation
Last updated
In simple terms, when a service is created whose executable path contains spaces and isn't enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
Check service without quotes:
Check File or Directory Permissions:
Check Service Permissions:
First, import PowerUp.ps1 to memory.
Then, check for privilege escalation vectors using this command:
Alternatively, for checking unquoted service paths specifically, use this command:
Example output:
For detail information about the vulnerable service, use this command:
Now, for abusing the service, you can use Write-ServiceBinary command:
Basically, the above command will replace the original files with a malicious file that contains a reverse shell command.
If you have ability to restart the service, you can run:
But, since you don't have the privilege to restart the service (CanRestart = False), you can reboot the machine since the service is set to autostart.
Now, your netcat listener will have a session with the NT\SYSTEM user.
