<\/p>\n\n\n\n
To understand this vulnerability we must first understand how windows looks for executables when quotes are not present. Let’s take the following service for example.<\/p>\n\n\n\n We can see the intended path to the executable in the If we are able to create any of these executables before the intended one then the service will run our arbitrary executable under the permissions of the service (usually SYSTEM). In order for this to work you must be able to write to the directory the service is installed under. In this example the service is installed under In this example the <\/p>\n\n\n\n With our executable in place we can restart the service and get a shell. <\/p>\n\n\n\n Exploiting unquoted services paths does require some permissions and some mess ups on the blue team side. A common issue to run into would be that by default most services are installed under To protect yourself from this kind of vulnerability all you need to do is put quotes around your service paths. This command will return all service paths with spaces and no quotes so you can fix them via the registry or the command line.<\/p>\n\n\n\n https:\/\/tryhackme.com\/room\/windowsprivesc20<\/a><\/p>\n\n\n\n![\"\"](\"https:\/\/merrillnewman.tech\/wp-content\/uploads\/2023\/02\/image-23-1024x389.png\")
BINARY_PATH_NAME<\/code> argument. However since there are now quotes Windows will look for the service executable in the following order.<\/p>\n\n\n\n
C:\\MyPrograms<\/code>, we can check the permissions of this directory using icacls<\/code>.<\/p>\n\n\n\n![\"\"](\"https:\/\/merrillnewman.tech\/wp-content\/uploads\/2023\/02\/image-24.png\")
BUILTIN\\USERS<\/code> group has AD<\/code> and WD<\/code> permissions on the C:\\MyPrograms<\/code> directory, these give us write and append privileges respectively. From here all we need to do is create our executable and place it one of the previously mentioned locations.<\/p>\n\n\n\n![\"\"](\"https:\/\/merrillnewman.tech\/wp-content\/uploads\/2023\/02\/image-25-1024x180.png\")
![\"\"](\"https:\/\/merrillnewman.tech\/wp-content\/uploads\/2023\/02\/image-26-1024x324.png\")
![\"\"](\"https:\/\/merrillnewman.tech\/wp-content\/uploads\/2023\/02\/image-27-1024x596.png\")
![\"\"](\"https:\/\/merrillnewman.tech\/wp-content\/uploads\/2023\/02\/image-28-1024x423.png\")
Caveats<\/h3>\n\n\n\n
C:\\Program Files<\/code> or C:\\Program Files (x86)<\/code> directory which are both only writable by administrator accounts. Another issue is that often you will not have permissions to start\/stop the service, in this case its possible to restart the computer and achieve execution that way if it is an auto-start service but in many situations restarting the computer can cause unacceptable downtime. <\/p>\n\n\n\nRemediation<\/h3>\n\n\n\n
wmic service get name,displayname,pathname,startmode |findstr \/i \"auto\" |findstr \/i \/v \"c:\\windows\\\\\" |findstr \/i \/v \"\"\"<\/code><\/pre>\n\n\n\nReferences<\/h3>\n\n\n\n