Privilege escalation techniques on Windows.
- Unquoted Service Paths (Red Teaming Experiments)
Use this technique when we do not have access to replace the binary executed by a service, but:
- We have access to the service’s main directory and subdirectories
- The path of the binary to execute contains spaces, but the service is configured without quotes around the path, so the spaces are not escaped.
Detect the vulnerability
Known vulnerabilities
searchsploit unquoted
Services with path containing spaces without quotes
wmic service get name,pathname,startmode | findstr /i /v "c:\windows\\" | findstr /i /v """
sc query <service name>
Running services
powershell
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
Exploit
This was tested. Be careful, Microsoft’s documentation is sometimes wrong about this…
For example, suppose a service runs the program:
C:\Program Files (x86)\Sync Breeze Enterprise\bin\syncbrs.exe
Without quotes in the service configuration, Windows cannot tell where the executable path ends and the arguments begin, so the text after each space may be treated as program arguments. Windows will search for the executable in this order:
C:\Program.exe
C:\Program Files (x86)\Sync.exe
C:\Program Files (x86)\Sync Breeze Enterprise\bin\syncbrs.exe
To exploit, create the malicious executable in one of these paths and restart the service.
This is a design decision by Microsoft: each space is treated as a possible end of the program path, and every such prefix is tried as a candidate executable before the full path. The fix is to quote the path in the service configuration.
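An added example, not part of the original notes, that applies the same filter as the findstr pipeline above to a constructed wmic output sample and lists the candidate executables Windows would try for each flagged service. It enumerates every space boundary in the path, so for the Sync Breeze example it also reports C:\Program Files.exe and ...\Sync Breeze.exe, which the three-entry list above omits. The sample output, service names and column layout are assumptions.

```python
import re

# Constructed sample of `wmic service get name,pathname,startmode` output
# (assumed layout; not captured from a real host).
SAMPLE_WMIC = """\
Name        PathName                                                         StartMode
Spooler     C:\\Windows\\System32\\spoolsv.exe                                 Auto
SyncBreeze  C:\\Program Files (x86)\\Sync Breeze Enterprise\\bin\\syncbrs.exe  Auto
GoodSvc     "C:\\Program Files\\Good Vendor\\svc.exe" -run                     Auto
"""

def image_path(pathname):
    """Strip arguments: the image path ends at the first '.exe' (case-insensitive)."""
    m = re.match(r'(.*?\.exe)', pathname.strip(), re.IGNORECASE)
    return m.group(1) if m else pathname.strip()

def is_unquoted_with_spaces(pathname):
    """True when the image path is not quoted and contains a space."""
    p = pathname.strip()
    return not p.startswith('"') and ' ' in image_path(p)

def candidate_paths(pathname):
    """Lookup order for an unquoted path: the prefix before each space is
    tried as <prefix>.exe (the first existing file wins), then the full path."""
    image = image_path(pathname)
    candidates = [image[:i] + '.exe' for i, ch in enumerate(image) if ch == ' ']
    candidates.append(image)
    return candidates

def find_unquoted_services(wmic_output):
    """Parse wmic text output; return {name: candidates} for services whose
    path is unquoted, contains spaces and is not under C:\\Windows
    (the same filter as the findstr pipeline)."""
    findings = {}
    for line in wmic_output.splitlines()[1:]:      # skip the header row
        fields = re.split(r'\s{2,}', line.strip())  # wmic pads columns with runs of spaces
        if len(fields) < 3:
            continue
        name, pathname = fields[0], fields[1]
        if pathname.lower().startswith('c:\\windows\\'):
            continue
        if is_unquoted_with_spaces(pathname):
            findings[name] = candidate_paths(pathname)
    return findings

if __name__ == '__main__':
    for svc, paths in find_unquoted_services(SAMPLE_WMIC).items():
        print(svc)
        for p in paths:
            print('   ', p)
```

Any candidate whose parent directory is writable by a low-privileged user is the finding to remediate by quoting the path.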