search

Unquoted service paths

hashtag
Unquoted service paths

A properly configured service path would look something like this:

"C:\Program Files (x86)\Common Files\Steam\SteamService.exe"

You might, however, come across a misconfigured service path during your OSCP exam. An unquoted service path would look something like this:

C:\Program Files (x86)\Common Files\Steam\SteamService.exe

This can be a vulnerability because Windows looks for service executables in hierarchical order.

It would look for ‘SteamService.exe’ in the following order:

  • Program Files (x86)

  • Common Files

  • Steam

This means that you could add a maliscious file called ‘SteamService.exe’ to the ‘Common Files’ directory if you have write permissions.

All you’d have to do then is restart the service to execute your maliscious file.

But first, you need to run a few checks because:

  • you might not have directory write permissions

  • You might be unable to restart the service

  • The service might not be running as an elevated user

Check for unquoted service paths with winPEAS

Do you have permissions to execute the service?

Do you have write permissions for any of the directories? (Check each directory)

Let’s assume you have write permssions for the ‘Common Files ‘ directory.

Generate a reverse shell payload:

Download your payload to the target and copy into the writeable directory:

Setup a listener in Metasploit and restart the service:

PreviousService ExploitsNextMimikatz

Last updated