Unqouted Service Path
We will create a service with a Unquoted Service Path to escalate privileges from a low privileges user account to SYSTEM.
Last updated
We will create a service with a Unquoted Service Path to escalate privileges from a low privileges user account to SYSTEM.
Last updated
Login to WS01 as the Administrator user with password Welcome01!.
Start PowerShell as administrator and run the following commands to create a service:
Name = Service
Executable path = C:\Program Files\bin folder\program\bin x64\Service.exe
Start = auto
3. Run the following command to create the folders for the service:
4. Run icacls to check the current permissions on the directories with a space in it:
5. Run icacls to give the BUILTIN\Users write permissions on C:\Program Files\bin folder\program.
6. Run icacls again the check the permissions on the directory:
When a service exists whose executable path contains spaces and it isn't enclosed within quotes it could be used to run an executable of our choice. This is because if the service is not enclosed within quotes and it has spaces, it would handle the space as a break and pass the rest of the service path as an argument.
If the filename is a long string of text which contains spaces, and is not enclosed within quotation marks, the filename will be executed in the order from left to right until the space is reached and will append .exe at the end of this spaced path. For example, consider we have the following path:
C:\Program Files\A Folder\B Folder\C Folder\Program.exe
Windows will try to execute the following:
C:\Program Files\A.exe
C:\Program Files\A Folder\B.exe
C:\Program Files\A Folder\B Folder\C.exe
C:\Program Files\A Folder\B Folder\C Folder\Program.exe
Icacls.exe
Download PowerUp on your attacking machine and host it on a webserver
2. Login on WS01 with the user John and the password Welcome2022!.
3. Open Powershell, execute a amsi bypass such ass the one below and download PowerUp into memory with iex and iwr (Invoke-Expression and Invoke-WebRequest)
4. Execute Invoke-AllChecks to run all the checks from PowerUp.
5. The output tells us there is a service with the name Service and it has a unqouted service path (C:\Program Files\bin folder\program\bin x64\service.exe).
6. To check if we can write a binary in one of the folders check the permissions the folders before the one with a space in it. Since we need to write the binaries C:\Program Files\bin.exe or C:\Program Files\bin folder\program\bin.exe.
We have no write permissions in C:\Program Files:
But we do have write permissions in C:\Program Files\bin folder\program.
7. To abuse this run the following command from PowerUp, which will create a executable bin.exe in the path C:\Program Files\bin folder\program which will add a new local administrator.
8. Our current user can't start the service, which means we should restart the machine and check if the user privesc is created.
9. Start a new PowerShell session as Administrator and fill in the credentials privesc:Welcome2022!.
Remove the user privesc and the binary
Periodically check for vulnerable services and directory permissions.
Currently the low privileged users can't create any files in the directories with a space. BUILTIN\Users has (RX) privileges. Which is RX (read and execute access). For more information about the icacls access rights check out post.
