Windows Privilege Escalation — Part 1 (Unquoted Service Path)

<h1><strong>Prerequisites</strong></h1>
<p>This post assumes that you already have a low-privileged shell on the target (a netcat reverse shell, a Meterpreter session, or similar).</p>
<h1><strong>Aim</strong></h1>
<p>We will create a deliberately vulnerable service and then exploit it to escalate from a low-privileged user account to SYSTEM.</p>
<h1><strong>What in the world is Unquoted Service Path?</strong></h1>
<p>When a <strong>service</strong> is registered with an <strong>executable path</strong> that contains <strong><em>spaces</em></strong> and is not enclosed in <strong><em>quotes</em></strong>, the result is the vulnerability known as Unquoted Service Path. It lets a local user run code as <strong>SYSTEM</strong>, provided the vulnerable service runs as SYSTEM (which most services do), the user can write to one of the directories along the path, and the user can restart the service (or wait for a reboot if the service starts automatically).</p>
<p>The cause is how Windows resolves an unquoted command line: it treats the text before the first space as a candidate program name and the rest as arguments, and if that file does not exist it moves on to the next space. For <code>C:\Program Files\My App\service.exe</code>, the service control manager tries <code>C:\Program.exe</code> first, then <code>C:\Program Files\My.exe</code>, and only then the intended <code>C:\Program Files\My App\service.exe</code>. Dropping an attacker-controlled executable at any of the earlier candidates hijacks the service.</p>
<p>A quick way to spot such services is to list each service's image path and start account and look for entries that contain a space and do not begin with a quote, for example with <code>wmic service get name,pathname,startname</code>, then check whether your user can write to the directory of one of the earlier candidates.</p>
<p><a href="https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"><strong>Click Here</strong></a></p>
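<p>The following PowerShell is an added example written for this edit; it is not code from the original post. It enumerates services whose image path is unquoted and contains a space, computes every executable name the service control manager would try before the real one, and checks whether the current user can write to each of those directories. It assumes a PowerShell 5.1 or later session on the target and no particular vulnerable service; the function names are chosen here for illustration.</p>

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on the
# target. Function names below are illustrative, not a standard module.

function Test-DirectoryWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    # Creating and immediately deleting a probe file is the most reliable
    # writability test; reading ACLs misses inherited and group-granted rights.
    $probe = Join-Path $Directory ("." + [guid]::NewGuid().ToString("N"))
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    # Win32_Service.PathName is the ImagePath exactly as stored in the registry,
    # so a missing leading quote is visible here.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notlike '"*' -and                 # unquoted
            $_.PathName -notlike "$env:SystemRoot\*" -and  # skip the Windows directory
            $_.PathName -like '* *'                        # contains a space
        } |
        ForEach-Object {
            $svc = $_
            # Keep only the executable: everything up to the first ".exe",
            # dropping any service arguments that follow it.
            if ($svc.PathName -match '^(?<exe>.*?\.exe)') {
                $exe = $Matches['exe']
            } else {
                return   # unusual image path (no .exe); skip it
            }

            # CreateProcess tries the text before each space as the program
            # name, so every such prefix + ".exe" is a hijack candidate.
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Parent $candidate
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartName = $svc.StartName   # 'LocalSystem' means SYSTEM
                    StartMode = $svc.StartMode   # 'Auto' survives a reboot
                    ImagePath = $svc.PathName
                    Candidate = $candidate
                    Writable  = Test-DirectoryWritable -Directory $dir
                }
            }
        }
}

# Show only candidates we could actually plant, e.g. C:\Program.exe when C:\ is writable.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

<p>For an image path such as <code>C:\Program Files\My App\service.exe</code> the function reports <code>C:\Program.exe</code> and <code>C:\Program Files\My.exe</code> as candidates. A row with <code>Writable</code> set to <code>True</code> and <code>StartName</code> equal to <code>LocalSystem</code> is the combination the rest of this post exploits; <code>StartMode</code> tells you whether a reboot will restart the service if you cannot restart it yourself.</p>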