Windows Privilege Escalation — Part 1 (Unquoted Service Path)
<h1><strong>Prerequisites</strong></h1>
<p>This blog post assumes that you have already obtained a low privileged shell on the target (for example a netcat reverse shell or a Meterpreter session).</p>
<h1><strong>Aim</strong></h1>
<p>We will create a deliberately vulnerable service and then exploit it in order to escalate from a low privileged user account to SYSTEM.</p>
<h1><strong>What in the world is Unquoted Service Path?</strong></h1>
<p>When a <strong>service</strong> is created whose <strong>executable path</strong> contains <strong><em>spaces</em></strong> and isn’t enclosed within <strong><em>quotes</em></strong>, the result is a weakness known as Unquoted Service Path. If a low privileged user can write to one of the directories along that path, they can drop an executable that Windows runs in place of the real service binary, with the privileges of the service account. That yields <strong>SYSTEM</strong> when the vulnerable service runs as LocalSystem, which is very often the case. Two conditions must hold for the attack to work: a directory on the path must be writable by the low privileged user, and the service must be (re)started after the file is planted, either because the user may stop and start it, or because it starts automatically and the machine reboots.</p>
<p>When Windows starts a service whose unquoted path contains spaces, it cannot tell where the executable name ends and the arguments begin. It therefore treats each space as a possible break: it tries the text up to the first space as the executable and passes the rest of the path as arguments, and if that file does not exist it moves on to the next space, until something runs. For <code>C:\Program Files\My App\svc.exe</code> the candidates are <code>C:\Program.exe</code>, then <code>C:\Program Files\My.exe</code>, then the intended <code>C:\Program Files\My App\svc.exe</code>. The first candidate that exists wins, so a file planted at an earlier candidate path is executed instead of the real binary.</p>
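<p>The following PowerShell script is an added example, not code from the original post: it enumerates every service whose binary path is unquoted and contains spaces, reconstructs the candidate executables Windows would try in order, and probes whether the current (low privileged) user can create a file in each candidate's parent directory. The function names <code>Get-UnquotedServicePath</code> and <code>Test-DirectoryWritable</code> are this example's own; the probe writes and deletes an empty file rather than reading ACLs, because file creation is exactly what planting a payload requires.</p>

```powershell
# Added example (not from the original post): find unquoted service paths
# and the writable directories that make them exploitable.

function Test-DirectoryWritable {
    # Try to create (and immediately delete) a file in $Directory.
    # Creating a file, not a folder, is the check that matters: C:\ usually
    # lets standard users create folders but not files.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ('probe-' + [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        # Quoted paths are safe; empty paths (kernel drivers etc.) are skipped.
        if (-not $path -or $path.StartsWith('"')) { continue }

        # The executable portion is everything up to the first ".exe";
        # anything after it is arguments and is irrelevant here.
        $m = [regex]::Match($path, '^(.+?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { continue }

        # Reconstruct the candidates Windows tries before the real binary:
        # "C:\Program Files\My App\svc.exe" -> C:\Program.exe,
        #                                     C:\Program Files\My.exe
        $tokens = $exe -split ' '
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $candidate = ($tokens[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # LocalSystem is the prize
                StartMode = $svc.StartMode   # Auto => reboot restarts it
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Directory $dir
            }
        }
    }
}

# Show only the candidates you could actually plant a file at.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

<p>Run it from the low privileged shell with <code>powershell -ExecutionPolicy Bypass -File .\unquoted.ps1</code>. A row with <code>Writable</code> set to true, <code>RunsAs</code> equal to LocalSystem and a service you can restart (or an Auto start mode plus a reboot) is the combination the rest of this post exploits; a service whose path is unquoted but whose directories are all unwritable is not exploitable this way, whatever account it runs as.</p>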
<p><a href="https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae"><strong>Click Here</strong></a></p>