SlideShare a Scribd company logo

Unquoted service path exploitation

Download as PPTX, PDF
Dhruv Sharma, profile picture
Dhruv Sharma

The document discusses unquoted service path exploitation as a privilege escalation technique in Windows operating systems, allowing non-admin users to gain administrative access by exploiting the way Windows handles service paths. It explains the conditions under which a service path is vulnerable, provides a method for identifying such vulnerabilities, and outlines steps for exploiting them in a lab setup. Additionally, it offers guidance for creating a vulnerable service for demonstration purposes.

Technology
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Unquoted Service Path exploitation By Dhruv Sharma
Introduction • This exploitation technique is used to perform Privilege Escalation from non admin / non Root user to System / Admin user. We will exploit unquoted service path for the services. • Used with Windows Operating System. • Services running on the server can be: • Unquoted • Quoted
Introduction Are all unquoted service path are vulnerable ? • A: No. If there are no spaces in the name of the directory i.e. ProgramFiles [non vulnerable] || Program Files [vulnerable] Service Path: C:Program FilesA SubfolderB SubfolderC SubfolderSomeExecutable.exe In order to run SomeExecutable.exe, the system will interpret this path in the following order from 1 to 5. Step 1: C:Program.exe Step 2: C:Program FilesA.exe Step 3: C:Program FilesA SubfolderB.exe Step 4: C:Program FilesA SubfolderB SubfolderC.exe Step 5: C:Program FilesA SubfolderB SubfolderC SubfolderSomeExecutable.exe If C:Program.exe is not found, then C:Program FilesA.exe would be executed. If C:Program FilesA.exe is not found, then C:Program FilesA SubfolderB.exe would be executed and so on.
Tips • Use below script to search for vulnerable services: wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:Windows" | findstr /i /v ""“ • Service name = Some Vulnerable Service. • Path name = C:Program FilesA SubfolderB SubfolderC SubfolderSomeExecutable.exe • Display name = Some Vulnerable Service • Start mode = Auto
Lab Demo • Step 1: We ran our command to find out any possible vulnerable services. Only last 3 services are not quoted – Some Vulnerable services, Babi Service & myBabi Service.
Lab Demo • Check the services. This service is configured for Auto Start, which means it will try to automatically started after reboot.
Lab Demo https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7
Lab Demo • Step 2: In this case we will try to exploit it. Let’s check if our user has privileges. The folder has Write privileges, which is inherited from the parent folder.
Lab Demo • Step 3: We analyzed the directory and placed babi.exe (reverse shell payload) as shown below.
Lab Demo • Finally we start to run the application. It is not important for us to run the service, but going through the path is important.
Create your own vulnerable Service • Create your own service for dhruv.exe • Provide write access to Dhruv Sharma directory icacls "C:Program FilesA Subfolder" /grant "BUILTINUsers":(F) /t [full access] icacls "C:Program FilesA Subfolder" /grant "BUILTINUsers":W [write access]
References • https://medium.com/@SumitVerma101/windows-privilege- escalation-part-1-unquoted-service-path-c7a011a8d8ae
Unquoted service path exploitation

More Related Content

PPTX
Introduce anypoint studio
Son Nguyen
 
PPTX
Anypoint mq acknowledgement mode
Son Nguyen
 
PPTX
Running mule as worker role on azure
Son Nguyen
 
PPTX
Troubleshooting mule
Son Nguyen
 
PPTX
Mule tcat server - common problems and solutions
Shanky Gupta
 
PPTX
Using maven with mule
Sindhu VL
 
PPTX
Konstantinos Sidiropoulos - Testing microservices a real example
PetrosPlakogiannis
 
PPTX
Configuring Anypoint Studio MQ connector
Shanky Gupta
 
Introduce anypoint studio
Son Nguyen
 
Anypoint mq acknowledgement mode
Son Nguyen
 
Running mule as worker role on azure
Son Nguyen
 
Troubleshooting mule
Son Nguyen
 
Mule tcat server - common problems and solutions
Shanky Gupta
 
Using maven with mule
Sindhu VL
 
Konstantinos Sidiropoulos - Testing microservices a real example
PetrosPlakogiannis
 
Configuring Anypoint Studio MQ connector
Shanky Gupta
 

What's hot (20)

ODP
Webservice performance testing with SoapUI
Phuoc Nguyen
 
PPT
Less02 2 e_testermodule_1
Suresh Mishra
 
PPTX
Invoke component demo in mule
Ramakrishna kapa
 
PPTX
Logger
Srilatha Kante
 
PPTX
Testing Rapidly Changing Applications With Self-Testing Object-Oriented Selen...
seleniumconf
 
PPT
ALP. Short facts
Alex
 
PPTX
Logger
krishashi
 
PPTX
Hybrid automation framework
doai tran
 
PDF
POST/CON 2019 Workshop: Experts
Postman
 
PPTX
Python component in mule
Ramakrishna kapa
 
ODP
Accelerate Quality with Postman Advance
Knoldus Inc.
 
PPTX
Programming and the web for beginners
Son Nguyen
 
PPTX
Mule
irfan1008
 
PDF
Deployment automation framework with selenium
Wenhua Wang
 
PPT
Used Java Component To Access Flow and Session Vars
Christian Hipolito
 
PDF
Selena Deckelmann - Sane Schema Management with Alembic and SQLAlchemy @ Pos...
PostgresOpen
 
PPT
Ppt of soap ui
pkslide28
 
PPT
Selenium
Sun Technlogies
 
ODP
Apache JMeter Introduction
Søren Lund
 
PPTX
Solution about automating end to end server test
Yu Tao Zhang
 
Webservice performance testing with SoapUI
Phuoc Nguyen
 
Less02 2 e_testermodule_1
Suresh Mishra
 
Invoke component demo in mule
Ramakrishna kapa
 
Logger
Srilatha Kante
 
Testing Rapidly Changing Applications With Self-Testing Object-Oriented Selen...
seleniumconf
 
ALP. Short facts
Alex
 
Logger
krishashi
 
Hybrid automation framework
doai tran
 
POST/CON 2019 Workshop: Experts
Postman
 
Python component in mule
Ramakrishna kapa
 
Accelerate Quality with Postman Advance
Knoldus Inc.
 
Programming and the web for beginners
Son Nguyen
 
Mule
irfan1008
 
Deployment automation framework with selenium
Wenhua Wang
 
Used Java Component To Access Flow and Session Vars
Christian Hipolito
 
Selena Deckelmann - Sane Schema Management with Alembic and SQLAlchemy @ Pos...
PostgresOpen
 
Ppt of soap ui
pkslide28
 
Selenium
Sun Technlogies
 
Apache JMeter Introduction
Søren Lund
 
Solution about automating end to end server test
Yu Tao Zhang
 
Ad

Similar to Unquoted service path exploitation (20)

DOCX
2
shital904928
 
DOCX
2
Chandrakant Shinde
 
PPTX
SE-Unit 4_software testing stretagy.pptx
nilampatoliya
 
PDF
Si fa presto a dire serverless
Alessio Coser
 
PPTX
sst ppt.pptx
PRIANKA R
 
DOC
Components lab
Joanne Scouler
 
PPT
Software Testing
Abhishek Saxena
 
PPTX
mini proj_batch1.pptx online secure file transfer system
KorbanMaheshwari
 
PDF
Testing - How Vital and How Easy to use
Uma Ghotikar
 
PPT
Software testing & its technology
Hasam Panezai
 
DOC
Components lab
IBM Rational software
 
PPTX
SOFTWARE TESTINg ghhhhhhhgggggfdhnhhjjju
nehalsiddiqui7
 
PDF
CH-3.pdf
ArchishaKhandareSS20
 
PDF
Performancetestingjmeter 121109061704-phpapp02
Shivakumara .
 
PPTX
Selenium Training in Chennai
Thecreating Experts
 
PDF
Manual testing by reddy
Krishna Gurjar
 
PPTX
ST Unit-3.pptx
JhonLiver
 
PPTX
Windows privilege escalation
Dhruv Shah
 
PPTX
Windows privilege escalation by Dhruv Shah
OWASP Delhi
 
PDF
Laravel Load Testing: Strategies and Tools
Muhammad Shehata
 
2
shital904928
 
2
Chandrakant Shinde
 
SE-Unit 4_software testing stretagy.pptx
nilampatoliya
 
Si fa presto a dire serverless
Alessio Coser
 
sst ppt.pptx
PRIANKA R
 
Components lab
Joanne Scouler
 
Software Testing
Abhishek Saxena
 
mini proj_batch1.pptx online secure file transfer system
KorbanMaheshwari
 
Testing - How Vital and How Easy to use
Uma Ghotikar
 
Software testing & its technology
Hasam Panezai
 
Components lab
IBM Rational software
 
SOFTWARE TESTINg ghhhhhhhgggggfdhnhhjjju
nehalsiddiqui7
 
CH-3.pdf
ArchishaKhandareSS20
 
Performancetestingjmeter 121109061704-phpapp02
Shivakumara .
 
Selenium Training in Chennai
Thecreating Experts
 
Manual testing by reddy
Krishna Gurjar
 
ST Unit-3.pptx
JhonLiver
 
Windows privilege escalation
Dhruv Shah
 
Windows privilege escalation by Dhruv Shah
OWASP Delhi
 
Laravel Load Testing: Strategies and Tools
Muhammad Shehata
 
Ad

More from Dhruv Sharma (18)

PPTX
RAVPN EAP-IKEv2 VPN.pptx
Dhruv Sharma
 
PPTX
Load Balance with NSX-T.pptx
Dhruv Sharma
 
PPTX
NSX_Troubleshooting.pptx
Dhruv Sharma
 
PPTX
ASA VPN_Certificate authentication_ISE Authorization.pptx
Dhruv Sharma
 
PPTX
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Dhruv Sharma
 
PPTX
Routebased-Policybased VPN.pptx
Dhruv Sharma
 
PPTX
Ansible Network Automation session1
Dhruv Sharma
 
PPTX
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
Dhruv Sharma
 
PPTX
Factory setup wsa_9.2_v1.0
Dhruv Sharma
 
PPTX
Tacacs+ with ise 2.4_ CCIE
Dhruv Sharma
 
PPTX
Get vpn multicast for CCIE Security
Dhruv Sharma
 
PPTX
Route tags with OSPF
Dhruv Sharma
 
PPTX
Aci vmware integration_youtube
Dhruv Sharma
 
PPTX
Introduction to nexux from zero to Hero
Dhruv Sharma
 
PPTX
Cisco umbrella youtube
Dhruv Sharma
 
PPTX
GTM vs AWS Route 53 with Cisco umbrella
Dhruv Sharma
 
PPTX
Setting up VPN between F5 LTM & ASA
Dhruv Sharma
 
PPTX
Getting started kali linux
Dhruv Sharma
 
RAVPN EAP-IKEv2 VPN.pptx
Dhruv Sharma
 
Load Balance with NSX-T.pptx
Dhruv Sharma
 
NSX_Troubleshooting.pptx
Dhruv Sharma
 
ASA VPN_Certificate authentication_ISE Authorization.pptx
Dhruv Sharma
 
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Dhruv Sharma
 
Routebased-Policybased VPN.pptx
Dhruv Sharma
 
Ansible Network Automation session1
Dhruv Sharma
 
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
Dhruv Sharma
 
Factory setup wsa_9.2_v1.0
Dhruv Sharma
 
Tacacs+ with ise 2.4_ CCIE
Dhruv Sharma
 
Get vpn multicast for CCIE Security
Dhruv Sharma
 
Route tags with OSPF
Dhruv Sharma
 
Aci vmware integration_youtube
Dhruv Sharma
 
Introduction to nexux from zero to Hero
Dhruv Sharma
 
Cisco umbrella youtube
Dhruv Sharma
 
GTM vs AWS Route 53 with Cisco umbrella
Dhruv Sharma
 
Setting up VPN between F5 LTM & ASA
Dhruv Sharma
 
Getting started kali linux
Dhruv Sharma
 

Recently uploaded (20)

PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Approach and Philosophy of On baking technology
30anthuong17
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Cloud computing and distributed systems.
kkkkkhan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 

Unquoted service path exploitation

  • 1. Unquoted Service Path exploitation By Dhruv Sharma
  • 2. Introduction • This exploitation technique is used to perform Privilege Escalation from non admin / non Root user to System / Admin user. We will exploit unquoted service path for the services. • Used with Windows Operating System. • Services running on the server can be: • Unquoted • Quoted
  • 3. Introduction Are all unquoted service path are vulnerable ? • A: No. If there are no spaces in the name of the directory i.e. ProgramFiles [non vulnerable] || Program Files [vulnerable] Service Path: C:Program FilesA SubfolderB SubfolderC SubfolderSomeExecutable.exe In order to run SomeExecutable.exe, the system will interpret this path in the following order from 1 to 5. Step 1: C:Program.exe Step 2: C:Program FilesA.exe Step 3: C:Program FilesA SubfolderB.exe Step 4: C:Program FilesA SubfolderB SubfolderC.exe Step 5: C:Program FilesA SubfolderB SubfolderC SubfolderSomeExecutable.exe If C:Program.exe is not found, then C:Program FilesA.exe would be executed. If C:Program FilesA.exe is not found, then C:Program FilesA SubfolderB.exe would be executed and so on.
  • 4. Tips • Use below script to search for vulnerable services: wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:Windows" | findstr /i /v ""“ • Service name = Some Vulnerable Service. • Path name = C:Program FilesA SubfolderB SubfolderC SubfolderSomeExecutable.exe • Display name = Some Vulnerable Service • Start mode = Auto
  • 5. Lab Demo • Step 1: We ran our command to find out any possible vulnerable services. Only last 3 services are not quoted – Some Vulnerable services, Babi Service & myBabi Service.
  • 6. Lab Demo • Check the services. This service is configured for Auto Start, which means it will try to automatically started after reboot.
  • 8. Lab Demo • Step 2: In this case we will try to exploit it. Let’s check if our user has privileges. The folder has Write privileges, which is inherited from the parent folder.
  • 9. Lab Demo • Step 3: We analyzed the directory and placed babi.exe (reverse shell payload) as shown below.
  • 10. Lab Demo • Finally we start to run the application. It is not important for us to run the service, but going through the path is important.
  • 11. Create your own vulnerable Service • Create your own service for dhruv.exe • Provide write access to Dhruv Sharma directory icacls "C:Program FilesA Subfolder" /grant "BUILTINUsers":(F) /t [full access] icacls "C:Program FilesA Subfolder" /grant "BUILTINUsers":W [write access]