akde/infosec

Information security is ultimately about managing risk


  1. Check whether any service has an unquoted image path that contains spaces (outside of the Windows directory):
    wmic service get name,pathname | findstr /i /v "C:\Windows\" | findstr /i /v """
    Alternatively in PowerShell: see the Windows Service Exploitation article.
  2. Check that it is possible to restart the service, e.g. via Start-Service $serviceName in PowerShell.
  3. If this is possible, check whether we can write to one of the locations Windows tries before the real binary. For example, the service executable is C:\Program Files\Super App\SuperApp.exe. Then the following paths should be checked with icacls:
    1. C:\Program.exe
    2. C:\Program Files\Super.exe
    3. C:\Program Files\Super App\SuperApp.exe
  4. If you have write access, compile a binary, e.g. from the Binary hijacking post, place it there and profit.
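The checklist above as a single audit report, written here as an added example (not code from the original post): it applies the step 1 filter, derives the step 3 candidate paths for each hit, and reports whether the parent directory is writable by ordinary users. Function names are my own, and Get-Acl stands in for the icacls check.

```powershell
# Added audit example (not the original post's code). Assumes a Windows host; function
# names are my own, and Get-Acl stands in for the icacls check in step 3.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return @() }   # quoted image paths are not affected
    $candidates = @()
    # Each space is a split point: "C:\Program Files\Super App\SuperApp.exe" yields
    # C:\Program.exe, C:\Program Files\Super.exe and the real binary, in that order.
    for ($i = 0; $i -lt $p.Length; $i++) {
        if ($p[$i] -ne ' ') { continue }
        $prefix = $p.Substring(0, $i)
        if (-not $prefix.EndsWith('.exe', [StringComparison]::OrdinalIgnoreCase)) { $prefix += '.exe' }
        $candidates += $prefix
        # Windows uses the first path that exists, so arguments after the real binary are never candidates.
        if (Test-Path -LiteralPath $prefix -PathType Leaf) { break }
    }
    return $candidates
}

function Test-UserWritable {
    param([string]$Directory)
    if ([string]::IsNullOrEmpty($Directory) -or -not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    # CreateFiles (WriteData) is the bit that lets a user drop a file here; Write, Modify and FullControl include it.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

# Same filter as the wmic one-liner in step 1, via CIM; one row per candidate path.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and
                   $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' } |
    ForEach-Object {
        $svc = $_
        foreach ($c in Get-UnquotedPathCandidates -PathName $svc.PathName) {
            [pscustomobject]@{
                Service            = $svc.Name
                RunsAs             = $svc.StartName
                Candidate          = $c
                DirWritableByUsers = Test-UserWritable -Directory (Split-Path -Path $c -Parent)
            }
        }
    } | Format-Table -AutoSize
```

Rows with DirWritableByUsers set to True for a service that runs as LocalSystem are the findings to fix, normally by quoting the ImagePath and tightening the directory ACL.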
