# Using WMIC
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
# Using sc
sc query
sc qc <service name>
# Look for Binary_path_name and see if it is unquoted.
If the path contains a space and is not quoted, the service is vulnerable.
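The same test the wmic and sc commands above apply, written as an added audit helper (not part of the original notes) that runs offline over saved `sc qc` output: it flags an unquoted executable path that contains a space and sits outside C:\Windows, mirroring the two findstr exclusions, and returns the quoted binPath an administrator would set with `sc config <name> binPath=` to close the gap. The sample output and service names are constructed.

```python
import re

# Constructed sample of `sc qc` output for two services (not a real host).
SAMPLE_SC_QC = """
SERVICE_NAME: WinampSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files\\something\\winamp.exe -service

SERVICE_NAME: Spooler
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Windows\\System32\\spoolsv.exe
"""

# Executable part (up to the first .exe/.bat/.cmd/.com) plus any arguments.
_EXE_RE = re.compile(r"^(.+?\.(?:exe|bat|cmd|com))(\s.*)?$", re.IGNORECASE)

def classify_path(binpath):
    """Return (is_vulnerable, remediated_binpath) for one BINARY_PATH_NAME."""
    bp = binpath.strip()
    if bp.startswith('"'):
        return False, bp          # already quoted: nothing to do
    m = _EXE_RE.match(bp)
    if not m:
        return False, bp          # no recognisable executable part
    exe, args = m.group(1), m.group(2) or ""
    under_windows = exe.lower().startswith("c:\\windows\\")
    if " " not in exe or under_windows:
        return False, bp          # same exclusions as the findstr filters
    return True, '"%s"%s' % (exe, args)   # quoted exe, arguments untouched

def parse_sc_qc(text):
    """Yield (service_name, binary_path_name) pairs from `sc qc` output."""
    name = None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif "BINARY_PATH_NAME" in line and name:
            yield name, line.split(":", 1)[1].strip()

def audit(text):
    """Map each vulnerable service to the quoted binPath that fixes it."""
    findings = {}
    for name, bp in parse_sc_qc(text):
        vulnerable, fixed = classify_path(bp)
        if vulnerable:
            findings[name] = fixed
    return findings
```

Feed it the concatenated output of `sc qc` for each service and the dictionary it returns is the list of services to re-quote.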
Exploit It
If the path to the binary is:
c:\Program Files\something\winamp.exe
We can place a binary like this
c:\program.exe
When the service is restarted it will execute program.exe, which we of course control. This works in any directory that has a space in its name, not only Program Files.
There is also a Metasploit module for this: exploit/windows/local/trusted_service_path
Enumeration with powerup.ps1
Upload the script with Metasploit.
Now run the script with PowerShell.
• List services which can be configured 👍
We are also given the command to execute it.
• Unquoted Service Path 👍
Now create a reverse shell payload
A reverse meterpreter payload dies if used directly, so we have to chain it with post/windows/manage/migrate.
Now upload the malicious file, switch from meterpreter to a shell, stop the service, copy the file to the same location, start a listener on port 4443 and start the service again.