Can't enumerate any Unquoted Service Paths in Public Service Announcement

PeculiarCapybara9003 · July 27, 2024, 12:09am

Dear all,

I’ve completed the Windows Services learning path and figured I’d take a shot at the Public Service Announcement Practice lab.

However I can’t seem to find any services that are vulnerable to an unquoted service path attack; the wording in the instructions “There is a service on the Windows server that is vulnerable to an Unquoted Service Path attack” makes it sound to me like there already is a vulnerable service running, and you don’t have to introduce one like you did during the Windows Service learning.

I’ve tried enumerating using the:

wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """

and several variations thereof, as well as the ps command:

Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName

But have come up empty handed so far.

Please advice.

JosephWhite · July 27, 2024, 2:53am

Your search is excluding c:\windows ( | findstr /i /v “C:\Windows”. C:\Windows is normally excluded as it is not writable BUT in this lab you are have administrator access, so you can search in c:\windows as well as you will be able to exploit any unquoted service paths found. This question tests how well you understand the search command

PeculiarCapybara9003 · July 27, 2024, 7:34am

Thank You so much for the quick reply Joseph!