Unquoted Service Paths
When a service is created with an executable path that contains spaces and isn't enclosed in quotes, the result is an Unquoted Service Path vulnerability, which allows an attacker to gain elevated privileges.
After finding the vulnerable service, we need to check the folder permissions. If users with low or the same privileges have write access, privilege escalation is possible.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
WMIC command: The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands.
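The same audit can be done in PowerShell. The script below is an added example, not part of the original post: it flags unquoted service paths and lists the earlier file names Windows would try, so the folders that need a permission review are explicit. The function name Get-AmbiguousServicePath and the three sample service records are constructed for illustration.

```powershell
# Added example: audit helper for unquoted service paths (not from the original page).
# Get-AmbiguousServicePath is a hypothetical helper name chosen for this example.
function Get-AmbiguousServicePath {
    param([string]$PathName)

    $p = "$PathName".Trim()
    if ($p.StartsWith('"')) { return @() }   # quoted paths are parsed unambiguously

    # Executable portion: everything up to the first ".exe" followed by a space or the end.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups[1].Value

    # Each space is a point where Windows may end the file name and append ".exe".
    $found = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $found += $exe.Substring(0, $i) + '.exe' }
    }
    return $found
}

# Constructed sample records shaped like Win32_Service rows (not real services).
$services = @(
    [pscustomobject]@{ Name = 'SvcA'; StartMode = 'Auto'; PathName = 'C:\Program Files\Example App\bin\svc.exe -k run' }
    [pscustomobject]@{ Name = 'SvcB'; StartMode = 'Auto'; PathName = '"C:\Program Files\Example App\bin\svc.exe" -k run' }
    [pscustomobject]@{ Name = 'SvcC'; StartMode = 'Auto'; PathName = 'C:\Tools\svc.exe' }
)
# On a live host, use instead: $services = Get-CimInstance -ClassName Win32_Service

foreach ($s in $services) {
    $early = @(Get-AmbiguousServicePath -PathName $s.PathName)
    if ($early.Count -eq 0) { continue }     # quoted, or no space in the executable path

    [pscustomobject]@{
        Name          = $s.Name
        StartMode     = $s.StartMode
        PathName      = $s.PathName
        TriedFirst    = $early -join '; '
        # Folders that must not be writable by low-privileged users.
        ReviewFolders = ($early | Split-Path -Parent | Sort-Object -Unique) -join '; '
    }
}
```

Only SvcA is reported, because SvcB is quoted and SvcC contains no space. Enclosing the executable path in quotes in the service configuration removes the ambiguity.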
Unquoted Service Path
Vulnerable Application: Sandboxie-Plus v0.7.4