Closed Malayke closed 1 year ago
Hi!
Your analysis is correct, you did not do anything wrong. I think I might have introduced a regression in the code at some point. :grimacing:
No worries, you don't need to write code or submit a PR to contribute. Opening an issue with this level of detail is largely enough to help. :slightly_smiling_face:
Thanks for reporting this bug. I'll have a look at this. :+1:
Thanks to the information you reported, I was able to reproduce the issue on my lab machine.
There were two problems:
`WriteData/AddFile` was granted. That was valid before I implemented a helper function that makes the difference between files and folders. This helper just returns `WriteData` if it's a file, and `AddFile` if it's a folder. I forgot to update the code to reflect this change, hence the first regression.
`Get-ModifiablePath` so that it returns the permission as a string (joined array) rather than an array. Since I had a test like `$PermissionSet -contains $Permission`, this no longer worked. This was the second regression.
Now, it should report exploitable unquoted paths correctly.
+------+------------------------------------------------+------+
| TEST | SERVICES > Unquoted Path | VULN |
+------+------------------------------------------------+------+
| DESC | List registered services and check whether any of |
| | them is configured with an unquoted path that can be |
| | exploited. |
+------+-------------------------------------------------------+
[*] Found 1 result(s).
Name : unquotedsvc
ImagePath : c:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
User : LocalSystem
ModifiablePath : C:\Program Files\Unquoted Path Service
IdentityReference : BUILTIN\Users
Permissions : Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory,
WriteExtendedAttributes, ReadAttributes, AddFile, ReadExtendedAttributes, Traverse
Status : Stopped
UserCanStart : False
UserCanStop : False
The moral of the story is "I should have implemented unit tests"... :/
Anyways, thank you very much for reporting this. This is much appreciated. :pray:
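The two regressions described in the comment above, reproduced in isolation as an added PowerShell example. This is not PrivescCheck's code: `Convert-MaskToRightNames` and `Test-HasRight` are hypothetical names, and the access mask is a constructed sample.

```powershell
# Added illustration, not PrivescCheck code. Function names are hypothetical.
# Win32 reuses access-mask bits: 0x2 is FILE_WRITE_DATA on a file and FILE_ADD_FILE
# on a directory; 0x4 is FILE_APPEND_DATA on a file and FILE_ADD_SUBDIRECTORY on a directory.
function Convert-MaskToRightNames {
    param([int]$Mask, [bool]$IsDirectory)
    $Names = @()
    if ($Mask -band 0x2) {
        if ($IsDirectory) { $Names += 'AddFile' } else { $Names += 'WriteData' }
    }
    if ($Mask -band 0x4) {
        if ($IsDirectory) { $Names += 'AddSubdirectory' } else { $Names += 'AppendData' }
    }
    return ,$Names   # the leading comma keeps a one-element result an array
}

# Membership test that works whether the caller passes an array or a joined string.
function Test-HasRight {
    param($PermissionSet, [string]$Right)
    $Items = @($PermissionSet) | ForEach-Object { $_ -split ',' } | ForEach-Object { $_.Trim() }
    return ($Items -contains $Right)
}

# Constructed sample: a directory ACE granting bits 0x2 and 0x4.
$AsArray  = Convert-MaskToRightNames -Mask 0x6 -IsDirectory $true
$AsString = $AsArray -join ', '

[pscustomobject]@{
    # First regression: the combined label is never produced once names depend on the object type.
    OldLabelOnArray    = $AsArray -contains 'WriteData/AddFile'
    # Array input: -contains compares against each element.
    ContainsOnArray    = $AsArray -contains 'AddFile'
    # Second regression: a joined string is one element, so -contains compares the whole string.
    ContainsOnString   = $AsString -contains 'AddFile'
    # Splitting first gives the same answer for both shapes.
    TestHasRightArray  = Test-HasRight $AsArray 'AddFile'
    TestHasRightString = Test-HasRight $AsString 'AddFile'
} | Format-List
```

A check like this fails silently: a false negative in the audit output looks the same as a clean host, which is why a regression test over both input shapes is worth having.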
🙏 Thank you for providing a detailed description of the issue and quickly resolving it. I will now close this issue. 🌟
I'm running the TryHackMe Windows PrivEsc machine, and there is a service whose binary path is an unquoted path:
but PrivescCheck said:
I'm not sure if there is a bug or if I run it in the wrong way. I think this project is cool and powerful, and I would like to contribute to its improvement. However, I am not very familiar with PowerShell.