# Unquoted service path

A service that is configured to call an executable at an unquoted path can be tricked into running a different executable, one controlled by us.

Let's compare two services:

1. `quoted_path_exec`
2. `unquoted_path_exec`

***quoted\_path\_exec***

```powershell
C:\> sc qc quoted_path_exec
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: quoted_path_exec
        TYPE               : ...
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\quoted\path\exec.exe
        ...
```

***unquoted\_path\_exec***

```powershell
C:\> sc qc unquoted_path_exec
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquoted_path_exec
        TYPE               : ...
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\rand_path\unquoted path\exec.exe
        ...
```

Notice that there is a space in the executable path. Because the path is not quoted, this makes it ambiguous: there are two possible paths at which the service will look for the binary:

1. `C:\rand_path\unquoted`, with `path\exec.exe` as the argument
2. `C:\rand_path\unquoted path\exec.exe` (expected)

Assuming that we have permission to create a file in the `C:\rand_path` directory (check using the `icacls` command), we can create a payload with `msfvenom` and `move` it to the directory to trick the service into calling our executable instead.
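
A defender-side check for the ambiguity described above, as an added example that is not part of the original page: it lists, in order, the shortened paths Windows would try before the intended binary, and the directories whose permissions should be reviewed with `icacls`. The function name `Get-UnquotedPathCandidates` and the output property names are hypothetical, and the service list is constructed from the two `sc qc` outputs shown above.

```powershell
# Added example, not from the original page.
# Returns the executables Windows would try BEFORE the intended one when a
# service ImagePath is unquoted and contains spaces (empty if unambiguous).
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = $ImagePath.Trim()
    if ($path.StartsWith('"')) { return }        # quoted: no ambiguity

    # Keep only the executable part; text after ".exe " is arguments.
    $m = [regex]::Match($path, '^.*?\.exe(?=\s|$)', 'IgnoreCase')
    if ($m.Success) { $path = $m.Value }

    # Every space is a point where the path can be cut short. Windows
    # appends ".exe" to the cut prefix and tries that file first.
    for ($i = $path.IndexOf(' '); $i -ge 0; $i = $path.IndexOf(' ', $i + 1)) {
        $path.Substring(0, $i) + '.exe'
    }
}

# Constructed sample input: the two BINARY_PATH_NAME values shown above.
# On a live host, replace it with:
#   $services = Get-CimInstance Win32_Service | Select-Object Name, PathName
$services = @(
    [pscustomobject]@{ Name = 'quoted_path_exec';   PathName = 'C:\quoted\path\exec.exe' }
    [pscustomobject]@{ Name = 'unquoted_path_exec'; PathName = 'C:\rand_path\unquoted path\exec.exe' }
)

foreach ($svc in $services) {
    if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
    $candidates = @(Get-UnquotedPathCandidates -ImagePath $svc.PathName)
    if ($candidates.Count -eq 0) { continue }    # nothing ambiguous

    [pscustomobject]@{
        Service    = $svc.Name
        ImagePath  = $svc.PathName
        TriedFirst = $candidates -join '; '
        # Directories to review with icacls for non-admin write access
        ReviewDirs = ($candidates | Split-Path -Parent | Sort-Object -Unique) -join '; '
    }
}
```

Any service this reports is corrected by rewriting its binary path so that the executable portion is enclosed in double quotes.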

