CreateProcess API calls:

If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:

c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
c:\program files\sub dir\program name.exe
...
Check ws01 for any potentially misconfigured services, that is, services whose binary paths are not wrapped in quotes:

Because c:\program.exe is the first candidate in the lookup order above, we may be able to stop/start the VulnerableSvc and get our binary at c:\program.exe to run with NT\System privileges:

VulnerableSvc

Doing so gives us a meterpreter session with nt authority\system privileges:
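The following PowerShell is an added example for the defensive side of the two passages above (the CreateProcess lookup order and the check for services without quoted binary paths); it is not code from the original write-up. It audits the local host for services whose ImagePath is unquoted and contains a space, reconstructs the candidate paths CreateProcess would try in the order quoted above, and offers a remediation that wraps the executable portion in quotes. The cmdlets and the Win32_Service / registry properties it uses are real; the function names Get-UnquotedServicePath and Repair-UnquotedServicePath, and the assumption that the executable ends in ".exe", are mine.

```powershell
# Audit services for unquoted ImagePath values that contain a space and show the
# lookup order CreateProcess applies to such a path. Added example; function
# names are hypothetical, cmdlets and property names are standard.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }

        # A path that starts with a quote has an explicit executable boundary; skip it.
        if ($path.TrimStart().StartsWith('"')) { return }

        # Keep only the executable portion; arguments after ".exe" do not affect
        # the lookup. Assumption: the service binary ends in ".exe".
        $exePart = $path
        $idx = $path.ToLower().IndexOf('.exe')
        if ($idx -ge 0) { $exePart = $path.Substring(0, $idx + 4) }

        # No whitespace in the executable path means no ambiguity.
        if ($exePart -notmatch '\s') { return }

        # Rebuild the order the CreateProcess documentation describes: cut the path
        # at each space, append ".exe", and finally try the full path.
        $parts = $exePart -split '\s+'
        $candidates = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
        }
        $candidates += $exePart

        [pscustomobject]@{
            Name       = $_.Name
            RunAs      = $_.StartName   # e.g. LocalSystem is the high-impact case
            StartMode  = $_.StartMode
            PathName   = $path
            Candidates = $candidates
        }
    }
}

# Remediate one service by quoting the executable portion of its ImagePath.
# Requires an elevated session; the service must be restarted for the change
# to take effect. Added example, not the write-up's code.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($path.TrimStart().StartsWith('"')) { return }

    $idx = $path.ToLower().IndexOf('.exe')
    if ($idx -lt 0) { throw "Cannot locate the executable boundary in '$path'" }

    $exe  = $path.Substring(0, $idx + 4)
    $rest = $path.Substring($idx + 4)   # any arguments, kept as-is
    $fixed = '"' + $exe + '"' + $rest

    if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
        # ImagePath is normally REG_EXPAND_SZ; keep that type explicitly.
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
    }
}

# Usage:
#   Get-UnquotedServicePath | Format-List
#   Repair-UnquotedServicePath -Name VulnerableSvc -WhatIf
```

The Candidates column is the detection value: every entry except the last is a location that should not be writable by non-administrators. Quoting the path removes the ambiguity for that service, but the audit is only complete once the directory ACLs along each candidate path (for example with icacls) have been reviewed as well, since a service running as LocalSystem is the case that matters.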