An unquoted service path can be exploited for privilege escalation when it is combined with weak permissions on one of the parent directories in that path.
When a service path is unquoted, Windows splits the path at each space and looks for a valid executable from left to right, so the following candidates are tried in order:
C:\Program.exe
C:\Program Files\Vulnerable.exe
C:\Program Files\Vulnerable Services\Service.exe
If any of those parent directories is writable by a low-privileged user, we can drop an executable there to escalate privileges. We can use Get-Acl to check the permissions on a directory.
Enumeration
This can be discovered with SharpUp in Cobalt Strike:
An alternative is winPEAS.
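The following PowerShell script is an added example for the defensive side of the same check; it is not part of the original notes and not taken from SharpUp or winPEAS. It reproduces the left-to-right lookup described above, uses Get-Acl to find the candidate directories writable by low-privileged principals, and shows the remediation (quoting the ImagePath). Assumptions: it runs in an elevated PowerShell on the host being audited, the groups in $LowPrivGroups are the ones you treat as untrusted, and the service name 'VulnerableSvc' in the usage line is a placeholder.

```powershell
# Added example, not part of the original notes: audit a host for unquoted service
# paths whose intermediate directories are writable by low-privileged principals,
# and quote the ImagePath to close the gap.
# Assumptions: elevated PowerShell on the host being audited; the principals in
# $LowPrivGroups are the ones treated as untrusted.

$LowPrivGroups = @('Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-ServiceExePath {
    param([string]$PathName)
    # Return only the executable part of an ImagePath, dropping arguments such as "-k netsvcs".
    $idx = $PathName.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { $PathName.Substring(0, $idx + 4) } else { $PathName }
}

function Get-HijackCandidates {
    param([string]$ExePath)
    # Reproduce the left-to-right lookup Windows performs on an unquoted path:
    # every prefix ending at a space is tried as "<prefix>.exe" before the real binary.
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-LowPrivWriters {
    param([string]$Directory)
    # Identities from $LowPrivGroups that hold Write, Modify or FullControl on $Directory.
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return @() }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $WriteMask) -ne 0 -and
            ($LowPrivGroups -contains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Find-UnquotedServicePath {
    # One object per (service, writable candidate location) pair; no output means nothing found.
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName -or $svc.PathName.StartsWith('"')) { continue }
        $exe = Get-ServiceExePath $svc.PathName
        if ($exe -notmatch ' ') { continue }   # no space, so Windows resolves it unambiguously
        foreach ($candidate in Get-HijackCandidates $exe) {
            $writers = Get-LowPrivWriters (Split-Path -Parent $candidate)
            if ($writers) {
                [pscustomobject]@{
                    Service    = $svc.Name
                    RunsAs     = $svc.StartName
                    ImagePath  = $svc.PathName
                    Exposure   = $candidate
                    WritableBy = ($writers -join ', ')
                }
            }
        }
    }
}

function Repair-ServiceImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ServiceName)
    # Remediation: wrap the executable portion of ImagePath in quotes, keeping any arguments.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    $exe = Get-ServiceExePath $current
    $fixed = '"' + $exe + '"' + $current.Substring($exe.Length)
    if ($PSCmdlet.ShouldProcess($ServiceName, "set ImagePath to $fixed")) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    }
}

# Usage: list findings, then fix a service (preview with -WhatIf first).
Find-UnquotedServicePath | Format-Table -AutoSize
# Repair-ServiceImagePath -ServiceName 'VulnerableSvc' -WhatIf   # 'VulnerableSvc' is a placeholder
```

Each finding names the account the service runs as, which is what decides the impact of the exposure: a writable "C:\Program Files" next to a service running as LocalSystem is the case the notes above describe. Quoting the ImagePath removes the ambiguity regardless of directory permissions, but the writable directory itself is still worth fixing, since it also affects anything else that loads from that path.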
Exploitation
For Cobalt Strike, we need to generate a service executable payload for a listener. These payloads will contain svc in the filename. It is recommended to create a TCP peer-to-peer beacon bound to localhost only for privilege escalation. Upload the file using the beacon upload command and place it appropriately. When the exploit is successful, the service will be START_PENDING, and will turn to STOPPED when checked with sc query ServiceName (by design for stealth). In order to finalize the beacon creation, we must connect to the listener on an existing beacon with connect localhost [tcp beacon port].
Note that regular users cannot start or stop services, so you would have to rely on reboots.
To restore the service, delete the beacon payload and restart the service.