
Abusing Token Privileges For Windows Local Privilege Escalation by @dronesec and @breenmachine

This is a project my friend drone (@dronesec) and I have been poking at for quite some time and are happy to finally be releasing. As the title implies, we're going to be looking at leveraging Windows access tokens with the goal of local privilege escalation. For those familiar with some of my previous work, "Rotten Potato", this might sound familiar; however, drone and I took this 10 steps further.
In this post I'm just going to be providing a summary of the work. The full paper and all associated code can be found at: https://github.com/hatRiot/token-priv.
This post is going to be broken into 2 sections, the first for penetration testers and red teamers, and the second for exploit developers.

For the Red Team

Like the "Rotten Potato" project, this project will be useful for penetration testing and red team scenarios where an attacker has gained access to a non-administrative service account and is looking to elevate privileges to "SYSTEM". If you recall from the "Rotten Potato" project, in order for the original attack to work, your account needed to have the "SeImpersonatePrivilege" or "SeAssignPrimaryPrivilege". Drone and I decided to look at what other privileges could be abused to gain SYSTEM level access and were able to find a whole collection of them! If this is where your interest lies, feel free to skip to sections 3.1 and 3.3 of the paper linked above and take a look at the published code. Each of the modules is associated with a specific privilege and will get you SYSTEM level access or something nearly as good.
Here is the list of privileges that we were able to abuse:
  • SeImpersonatePrivilege
  • SeAssignPrimaryPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege
From a penetration testing perspective, just type "whoami /priv" at a Windows command prompt. If you have one of the above privileges, you win.
It may be beneficial to hunt for specific service accounts that have these privileges. For example, if you can gain access to the Backup service account, it will almost certainly have the SeBackupPrivilege and SeRestorePrivilege. Gaining access to these service accounts can be accomplished in a number of ways, including the following:
  • The service itself is compromised through some vulnerability. Typical scenarios include web application vulnerabilities which allow execution in the context of the account running IIS, and SQL injection vulnerabilities where XP_CMDSHELL can be used to run code in the context of the SQL service account.
  • Service account credentials are leaked in some way.
  • Kerberoast style attacks. A Kerberos ticket is requested for the target account from the domain controller. Part of this ticket is encrypted using the target account's password hash. This can be efficiently cracked offline to yield the account password.
  • Forcing NTLM negotiation. For example, with a backup service, if you were to force it to back up an SMB share that is served up by Responder.py.
As always, you may need to be creative here.
For further details, please see the paper in the GitHub repository https://github.com/hatRiot/token-priv.
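The "whoami /priv" check above is easy to do by eye on one host, but an auditor reviewing many service accounts wants it automated. The following is an added example (not code from the token-priv project) that parses the text "whoami /priv" prints and reports which of the privileges listed in this post are present on the token. The sample output embedded in it is constructed for illustration; the privilege names are spelled as "whoami /priv" prints them, so the post's "SeAssignPrimaryPrivilege" appears as SeAssignPrimaryTokenPrivilege.

```python
"""Audit `whoami /priv` output for token privileges this post lists as
abusable for reaching SYSTEM.

Added example for this summary post; it is not code from the token-priv
project. The sample output below is constructed for illustration.
"""
import re

# Privileges the post lists as abusable, spelled as `whoami /priv`
# prints them (the post's "SeAssignPrimaryPrivilege" is shown by whoami
# as SeAssignPrimaryTokenPrivilege).
ABUSABLE_PRIVILEGES = frozenset({
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
})

# Constructed sample in the layout `whoami /priv` uses: a header block,
# a separator line of '=' runs, then one privilege per line whose first
# field is the name and last field is the state.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    Lines before the '=====' separator are headers and are skipped.
    Each data line is split on runs of whitespace; the privilege name is
    the first field and the state ("Enabled"/"Disabled") the last one.
    The description in between may contain spaces, so it is not used.
    """
    privileges = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            if re.match(r"^=+(\s+=+)*\s*$", line):
                in_table = True
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        name, state = fields[0], fields[-1]
        if name.startswith("Se") and name.endswith("Privilege"):
            privileges[name] = state
    return privileges


def audit_token(text):
    """Return sorted (name, state) pairs for abusable privileges on the token.

    Presence is what matters: a privilege shown as "Disabled" is still
    held by the token and the process can enable it itself with
    AdjustTokenPrivileges, so it is reported alongside enabled ones.
    """
    privileges = parse_whoami_priv(text)
    return sorted((n, s) for n, s in privileges.items()
                  if n in ABUSABLE_PRIVILEGES)


if __name__ == "__main__":
    # Run against captured `whoami /priv` text; here the constructed sample.
    for name, state in audit_token(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state}")
```

Pipe the real output in (for example, `whoami /priv > priv.txt` on the host, then read the file into audit_token) and review every account that reports a hit; a "Disabled" state is not a mitigation, since the account can turn the privilege on itself.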

For the Exploit Devs

This project was originally conceived by drone as a tool for exploit developers to greatly simplify the exploitation of partial write vulnerabilities. Partial write vulnerabilities are those where we can write something to a chosen location in memory, but we may not control the value being written. The idea here is to abuse the partial write to flip some bits in your user's token, thus enabling one of the exploitable privileges. From this point forward, the "exploitation" of the vulnerability involves abusing intended (albeit undocumented) behavior of a series of Windows API calls.
The advantage of this type of strategy for abusing partial writes is that it evades all of the new kernel exploit mitigations! Drone shows in the paper how he was able to greatly simplify the exploits for some recent partial write vulnerabilities. The other great thing is that the exploit code is completely portable. Once the correct bits are flipped in the token, the exploit developer needs only to run one of the modules from our project.
For further details, please see the paper in the GitHub repository https://github.com/hatRiot/token-priv.

https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/