

Over the last few years, tools such as RottenPotato, RottenPotatoNG or Juicy Potato have made the exploitation of impersonation privileges on Windows very popular among the offensive security community. Though, recent changes to the operating system have intentionally or unintentionally reduced the power of these techniques on Windows 10 and Server 2016/2019. Today, I want to introduce a new tool that will allow pentesters to easily leverage these privileges again.

Please note that I used the term “new tool” and not “new technique”. If you read this article in the hope of learning a new leet technique, you will be disappointed. In fact, I’m going to discuss two very well-known techniques that can be combined together in order to achieve privilege escalation from LOCAL SERVICE or NETWORK SERVICE to SYSTEM. To my knowledge, I think there hasn’t been any public mention about using this particular trick in this context but, of course, I might be wrong.

Note: I developed the tool and started preparing this blog post prior to the publication of this blog post by James Forshaw: Sharing a Logon Session a Little Too Much. I could have chosen to cancel the publication of my post but I eventually realized that it was still worth it. Please keep this in mind as you read this post.

I want to start things off with this quote from “if you have SeAssignPrimaryToken or SeImpersonate privilege, you are SYSTEM”. That’s a deliberately provocative shortcut obviously, but it’s not far from the truth.

These two privileges are very powerful indeed. They allow you to run code or even create a new process in the context of another user. To do so, you can call CreateProcessWithToken() if you have SeImpersonatePrivilege or CreateProcessAsUser() if you have SeAssignPrimaryTokenPrivilege.

Before talking about these two particular functions, I want to quickly remind you what the standard CreateProcess() function looks like:

[image: prototype of CreateProcess()]

The first two parameters allow you to specify the application or the command line you want to execute. Then, a lot of settings can be specified in order to customize the environment and the security context of the child process. Finally, the last parameter is a reference to a PROCESS_INFORMATION structure which will be returned by the function upon success. It contains the handles to the target process and thread.

Let’s take a look at CreateProcessWithToken() and CreateProcessAsUser() now:

[image: prototypes of CreateProcessWithToken() and CreateProcessAsUser()]

As you can see, they are not much different than the standard CreateProcess() function. However, they both require a handle to a token.
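Since the whole post rests on who holds SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, the first thing a defender wants is an inventory of the accounts that have been granted these two user rights on a given host. The following PowerShell script is an added example and is not part of the original post or the tool it describes; it exports the local security policy with secedit.exe, parses the two privilege lines from the [Privilege Rights] section, and resolves the SIDs to account names. It assumes an elevated session on Windows (secedit needs administrative rights) and a writable %TEMP%.

```powershell
# Added example, not code from the original post: list the accounts that hold
# the two impersonation-related user rights on the local machine.
# Assumes: elevated PowerShell on Windows; secedit.exe available; writable $env:TEMP.

$cfg = Join-Path $env:TEMP 'userrights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed (run from an elevated prompt)' }

# The two rights discussed in the post
$rights = @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege')

foreach ($line in Get-Content $cfg) {
    # Exported lines look like:
    #   SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
        $name    = $Matches[1]
        $holders = $Matches[2] -split ',' | ForEach-Object {
            $entry = $_.Trim().TrimStart('*')
            try {
                if ($entry -like 'S-1-*') {
                    # Resolve the SID to DOMAIN\Account; fall back to the raw SID on failure
                    (New-Object System.Security.Principal.SecurityIdentifier($entry)).
                        Translate([System.Security.Principal.NTAccount]).Value
                } else {
                    $entry
                }
            } catch { $entry }
        }
        '{0}: {1}' -f $name, ($holders -join ', ')
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

On a default installation the SeImpersonatePrivilege line normally includes LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20), which is exactly why a compromised service running as one of those accounts is the starting point for the escalation the post describes; any additional accounts that show up in this output, especially custom service accounts or IIS application pool identities, are worth reviewing.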
