What is the use of the nine privileges of the Windows Token?

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Today I will talk about the use of the nine privileges of the Windows Token, which may not be well understood by many people. To help you understand it better, the editor has summarized the following contents for you; I hope you can get something from this article.

0x00 Preface

What exploitation methods exist for the special privileges held in the Token of an ordinary user (or the LocalService user)? Can they be used to escalate privileges? How do you tell?

In this article I draw on my own experience and on a number of open source tools and materials to try to summarize this technique and share what I learned.

Referenced open source tools and materials:

Hot Potato: https://github.com/foxglovesec/Potato

Powershell version Hot Potato: https://github.com/Kevin-Robertson/Tater

Rotten Potato: https://github.com/breenmachine/RottenPotatoNG

Lonelypotato: https://github.com/decoder-it/lonelypotato

Juicy Potato: https://github.com/ohpe/juicy-potato

https://github.com/hatRiot/token-priv

https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/

https://foxglovesecurity.com/2016/01/16/hot-potato/

https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

0x01 Introduction

This article will introduce the following:

Brief exploitation approach

Exploitation approach and open source code for SeImpersonatePrivilege

Exploitation approach and open source code for SeAssignPrimaryTokenPrivilege

Exploitation approach and open source code for SeTcbPrivilege

Exploitation approach and open source code for SeBackupPrivilege

Exploitation approach and open source code for SeRestorePrivilege

Exploitation approach and open source code for SeCreateTokenPrivilege

Exploitation approach and open source code for SeLoadDriverPrivilege

Exploitation approach and open source code for SeTakeOwnershipPrivilege

Exploitation approach and open source code for SeDebugPrivilege

0x02 Brief exploitation approach

1. After obtaining access to the target, check which privileges are available:

whoami /priv

For example, the privileges of an ordinary user are shown in the following figure.

The privileges of an administrator user are shown in the following figure.

The privileges of the IIS user are shown in the following figure.

The Privilege Name column lists the privileges the token holds, and State shows whether each one is currently Enabled or Disabled. A privilege can be switched between Disabled and Enabled through the WinAPI AdjustTokenPrivileges.

Implementation code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnablePrivilegeandGetTokenInformation.cpp

The code enables the specified privilege (SeDebugPrivilege) and displays the current user name and privileges.

2. If the token includes any of the following nine privileges, they can be exploited further:

SeImpersonatePrivilege

SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeCreateTokenPrivilege

SeLoadDriverPrivilege

SeTakeOwnershipPrivilege

SeDebugPrivilege

Note:

IIS or SQL Server service accounts usually have SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.

Backup service accounts usually have SeBackupPrivilege and SeRestorePrivilege.
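As an added example (not part of the original article), the following Python audit parses `whoami /priv` output and flags which of the nine privileges above a token holds, so an administrator can review service accounts before they are abused. The sample output is constructed to resemble an IIS application pool identity; SeAssignPrimaryTokenPrivilege is the full name of the privilege the article calls SeAssignPrimaryPrivilege.

```python
import re

# The nine token privileges the article singles out; SeAssignPrimaryTokenPrivilege
# is the full name of what the text calls SeAssignPrimaryPrivilege.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
}

# One table row of `whoami /priv`: privilege name, free-text description, State.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")

def parse_whoami_priv(output: str) -> dict[str, str]:
    """Map each privilege name in `whoami /priv` output to its State column."""
    privs = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def audit_token(output: str) -> list[str]:
    """Return, sorted, the high-risk privileges the token holds. A privilege shown
    as Disabled is still held: the process can enable it with AdjustTokenPrivileges."""
    return sorted(p for p in parse_whoami_priv(output) if p in HIGH_RISK_PRIVILEGES)

# Constructed sample resembling `whoami /priv` for an IIS application pool
# identity; illustrative only, not captured from a real host.
SAMPLE_IIS = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""
```

Note that the audit deliberately reports SeAssignPrimaryTokenPrivilege even though it is Disabled: an audit that only looks at Enabled privileges would miss it.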

0x03 Exploiting SeImpersonatePrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L327

SeImpersonatePrivilege

Impersonate a client after authentication

A process with this privilege can impersonate an existing token, but cannot create a new token.

The following users have this privilege:

Members of the local Administrators group and local service accounts

Services started by the Service Control Manager

COM servers started by the Component Object Model (COM) infrastructure and configured to run under a specific account

Typically, IIS or SQL Server service accounts have this privilege.

Exploitation approach

Use NTLM relay to local negotiation to obtain the Token of the System user; open source tools such as Rotten Potato, lonelypotato or Juicy Potato can be used for this.

Create a new process through the WinAPI CreateProcessWithToken, passing in the System user's Token; the process can only be created successfully when SeImpersonatePrivilege is held.

The new process has System privileges.

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeImpersonatePrivilege.cpp

The code enables SeImpersonatePrivilege for the current process, calls CreateProcessWithToken with the Token of the current process, and creates a process. Combined with RottenPotato, it can be used to escalate from LocalService to System.

0x04 Exploiting SeAssignPrimaryTokenPrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L359

SeAssignPrimaryTokenPrivilege

Assign a token to a process (a newly created or suspended process)

Typically, IIS or SQL Server service accounts have this privilege.

Approach 1

Use NTLM relay to local negotiation to obtain the Token of the System user

Create a new process through the WinAPI CreateProcessAsUser, passing in the System user's Token

The new process has System privileges.

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeAssignPrimaryTokenPrivilege.cpp

The code enables SeAssignPrimaryTokenPrivilege for the current process, calls CreateProcessAsUser with the Token of the current process, and creates a process. Combined with RottenPotato, it can be used to escalate from LocalService to System.

Approach 2

Use NTLM relay to local negotiation to obtain the Token of the System user

Create a new suspended process through the WinAPI CreateProcess with the CREATE_SUSPENDED flag

Replace the Token of the new process with the System user's Token through the WinAPI NtSetInformationProcess

The new process has System privileges.

0x05 Exploiting SeTcbPrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L418

SeTcbPrivilege

Equivalent to obtaining the highest privilege on the system.

Exploitation approach

Call LsaLogonUser to obtain a Token

Add the Token to the Local System account group

The Token has System privileges.

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTcbPrivilege.cpp

The code enables SeTcbPrivilege for the current process, logs on the user test1, adds it to the Local System account group, obtains System privileges, and creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\testtcb

0x06 Exploiting SeBackupPrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L495

SeBackupPrivilege

Used to perform backup operations; grants read access to any file on the current system.

Exploitation approach

Read the registry hives HKEY_LOCAL_MACHINE\SAM, HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SYSTEM

The mimikatz command to dump the hashes of all users on the current system is as follows:

lsadump::sam /sam:SamBkup.hiv /system:SystemBkup.hiv

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeBackupPrivilege.cpp

The code enables SeBackupPrivilege for the current process, reads the registry, and saves it to the files C:\test\SAM, C:\test\SECURITY and C:\test\SYSTEM

0x07 Exploiting SeRestorePrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L528

SeRestorePrivilege

Used to perform restore operations; grants write access to any file on the current system.

Approach 1

With SeRestorePrivilege, modify the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Hijack the launch of exe files

Achieve privilege escalation or use it as a backdoor.

Approach 2

With SeRestorePrivilege, write dll files to any path

Perform dll hijacking

Achieve privilege escalation or use it as a backdoor.

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeRestorePrivilege.cpp

The code enables SeRestorePrivilege for the current process and creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\testrestore

0x08 Exploiting SeCreateTokenPrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L577

SeCreateTokenPrivilege

Used to create a Primary Token

Exploitation approach

Create a Primary Token through the WinAPI ZwCreateToken

Add the Token to the local Administrators group

The Token has System privileges.

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeCreateTokenPrivilege.cpp

The code enables SeCreateTokenPrivilege for the current process, creates a Primary Token, adds it to the local Administrators group, and enables SeDebugPrivilege and SeTcbPrivilege on it.

0x09 Exploiting SeLoadDriverPrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L626

SeLoadDriverPrivilege

Used to load driver files

Exploitation approach

Create the registry entries for the driver file:

reg add hkcu\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\test\Capcom.sys"

reg add hkcu\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

Load the driver file Capcom.sys

Capcom.sys contains a vulnerability; once the system has loaded it, it can be used to escalate from ordinary user privileges to System. For the code, see: https://github.com/tandasat/ExploitCapcom

Obtain System privileges

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeLoadDriverPrivilege.cpp

The code enables SeLoadDriverPrivilege for the current process, reads the registry key hkcu\System\CurrentControlSet\CAPCOM, and loads the driver file Capcom.sys

0x0A Exploiting SeTakeOwnershipPrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L688

SeTakeOwnershipPrivilege

Similar to SeRestorePrivilege; grants write access to any file on the current system.

Approach 1

With SeTakeOwnershipPrivilege, modify the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Hijack the launch of exe files

Achieve privilege escalation or use it as a backdoor.

Approach 2

With SeTakeOwnershipPrivilege, write dll files to any path

Perform dll hijacking

Achieve privilege escalation or use it as a backdoor.

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTakeOwnershipPrivilege.cpp

The code enables SeTakeOwnershipPrivilege for the current process and modifies the permissions of the registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options so that an ordinary user has full control over it.

Subsequent write operation:

reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v takeownership /t REG_SZ /d "C:\Windows\System32\calc.exe"
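The registry writes described in 0x07, 0x09 and 0x0A leave footprints a defender can check for. The following Python, added here and not taken from the original article or its referenced code, scans `reg query ... /s` style text for those three patterns: a service key registered under HKCU, an IFEO Debugger value, and a driver ImagePath outside System32\drivers. The sample text is constructed.

```python
import re

# Registry paths are case-insensitive, so the constants are lower-cased.
IFEO = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
HKCU_CCS = "hkey_current_user\\system\\currentcontrolset\\"
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def normalize_path(data: str) -> str:
    """Strip NT object-manager prefixes so paths compare as plain file paths."""
    p = data.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[12:]
    return p

def find_suspicious_entries(reg_query_output: str) -> list[tuple[str, str, str]]:
    """Scan `reg query ... /s` text; return (key, value name, reason) findings."""
    findings = []
    key = ""
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            if key.lower().startswith(HKCU_CCS):
                findings.append((key, "", "service key under HKCU (user-writable)"))
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, _, data = m.groups()
        if IFEO in key.lower() and name.lower() == "debugger":
            findings.append((key, name, "IFEO Debugger value hijacks exe launch"))
        elif name.lower() == "imagepath" and data.lower().endswith(".sys"):
            if not normalize_path(data).startswith(DRIVER_DIR):
                findings.append((key, name, "driver image outside System32\\drivers"))
    return findings

# Constructed `reg query` text: the article's CAPCOM and IFEO writes plus one
# benign built-in driver entry; not captured from a real system.
SAMPLE = """\
HKEY_CURRENT_USER\\System\\CurrentControlSet\\CAPCOM
    ImagePath    REG_SZ    \\??\\C:\\test\\Capcom.sys
    Type    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\calc.exe
    Debugger    REG_SZ    C:\\Users\\Public\\unexpected.exe
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Null
    ImagePath    REG_EXPAND_SZ    \\SystemRoot\\System32\\drivers\\null.sys
"""
```

The benign Null driver entry is included so the \SystemRoot\ normalization can be seen to suppress a false positive.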

0x0B Exploiting SeDebugPrivilege

Reference:

https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L736

SeDebugPrivilege

Used to debug a specified process, including reading and writing its memory; often used to implement dll injection

Exploitation approach

Find a process running with System privileges

Inject a dll into it

Obtain System privileges

Test code for reference:

https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeDebugPrivilege.cpp

The code enables SeDebugPrivilege for the current process and injects a dll into the specified process

0x0C Summary

This article summarizes the exploitation methods for nine kinds of privileges in the Token of ordinary users (or the LocalService user), analyzes the exploitation approaches, and refines the implementation code.
