Abusing Tokens

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Tokens

Ikiwa hujui ni nini Windows Access Tokens soma ukurasa huu kabla ya kuendelea:

Access Tokens

Labda unaweza kuwa na uwezo wa kupandisha mamlaka kwa kutumia tokens ulizonazo tayari

SeImpersonatePrivilege

Hii ni mamlaka ambayo inashikiliwa na mchakato wowote inayo ruhusu uigaji (lakini si uundaji) wa token yoyote, ikiwa tu mkono wake unaweza kupatikana. Token yenye mamlaka inaweza kupatikana kutoka kwa huduma ya Windows (DCOM) kwa kuifanya ifanye uthibitishaji wa NTLM dhidi ya exploit, na hivyo kuwezesha utekelezaji wa mchakato wenye mamlaka ya SYSTEM. Uthibitisho huu unaweza kutumika kwa kutumia zana mbalimbali, kama vile juicy-potato, RogueWinRM (ambayo inahitaji winrm iwe imezimwa), SweetPotato, na PrintSpoofer.

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato JuicyPotato

SeAssignPrimaryPrivilege

Ni sawa sana na SeImpersonatePrivilege, itatumia mbinu ile ile kupata token yenye mamlaka. Kisha, mamlaka hii inaruhusu kupewa token ya msingi kwa mchakato mpya/uliokamatwa. Kwa token ya uigaji yenye mamlaka unaweza kuunda token ya msingi (DuplicateTokenEx). Kwa token hiyo, unaweza kuunda mchakato mpya kwa 'CreateProcessAsUser' au kuunda mchakato ulio kamatwa na kuiweka token (kwa ujumla, huwezi kubadilisha token ya msingi ya mchakato unaoendelea).

SeTcbPrivilege

Ikiwa umewezeshwa token hii unaweza kutumia KERB_S4U_LOGON kupata token ya uigaji kwa mtumiaji mwingine yeyote bila kujua taarifa za kuingia, ongeza kundi lolote (admins) kwenye token, weka kiwango cha uaminifu cha token kuwa "medium", na kupewa token hii kwa thread ya sasa (SetThreadToken).

SeBackupPrivilege

Mfumo unalazimishwa kutoa udhibiti wa kusoma kwa faili yoyote (iliyopunguzwa kwa operesheni za kusoma) kwa mamlaka hii. Inatumika kwa kusoma hash za nywila za akaunti za Msimamizi wa ndani kutoka kwenye rejista, baada ya hapo, zana kama "psexec" au "wmiexec" zinaweza kutumika na hash hiyo (mbinu ya Pass-the-Hash). Hata hivyo, mbinu hii inashindwa chini ya hali mbili: wakati akaunti ya Msimamizi wa ndani imezimwa, au wakati sera ipo inayondoa haki za usimamizi kutoka kwa Wasimamizi wa ndani wanaounganisha kwa mbali. Unaweza kuitumia mamlaka hii kwa:

https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1
https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
kufuata IppSec katika https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610&ab_channel=IppSec
Au kama ilivyoelezwa katika sehemu ya kupandisha mamlaka na Watoa Hifadhi ya:

Privileged Groups

SeRestorePrivilege

Ruhusa ya kupata ufikiaji wa kuandika kwa faili yoyote ya mfumo, bila kujali Orodha ya Udhibiti wa Ufikiaji (ACL) ya faili hiyo, inatolewa na mamlaka hii. Inafungua uwezekano mwingi wa kupandisha mamlaka, ikiwa ni pamoja na uwezo wa kubadilisha huduma, kufanya DLL Hijacking, na kuweka debuggers kupitia Chaguzi za Utekelezaji wa Faili ya Picha kati ya mbinu nyingine mbalimbali.

SeCreateTokenPrivilege

SeCreateTokenPrivilege ni ruhusa yenye nguvu, hasa inavyofaa wakati mtumiaji ana uwezo wa kuigiza tokens, lakini pia katika ukosefu wa SeImpersonatePrivilege. Uwezo huu unategemea uwezo wa kuigiza token inayowakilisha mtumiaji yule yule na ambayo kiwango chake cha uaminifu hakizidi kile cha mchakato wa sasa.

Mambo Muhimu:

Uigaji bila SeImpersonatePrivilege: Inawezekana kutumia SeCreateTokenPrivilege kwa EoP kwa kuigiza tokens chini ya hali maalum.
Hali za Uigaji wa Token: Uigaji wa mafanikio unahitaji token lengwa kuwa ya mtumiaji yule yule na kuwa na kiwango cha uaminifu ambacho ni kidogo au sawa na kiwango cha uaminifu wa mchakato unaojaribu kuigiza.
Uundaji na Ubadilishaji wa Tokens za Uigaji: Watumiaji wanaweza kuunda token ya uigaji na kuiboresha kwa kuongeza SID ya kundi lenye mamlaka (Identifier ya Usalama).

SeLoadDriverPrivilege

Mamlaka hii inaruhusu kupakia na kupakua madereva ya vifaa kwa kuunda kipengee cha rejista chenye thamani maalum za ImagePath na Type. Kwa kuwa ufikiaji wa moja kwa moja wa kuandika kwenye HKLM (HKEY_LOCAL_MACHINE) umepunguzika, HKCU (HKEY_CURRENT_USER) lazima itumike badala yake. Hata hivyo, ili kufanya HKCU itambulike kwa kernel kwa ajili ya usanidi wa dereva, njia maalum lazima ifuatwe.

Njia hii ni \Registry\User\<RID>\System\CurrentControlSet\Services\DriverName, ambapo <RID> ni Kitambulisho cha Kijadi cha mtumiaji wa sasa. Ndani ya HKCU, njia hii yote lazima iundwe, na thamani mbili zinahitaji kuwekwa:

ImagePath, ambayo ni njia ya binary itakayotekelezwa
Type, ikiwa na thamani ya SERVICE_KERNEL_DRIVER (0x00000001).

Hatua za Kufuatia:

Fikia HKCU badala ya HKLM kutokana na ufikiaji wa kuandika uliozuiliwa.
Unda njia \Registry\User\<RID>\System\CurrentControlSet\Services\DriverName ndani ya HKCU, ambapo <RID> inawakilisha Kitambulisho cha Kijadi cha mtumiaji wa sasa.
Weka ImagePath kuwa njia ya utekelezaji wa binary.
Weka Type kama SERVICE_KERNEL_DRIVER (0x00000001).

# Example Python code to set the registry values
import winreg as reg

# Define the path and values
path = r'Software\YourPath\System\CurrentControlSet\Services\DriverName' # Adjust 'YourPath' as needed
key = reg.OpenKey(reg.HKEY_CURRENT_USER, path, 0, reg.KEY_WRITE)
reg.SetValueEx(key, "ImagePath", 0, reg.REG_SZ, "path_to_binary")
reg.SetValueEx(key, "Type", 0, reg.REG_DWORD, 0x00000001)
reg.CloseKey(key)

More ways to abuse this privilege in https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#seloaddriverprivilege

SeTakeOwnershipPrivilege

Hii ni sawa na SeRestorePrivilege. Kazi yake kuu inaruhusu mchakato kuchukua umiliki wa kitu, ikiepuka hitaji la ufikiaji wa wazi kupitia utoaji wa haki za WRITE_OWNER. Mchakato huu unahusisha kwanza kupata umiliki wa funguo za rejista zinazokusudiwa kwa madhumuni ya kuandika, kisha kubadilisha DACL ili kuwezesha operesheni za kuandika.

takeown /f 'C:\some\file.txt' #Now the file is owned by you
icacls 'C:\some\file.txt' /grant <your_username>:F #Now you have full access
# Use this with files that might contain credentials such as
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
c:\inetpub\wwwwroot\web.config

SeDebugPrivilege

Haki hii inaruhusu kudebug mchakato mwingine, ikiwa ni pamoja na kusoma na kuandika katika kumbukumbu. Mikakati mbalimbali ya kuingiza kumbukumbu, inayoweza kukwepa suluhisho nyingi za antivirus na kuzuia uvamizi wa mwenyeji, zinaweza kutumika na haki hii.

Dump memory

Unaweza kutumia ProcDump kutoka kwa SysInternals Suite ili kukamata kumbukumbu ya mchakato. Kwa hakika, hii inaweza kutumika kwa mchakato wa Local Security Authority Subsystem Service (LSASS), ambao unawajibika kuhifadhi akiba za mtumiaji mara tu mtumiaji anapofanikiwa kuingia kwenye mfumo.

Kisha unaweza kupakia dump hii katika mimikatz ili kupata nywila:

mimikatz.exe
mimikatz # log
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords

RCE

Ikiwa unataka kupata NT SYSTEM shell unaweza kutumia:

# Get the PID of a process running as NT SYSTEM
import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)

Angalia mamlaka

whoami /priv

The tokens that appear as Disabled zinaweza kuwezeshwa, unaweza kweli kutumia Enabled na Disabled tokens.

Enable All the tokens

Ikiwa una tokens zilizozuiliwa, unaweza kutumia script EnableAllTokenPrivs.ps1 kuwezesha tokens zote:

.\EnableAllTokenPrivs.ps1
whoami /priv

Or the script embed in this post.

Table

Full token privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary below will only list direct ways to exploit the privilege to obtain an admin session or read sensitive files.

Privilege Impact Tool Execution path Remarks

Privilege	Impact	Tool	Execution path	Remarks
`SeAssignPrimaryToken`	Admin	3rd party tool	"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"	Thank you Aurélien Chalot for the update. I will try to re-phrase it to something more recipe-like soon.
`SeBackup`	Threat	Built-in commands	Read sensitve files with `robocopy /b`	- Inaweza kuwa ya kuvutia zaidi ikiwa unaweza kusoma %WINDIR%\MEMORY.DMP - `SeBackupPrivilege` (na robocopy) si ya msaada linapokuja kwa faili zilizo wazi. - Robocopy inahitaji zote SeBackup na SeRestore kufanya kazi na /b parameter.
`SeCreateToken`	Admin	3rd party tool	Create arbitrary token including local admin rights with `NtCreateToken`.
`SeDebug`	Admin	PowerShell	Duplicate the `lsass.exe` token.	Script to be found at FuzzySecurity
`SeLoadDriver`	Admin	3rd party tool	1. Load buggy kernel driver such as `szkg64.sys` 2. Exploit the driver vulnerability Alternatively, the privilege may be used to unload security-related drivers with `ftlMC` builtin command. i.e.: `fltMC sysmondrv`	1. The `szkg64` vulnerability is listed as CVE-2018-15732 2. The `szkg64` exploit code was created by Parvez Anwar
`SeRestore`	Admin	PowerShell	1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with Enable-SeRestorePrivilege). 3. Rename utilman.exe to utilman.old 4. Rename cmd.exe to utilman.exe 5. Lock the console and press Win+U	Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege
`SeTakeOwnership`	Admin	Built-in commands	1. `takeown.exe /f "%windir%\system32"` 2. `icalcs.exe "%windir%\system32" /grant "%username%":F` 3. Rename cmd.exe to utilman.exe 4. Lock the console and press Win+U	Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.
`SeTcb`	Admin	3rd party tool	Manipulate tokens to have local admin rights included. May require SeImpersonate. To be verified.

SeAssignPrimaryToken

Admin

3rd party tool

"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"

Thank you Aurélien Chalot for the update. I will try to re-phrase it to something more recipe-like soon.

SeBackup

Threat

Built-in commands

Read sensitve files with robocopy /b

- Inaweza kuwa ya kuvutia zaidi ikiwa unaweza kusoma %WINDIR%\MEMORY.DMP - SeBackupPrivilege (na robocopy) si ya msaada linapokuja kwa faili zilizo wazi. - Robocopy inahitaji zote SeBackup na SeRestore kufanya kazi na /b parameter.

SeCreateToken

Admin

3rd party tool

Create arbitrary token including local admin rights with NtCreateToken.

SeDebug

Admin

PowerShell

Duplicate the lsass.exe token.

Script to be found at FuzzySecurity

SeLoadDriver

Admin

3rd party tool

1. Load buggy kernel driver such as szkg64.sys 2. Exploit the driver vulnerability Alternatively, the privilege may be used to unload security-related drivers with ftlMC builtin command. i.e.: fltMC sysmondrv

1. The szkg64 vulnerability is listed as CVE-2018-15732 2. The szkg64 exploit code was created by Parvez Anwar

SeRestore

Admin

PowerShell

1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with Enable-SeRestorePrivilege). 3. Rename utilman.exe to utilman.old 4. Rename cmd.exe to utilman.exe 5. Lock the console and press Win+U

Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege

SeTakeOwnership

Admin

Built-in commands

1. takeown.exe /f "%windir%\system32" 2. icalcs.exe "%windir%\system32" /grant "%username%":F 3. Rename cmd.exe to utilman.exe 4. Lock the console and press Win+U

Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.

SeTcb

Admin

3rd party tool

Manipulate tokens to have local admin rights included. May require SeImpersonate.

To be verified.

Reference

Take a look to this table defining Windows tokens: https://github.com/gtworek/Priv2Admin
Take a look to this paper about privesc with tokens.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousWindows Local Privilege Escalation NextAccess Tokens

Last updated 4 months ago