Friday, August 9, 2019

The usage of 9 permissions for Windows Token

0x00 Preface

This article combines my own experience with a number of open source tools and materials to summarize this technique and share what I learned.
Referenced open source tools and materials:
  • Hot Potato: https://github.com/foxglovesec/Potato
  • Tokenvator:  https://github.com/0xbadjuju/Tokenvator/
  • Powershell version Hot Potato: https://github.com/Kevin-Robertson/Tater
  • Rotten Potato: https://github.com/breenmachine/RottenPotatoNG
  • lonelypotato: https://github.com/decoder-it/lonelypotato
  • Juicy Potato: https://github.com/ohpe/juicy-potato
  • https://github.com/hatRiot/token-priv
  • https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
  • https://foxglovesecurity.com/2016/01/16/hot-potato/
  • https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

0x01 Introduction


This article will introduce the following:
  • An overview of the approach
  • SeImpersonatePrivilege: exploitation ideas and open source code
  • SeAssignPrimaryTokenPrivilege: exploitation ideas and open source code
  • SeTcbPrivilege: exploitation ideas and open source code
  • SeBackupPrivilege: exploitation ideas and open source code
  • SeRestorePrivilege: exploitation ideas and open source code
  • SeCreateTokenPrivilege: exploitation ideas and open source code
  • SeLoadDriverPrivilege: exploitation ideas and open source code
  • SeTakeOwnershipPrivilege: exploitation ideas and open source code
  • SeDebugPrivilege: exploitation ideas and open source code

0x02 Overview of the approach


1. After obtaining access to the target, view the privileges available to the current token:

whoami /priv

For example, a normal user, an admin user and the IIS user each hold a different set of privileges (the screenshots of the three outputs are omitted here).
The Privilege Name column names the privilege and the State column shows whether it is Disabled or Enabled. A privilege that is present in the token can be switched between Disabled and Enabled with the WinAPI AdjustTokenPrivileges.
Implementation code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnablePrivilegeandGetTokenInformation.cpp
The code enables the specified privilege (SeDebugPrivilege) and displays the current user name and privileges.

2. If the token includes any of the following nine privileges, we can exploit it further:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege
Note:
The IIS or SQL Server service users usually have SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.
Backup service users usually have SeBackupPrivilege and SeRestorePrivilege.
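As an added example that is not part of the original article or its referenced tools, the Python script below parses the text printed by whoami /priv and reports which of the nine privileges listed above are present in the token, whether their State is Enabled or Disabled. Disabled privileges are reported on purpose: they are still held by the token and, as noted above, can be turned on with AdjustTokenPrivileges. The two sample outputs are constructed to resemble a normal interactive user and an IIS application pool identity.

```python
import re
from typing import Dict, List, Tuple

# The nine privileges covered by this article.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
}

# One data row of `whoami /priv`: privilege name, free-text description, state.
_ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> Dict[str, str]:
    """Map each privilege name in the `whoami /priv` text to its State column."""
    privileges: Dict[str, str] = {}
    for line in output.splitlines():
        match = _ROW_RE.match(line.strip())
        if match:
            privileges[match.group(1)] = match.group(3)
    return privileges


def high_risk_privileges(privileges: Dict[str, str]) -> List[Tuple[str, str]]:
    """(name, state) for every high-risk privilege held by the token, sorted by name.

    Disabled privileges are included: the token still holds them, and
    AdjustTokenPrivileges can enable them, so they matter for triage."""
    return sorted((name, state) for name, state in privileges.items()
                  if name in HIGH_RISK_PRIVILEGES)


# Constructed sample: token of an ordinary interactive user.
SAMPLE_USER = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
"""

# Constructed sample: token of an IIS application pool identity.
SAMPLE_IIS = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for label, text in (("normal user", SAMPLE_USER), ("iis", SAMPLE_IIS)):
        hits = high_risk_privileges(parse_whoami_priv(text))
        print(f"{label}: {hits if hits else 'no high-risk privileges'}")
```

On a real host, pipe the command output into parse_whoami_priv (for example by reading it from a file or from subprocess output); the script only depends on the column layout that whoami prints, not on the Windows API, so it can also be run over output collected from many hosts during an audit.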

0x03 Use of SeImpersonatePrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L327

SeImpersonatePrivilege

Impersonate a client after authentication
A process with this privilege can impersonate an existing token but cannot create a new token.
The following users have this privilege:
  • Members of the local Administrators group and the local service account
  • Services started by the Service Control Manager
  • COM servers started by the Component Object Model (COM) infrastructure and configured to run under a specific account
Usually the IIS or SQL Server service users have this privilege.

Approach

  1. Use NTLM relay to local negotiation to obtain a token of the System user, with the open source tool Rotten Potato, lonelypotato or Juicy Potato.
  2. Create a new process with the WinAPI CreateProcessWithToken. Because the current token holds SeImpersonatePrivilege, creating the process with the System user's token succeeds.
  3. The new process has System privileges.
Test code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeImpersonatePrivilege.cpp
The code enables SeImpersonatePrivilege for the current process, calls CreateProcessWithToken with the current process's token to create a process, and, combined with RottenPotato, can be used to escalate from LocalService to System.

0x04 Use of SeAssignPrimaryTokenPrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L359

SeAssignPrimaryTokenPrivilege

Assign a primary token to a process (a newly created or suspended process)
Usually the IIS or SQL Server service users have this privilege.

Approach 1

  1. Obtain a token of the System user with NTLM relay to local negotiation.
  2. Create a new process through the WinAPI CreateProcessAsUser, passing in the System user's token.
  3. The new process has System privileges.
Test code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeAssignPrimaryTokenPrivilege.cpp
The code enables SeAssignPrimaryTokenPrivilege for the current process, calls CreateProcessAsUser with the current process's token to create a process, and, combined with RottenPotato, can be used to escalate from LocalService to System.

Approach 2

  1. Obtain a token of the System user with NTLM relay to local negotiation.
  2. Create a new suspended process via the WinAPI CreateProcess with the CREATE_SUSPENDED flag.
  3. Replace the new process's token with the System user's token via the WinAPI NtSetInformationProcess.
  4. The process has System privileges.

0x05 Use of SeTcbPrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L418

SeTcbPrivilege

Equivalent to the highest privilege in the system.

Approach

  1. Call LsaLogonUser to obtain a token.
  2. Add the Local System account group to that token.
  3. The token has System privileges.
Test code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTcbPrivilege.cpp
The code enables SeTcbPrivilege for the current process, logs in the user test1, adds the Local System account group to its token, obtains System privileges, and creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\testtcb.

0x06 Use of SeBackupPrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L495

SeBackupPrivilege

Used to perform backup operations; grants read access to any file in the current system.

Approach

  1. Read the registry hives HKEY_LOCAL_MACHINE\SAM, HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SYSTEM.
  2. Export the hashes of all users of the current system with mimikatz:
lsadump::sam /sam:SamBkup.hiv /system:SystemBkup.hiv
Test code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeBackupPrivilege.cpp
The code enables SeBackupPrivilege for the current process, reads the registry hives, and saves them as the files C:\test\SAM, C:\test\SECURITY and C:\test\SYSTEM.

0x07 Use of SeRestorePrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L528

SeRestorePrivilege

Used to perform restore operations; grants write access to any file in the current system.

Approach 1

  1. With SeRestorePrivilege, modify the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
  2. Hijack the startup of an exe file.
  3. Escalate privileges or use it as a backdoor.

Approach 2

  1. With SeRestorePrivilege, write a dll file to any path.
  2. Perform dll hijacking.
  3. Escalate privileges or use it as a backdoor.
Test code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeRestorePrivilege.cpp
The code enables SeRestorePrivilege for the current process and creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\testrestore.

0x08 Use of SeCreateTokenPrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L577

SeCreateTokenPrivilege

Used to create a primary token.

Approach

  1. Create a primary token via the WinAPI ZwCreateToken.
  2. Add the local Administrators group to the token.
  3. The token has System privileges.
Test code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeCreateTokenPrivilege.cpp
The code enables SeCreateTokenPrivilege for the current process, creates a primary token, adds the local Administrators group to it, and enables SeDebugPrivilege and SeTcbPrivilege in it.

0x09 Use of SeLoadDriverPrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L626

SeLoadDriverPrivilege

Used to load driver files.

Approach

  1. Create the registry entries for the driver file:
reg add hkcu\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\test\Capcom.sys"
reg add hkcu\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
  2. Load the driver file Capcom.sys.
  3. Capcom.sys has a vulnerability: once the system has loaded it, it can be used to escalate from normal user rights to System. Reference code: https://github.com/tandasat/ExploitCapcom
  4. Obtain System privileges.
Test code for reference: https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeLoadDriverPrivilege.cpp
The code enables SeLoadDriverPrivilege for the current process, reads the registry key hkcu\System\CurrentControlSet\CAPCOM, and loads the driver file Capcom.sys.

0x0A Use of SeTakeOwnershipPrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L688

SeTakeOwnershipPrivilege

Similar to SeRestorePrivilege: it gives write access to any file in the current system.

Approach 1

  1. With SeTakeOwnershipPrivilege, modify the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
  2. Hijack the startup of an exe file.
  3. Escalate privileges or use it as a backdoor.

Approach 2

  1. With SeTakeOwnershipPrivilege, write a dll file to any path.
  2. Perform dll hijacking.
  3. Escalate privileges or use it as a backdoor.
Test code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeTakeOwnershipPrivilege.cpp
The code enables SeTakeOwnershipPrivilege for the current process and modifies the permissions of the registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options so that a normal user has full control over it.
A subsequent write can then be performed, for example:
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v takeownership /t REG_SZ /d "C:\\Windows\\System32\\calc.exe"
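Both this section and 0x07 rely on writing to the Image File Execution Options key, so a defender wants a quick way to review that key. The following audit script is an added example, not part of the original article or its test code: it parses the text output of reg query "<IFEO key>" /s and reports per-image subkeys that set a Debugger value (the value Windows consults to launch another program in place of the image, so the usual sign of startup hijacking) as well as any other string value under the key that points at an executable, which is what the test command above leaves behind. The sample registry output is constructed.

```python
import re
from typing import Dict, List, Tuple

IFEO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

Value = Tuple[str, str, str]  # (value name, type, data)


def parse_reg_query(output: str) -> Dict[str, List[Value]]:
    """Parse `reg query <key> /s` text into {key path: [(name, type, data), ...]}.

    reg.exe prints key paths unindented and each value indented, with the
    name, type and data separated by runs of spaces."""
    keys: Dict[str, List[Value]] = {}
    current = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.rstrip()
            keys.setdefault(current, [])
            continue
        if current is None:
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) == 3:
            keys[current].append((parts[0], parts[1], parts[2]))
        elif len(parts) == 2:  # value with empty data
            keys[current].append((parts[0], parts[1], ""))
    return keys


def find_ifeo_debuggers(output: str) -> Dict[str, str]:
    """Image name -> Debugger command for every per-image subkey that sets one."""
    hits: Dict[str, str] = {}
    prefix = IFEO_ROOT.lower() + "\\"
    for key, values in parse_reg_query(output).items():
        if not key.lower().startswith(prefix):
            continue
        image = key.rsplit("\\", 1)[1]
        for name, _vtype, data in values:
            if name.lower() == "debugger":
                hits[image] = data
    return hits


def find_exe_references(output: str) -> List[Tuple[str, str, str]]:
    """(key, value name, data) for string values under IFEO that point at an
    .exe but are not the Debugger value, e.g. a leftover test write."""
    findings = []
    for key, values in parse_reg_query(output).items():
        for name, vtype, data in values:
            if (vtype in ("REG_SZ", "REG_EXPAND_SZ")
                    and name.lower() != "debugger"
                    and data.lower().endswith(".exe")):
                findings.append((key, name, data))
    return findings


# Constructed sample output of `reg query "<IFEO key>" /s`.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    takeownership    REG_SZ    C:\Windows\System32\calc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
    mscorsvw.exe    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\Windows\System32\cmd.exe
"""

if __name__ == "__main__":
    for image, cmd in find_ifeo_debuggers(SAMPLE_REG_OUTPUT).items():
        print(f"Debugger set for {image}: {cmd}")
    for key, name, data in find_exe_references(SAMPLE_REG_OUTPUT):
        print(f"executable reference {name} = {data} under {key}")
```

A Debugger value is legitimate for some developer tooling, so compare the findings against a known baseline rather than treating every hit as malicious; the point of the script is to make the review repeatable across hosts.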

0x0B Use of SeDebugPrivilege


Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L736

SeDebugPrivilege

Used to debug any process, including reading and writing its memory; often used to implement dll injection.

Approach

  1. Find a process running with System privileges.
  2. Inject a dll into it.
  3. Obtain System privileges.
Test code for reference:
https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeDebugPrivilege.cpp
The code enables SeDebugPrivilege for the current process and injects a dll into the specified process.
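Every technique in sections 0x03 through 0x0B starts from a token that holds one of the nine privileges, which is also where detection can start. Windows records Security event 4672 when a logon session is assigned sensitive privileges and, when the "Audit Token Right Adjusted" subcategory is enabled, event 4703 when a process enables or disables privileges through AdjustTokenPrivileges. The script below is an added example, not part of the original article or its referenced tools: it scans constructed event records (field names follow the Windows event schema; the baseline of accounts expected to hold such privileges is an assumption to be tuned per environment) and flags non-baseline accounts that receive or enable any of the nine privileges.

```python
from typing import Dict, Iterable, List, Set, Tuple

# The nine privileges covered by this article.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege",
}

# Accounts that hold sensitive privileges at every logon by design. This is an
# assumed baseline; extend it with the environment's known service accounts.
DEFAULT_EXPECTED: Set[Tuple[str, str]] = {
    ("NT AUTHORITY", "SYSTEM"),
    ("NT AUTHORITY", "LOCAL SERVICE"),
    ("NT AUTHORITY", "NETWORK SERVICE"),
}

Finding = Tuple[str, str, List[str]]  # (DOMAIN\user, how, privileges)


def _split_privileges(field: str) -> List[str]:
    # The event writes one privilege per line, indented with tabs.
    return field.split()


def flag_privileged_events(events: Iterable[Dict],
                           expected: Set[Tuple[str, str]] = DEFAULT_EXPECTED
                           ) -> List[Finding]:
    """Findings for events where a non-baseline account was assigned (4672)
    or enabled (4703) at least one of the high-risk privileges."""
    findings: List[Finding] = []
    for ev in events:
        account = (ev.get("SubjectDomainName", ""), ev.get("SubjectUserName", ""))
        if account in expected:
            continue  # baseline accounts generate these events constantly
        event_id = ev.get("EventID")
        if event_id == 4672:
            privs = _split_privileges(ev.get("PrivilegeList", ""))
            how = "assigned at logon"
        elif event_id == 4703:
            privs = _split_privileges(ev.get("EnabledPrivilegeList", ""))
            how = "enabled by " + ev.get("ProcessName", "<unknown process>")
        else:
            continue
        hits = sorted(p for p in privs if p in HIGH_RISK_PRIVILEGES)
        if hits:
            findings.append(("\\".join(account), how, hits))
    return findings


# Constructed sample records, shaped like the EventData of the real events.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeDebugPrivilege"},
    {"EventID": 4672, "SubjectDomainName": "CORP", "SubjectUserName": "svc_iis",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeImpersonatePrivilege"},
    {"EventID": 4672, "SubjectDomainName": "CORP", "SubjectUserName": "bob",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeSystemtimePrivilege"},
    {"EventID": 4703, "SubjectDomainName": "CORP", "SubjectUserName": "alice",
     "ProcessName": r"C:\Users\alice\Downloads\tool.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "alice"},
]

if __name__ == "__main__":
    for account, how, privs in flag_privileged_events(SAMPLE_EVENTS):
        print(f"{account}: {', '.join(privs)} ({how})")
```

Two caveats apply in practice: 4672 only shows what a session holds at logon, so the svc_iis finding is expected noise on every IIS host and is useful mainly as an inventory of where the Potato-style path exists, while 4703 is the event that actually shows a process turning a privilege on and is very high volume for the baseline accounts, which is why they are filtered before the privilege check.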

