Abusing privileges
To view the privileges of the current user:
The impacket tool can be used to perform various tasks such as starting an SMB server, dumping secrets from hives in the Windows registry, and running commands with psexec, among many others.
Refer to my impacket notes for more information:
Suppose we have gained a remote shell on a server with the SeBackup and SeRestore privileges.
Because these privileges are set, we are able to save the contents of the SAM and SYSTEM registry hives to a location of our choice (C:\Users\jarrett\system.hive and C:\Users\jarrett\sam.hive in this case):
The command below starts a simple SMB server on the attacker machine with a network share named public that points to the share directory. This allows us to transfer the files from the target machine to the attacker machine through that share point (the share folder).
Attacker machine
The command below copies system.hive and sam.hive from the specified directory to the share point on the attacker machine.
Target machine
The next few commands should be run from the attacker machine.
The command below dumps the hashes from the sam.hive and system.hive files present in the current folder (specified by the LOCAL target option).
The command below uses the hashes found by the impacket-secretsdump command above to authenticate as the administrator user. This provides us with a remote shell as the administrator user on the target Windows machine.
The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys.
Suppose we have found a service on the target system that executes an .exe file with SYSTEM privileges (an example would be utilman.exe). Let's name that file priv.exe. Due to our SeTakeOwnership privilege, we are able to take ownership of that file with the command below:
At this point, we are able to grant ourselves any permissions we need over the file. The command below gives our current user (jarrett) full access (F) to the priv.exe file at the specified location.
Finally, we can copy any file of choice to the target file we have full access to:
Take note to be in the correct directory when using the terminal, or alternatively provide the full path.
The command below copies the cmd.exe file to priv.exe:
This provides us with a command prompt with SYSTEM privileges whenever the particular service mentioned above is started.
SeImpersonate: Privilege that allows a user to impersonate another user's security context.
SeAssignPrimaryToken: Privilege that allows assignment of a new security token to a process. This allows that process to impersonate a higher-privileged user (such as SYSTEM).
Breakdown of how the RogueWinRM exploit tool works (as of the time of writing, I wasn't able to find a comprehensive technical guide on how it works; however, I have pieced together the key points from research on the main concepts involved in this exploit):
The Background Intelligent Transfer Service (BITS) is started, which automatically initiates a connection to port 5985 (used by WinRM) using SYSTEM privileges.
Port 5985 is typically used by the WinRM service, which exposes a PowerShell console for remote use over the network.
The SYSTEM-level authentication credentials can be captured from the above-mentioned connection to WinRM on the local target machine (port 5985).
The captured authentication credentials can be used to execute a payload of choice (specified as an argument to the RogueWinRM tool) with SYSTEM-level privileges. This is possible because the SeImpersonate and SeAssignPrimaryToken privileges are set on the user on the target machine.
A reverse shell connection can be established to a remote attacker server, essentially providing a SYSTEM-level shell.
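A defender-side check for the privileges covered above (SeBackup/SeRestore, SeTakeOwnership, SeImpersonate/SeAssignPrimaryToken), added here as an example and not part of these notes: it parses Windows Security event 4672 ("Special privileges assigned to new logon") message bodies and flags logons outside an expected baseline that received any of them. The baseline set, the sample SIDs, account names, logon IDs and privilege lists are all constructed.

```python
import re
from collections import namedtuple

# Privileges discussed above, each with the abuse path it opens.
WATCHED = {
    "SeBackupPrivilege": "read SAM/SYSTEM hives",
    "SeRestorePrivilege": "overwrite protected files and registry keys",
    "SeTakeOwnershipPrivilege": "take ownership of service binaries",
    "SeImpersonatePrivilege": "impersonate a captured SYSTEM token",
    "SeAssignPrimaryTokenPrivilege": "attach a SYSTEM token to a process",
}
# Accounts expected to receive these privileges at logon (constructed baseline; tune per host).
BASELINE = {"SYSTEM", "Administrator"}

Finding = namedtuple("Finding", "account logon_id privileges")

# Constructed 4672 message bodies in the layout Event Viewer shows (tabs as in the real event).
SAMPLE_EVENTS = [
    "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n"
    "\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeImpersonatePrivilege",
    "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1005\n\tAccount Name:\t\tjarrett\n"
    "\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x5A2F1\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege",
    "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1010\n\tAccount Name:\t\tauditor\n"
    "\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x7B10\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeAuditPrivilege",
]

_ACCOUNT = re.compile(r"Account Name:\s*(\S+)")
_LOGON = re.compile(r"Logon ID:\s*(0x[0-9A-Fa-f]+)")
_PRIVS = re.compile(r"Privileges:\s*(.*)", re.S)  # privilege list runs to the end of the body


def parse_4672(message):
    """Return (account, logon_id, set_of_privilege_names) from one 4672 message body."""
    account = _ACCOUNT.search(message).group(1)
    logon_id = _LOGON.search(message).group(1)
    privileges = set(_PRIVS.search(message).group(1).split())
    return account, logon_id, privileges


def find_risky_logons(messages, baseline=BASELINE):
    """Flag logons outside the baseline that were granted any watched privilege."""
    findings = []
    for message in messages:
        account, logon_id, privileges = parse_4672(message)
        if account in baseline:
            continue
        hits = sorted(privileges.intersection(WATCHED))
        if hits:
            findings.append(Finding(account, logon_id, hits))
    return findings
```

Each finding's privileges can be mapped through WATCHED to explain why the logon matters; in practice, the logon ID ties the 4672 event to the later 4673/4674 privileged-service events from the same session.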
Windows privileges to admin list