0x00 Preface
---
Previous articles "Penetration Techniques - Switching from Admin to System Privileges" and "Penetration Techniques - Token Theft and Exploitation" introduced methods to switch from admin privileges to system and TrustedInstaller privileges respectively, with the primary approach being token-based privilege switching.
So, what exploitable methods exist for special tokens held by regular users (or LocalService users)? Can privilege escalation be achieved? How can this be determined?
This article will combine personal experience, reference multiple open-source tools and materials, attempt to summarize this technique, and share learning insights.
Referenced open-source tools and materials:
- Hot Potato: https://github.com/foxglovesec/Potato
- PowerShell version Hot Potato: https://github.com/Kevin-Robertson/Tater
- Rotten Potato: https://github.com/breenmachine/RottenPotatoNG
- lonelypotato: https://github.com/decoder-it/lonelypotato
- Juicy Potato: https://github.com/ohpe/juicy-potato
- https://github.com/hatRiot/token-priv
- https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
- https://foxglovesecurity.com/2016/01/16/hot-potato/
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
0x01 Introduction
---
This article will cover the following:
- Brief exploitation approach
- Exploitation approach and open-source code for SeImpersonatePrivilege
- Exploitation approach and open-source code for SeAssignPrimaryTokenPrivilege
- Exploitation approach and open-source code for SeTcbPrivilege
- Exploitation approach and open-source code for SeBackupPrivilege
- Exploitation approach and open-source code for SeRestorePrivilege
- Exploitation approach and open-source code for SeCreateTokenPrivilege
- Exploitation approach and open-source code for SeLoadDriverPrivilege
- Exploitation approach and open-source code for SeTakeOwnershipPrivilege
- Exploitation approach and open-source code for SeDebugPrivilege
0x02 Brief Exploitation Approach
---
1. After gaining access to the target, check the privileges held by the current token:
`whoami /priv`
For example, the privileges a regular user has are shown in the figure below

The privileges an administrator user has are shown in the figure below

The privileges an IIS user has are shown in the figure below

The 'Privilege Name' column lists the privileges held, and 'State' shows whether each is currently Enabled or Disabled. A Disabled privilege is still held by the token: the WinAPI AdjustTokenPrivileges can switch it between Disabled and Enabled.
Reference implementation code:
An open-source project
The code implements enabling a specified privilege (SeDebugPrivilege) and viewing the current username and held privileges
2. If any of the following nine privileges is present, it can be exploited further:
- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
Note:
IIS or SQL Server service accounts typically hold SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.
Backup service users typically have SeBackupPrivilege and SeRestorePrivilege permissions.
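As an added audit example (not code from the original article or from the referenced tools), the following PowerShell reads `whoami /priv` output in CSV form and reports which of the nine privileges listed above the current token holds, in either state; the privilege names come from this article, and the `-CsvText` parameter for analysing output captured earlier is an assumption of this example.

```powershell
# Added audit example: flag the nine high-risk privileges this article discusses.
# "whoami /priv /fo csv" gives stable column names: "Privilege Name","Description","State"
$HighRiskPrivileges = @(
    'SeImpersonatePrivilege',
    'SeAssignPrimaryTokenPrivilege',   # the article abbreviates this as SeAssignPrimaryPrivilege
    'SeTcbPrivilege',
    'SeBackupPrivilege',
    'SeRestorePrivilege',
    'SeCreateTokenPrivilege',
    'SeLoadDriverPrivilege',
    'SeTakeOwnershipPrivilege',
    'SeDebugPrivilege'
)

function Get-HighRiskTokenPrivilege {
    param(
        # Optional (hypothetical parameter of this example): lines captured earlier with
        # "whoami /priv /fo csv", e.g. collected from a service account during triage.
        [string[]]$CsvText
    )
    if (-not $CsvText) { $CsvText = whoami /priv /fo csv }   # live token of this process

    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $name = $row.'Privilege Name'
        if ($HighRiskPrivileges -contains $name) {
            # A Disabled privilege is still held: the holder can enable it with
            # AdjustTokenPrivileges, so "Disabled" alone is not a mitigation.
            [pscustomobject]@{
                Privilege = $name
                State     = $row.State
            }
        }
    }
}

# Report for the current token
$findings = Get-HighRiskTokenPrivilege
if ($findings) {
    "Token of $(whoami) holds high-risk privileges:"
    $findings | Format-Table -AutoSize
} else {
    "Token of $(whoami) holds none of the nine high-risk privileges."
}
```

Run it under each service account of interest (IIS application pool identities, SQL Server, backup agents) to see which of the sections below apply to that host.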
0x03 Exploitation Ideas for SeImpersonatePrivilege
---
References:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L327
SeImpersonatePrivilege
Impersonate a client after authentication
Processes with this privilege can impersonate existing tokens but cannot create new tokens
The following users have this privilege:
- Local Administrators group members and local service accounts
- Services started by the Service Control Manager
- COM servers launched by the Component Object Model (COM) infrastructure and configured to run under a specific account
Typically, IIS or SQL Server users have this privilege
Exploitation approach
- Obtain a System user token via NTLM Relay to Local Negotiation
Can use open-source tools such as Rotten Potato, LonelyPotato, or Juicy Potato
- Create a new process using the WinAPI CreateProcessWithToken, passing the System user token
Requires SeImpersonatePrivilege to succeed
- This token has System privileges
Reference test code:
An open-source project
The code enables SeImpersonatePrivilege for the current process, calls CreateProcessWithToken with the current process's token to create a new process, and can be combined with RottenPotato to escalate from LocalService to System.
0x04 Exploitation approach for SeAssignPrimaryTokenPrivilege
---
Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L359
SeAssignPrimaryTokenPrivilege
Assign a token to a process (newly created or suspended)
Typically, IIS or SQL Server users have this privilege
Exploitation approach 1
- Use NTLM Relay to Local Negotiation to obtain the System user's Token
- Create a new process via WinAPI CreateProcessAsUser, passing the System user's Token
- This Token has System privileges
Reference test code:
An open-source project
The code enables SeAssignPrimaryTokenPrivilege for the current process, calls CreateProcessAsUser with the current process's token to create a new process, and combined with RottenPotato can be used to escalate from LocalService to System.
Exploitation approach 2
- Obtain the System user's Token by exploiting NTLM Relay to Local Negotiation
- Create a suspended new process via the WinAPI CreateProcess, with the parameter set to CREATE_SUSPENDED
- Replace the new process's Token with the System user's Token via the WinAPI NtSetInformationProcess
- This Token possesses System privileges
0x05 Exploitation approach for SeTcbPrivilege
---
Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L418
SeTcbPrivilege
Equivalent to obtaining the highest system privileges
Exploitation approach
- Call LsaLogonUser to obtain a Token
- Add this Token to the Local System account group
- This Token has System privileges
Reference test code:
An open-source project
The code implements enabling SeTcbPrivilege for the current process, logs in user test1, adds it to the Local System account group, obtains System privileges, and creates registry key HKEY_LOCAL_MACHINE\SOFTWARE\testtcb
0x06 Exploitation approach for SeBackupPrivilege
---
Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L495
SeBackupPrivilege
Used to perform backup operations; grants read access to any file on the current system
Exploitation approach
- Read registry HKEY_LOCAL_MACHINE\SAM, HKEY_LOCAL_MACHINE\SECURITY, and HKEY_LOCAL_MACHINE\SYSTEM
- Export all user hashes from the current system
The mimikatz command is as follows:
`lsadump::sam /sam:SamBkup.hiv /system:SystemBkup.hiv`
Reference test code:
An open-source project
The code enables SeBackupPrivilege for the current process, reads the registry, and saves it to the files C:\test\SAM, C:\test\SECURITY, and C:\test\SYSTEM
0x07 Exploitation ideas for SeRestorePrivilege
---
Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L528
SeRestorePrivilege
Used to perform restore operations, granting write permissions to any file on the current system
Exploitation approach 1
- Obtain SeRestorePrivilege and modify the registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`
- Hijack the startup of EXE files
- Achieve privilege escalation or serve as a backdoor
Exploitation approach 2
- Obtain SeRestorePrivilege and write DLL files to arbitrary paths
- Achieve DLL hijacking
- Achieve privilege escalation or serve as a backdoor
Test code for reference:
An open-source project
The code implements enabling SeRestorePrivilege for the current process, creating the registry key HKEY_LOCAL_MACHINE\SOFTWARE\testrestore
0x08 Exploitation Idea for SeCreateTokenPrivilege
---
Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L577
SeCreateTokenPrivilege
Used to create Primary Token
Exploitation idea
- Create Primary Token via WinAPI ZwCreateToken
- Add Token to local administrator group
- This Token has System privileges
Reference test code:
An open-source project
The code implements enabling SeCreateTokenPrivilege for the current process, creating a Primary Token, adding it to the local administrator group, and enabling SeDebugPrivilege and SeTcbPrivilege
0x09 SeLoadDriverPrivilege exploitation approach
---
Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L626
SeLoadDriverPrivilege
Used to load driver files
Exploitation approach
- Create registry entries for driver files
`reg add hkcu\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\test\Capcom.sys"`
- Load driver file Capcom.sys
- Capcom.sys contains a vulnerability; after system loading, privileges can be escalated from ordinary user to System level. Reference exploit code:
https://github.com/tandasat/ExploitCapcom
- Obtain System privileges
Test code for reference:
An open-source project
The code implements enabling SeLoadDriverPrivilege for the current process, reads registry key hkcu\System\CurrentControlSet\CAPCOM, and loads driver file Capcom.sys
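The registration step above writes a service-style key with an ImagePath value under HKCU rather than HKLM, a branch that a normal user hive never contains. As an added defender-side example (not from the article or its referenced tools), this PowerShell check walks every loaded user hive under HKEY_USERS for a `System\CurrentControlSet` branch and reports any ImagePath values found; the function name and output layout are this example's own.

```powershell
# Added detection example: find driver/service registrations written into user hives,
# the pattern of the "reg add hkcu\System\CurrentControlSet\..." step described above.
function Get-UserHiveDriverRegistration {
    # HKU: is not a default PowerShell drive; map it so every loaded user hive can be walked
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        $branch = "$($hive.PSPath)\System\CurrentControlSet"
        if (-not (Test-Path $branch)) { continue }   # normal user hives do not have this branch

        # The branch itself is already a finding, even before any ImagePath is located
        [pscustomobject]@{ Hive = $hive.PSChildName; Key = 'System\CurrentControlSet'; ImagePath = '(branch present)' }

        Get-ChildItem -Path $branch -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $image = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            if ($image) {
                [pscustomobject]@{
                    Hive      = $hive.PSChildName                        # SID of the user whose hive holds it
                    Key       = $_.Name -replace '^HKEY_USERS\\[^\\]+\\', ''
                    ImagePath = $image                                   # e.g. \??\C:\...\driver.sys
                }
            }
        }
    }
}

Get-UserHiveDriverRegistration | Format-Table -AutoSize
```

Pair this with driver-load telemetry (for example Sysmon event ID 6) so that the load itself is recorded even if the registration key is deleted afterwards.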
0x0A Exploitation approach for SeTakeOwnershipPrivilege
---
Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L688
SeTakeOwnershipPrivilege
Similar to SeRestorePrivilege, grants write permissions to any file on the current system
Exploitation approach 1
- Obtain SeTakeOwnershipPrivilege and modify the registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`
- Hijack EXE file startup
- Achieve privilege escalation or serve as a backdoor
Exploitation approach 2
- Obtain SeTakeOwnershipPrivilege and write DLL files to arbitrary paths
- Achieve DLL hijacking
- Achieve privilege escalation or serve as a backdoor
Reference test code:
An open-source project
The code enables SeTakeOwnershipPrivilege for the current process and modifies the permissions of the registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, granting full control to standard user accounts
Subsequent write operation:
`reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v takeownership /t REG_SZ /d "C:\Windows\System32\calc.exe"`
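Exploitation approach 1 here and in 0x07 both end with a write to the Image File Execution Options key, and the test code above loosens that key's ACL. As an added defender-side example (not from the article or its tools), this PowerShell audit lists IFEO subkeys that redirect an executable through a Debugger value and reports write-capable ACEs on the key held by identities outside the usual privileged set; the trusted-identity list and the write-rights mask are this example's assumptions.

```powershell
# Added audit example for the IFEO key targeted by the SeRestorePrivilege and
# SeTakeOwnershipPrivilege approaches above.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntry {
    # Each subkey is named after an executable; a Debugger value makes Windows start that
    # program instead, which is the "hijack EXE startup" step described above.
    Get-ChildItem -Path $IfeoPath | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Executable = $_.PSChildName; Debugger = $dbg }
        }
    }
}

function Get-IfeoWriteAccess {
    # Assumed baseline: only these identities should be able to write here. Anything else
    # holding write, permission-change or take-ownership rights means the ACL was changed.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    $writeMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                       [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                       [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                       [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $acl = Get-Acl -Path $IfeoPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $granted = [int]$ace.RegistryRights
        if ((($granted -band $writeMask) -ne 0) -and ($trusted -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.RegistryRights
                Owner    = $acl.Owner      # a non-admin owner is the footprint of a take-ownership
            }
        }
    }
}

"IFEO entries redirecting an executable:"
Get-IfeoDebuggerEntry | Format-Table -AutoSize
"Write-capable ACEs on the IFEO key outside the trusted set:"
Get-IfeoWriteAccess | Format-Table -AutoSize
```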
0x0B SeDebugPrivilege exploitation approach
---
Reference materials:
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt#L736
SeDebugPrivilege
Used to debug specified processes, including reading and writing memory, commonly employed for DLL injection
Exploitation Approach
- Locate a process with System privileges
- DLL injection
- Obtain System privileges
Reference test code:
An open-source project
The code implements enabling SeDebugPrivilege for the current process and injecting a DLL into a specified process
0x0C Summary
---
This article summarizes exploitation methods for nine privileges found in the tokens of ordinary users (or LocalService users), analyzes the exploitation approaches, and refines the implementation code.