Abusing Token Privileges For Windows Local Privilege Escalation

By @dronesec and @breenmachine


This a project my friend drone <@dronesec> and I have been poking at for quite some time and are glad to finally be releasing. As the title implies, we’re going to be looking at leveraging Windows access tokens with the goal of local privilege escalation. For those familiar with some of my previous work on “Rotten Potato” this might sound familiar, however drone and I took this 10 steps further.

In this post I’m simply going to be providing a summary of the work. The full article and all associated code can be found at: https://github.com/hatRiot/token-priv.

This post is going to be broken into two sections, the first for penetration testers and red teamers, and the second for exploit developers.

For the Red Team

Like the “Rotten Potato” project, this project will be useful for penetration testing and red team scenarios where an attacker has gained access to a non-administrative service account and is looking to elevate privileges to “SYSTEM”. If you recall from the “Rotten Potato” project, in order for the original attack to work, your account needed to have the “SeImpersonatePrivilege”, or “SeAssignPrimaryPrivilege”. Drone and I decided to look at what other privileges could be abused to gain SYSTEM level access and were able to find a whole collection of them! If this is where your interest lies, feel free to skip to sections 3.1 and 3.3 of the paper linked above and take a look at the published code. Each of the modules is associated with a specific privilege and will get you SYSTEM level access or something almost as good.

Here is the list of privileges that we were able to abuse:

  • SeImpersonatePrivilege
  • SeAssignPrimaryPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

From a penetration testing perspective, simply type “whoami /priv” at a Windows command prompt. If you have one of the above privileges, you win.

It may be beneficial to hunt for specific service accounts that have these privileges. For example if you can gain access to the Backup service account, it will almost certainly have the SeBackupPrivilege and SeRestorePrivilege. Gaining access to these service accounts can be accomplished in a number of ways including the following:

  • The service itself is compromised through some vulnerability. Typical
    scenarios include web application vulnerabilities which allow execution
    in the context of the account running IIS, and SQL injection
    vulnerabilities where XP_CMDSHELL can be used to run code in the
    context of the SQL service account.
  • Service account credentials are leaked in some way.
  • Kerberoast style attacks. A Kerberos ticket is requested for the target
    account from the domain controller. Part of this ticket is encrypted
    using the target account’s password hash. This can be efficiently
    cracked offline to yield the account password.
  • Forcing NTLM negotiation. For example, with a backup service, if you were to force it to backup an SMB share that is served up by Responder.py.

As always, you may need to be creative here.

For further details, please see the paper in the GitHub repository https://github.com/hatRiot/token-priv.

For the Exploit Devs

This project was originally conceived by drone as a tool for exploit developers to greatly simplify the exploitation of partial write vulnerabilities. Partial write vulnerabilities are those where we can write something to a chosen location in memory, however we may not control the value being written. The idea here is to abuse the partial write to flip some bits in your users token, thus enabling one of the exploitable privileges. From this point forward, the “exploitation” of the vulnerability involves abusing intended (albeit undocumented) behavior of a series of Windows API calls.

The advantage of this type of strategy for abusing partial writes is that it evades all of the new kernel exploit mitigations! Drone shows in the paper how he was able to greatly simplify the exploits for some recent partial write vulnerabilities. The other great thing is that the exploit code is completely portable. Once the right bits are flipped in the token, the exploit developer needs only to run one of the modules from our project.

For further details, please see the paper in the GitHub repository https://github.com/hatRiot/token-priv.