I have to admit, I really love Windows impersonation tokens! So when it comes to the possibility to "steal" and/or impersonate a token I never give up! This is also another chapter of the never ending story of my loved "JuicyPotato". So, here we are (refer to my previous posts in order to understand how…
After the hype we (@splinter_code and me) created with our recent tweet , it's time to reveal what we exactly did in order to get our loved JuicyPotato kicking again... (don't expect something disruptive 😉 )We won't explain how the *potato exploits works, how it was fixed etc etc, there is so much literature about…
In the last period, there have been several researches on how to escalate privileges by abusing generic impersonation privileges usually assigned to SERVICE accounts. Needless to say, a SERVICE account is required in order to abuse the privileges. The last one, in order of time, "Printer Spoofer" is probably the most dangerous/useful because it only…
Feedback Hub is a feature in Windows 10 which allows users to report problems or suggestions to Microsoft. It relies ond he "diagtrack" service, running as SYSTEM, or better known as "Connected User Experiences and Telemetry" When the Feedback Hub gathers info in order to send them to MS, it does a lot of file…
A few weeks ago I decided to install "open-ssh" on a Windows 2019 server for management purpose. The ssh server/client is based on the opensource project and MS implementation source code can be found here Installing ssh is a very easy task, all you have to do is to install the "feature" via powershell: The…
On a dark and stormy night, I was playing with Forshaw's fantastic NTOBJECTMANGER library which, among the millions of things, is able to "disassemble" RPC servers and implement Local RPC calls in .NET. I was looking at "interesting" RPC servers on my Windows 10 1909 machine when my attention was caught by the "XblGameSave.dll" library. This…
Another episode of the series: From XXX to SYSTEM ! This time I will show you how it is possible to gain SYSTEM privileges on a Windows machine (a fully patched Win 10 in our case) with HYPER-V enabled and being a member of the special "Hyper-V Administrators" Windows group. I know what you are…
Hardlinks again! Yes, there are plenty of opportunities to raise your privileges due to incorrect permissions settings when combined with hardlinks in many softwares (MS included) 😉 In this post I'm going to show how to use the DropBoxUpdater service in order to get SYSTEM privileges starting from a simple Windows user. Please note: I'm…
As promised in my previous post , I will show you how to exploit the "Printconfig" dll with a real world example. But what does Apple's iPhone have to do with it?? Well, keep on reading... (sorry no TL;DR) Some time ago, I was looking for possible privileged file operations exploitable via hardlinks. At some…
This post has been written by me and two friends: @splinter_code and 0xea31This is the "unintended" result of a research we did on Juicypotato exploit in order to find a possible bypass on restrictions MS applied in latest Windows versions.We all know that, up to Windows 2016 and Windows 10 1803, it's possible for a…
