The strange case of “open-ssh” in Windows Server 2019

A few weeks ago I decided to install "open-ssh" on a Windows 2019 server for management purposes. The ssh server/client is based on the open-source project, and the MS implementation source code can be found here. Installing ssh is a very easy task: all you have to do is install the "feature" via powershell: The…

The strange RPC interface (MS, are you trolling me?)

On a dark and stormy night, I was playing with Forshaw's fantastic NTOBJECTMANAGER library which, among the millions of things, is able to "disassemble" RPC servers and implement Local RPC calls in .NET. I was looking at "interesting" RPC servers on my Windows 10 1909 machine when my attention was caught by the "XblGameSave.dll" library. This…

From Hyper-V Admin to SYSTEM

Another episode of the series: From XXX to SYSTEM! This time I will show you how it is possible to gain SYSTEM privileges on a Windows machine (a fully patched Win 10 in our case) with HYPER-V enabled while being a member of the special "Hyper-V Administrators" Windows group. I know what you are…

From dropbox(updater) to NT AUTHORITY\SYSTEM

Hardlinks again! Yes, there are plenty of opportunities to raise your privileges due to incorrect permission settings when combined with hardlinks in many software products (MS included) 😉 In this post I'm going to show how to use the DropBoxUpdater service in order to get SYSTEM privileges starting from a simple Windows user. Please note: I'm…

From arbitrary file overwrite to SYSTEM

Arbitrary file overwrite has always been considered a critical vulnerability because, in the "worst case", it can lead to privilege escalation. In Windows systems this usually means impersonating Administrators or SYSTEM. If a standard user is able, through some "exploit", to alter the permissions of special protected files - by granting him modify or…

Creating Windows Access Tokens

Some time ago I was playing with the STOPZilla exploit, which is very interesting and educational because it shows how you can abuse an arbitrary write from userland into the kernel. In this case the exploit will permit us, by altering the EPROCESS structure of the current process, to activate an additional privilege, usually …

Combining LUAFV PostLuafvPostReadWrite Race Condition PE with DiagHub collector exploit -> from standard user to SYSTEM

In this short post I will show you how to combine Forshaw's Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation with Forshaw's Diaghub Collector exploit. The LUAFV exploit has been fixed recently, and rumors are stating that the "core" part of the Diaghub collector exploit (the possibility for a standard user to…

Donkey’s guide to Resource Based Constrained Delegation Exploitation – from simple user to (almost) DA –

In this last period there has been much talk about Kerberos delegation abuse, especially "Resource Based Constrained Delegation". So I started writing this post for my friends @DonkeysTeam but then decided to publish it for a "wider" (just kidding) audience. I won't explain these mechanisms in depth; there are so many articles and blogs…