Demystifying Windows Service “permissions” configuration

I apologize for my presumption, but I thought it was a cool title 😉 Some days ago, I was reflecting on the SeRestorePrivilege and wondering whether a user with this privilege could alter a service's access rights, for example grant everyone the right to stop/start the service, during a "restore" task. (Don't expect some cool bypass or exploit…


Creating Symbolic Links in Windows 10

Creating symbolic links on Windows systems is a feature that has been available since Windows Vista. Unlike Unix, where every user can create symbolic links, on Windows you need a special privilege to perform this operation: SeCreateSymbolicLinkPrivilege. This privilege, if granted, is only available in a high integrity level process. The reason for this security…

No more rotten/juicy potato?

Recently I downloaded the new Windows Server 2019 and upgraded my Win10 box to 1809. Obviously, the first thing I did was to test the juicy/rotten exploit and, surprisingly, it did not work on either OS (I also tried other CLSIDs). Remember what MS said about this "vulnerability"? Fear the Rotten/Juicy potato attack? So I'm not…

Fear the Rotten/Juicy potato attack?

As promised, this is the official response from Microsoft when I asked them how to protect against the DCOM/NTLM reflection abuse: "The team has responded that with the current model there are no hardening recommendations we can offer. They are taking this report as something to pursue for next-version hardening but I don't have an…

Juicy Potato (abusing the golden privileges)

Today my partner in crime Giuseppe and I are releasing our small research on Windows impersonation privileges. The result is a tool named "Juicy Potato", which is a kind of sequel to the potato research that has inspired us for months (RottenPotatoNG and its variants). All the information and results have been published here. My personal…

The power of backup operators

"Backup Operators" is a historical Windows built-in group. It was designed to allow its members to perform backup and restore operations by granting them the SeBackupPrivilege and the SeRestorePrivilege. What does this mean? Well, for some operations like backup and restore, the DACLs (Discretionary Access Control Lists) are ignored; this is to permit backup/restore…

Getting SYSTEM

In your red teaming or pentesting activities, escalating to SYSTEM on a Windows box is always the desired objective. The SYSTEM user is a special operating system account with the highest privileges; many post-exploitation techniques require this type of access. Of course, in order to get SYSTEM you have to be part of the administrators group…

Potatoes and tokens

I had just finished playing with the Rotten Potato C# exploit in order to get it to work standalone when the author @breenmachine released the C++ standalone version of "Rotten Potato". He really did a great job! https://github.com/foxglovesec/RottenPotatoNG Time for me to play with this new version and dig deeper into some "obscure" Windows API calls and access tokens…

The lonely potato – part 2 –

As promised in the previous post, I will show you how to embed the "lonely potato" in InstallUtil.exe. Why do we need that? Because, as explained here, with InstallUtil we can call our C# assembly with whatever extension we like, for example ".txt". Cool way to bypass some Application and File restriction policies.... Quick and…

The lonely potato

Never heard about the "Rotten Potato"? If not, read this post written by the authors of this fantastic exploit before continuing: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ The mechanism is quite complex: it allows us to intercept the NTLM authentication challenge which occurs during DCOM activation through our endpoint listener and impersonate the user's security access token (in this case…