Hands off my service account!

Windows service accounts are one of the preferred attack surfaces for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due to the powerful impersonation privileges that are granted by default to services by the operating system. Even if Microsoft introduced WSH (Windows…

When a stupid oplock leads you to SYSTEM

As promised in my previous post, I'm going to show you the second method I found in order to circumvent CVE-2020-1317. Prerequisites: a domain user has access to a domain-joined Windows machine; the domain user must be able to create a subdirectory under "Datastore\0", which is theoretically no longer possible. But as we will see there are…

When ntuser.pol leads you to SYSTEM

This is a super short writeup following my previous post. My last sentence was a kind of provocation because I already knew that there were at least 2 "bypasses" for CVE-2020-1317. I did not submit them because I totally disagree with recent MSRC changes in their policies, so when I discovered that they were…

Abusing Group Policy Caching

In this post I will show you how I discovered a severe vulnerability in the so-called "Group Policy Caching" which was fixed (among other GP vulnerabilities) in CVE-2020-1317. A standard domain user can perform, via the "gpsvc" service, an arbitrary file overwrite with SYSTEM privileges by altering the behavior of "Group Policy Caching". Cool, isn't it? The…

The impersonation game

I have to admit, I really love Windows impersonation tokens! So when it comes to the possibility to "steal" and/or impersonate a token I never give up! This is also another chapter of the never ending story of my loved "JuicyPotato". So, here we are (refer to my previous posts in order to understand how…

No more JuicyPotato? Old story, welcome RoguePotato!

After the hype we (@splinter_code and me) created with our recent tweet, it's time to reveal what we exactly did in order to get our loved JuicyPotato kicking again... (don't expect something disruptive 😉) We won't explain how the *potato exploits work, how it was fixed etc etc, there is so much literature about…

From NETWORK SERVICE to SYSTEM

In the last period, there has been a lot of research on how to escalate privileges by abusing generic impersonation privileges usually assigned to SERVICE accounts. Needless to say, a SERVICE account is required in order to abuse the privileges. The last one, in order of time, "Printer Spoofer" is probably the most dangerous/useful because it only…

Exploiting Feedback Hub in Windows 10

Feedback Hub is a feature in Windows 10 which allows users to report problems or suggestions to Microsoft. It relies on the "diagtrack" service, running as SYSTEM, better known as "Connected User Experiences and Telemetry". When the Feedback Hub gathers info in order to send it to MS, it does a lot of file…

The strange case of “open-ssh” in Windows Server 2019

A few weeks ago I decided to install "open-ssh" on a Windows 2019 server for management purposes. The ssh server/client is based on the opensource project and the MS implementation source code can be found here. Installing ssh is a very easy task, all you have to do is to install the "feature" via powershell: The…