From iPhone to NT AUTHORITY\SYSTEM

As promised in my previous post, I will show you how to exploit the "Printconfig" dll with a real world example. But what does Apple's iPhone have to do with it?? Well, keep on reading... (sorry, no TL;DR) Some time ago, me and my "business partner" @padovah4ck were looking for possible privileged file operations…

We thought they were potatoes but they were beans (from Service Account to SYSTEM again)

This post has been written by me and two friends: @splinter_code and 0xea31. This is the "unintended" result of a research we did on the Juicypotato exploit in order to find a possible bypass of the restrictions MS applied in the latest Windows versions. We all know that, up to Windows 2016 and Windows 10 1803, it's…

From arbitrary file overwrite to SYSTEM

Arbitrary file overwrite has always been considered a critical vulnerability because it can lead, in the "worst case", to privilege escalation. On Windows systems this usually means impersonating Administrators or SYSTEM. If a standard user is able, through some "exploit", to alter the permissions of special protected files - by granting him modify or…

Creating Windows Access Tokens

Some time ago I was playing with the STOPZilla exploit, which is very interesting and educational because it shows how you can abuse an arbitrary write from userland into the kernel. In this case the exploit will permit us, by altering the EPROCESS structure of the current process, to activate an additional privilege, usually …

Combining LUAFV PostLuafvPostReadWrite Race Condition PE with DiagHub collector exploit -> from standard user to SYSTEM

In this short post I will show you how to combine Forshaw's Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation with Forshaw's Diaghub Collector exploit. The LUAFV exploit has been fixed recently and rumors are stating that the "core" part of the Diaghub collector exploit (the possibility for a standard user to…

Donkey’s guide to Resource Based Constrained Delegation Exploitation – from simple user to (almost) DA –

Lately there has been much talk about Kerberos delegation abuse, especially "Resource Based Constrained Delegation". So I started writing this post for my friends @DonkeysTeam but then decided to publish it for a "wider" (just kidding) audience. I won't explain these mechanisms in depth, there are so many articles and blogs…

Windows Named Pipes & Impersonation

Named pipes are nothing new, it's an old technology you will find in many operating systems (Unix, Windows, ...) to permit asynchronous or synchronous inter-process communication (IPC) on the same computer or on different computers across the network. With named pipes you can send/receive and share data between processes using memory. They are…

Creating Symbolic Links in Windows 10

Creating symbolic links on Windows systems is a feature which has been available starting from Windows Vista. Unlike Unix, where every user can create symbolic links, in Windows you need a special privilege to perform this operation: SeCreateSymbolicLinkPrivilege. This privilege, if granted, is only available in a high integrity level process. The reason for this security…

No more rotten/juicy potato?

Recently I downloaded the new Windows Server 2019 and upgraded my Win10 box to 1809. Obviously, the first thing I did was to test the juicy/rotten exploit and, surprisingly, it did not work on either OS (tried also with other CLSIDs). Remember what MS said about this "vulnerability"? Fear the Rotten/Juicy potato attack? So I'm not…