Giter VIP home page Giter VIP logo

diagtrackeop's Introduction

DiagTrackEoP

Just another way to abuse SeImpersonate privilege.

This PoC is based on this blog by @crisprss.

In this blog @crisprss showed some interesting method to abuse SeImpersonate privilege using AzureAttestService which comes with recent verions of SQL server, PoC for that can be found here https://github.com/crisprss/magicAzureAttestService.

In that blog he also shows another possible way to abuse SeImpersonate privilege using DiagTrack service but author failed to weaponize it, this is taken from that blog (Translated from Chinese so maybe not 100% accurate) :

But just when I thought it could be triggered normally, I didn't realize that this service is transparent to service users, which also means that it is not feasible to simulate pipeline privilege escalation through service users, because service users such as sqlserver There is no way to call the RPC interface, which also means that you can only escalate rights from the administrator user to SYSTEM in this way, so here is just a process sharing

And yeah if you try to call method exposed by that RPC server from service user you get access denied error

imgage

But why normal , unprivileged users are able to call this method?

My assumption was that because service users operate in session 0 they will not have NT AUTHORITY\INTERACTIVE SID in their token while normal users who login over RDP or interactively will have it.

So how we can get NT AUTHORITY\INTERACTIVE SID from session 0 ? Very easy actually Secondary Logon service will do that for us. We can use LogonUser API call to get token with NT AUTHORITY\INTERACTIVE SID and we dont need valid credentials as we will use NewCredentials(9) logon type. When NewCredentials logon type is used Secondary Logon will make new logon session and copy caller token but it will also insert a NT AUTHORITY\INTERACTIVE SID, this is perfect situation for us as we dont need to have valid credentials ( credentials used with NewCredentials logon type are not verified until user tries to access network resource).

So now that we have token with NT AUTHORITY\INTERACTIVE SID will eploit work ? Yeah it will :D

image

This PoC is tested on Windows 10 and Windows 2019.

Credits

@crisprss - https://www.crisprx.top/archives/561

@itm4n - https://github.com/itm4n/PrintSpoofer

@splinter_code - https://github.com/antonioCoco/RunasCs

diagtrackeop's People

Contributors

wh04m1001 avatar

Stargazers

Rubi1iXD avatar XiaoYi avatar avatar

Forkers

bcdlbgm

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.