Abusing Windows tokens privileges

Abusing Windows tokens privileges

Hi there. The other day I was reading about Windows security features (like always) and I started to poke around Windows' access tokens. And particularly the privileges included in some of those tokens.

1. 1)How Windows performs access checks on different objects

The access token is an object encapsulating every piece of information about security context about a process or a thread. When a user logs on, two access tokens are created: a primary and an impersonation token. The primary tokens can only be associated to processes and the impersonation ones, only to threads (they are mainly used by some IPC mechanisms). Every process initialized by the user has a copy of its access token. This is the basic idea behind access tokens and how they work.

1. 2)The token object in WinObj

There are various ways to get information about the access token associated to a particular process. Using TokenViewer for example (if you want a GUI), or WinDbg if you want all the details together.

I already knew about access tokens, but when looking at them more deeply I realized I wasn´t too much informed about the privileges associated to them. You can learn more about them here: https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants

So I started to read about this and I found a very good talk of Andrea Pierini in Hackinparis 2019 edition. Link to the talk: https://www.youtube.com/watch?v=ur2HPyuQlEU. It is worth watching, seriously. Basically what he says in the talk is that there are various privileges associated with certain access tokens (like service accounts ones) which can lead directly or indirectly to privilege escalation. Foxglove´s security team has also done an interesting research about this. This is their list of exploitable privileges:

I started to be very curious about it, so I wrote a simple Python script to check if you can exploit any account. Just do a runas to execute a new cmd as the user you want and execute the script from there. It would just check if you have any of those privileges and refer you to an article on how to exploit each one.

I have uploaded it to my Github (https://github.com/stark0de/tokenpriv) in case you wanna experiment.

Well, that was all for today. Cheers.

References:

• https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens

-https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf

-https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

-https://decoder.cloud