Tokenvator v2.1.1 releases: A tool to elevate privilege with Windows Tokens

by do son · Published March 22, 2019 · Updated March 22, 2019

Tokenvator

A tool to elevate privilege with Windows Tokens

This tool has two methods of operation – interactive and argument modes

Interactive Mode:
C:> tokenvator.exe
(Tokens) > steal_token 908 cmd.exe
(Tokens) >

Arguments Mode:
C:> tokenvator.exe steal_token 908 cmd.exe
C:>

Methods

GetSystem
- Optional Parameters: Process ID, Command
- Examples:
  (Tokens) > GetSystem
  or
  (Tokens) > GetSystem 504
  or
  (Tokens) > GetSystem 504 regedit.exe
GetTrustedInstaller
- Optional Parameters: Command
- Examples:
  (Tokens) > GetTrustedInstaller
  or
  (Tokens) > GetTrustedInstaller regedit.exe
Steal_Token
- Parameters: Process ID
- Optional Parameters: Command
- Examples:
  (Tokens) > StealToken 1008
  or
  (Tokens) > StealToken calc regedit.exe
  or
  (Tokens) > StealToken 1008 regedit.exe
BypassUAC
- Parameters: Process ID
- Optional Parameters: Command
- Examples:
  (Tokens) > BypassUAC 1008
  or
  (Tokens) > BypassUAC regedit.exe
  or
  (Tokens) > BypassUAC 1008 regedit.exe
List_Privileges
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > List_Privileges
Set_Privileges
- Parameters: Privilege
- Optional Parameters: –
- Examples:
  (Tokens) > Set_Privileges SeSecurityPrivilege
List_Processes
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > List_Processes
List_Processes_WMI
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > List_Processes_WMI
Find_User_Processes
- Parameters: Username
- Optional Parameters: –
- Examples:
  (Tokens) > Find_User_Processes domain\user
Find_User_Processes_WMI
- Parameters: Username
- Optional Parameters: –
- Examples:
  (Tokens) > Find_User_Processes_WMI domain\user
List_User_Sessions
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > List_User_Sessions
WhoAmI
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > WhoAmI
RevertToSelf
- Parameters: –
- Optional Parameters: –
- Examples:
  (Tokens) > RevertToSelf
Run
- Parameters: Command
- Optional Parameters: –
- Examples:
  (Tokens) > Run cmd.exe

Changelog v2.1.1

Update to add support for interactive sub-processes

(Tokens) > run cmd.exe
[+] Starting cmd.exe
[*] Note: The prompt is currently missing for input

Microsoft Windows [Version 10.0.17763.379]
(c) 2018 Microsoft Corporation. All rights reserved.

whoami
C:\Tokenvator\Tokenvator\bin\Release-Net45>whoami
windows10pro\0xbadjuju

dir
C:\Tokenvator\Tokenvator\bin\Release-Net45>dir
 Volume in drive C has no label.
 Volume Serial Number is A624-B8DD

 Directory of C:\Tokenvator\Tokenvator\bin\Release-Net45

03/22/2019  11:38 AM    <DIR>          .
03/22/2019  11:38 AM    <DIR>          ..
09/15/2018  02:29 AM         3,010,560 System.Management.Automation.dll
02/21/2019  11:45 AM               161 Tokenvator.exe.config
03/22/2019  11:28 AM           112,128 Tokenvator.pdb
03/22/2019  11:28 AM           117,760 Tokenvator.exe
               4 File(s)      3,240,609 bytes
               2 Dir(s)  84,676,734,976 bytes free

exit
C:\Tokenvator\Tokenvator\bin\Release-Net45>exit

(Tokens) > run powershell.exe
[+] Starting powershell.exe
[*] Note: The prompt is currently missing for input

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

gci
PS C:\Tokenvator\Tokenvator\bin\Release-Net45> gci


    Directory: C:\Tokenvator\Tokenvator\bin\Release-Net45


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/15/2018   2:29 AM        3010560 System.Management.Automation.dll
-a----        2/21/2019  10:45 AM            161 Tokenvator.exe.config
-a----        3/22/2019  11:28 AM         112128 Tokenvator.pdb
-a----        3/22/2019  11:28 AM         117760 Tokenvator.exe


exit
PS C:\Tokenvator\Tokenvator\bin\Release-Net45> exit

Download

Copyright (C) Alexander Leary (@0xbadjuju), NetSPI – 2018

Source: https://github.com/0xbadjuju/

Tokenvator v2.1.1 releases: A tool to elevate privilege with Windows Tokens

Search

Suggested Reading

Tokenvator v2.1.1 releases: A tool to elevate privilege with Windows Tokens

Tokenvator

Methods

GetSystem

GetTrustedInstaller

Steal_Token

BypassUAC

List_Privileges

Set_Privileges

List_Processes

List_Processes_WMI

Find_User_Processes

Find_User_Processes_WMI

List_User_Sessions

WhoAmI

RevertToSelf

Run

Search

Suggested Reading