satyricon11

Windows 7 Privilege Escalation


Hey guys so I'm messing around with a copy of Windows 7, Metasploit, and the Python programming language. I've noticed that even after I've got NT/AUTHORITY access on a machine, there are still certain things that I can't do. After doing some research I found out that even with superuser access, I may not be in the correct "privilege ring" to accomplish what I want, i.e. forcing the computer to stop system critical programs, delete certain files, etc.

 

So my thought here is, knowing that the smss.exe process is responsible for starting the kernel and user modes and loads the registry, what if I created a registry key that lets me interact with a custom Python script? Would it inherit the same privs/rights as smss.exe? Does anyone have any thoughts or recommendations?

 

BTW, I know that me wanting to delete or stop system critical files is ridiculous. As stated above, this is all in a VM on my PC and is all proof of concept and me goofing off.

 


There's a shell extension called "Take ownership" which you might want to put in; it can be helpful at times. OK, it's sufficiently small that I can just post it here. There's an "add" and a "remove" file.

It's not the sort of thing to mess with casually; you could potentially screw a system over royally by using it.

I've used it mainly on Win 7 when getting rid of folders/files remaining on old system drives but wanting to retain some stuff.

 

Not totally relevant to your need but might come in helpful.
As for forking new processes etc off system ones and getting inherited security attributes, not sure that'd work.

Also, the "not authorized" etc messages are usually pretty generic and the Task Manager and similar utilities stop you from killing certain things for your own protection.

 

Call this one "Take ownership - install.reg"

Windows Registry Editor Version 5.00

;Created by Vishal Gupta for AskVG.com
;Adds a "Take ownership" entry to the right-click menu of files (*) and folders (Directory)
;through the runas verb: takeown changes the owner, icacls grants Administrators full control.

[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Call this one "Take ownership - uninstall.reg"

Windows Registry Editor Version 5.00

;Created by Vishal Gupta for AskVG.com
;Deletes the keys added by the install file, then puts back a plain runas verb
;for files whose command simply runs the selected item ("%1" %*).

[-HKEY_CLASSES_ROOT\*\shell\runas]

[HKEY_CLASSES_ROOT\*\shell\runas]
@=""
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[-HKEY_CLASSES_ROOT\Directory\shell\runas]



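An added example (mine, not from the thread or the AskVG files): a small auditor for .reg exports that parses the subset of the format the two files above use ([key] and [-key] sections, @= defaults, "name"="value" strings with \\ and \" escapes) and reports every runas\command verb whose default value is no longer the stock "%1" %* that the uninstall file restores. That is the check a defender would run over a registry export to spot this shell extension, or anything else hooked into right-click elevation. Function names are my own; the sample input is excerpted from the posted files.

```python
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_RUNAS_COMMAND = '"%1" %*'           # what a stock "Run as administrator" verb runs
SECTION_RE = re.compile(r'^\[(-?)(.+)\]$')   # [key] adds/updates, [-key] deletes
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)        # .reg strings escape only \\ and \"

def parse_reg(text: str) -> Dict[str, Optional[Dict[str, str]]]:
    """Map key path -> {value name: string data}; a [-key] deletion maps to None."""
    keys: Dict[str, Optional[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ';' or line.startswith('Windows Registry Editor'):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            delete, current = sec.groups()
            keys[current] = None if delete else {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None and keys[current] is not None:
            name = '@' if val.group(1) == '@' else unescape(val.group(2))
            data = val.group(3)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])  # REG_SZ; other types are kept verbatim
            keys[current][name] = data
    return keys

def find_runas_overrides(text: str) -> List[Tuple[str, str]]:
    hits = []                                # (key, command) for non-stock runas verbs
    for path, values in parse_reg(text).items():
        if values and path.lower().endswith(r'\shell\runas\command'):
            cmd = values.get('@')
            if cmd is not None and cmd != DEFAULT_RUNAS_COMMAND:
                hits.append((path, cmd))
    return hits

# Sample input: excerpts of the two files posted above (the "*" key only).
INSTALL_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"""
UNINSTALL_REG = r"""[-HKEY_CLASSES_ROOT\*\shell\runas]
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="\"%1\" %*"
"""
```

Running find_runas_overrides over a full `reg export HKCR` dump works the same way, since the parser ignores the values it does not understand.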

Generally you don't. Any self-respecting modern multitasking OS has system routines that perform high security functions on your behalf, and security definitions take care of controlling what users and groups can do what.


Presuming you have disabled UAC?

 

With it enabled, it doesn't matter what account your session is identified with (yes, even SYSTEM); you don't have escalated privileges without invoking UAC.

 

Google "UAC split token".

 

Edit: OK, I re-read what you're asking a few more times.

 

Under normal conditions, the kernel will only allow digitally signed code to run in ring 0. This is by design.

 

You've reached the level where you need to use exploits to get your code executed. No normal mechanism is going to allow you to do this, short of, perhaps, disabling driver signing enforcement with BCDedit or similar, self-signing your payload, and deploying it as a kernel mode device driver.

Edited by SquallStrife

The registry entries suggested by Rybags should work and will likely persist across reboots (at least until your next malware scan or Windows update).

 

Another option is to try running a Meterpreter exe as an administrator, logging into the Meterpreter shell and using getsystem to privilege escalate to NT AUTHORITY\SYSTEM and then either migrate to smss.exe's PID or steal its token using steal_token. Superuser access should theoretically allow you to do all this. Then just drop back into a shell and do as you please. 😀

 

You might also want to try the StickyKeys hack - this is a cheap & dirty one but it works up to Windows 7. Get NT AUTHORITY and robocopy cmd.exe over sethc.exe in a CMD shell. Then reboot. Access the machine either physically or via RDP (make sure to enable it and open the port, etc). Then hit Shift 5 times quickly and voila - you will get a command prompt which is not constrained by the local security policy, which loads after login.

 

Have fun! 😁

 


Yeah UAC is a bit like SELinux and other mandatory access control systems - your privileges are not solely dependent on your UID - you also need a valid token for the task you want to perform. As correctly noted, executing in Ring 0 requires signed code or an exploit as well as System. Having said that, tokens can be split and stolen - Google, DuckDuckGo, Metasploit Unleashed and ExploitsDB might be helpful.

 

However, I am pretty sure UAC doesn't kick in fully until after login, so the StickyKeys hack is not a bad one to try. I personally have not tried messing around with Ring-0-only system files using this hack (when pen testing the plan generally isn't to completely screw up the system), but if you do try it let me know how you go. I might even spin up some VMs and give it a go myself tomorrow!

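An added example (mine, not from the thread): the check a defender would run for the sethc.exe replacement described above. Copying cmd.exe over sethc.exe leaves the two files byte-identical, so comparing their SHA-256 digests catches it directly, and an optional map of known-good digests catches any other swap. The System32 path and the function names are assumptions; the demo fixture uses constructed stand-in files, not real binaries.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Optional

def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_sethc(system32: str = r"C:\Windows\System32",
                baseline: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Verdict for each accessibility binary: 'ok', 'replaced_with_cmd',
    'baseline_mismatch' or 'missing'. A genuine sethc.exe never hashes the same
    as cmd.exe; the optional baseline maps file name -> known-good SHA-256."""
    results: Dict[str, str] = {}
    cmd_path = os.path.join(system32, "cmd.exe")
    cmd_hash = sha256_of(cmd_path) if os.path.isfile(cmd_path) else None
    for name in ("sethc.exe",):              # the binary the thread discusses
        path = os.path.join(system32, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        digest = sha256_of(path)
        if digest == cmd_hash:
            results[name] = "replaced_with_cmd"
        elif baseline and baseline.get(name, digest) != digest:
            results[name] = "baseline_mismatch"
        else:
            results[name] = "ok"
    return results

def demo() -> Dict[str, Dict[str, str]]:
    """Constructed fixture, not real binaries: a scratch directory standing in for
    System32, checked before and after the copy the thread describes."""
    with tempfile.TemporaryDirectory() as d:
        cmd, sethc = os.path.join(d, "cmd.exe"), os.path.join(d, "sethc.exe")
        with open(cmd, "wb") as f:
            f.write(b"MZ constructed stand-in for cmd.exe")
        with open(sethc, "wb") as f:
            f.write(b"MZ constructed stand-in for sethc.exe")
        good = {"sethc.exe": sha256_of(sethc)}      # baseline recorded while clean
        before = check_sethc(d, good)
        tampered = check_sethc(d, {"sethc.exe": "0" * 64})  # wrong baseline -> mismatch
        shutil.copyfile(cmd, sethc)                 # the replacement, simulated
        after = check_sethc(d, good)
    return {"before": before, "tampered": tampered, "after": after}
```

On a live host, check_sethc() with the default path does the same comparison against the real System32; record the baseline digest from a known-clean install or the matching Windows update package.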

The one I suggested is persistent. It's sufficiently powerful and could easily make a system unusable by putting the wrong attributes on system files, which is why the remove option is included.

Though Windows 10 in fact has very similar capability built in.


Yeah it would be persistent across reboots, etc - what I meant though was that it might not persist across Windows updates or security software updates if said updates affect the registry. The particular keys you're altering are ones that could be relevant to MS's security updates; hence they are more likely to be overwritten during system updates than your average registry key. They might also be "fixed" if, say, the PC crashes and Windows does its auto repair thingy. ;-)

Edited by ArchangelOfTheLamb


It's just a shell extension, so it only makes it easier to do what you could by opening a CMD window. Though I imagine that if you're not running as an admin it probably wouldn't work.


It wouldn't - even Windows 7 only allows admins to change group memberships and use certain shell extensions.

 

Mind you from what I gather from the OP, he has already got NT AUTHORITY\SYSTEM, which has even more privileges than just any admin. ;-)

 

One thing I am interested in (which I am going to test when I get around to it) is whether you can privilege escalate your way to "TrustedInstaller" and what level of access that gives you. Just from looking at file permissions, it seems to me that TrustedInstaller might have even better tokens than SYSTEM!
