Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/yusufqk/SystemToken

Steal privileged token to obtain SYSTEM shell
https://github.com/yusufqk/SystemToken

Last synced: 3 months ago
JSON representation

Steal privileged token to obtain SYSTEM shell

Host: GitHub
URL: https://github.com/yusufqk/SystemToken
Owner: yusufqk
Created: 2020-04-06T19:28:08.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-07-14T06:30:49.000Z (over 4 years ago)
Last Synced: 2024-04-12T18:04:10.483Z (7 months ago)
Language: C
Homepage:
Size: 3.91 KB
Stars: 245
Watchers: 6
Forks: 59
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - yusufqk/SystemToken - Steal privileged token to obtain SYSTEM shell (C)

README

# SystemToken

This code will iterate over all processes on a system until it reaches a process with
the following traits:

* The user for that process is SYSTEM
* The owner for that process is Administrators

Once a process is found with these two traits, the token for that process is duplicated and
a new process with that token is created. This will result in a SYSTEM shell.

## System Requirements

This code was tested on a Windows 10 x64 machine using Visual Studio 2019.
Must be run with UAC bypassed and Local Admin privileges.

## Usage

Compile and run SystemToken.exe

## References

This work is based on the research done by [Justin Bui from SpecterOps](https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b)
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens

Windows API exploitation at PentesterAcademy (amazing course, learned alot). The EnablePriv.h file used to enable privileges (no longer provided and never used by this tool) is a modified version from the course.