🧙
Pentesting & Red Teaming Notes
  • Windows
    • Recon - Initial Access
    • Privilege Escalation
      • Enable Privs
      • SeBackupPrivilege
      • SeImpersonatePrivilege
      • SeDebugPrivilege
    • Kerberoasting
    • Lateral Movement
    • MSSQL
    • AD Related
    • Bypass-Evasion Techniques
    • Post Exploitation
    • Miscellaneous
    • UAC Bypass
    • Exploits
      • MS03-026 - RPC DCOM
      • MS04-011 - LSASRV
      • MS08-67 - Netapi
      • MS17-010 - Eternalblue
      • CVE-2019-1388
      • CVE-2020-1472 - Zerologon
      • CVE-2020-16938
      • CVE-2021-1675 - PrintNightmare
      • CVE-2022-21999 - SpoolFool
    • Coerced Auth
  • Linux
  • Abusing Active Directory ACLs
    • ReadLAPSPassword
    • WriteDacl
    • GenericWrite
    • ForceChangePassword
    • WriteOwner
  • Port Forwarding - Tunneling
  • Cloud
  • Mobile
  • Malware Development
    • Process Migration
    • Process Hollowing
    • Dynamic API Resolution
    • Suspended Threads
    • PPID Spoofing
    • Thread Stack Spoofing
    • ETW (Event Tracing for Windows)
    • AMSI Bypass
    • Tools
    • Esoteric
Powered by GitBook
On this page
  1. Windows
  2. Privilege Escalation

Enable Privs

PreviousPrivilege EscalationNextSeBackupPrivilege

Last updated 3 years ago

$definition = @'
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
namespace Set_TokenPermission
{
    public class SetTokenPriv
    {
        [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
        internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
        [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
        internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
        [DllImport("advapi32.dll", SetLastError = true)]
        internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
        [StructLayout(LayoutKind.Sequential, Pack = 1)]
        internal struct TokPriv1Luid
        {
            public int Count;
            public long Luid;
            public int Attr;
        }
        internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
        internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
        internal const int TOKEN_QUERY = 0x00000008;
        internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
        public static void EnablePrivilege()
        {
            bool retVal;
            TokPriv1Luid tp;
            IntPtr hproc = new IntPtr();
            hproc = Process.GetCurrentProcess().Handle;
            IntPtr htok = IntPtr.Zero;
            List<string> privs = new List<string>() {   "SeRestorePrivilege" };
            
            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
            tp.Count = 1;
            tp.Luid = 0;
            tp.Attr = SE_PRIVILEGE_ENABLED;
            foreach (var priv in privs)
            {
                retVal = LookupPrivilegeValue(null, priv, ref tp.Luid);
                retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);                              
            }
        }
    }  
}
'@

$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege() 2>&1
https://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/